One-third of enterprises don’t encrypt sensitive data in the cloud


While most organizations list cloud security as one of their top IT priorities, they continue to ignore basic security hygiene when it comes to data in the cloud, according to Orca’s latest public cloud security report. The report revealed that 36% of organizations have unencrypted sensitive data such as company secrets and personally identifiable information in their cloud assets. 

The global pandemic accelerated the shift to cloud computing, as the sudden and massive move to remote work forced companies to provide employees with access to business systems from anywhere.

Gartner predicts that worldwide spending on public cloud computing services will rise 20.4% to a total of $494.7 billion this year and expects it to reach nearly $600 billion in 2023. 


Tuning Network Assessments for Performance and Resource Usage


Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.

When working with Nessus at scale or in unique environments, it can be a challenge to balance scan time, target resource usage and assessment effectiveness. In this blog post, we’ll cover some common configurations that you can use to optimize scan times and reduce load on scan targets and network infrastructure.

The first item to consider is the appropriate scan or assessment method for your target and your objective. Different types of systems require different methods of assessment, and there are different goals when doing a host or network scan, including:

Scan a large network and see what hosts are on it.
Assess remote user workstations for vulnerabilities.
Review the configuration of Apache against a security baseline.
Ensure that a sensitive network doesn’t have systems added to it outside of change control.

Each of these scenarios could use the same basic configuration, but as every IT environment is unique, understanding the way to optimize each will make your program more effective.

Assessment goals

What is your objective? Using the examples above, let’s take a look at ways to be more efficient than with a generic network scan, depending on what you’re trying to accomplish.

Scanning a large network to see what hosts are on it: Nessus uses a variety of methods to determine whether a host is alive. These are performed in a specific order so that systems are detected as quickly as possible. However, if you know that a certain discovery method isn't applicable to your environment (for example, ARP ping when the scanner is never on the same subnet as its targets), you can disable it.

Assessing remote workstations: Remote workstations are often very hard to reach via traditional network methods. Installing a local Nessus Agent enables local assessment of the host and upload of the results back for centralized reporting. Attempting to assess over a VPN or wireless connection, by contrast, can result in dropped packets, corrupted scans and performance impacts on network infrastructure.

Reviewing configuration against a baseline: Compliance benchmarks require authentication and validate local configuration settings. If you're only running compliance checks, use a scan policy that enables only the configuration audits required and skips unnecessary vulnerability checks.

Watching a sensitive network: In general, systems in sensitive environments should not be network-scanned using traditional IT methods. While Nessus will attempt to avoid these systems during a scan, agents or passive assessments of these hosts are generally safer and can still provide valuable information without impacting the availability of the specialized assets.

In summary, the first step is to ensure you’re using the correct tool and configuration for the job.

Simultaneous assessment

When exploring the most effective way to perform an assessment, scanning many systems simultaneously isn’t always the best option. Just because the tool is capable of a certain threshold doesn’t mean it should be maxed out. Consider the following:

If network traffic from your scan passes through a single bottleneck, that network infrastructure may be overwhelmed by the number of hosts being assessed at any given moment.
Scans on hosts sharing the same underlying infrastructure, such as storage or compute resources, may overwhelm those systems if too many assessments start at the same time.
Some checks will query other local or internet infrastructure as part of the assessment. The additional connections or queries can overwhelm systems that aren't being explicitly assessed.

The default scan configuration for simultaneous assessment of scan targets is sufficient for most use cases. However, it may be scaled up to increase performance or scaled down to reduce impact on infrastructure. There are other options within the scan configuration to address specific issues, such as:

Stagger scan launch times for Nessus Agents
Randomize the order in which IPs are scanned
Slow down the scan when network congestion is detected

Scanner resources and placement

In general, Nessus sensors should meet the recommended hardware requirements whenever possible. This allows Nessus to scale appropriately to most network sizes and run a large variety of assessments at once.

Occasionally, you may not have dedicated hardware or resources that meet even the minimum Nessus specs. In these cases, you can use shared resources to a certain extent, provided you accept reduced functionality. A shared Windows server in an office trailer with 10 systems will likely be sufficient to install Nessus on (and only scan those 10 targets), and generally makes more sense than setting up an entirely new system dedicated to Nessus.

You should also deploy scanners as close as possible to the targets being assessed. For example, a regionally distributed network with 25 distinct Class B subnets may benefit from a scanner in each one, if there is no centralized (or robust) backbone to a central hub. A scanner that’s as close as possible to the targets will achieve various goals like:

Using ARP if it’s in the same subnet as the targets
Reduced or no load on infrastructure to scan through
Quicker scans due to reduced network transit time

However, this is not always possible, nor optimal, in every environment. In the scenario above, perhaps there is no infrastructure at each network, and creating it is cost prohibitive. In this case, deploying other types of technologies (Nessus Agents, Nessus on a Raspberry Pi, Nessus Network Monitor, etc.) may achieve the same end goal.

Enterprise platform configuration

One of the fastest ways to improve scan times is to simply increase the number of scanners you're using. With Tenable enterprise platforms like Tenable.io or Tenable.sc, customers can deploy as many scanners as they wish, allowing for deployments across complex network configurations.

Customers can also logically group scanners in both Tenable.io and Tenable.sc (using Scanner Groups and Scan Zones, respectively) so that one scan task is broken out over many scanners. This effectively increases the concurrent hosts tested at any given time while reducing the potential bottleneck around scanner resources.

Be aware, however, that increasing the number of scanners also increases the amount of network traffic and the number of connections made to endpoints. This can overwhelm network infrastructure if scanners are poorly placed or scan policies are tuned up without accounting for the extra scanners. Tenable recommends monitoring network usage and coordinating changes with internal infrastructure teams to ensure there is no impact on production networks.
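To make the placement and concurrency advice above concrete, here is an added example (not Tenable code, and not something the post itself provides) that applies it as a planning step before a scan is configured. It puts each target subnet on a scanner attached to that subnet when one exists, and otherwise sends it through a central scanner across a shared backbone link, capping the concurrent hosts of all such remote scans so their combined traffic stays under a fraction of the link's capacity. The scanner names and subnets, link capacity, per-host bandwidth and per-host assessment time are constructed assumptions; substitute your own measured figures.

```python
"""Plan where to run a scan and how many hosts to assess at once.

Added example for this post; it is not Tenable code and does not call
the Nessus API. It applies the post's two rules: put the scanner in the
target subnet when you can (ARP reachable, no transit), and when targets
must be scanned across a shared link, cap the concurrency so the link is
not saturated. Link capacity, per-host bandwidth, per-host assessment
time and the subnets are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from math import ceil, floor


@dataclass(frozen=True)
class Scanner:
    name: str
    subnet: str      # subnet the scanner is attached to, e.g. "10.0.0.0/24"
    max_hosts: int   # most hosts this scanner should assess simultaneously


def nearest_scanner(target, scanners, fallback):
    """Prefer a scanner attached to the target subnet; otherwise use the
    named central scanner, which means traffic crosses the backbone."""
    for s in scanners:
        if ip_network(s.subnet).overlaps(target):
            return s, True
    central = next(s for s in scanners if s.name == fallback)
    return central, False


def plan_scans(targets, scanners, *, fallback, backbone_kbps, per_host_kbps,
               per_host_minutes, utilization=0.5):
    """One plan entry per target subnet.

    Local placements use the scanner's own max_hosts. Remote placements all
    share the backbone, so they split a concurrency budget of
    floor(backbone_kbps * utilization / per_host_kbps) between them.
    """
    nets = [ip_network(t) for t in targets]
    placed = [(n, *nearest_scanner(n, scanners, fallback)) for n in nets]
    n_remote = sum(1 for _, _, local in placed if not local)
    remote_budget = floor(backbone_kbps * utilization / per_host_kbps)
    per_remote = max(1, remote_budget // n_remote) if n_remote else 0

    plan = []
    for net, scanner, local in placed:
        hosts = max(net.num_addresses - 2, 1)   # ignore network/broadcast
        concurrency = scanner.max_hosts if local else min(scanner.max_hosts, per_remote)
        plan.append({
            "target": str(net),
            "scanner": scanner.name,
            "local": local,
            "hosts": hosts,
            "concurrency": concurrency,
            # batches of `concurrency` hosts, each batch taking per_host_minutes
            "est_minutes": ceil(hosts / concurrency) * per_host_minutes,
        })
    return plan


def backbone_load_kbps(plan, per_host_kbps):
    """Peak traffic the remote placements push through the shared link."""
    return sum(p["concurrency"] for p in plan if not p["local"]) * per_host_kbps


# Constructed scenario: two sites with a scanner, two without.
EXAMPLE_SCANNERS = [Scanner("hq", "10.0.0.0/24", 30),
                    Scanner("site-b", "10.1.0.0/24", 20)]
EXAMPLE_TARGETS = ["10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/25"]


def example_plan():
    return plan_scans(EXAMPLE_TARGETS, EXAMPLE_SCANNERS, fallback="hq",
                      backbone_kbps=10_000, per_host_kbps=250,
                      per_host_minutes=5)


if __name__ == "__main__":
    plan = example_plan()
    for row in plan:
        print(row)
    print("peak backbone load (kbps):", backbone_load_kbps(plan, 250))
```

The concurrency values map onto the scanner's maximum simultaneous hosts setting, and the backbone load figure is what to show the infrastructure team before the scan runs. If the remote placements come out with a cap of one or two hosts, that is the signal that a local scanner or agents at that site, as the post suggests, are the better option.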

Making your network assessments as efficient as possible will depend on a number of factors. In this article, we’ve covered the basics of planning out your goals for assessment, checking numerous hosts at the same time, scanner placement and resource usage, and utilizing Tenable.io and Tenable.sc’s capabilities around multiple scanners.

Learn more:

Nessus Discovery Settings (Documentation)
Nessus Scanner Hardware Requirements (Documentation) 
Advanced Settings in Vulnerability Management Scans – Tenable.io (Documentation)
Variables Impacting Scan Time (Documentation)
Scanner Groups – Tenable.io (Documentation)
Scan Zones – Tenable.sc (Documentation) 
4 Ways to Improve Nessus Scans Through Firewalls (Blog)
Configuring the Ports that Nessus Scans (Blog)
ICS/SCADA Smart Scanning (Blog) 


The Feeling of Safety with McAfee+


Safety has a feeling all its own, and that’s what’s at the heart of McAfee+. 

We created McAfee+ so people can not only be safe but feel safe online, particularly in a time when there’s so much concern about identity theft and invasion of our online privacy.   

And those concerns have merit. Last year, reported cases of identity theft and fraud in the U.S. shot up to 5.7 million, to the tune of $5.8 billion in losses, a 70% increase over the year prior. Meanwhile, online data brokers continue to buy and sell highly detailed personal profiles with the data cobbled together from websites, apps, smartphones, connected appliances, and more, all as part of a global data-gathering economy estimated at well over $200 billion a year. 

Yet despite growing awareness of the ways personal information is collected, bought, sold, and even stolen, it remains a somewhat invisible problem. You simply don’t see it as it happens, let alone know who’s collecting what information about you and toward what ends—whether legal, illegal, or somewhere in between. A recent study we conducted showed that 74% of consumers are concerned about keeping their personal information private online. Yet, most of us have found out the hard way (when we search for our name on the internet) that there is a lot of information about us that has been made public. It is our belief that every individual should have the right to be private, yet we know too many individuals don’t know where to begin. It is this very worry that made us focus our new product line on empowering our users to take charge of their privacy and identity online. 

McAfee+ gives you that control. 

Now available in the U.S., McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance and support to take the steps to be safer online. Here’s how: 

You’ll see where your personal information appears in risky locations online, such as people search and data broker sites that sell this information to advertisers, in addition to hackers, spammers, and thieves. Then McAfee+ helps you remove it (or depending on the plan we do it for you). We call this Personal Data Cleanup. 

It protects you by scanning the dark web for places where your personal information may appear. This way you can keep an eye on your email addresses, Social Security number, credit card numbers, and more on the dark web, and receive notifications an average of 10 months sooner than similar services if your info is found in a data breach. This gives you ample time to change your passwords before hackers try to access your account. Depending on your plan, McAfee+ offers you $1M identity theft coverage and credit monitoring services as well for additional peace of mind. 
You’ll also see how safe you are with our industry-first Protection Score. It checks the health of your online protection and shows you ways you can improve your score so you’re safer still. 

And as always, it all includes McAfee’s award-winning antivirus and device security solution.  

You can see the entire range of features that cover your identity, privacy, and security with a visit to our McAfee+ page. 

McAfee+ Ultimate offers our most thorough protection, with which you can lock your credit with a click or put a comprehensive security freeze in place, both to thwart potential identity theft. You can keep tabs on your credit with daily credit monitoring and get an alert when there’s credit activity to spot any irregularities quickly.  

You’ll also feel like someone has your back. Even with the most thorough measures in place, identity theft and ransomware attacks can still strike, which can throw your personal and financial life into a tailspin. What do you do? Where do you start? Here, we have you covered. We offer two kinds of coverage that can help you recover your time, money, and good name:  

$1 million in identity theft coverage and with the assistance of professional identity restoration specialists who can take steps to repair your identity and credit. 
$25,000 in ransomware coverage, which likewise comes with expert support that can help you determine the severity of a ransomware attack, learn what immediate steps you can take, and determine if a ransom should be paid or if alternative options exist. 

Starting today, customers in the U.S. can purchase McAfee+ online at McAfee.com in Premium, Advanced, and Ultimate plans, in addition to individual and family subscriptions. McAfee+ will also be available online in the U.K., Canada, and Australia in the coming weeks with additional regions coming in the months ahead (features may vary by region). 

We are very excited about bringing these new protections to you and we hope you will be too.  

The post The Feeling of Safety with McAfee+ appeared first on McAfee Blog.


FBI Seizes Stolen Cryptocurrencies


The Wall Street Journal is reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. It’s only a fraction of the $540 million stolen, but it’s something.

The Axie Infinity recovery represents a shift in law enforcement’s ability to trace funds through a web of so-called crypto addresses, the virtual accounts where cryptocurrencies are stored. These addresses can be created quickly without them being linked to a cryptocurrency company that could freeze the funds.

In its effort to mask the stolen crypto, Lazarus Group used more than 12,000 different addresses, according to Chainalysis. Unlike bank transactions that happen through private networks, movement between crypto accounts is visible to the world on the blockchain.

Advanced blockchain-monitoring tools and cooperation from centralized crypto exchanges enabled the FBI to trace the crypto to where Lazarus Group tried to cash out, investigators said.

The money was laundered through the Tornado Cash mixer.


Credential theft food chain—What is Ransomware-as-a-Service


This blog was written by an independent guest blogger.

Anyone who has watched the Lockpicking Lawyer realizes that certain locks promoted as the latest and greatest aren't necessarily the most reliable devices for securing physical assets. Like many other security professionals, he seeks to educate consumers and manufacturers on defects in devices and how to improve their security. It reminds me of a quote by Deviant Ollam (security auditor and penetration testing consultant): “Security is achieved through openness. Take things apart and play with them… exposing bad security is what protects us all.”

This preemptive step of testing security is vital because, while the defenders are actively finding security holes, so are criminals. Criminals – in this current context, cybercriminals – are looking to do all kinds of disruptive or destructive activities, whether it's a straightforward denial-of-service attack at one end of the spectrum or a full-scale attempt to take down a government or critical infrastructure by whatever means possible at the other.

These threat actors start by stealing credentials, focusing on those that give access to servers and other corporate assets, though individual non-admin accounts are not out of their sight. What sets them apart from many other thieves is that they don't use the credentials themselves to gain entry. Either the credential thieves are Initial Access Brokers (IABs), or they sell these credential sets to IABs, who in turn sell them to the customers and affiliates of organized underground (aka Dark Web) threat actors. While it is not necessarily simple or straightforward, this is the entry point for the topic at hand: Ransomware-as-a-Service.

What is Ransomware as a Service (RaaS)?

Ransomware as a Service (RaaS) is Conti attacking numerous healthcare, first responder, and law enforcement agencies in early 2021.

RaaS is Lockbit 2.0 attacking a Bulgarian refugee agency.

RaaS is REvil abusing Kaseya Virtual Systems Administrator (VSA) to attack Managed Service Providers and their customers.

RaaS, though illegal, is a valid and highly efficient business model, similar to the Software-as-a-Service (SaaS) model. Ransomware operators create ransomware attacks, then customers, or affiliates, can buy those services and launch the attacks. RaaS syndicates may offer different tiers of services, including technical support, bundles, and community forums.

How the RaaS model operates

Because it is a business model, the success of affiliates plays a part in the sales strategy. The better affiliates perform, the better chance they have of being noticed by other groups for future sales and engagement opportunities.

One aspect of attempting to increase market performance is Big Game Hunting (BGH): in scoping out ransomware victims, targets have included large organizations in Healthcare, Manufacturing, Managed Services, Media, and Government.

While BGH seems intuitive (low effort, enormous payoff), its activity has decreased recently. This drop-off is most likely due to US authorities focusing on protecting those industries and successfully combating ransomware activities (e.g., retrieving some of the ransom paid by Colonial Pipeline). Due to the increased investigation, RaaS has moved more toward mid-sized organizations, but is still highly successful.

Why the success? As the old saying goes: “Why did I rob the bank? Because that's where the money is.” From 2013 to 2019, ransomware brought in over $144 million for criminals. In 2020 alone, ransomware groups extorted $692 million. RaaS not only works, it is lucrative and growing fast.

Preventing RaaS attacks

There are many ways to protect oneself from RaaS attacks. Here are some common and proven approaches for data defense:

Zero Trust

No single product or suite of tools achieves this; Zero Trust (ZT) is a mindset. ZT can serve as the frame from which all other security controls hang.

Phishing training

This can be purchased, obtained for free (e.g., Cofense), or created in-house (e.g., using Moodle). There are numerous options for protecting Layer 8, the human layer.

Identity and Access Management (IAM)

Being able to set granular controls to ensure only the proper individuals access the proper resources is a key component of attack prevention. This includes monitoring, logging, alerting on anomalous activity, and denying suspicious logins.
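One way to act on the monitoring and alerting part of that, as an added example that is not from this post's author: the script below runs two detections over constructed OpenSSH-style authentication log lines. The first flags a burst of failed logins from one source address followed by a success (a brute-force or password spray that eventually worked, the kind of stolen-credential entry the post opens with); the second flags a successful login for an account from a source never seen for that account. The log lines, the failure threshold and the baseline of known sources are assumptions for illustration.

```python
"""Detection logic over authentication log lines.

Added example for this post, not the author's code. It implements two of
the IAM monitoring ideas above on constructed OpenSSH-style sshd lines:
(1) a burst of failures from one source followed by a success, the
signature of a brute-force or password spray that eventually worked, and
(2) a successful login for an account from a source address never seen
for that account. The log lines, the failure threshold and the baseline
of known sources are assumptions for illustration.
"""
import re
from collections import defaultdict

# timestamp, result, auth method, optional "invalid user", account, source
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: four failures from 203.0.113.9 (one against a
# non-existent account) and then a success as "admin"; alice logs in
# normally from 10.0.0.15 and later mistypes a password.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z sshd[1201]: Failed password for admin from 203.0.113.9 port 50122 ssh2
2024-05-01T09:00:03Z sshd[1201]: Failed password for admin from 203.0.113.9 port 50123 ssh2
2024-05-01T09:00:05Z sshd[1201]: Failed password for invalid user backup from 203.0.113.9 port 50124 ssh2
2024-05-01T09:00:08Z sshd[1201]: Failed password for admin from 203.0.113.9 port 50125 ssh2
2024-05-01T09:00:11Z sshd[1201]: Accepted password for admin from 203.0.113.9 port 50126 ssh2
2024-05-01T09:15:00Z sshd[1300]: Accepted publickey for alice from 10.0.0.15 port 41000 ssh2
2024-05-01T09:20:00Z sshd[1301]: Accepted publickey for alice from 10.0.0.15 port 41001 ssh2
2024-05-01T10:00:00Z sshd[1400]: Failed password for alice from 10.0.0.15 port 41002 ssh2
"""


def parse_auth_log(text):
    """Yield one dict per line that matches the sshd pattern; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(text, fail_threshold=3, known_sources=None):
    """Return alerts in log order.

    Failures are counted per source address rather than per account, so a
    spray across many usernames from one host still trips the threshold.
    The counter resets on the first success from that source.
    """
    failures = defaultdict(int)      # src -> consecutive failures
    seen = defaultdict(set)          # user -> sources that have succeeded
    for user, srcs in (known_sources or {}).items():
        seen[user].update(srcs)

    alerts = []
    for ev in parse_auth_log(text):
        src, user = ev["src"], ev["user"]
        if ev["result"] == "Failed":
            failures[src] += 1
            continue
        if failures[src] >= fail_threshold:
            alerts.append({"rule": "brute_force_success", "ts": ev["ts"],
                           "user": user, "src": src, "failures": failures[src]})
        failures[src] = 0
        if src not in seen[user]:
            alerts.append({"rule": "new_source", "ts": ev["ts"],
                           "user": user, "src": src, "method": ev["method"]})
            seen[user].add(src)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, known_sources={"alice": ["10.0.0.15"]}):
        print(alert)
```

With alice's usual address in the baseline, only the admin login raises alerts (one for the four failures preceding it, one because 203.0.113.9 has never been seen for admin); without a baseline, alice's first login is also reported once and then learned. In production the baseline would be built from historical successes, and a "new_source" hit on an administrative account is the one to route to a human or to a step-up authentication challenge.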

Two-factor/Multi-factor Authentication

MFA and 2FA get bad publicity at times because they can be circumvented (for example, by phishing one-time codes). In truth, any security control can be circumvented given the right resources (knowledge, software, access, etc.), but that shouldn't keep anyone from implementing layered security. The percentage of attacks stopped by 2FA/MFA varies, but using it makes credential theft that much harder, and for some organizations the prevention rate has been 100%. MFA is a strong addition to anyone's defense strategy.

Backup and restore-ready

There will always be a debate about the best way to back up data (tape, cloud, hybrid, local, scheduled, real-time, etc., all dependent on one's resources), but there's no doubt about the need to back up data and to ensure it can be restored. While even the backup and restoration strategy can be debated (e.g., 3-2-1 copies, incremental versus differential backups), being able to restore slowly is better than not at all.

Education on the ransomware ecosystem

While RaaS is a huge industry, it's also run by people, and people can be turncoats. One example is being aware of events such as the Conti Leaks. Like the “Panama Papers”, the Conti Leaks, leaked by a disgruntled former Conti employee, revealed the inner workings of one of the most successful ransomware groups and helped the world at large better understand RaaS.

Understand the business risk

Keep up with the latest attack trends against your industry. According to the FBI's 2021 IC3 Report, Conti (no longer operating, at least under that name) often targeted manufacturing, commercial facilities, and food/agriculture; LockBit 2.0 focused its efforts on government facilities, healthcare, and financial services; and REvil targeted financial services, IT, and healthcare. Knowing where attacks may come from puts organizations in a better position to watch for indicators of compromise (IoCs).

If compromised, dont pay the ransom

This might not seem like a tactic for prevention or protection, but it's a longer-term approach. Paying may seem like a valid option, but in the long run it has a couple of negative results:

Discourages proper security

A similar attitude prevails when consumers rely on payment card providers to refund fraudulent transactions while not setting account alerts, not using good passwords, and not enabling other controls (such as 2FA) that could have prevented the theft in the first place. The financial burden is shifted onto others or deferred to the future.

Encourages crime

Not only do the criminals end up getting their money, but they also realize who they can attack again.

There's no doubt that RaaS is a tremendous negative force to reckon with, but there are also good forces out there ready to provide the right resources to protect individuals and organizations. With the right people, processes, and technology, data defense is realistic and feasible.
