Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Read Time:8 Minute, 26 Second

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Some of the many notifications Patel says he received from Apple all at once.

Parth Patel is an entrepreneur who is trying to build a startup in the cryptocurrency space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the target’s device(s) with alerts to approve a password change or login.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a user’s Apple watch if they have one.

But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).

“I pick up the phone and I’m super suspicious,” Patel recalled. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

All of it, that is, except his real name. Patel said when he asked the fake Apple support rep to validate the name they had on file for the Apple account, the caller gave a name that was not his but rather one that Patel has only seen in background reports about him that are for sale at a people-search website called PeopleDataLabs.

Patel said he has worked fairly hard to remove his information from multiple people-search websites, and he found PeopleDataLabs uniquely and consistently listed this inaccurate name as an alias on his consumer profile.

“For some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,” Patel said. “I asked them to verify my name and they said Anthony.”

Patel said the goal of the voice phishers is to trigger an Apple ID reset code to be sent to the user’s device, which is a text message that includes a one-time password. If the user supplies that one-time code, the attackers can then reset the password on the account and lock the user out. They can also then remotely wipe all of the user’s Apple devices.

THE PHONE NUMBER IS KEY

Chris is a cryptocurrency hedge fund owner who asked that only his first name be used so as not to paint a bigger target on himself. Chris told KrebsOnSecurity he experienced a remarkably similar phishing attempt in late February.

“The first alert I got I hit ‘Don’t Allow’, but then right after that I got like 30 more notifications in a row,” Chris said. “I figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.”

Chris says the attackers persisted hitting his devices with the reset notifications for several days after that, and at one point he received a call on his iPhone that said it was from Apple support.

“I said I would call them back and hung up,” Chris said, demonstrating the proper response to such unbidden solicitations. “When I called back to the real Apple, they couldn’t say whether anyone had been in a support call with me just then. They just said Apple states very clearly that it will never initiate outbound calls to customers — unless the customer requests to be contacted.”

Massively freaking out that someone was trying to hijack his digital life, Chris said he changed his passwords and then went to an Apple store and bought a new iPhone. From there, he created a new Apple iCloud account using a brand new email address.

Chris said he then proceeded to get even more system alerts on his new iPhone and iCloud account — all the while still sitting at the local Apple Genius Bar.

Chris told KrebsOnSecurity his Genius Bar tech was mystified about the source of the alerts, but Chris said he suspects that whatever the phishers are abusing to rapidly generate these Apple system alerts requires knowing the phone number on file for the target’s Apple account. After all, that was the only aspect of Chris’s new iPhone and iCloud account that hadn’t changed.

WATCH OUT!

“Ken” is a security industry veteran who spoke on condition of anonymity. Ken said he first began receiving these unsolicited system alerts on his Apple devices earlier this year, but that he has not received any phony Apple support calls as others have reported.

“This recently happened to me in the middle of the night at 12:30 a.m.,” Ken said. “And even though I have my Apple watch set to remain quiet during the time I’m usually sleeping at night, it woke me up with one of these alerts. Thank god I didn’t press ‘Allow,’ which was the first option shown on my watch. I had to scroll watch the wheel to see and press the ‘Don’t Allow’ button.”

Ken shared this photo he took of an alert on his watch that woke him up at 12:30 a.m. Ken said he had to scroll on the watch face to see the “Don’t Allow” button.

Unnerved by the idea that he could have rolled over on his watch while sleeping and allowed criminals to take over his Apple account, Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. The engineer assured Ken that turning on an Apple Recovery Key for his account would stop the notifications once and for all.

A recovery key is an optional security feature that Apple says “helps improve the security of your Apple ID account.” It is a randomly generated 28-character code, and when you enable a recovery key it is supposed to disable Apple’s standard account recovery process. The thing is, enabling it is not a simple process, and if you ever lose that code in addition to all of your Apple devices you will be permanently locked out.

Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.

KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. Visiting Apple’s “forgot password” page — https://iforgot.apple.com — asks for an email address and for the visitor to solve a CAPTCHA.

After that, the page will display the last two digits of the phone number tied to the Apple account. Filling in the missing digits and hitting submit on that form will send a system alert, whether or not the user has enabled an Apple Recovery Key.

The password reset page at iforgot.apple.com.

RATE LIMITS

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?

Apple has not yet responded to requests for comment.

Throughout 2022, a criminal hacking group known as LAPSUS$ used MFA bombing to great effect in intrusions at Cisco, Microsoft and Uber. In response, Microsoft began enforcing “MFA number matching,” a feature that displays a series of numbers to a user attempting to log in with their credentials. These numbers must then be entered into the account owner’s Microsoft authenticator app on their mobile device to verify they are logging into the account.

Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he’s convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed “AirDoS” because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop — a file-sharing capability built into Apple products.

Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple’s fix for that bug was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple’s rate limit on how many of these password reset requests can be sent in a given timeframe.

“I think this could be a legit Apple rate limit bug that should be reported,” Bagaria said.

Read More

Avoid Making Costly Mistakes with Your Mobile Payment Apps

Read Time:4 Minute, 50 Second

There used to be a time when one roommate split the cost of rent with another by writing a check. Who still owns a checkbook these days? Of course, those days are nearly long gone, in large part thanks to “peer to peer” (P2P) mobile payment apps, like Venmo, Zelle, or Cash AppNow with a simple click on an app, you can transfer your friend money for brunch before you even leave the tableYet for all their convenience, P2P mobile payment apps could cost you a couple of bucks or more if you’re not on the lookout for things like fraud. The good news is that there are some straightforward ways to protect yourself. 

You likely have one of these apps on your phone alreadyIf so, you’re among the many. It’s estimated that 49% of adults in the U.S. use mobile payment apps like these

Yet with all those different apps come different policies and protections associated with them. So, if you ever get stuck with a bum charge, it may not always be so easy to get your money back. 

With that, here are seven quick tips for using your P2P mobile payment apps safely.

1. Add extra protection with your face, finger, or PIN. 

In addition to securing your account with a strong password, go into your settings and set up your app to use a PIN code, facial ID, or fingerprint ID. (And make sure you’re locking your phone the same way too.) This provides an additional layer of protection in the event your phone is stolen or lost and someone, other than you, tries to make a payment with it.  

2. Get a request or make a test before you pay in full. 

What’s worse than sending money to the wrong person? When paying a friend for the first time, have them make a payment request for you. This way, you can be sure that you’re sending money to the right person. With the freedom to create account names however one likes, a small typo can end up as a donation to a complete stranger. To top it off, that money could be gone for good! 

Another option is to make a test payment. Sending a small amount to that new account lets both of you know that the routing is right and that a full payment can be made with confidence. 

3. You can’t always issue a “hold” or “stop payment” with mobile payment apps. 

Bye, bye, bye! Unlike some other payment methods, new mobile payment apps don’t have a way to dispute a charge, cancel a payment, or otherwise use some sort of recall or retrieval feature. If anything, this reinforces the thought above—be sure that you’re absolutely making the payment to the right person. 

4. When you can, use your app with a credit card. 

Credit cards offer a couple of clear advantages over debit cards when using them in association with mobile payment apps (and online shopping for that matter too). Essentially, they can protect you better from fraud: 

Debit cards immediately remove cash from your account when a payment is made, whereas credit card payments appear as charges—which can be contested in the case of fraud. 

In the U.S., if your credit card is lost or stolen, you can report the loss and you will have no further responsibility for charges you didn’t make. Additionally, liability for each card lost or stolen is $50. Debit cards don’t enjoy these same protections. 

5. Fraudulent charge … lost or stolen card? Report it right away. 

Report any activity like this immediately to your financial institution. Timing can be of the essence in terms of limiting your liabilities and losses. For additional info, check out this article from the Federal Trade Commission (FTC) that outlines what to do if your debit or credit card is stolen and what your liabilities are.  

Also, note the following guidance from the FTC on payment apps: 

“New mobile apps and forms of payment may not provide these same protections. That means it might not always be easy to get your money back if something goes wrong. Make sure you understand the protections and assurances your payment services provider offers with their service.”  

6. Watch out for cybercrooks cashing in on mobile payment app scams. 

It’s sad but true. Crooks are setting up all kinds of scams that use mobile payment apps. A popular one involves creating fake charities or posing as legitimate ones and then asking for funds by mobile payment. To avoid getting scammed, check and see if the charity is legit. The FTC suggests researching resources like Better Business Bureau’s Wise Giving Alliance, Charity Navigator, Charity Watch or,  GuideStar. 

Overall, the FTC further recommends the following to keep yourself from getting scammed: 

Review the app’s fraud protection policies and understand whether and how you can recover funds if a problem arises. 
Be wary of any business that only accepts P2P payment apps or pre-paid debit card payments. Consider this a red flag. 
Never send P2P payments to, or accept payments from, someone you don’t know. 
Don’t use P2P payment apps for purchasing goods or services. As noted above, you may not get the consumer protections a credit or debit card can offer. 

7. Protect your phone 

With so much of your life on your phone, getting security software installed on it can protect you and the things you keep on your phone. Whether you’re an Android owner or iOS owner, mobile security software can keep your data, shopping, and payments secure. 

The post Avoid Making Costly Mistakes with Your Mobile Payment Apps appeared first on McAfee Blog.

Read More

Quizzes and Other Identity Theft Schemes to Avoid on Social Media

Read Time:7 Minute, 39 Second

Before you take the fun-looking quiz that popped up in your social media feed, think twice. The person holding the answers may be a hacker. 

Where people go, hackers are sure to follow. So it’s no surprise hackers have set up shop on social media. This has been the case for years, yet now social media-based crime is on the rise. Since 2021, total reported losses to this type of fraud reached $2.7 billion

Among these losses are cases of identity theft, where criminals use social media to gather personal information and build profiles of potential victims they can target. Just as we discussed in our recent blog, “Can thieves steal identities with only a name and address?” these bits of information are important pieces in the larger jigsaw puzzle that is your overall identity. 

Let’s uncover these scams these crooks use so that you can steer clear and stay safe. 

A quick look at some common social media scams 

Quizzes and surveys 

“What’s your spooky Halloween name?” or “What’s your professional wrestler name?” You’ve probably seen a few of those and similar quizzes in your feed where you use the street you grew up on, your birthdate, your favorite song, and maybe the name of a beloved first pet to cook up a silly name or some other result. Of course, these are pieces of personal information, sometimes the answer to commonly used security questions by banks and other financial institutions. (Like, what was the model of your first car?) With this info in hand, a hacker could attempt to gain access to your accounts.  

Similarly, scammers will also post surveys with the offer of a gift card to a popular retailer. All you have to do is fork over your personal info. Of course, there’s no gift card coming. Meanwhile, that scammer now has some choice pieces of personal info that they can potentially use against you. 

How to avoid them: Simply put, don’t take those quizzes and surveys online. 

Bogus benefits and get-rich-quick schemes  

The list here is long. These include posts and direct messages about phony relief fundsgrants, and giveaways—along with bogus business opportunities that run the gamut from thinly veiled pyramid schemes and gifting circles to mystery shopper jobs. What they all have in common is that they’re run by scammers who want your information, money, or both. If this sounds familiar, like those old emails about transferring funds for a prince in some faraway nation, it is. Many of these scams simply made the jump from email to social media platforms. 

How to avoid them: Research any offer, business opportunity, or organization that reaches out to you. A good trick is to do a search of the organization’s name plus the term “scam” or “review” or “complaint” to see if anything sketchy comes up. 

Government imposter scams 

If there’s one government official that scammers like to use to scare you, it’s the tax collector. These scammers will use social media messaging (and other mediums like emails, texts, and phone calls) to pose as an official who’s either demanding back taxes or offering a refund or credit—all of which are bogus and all of which involve you handing over your personal info, money, or both.  

How to avoid them: Delete the message. In the U.S., the IRS and other government agencies will never reach out to you in this way or ask you for your personal information. Likewise, they won’t demand payment via wire transfer, gift cards, or cryptocurrency like Bitcoin. Only scammers will. 

Friends and family imposter scams 

These are far more targeted than the scams listed above because they’re targeted and often rely upon specific information about you and your family. Thanks to social media, scammers can gain access to that info and use it against you. One example is the “grandkid scam” where a hacker impersonates a grandchild and asks a grandparent for money. Similarly, there are family emergency scams where a bad actor sends a message that a family member was in an accident or arrested and needs money quickly. In all, they rely on a phony story that often involves someone close to you who’s in need or trouble. 

How to avoid them: Take a deep breath and confirm the situation. Reach out to the person in question or another friend or family member to see if there really is a concern. Don’t jump to pay right away. 

The romance con  

This is one of the most targeted attacks of all—the con artist who strikes up an online relationship to bilk a victim out of money. Found everywhere from social media sites to dating apps to online forums, this scam involves creating a phony profile and a phony story to go with it. From there, the scammer will communicate several times a day, perhaps talking about their exotic job in some exotic location. They’ll build trust along the way and eventually ask the victim to wire money or purchase gift cards.  

How to avoid them: Bottom line, if someone you’ve never met in person asks you for money online, it’s a good bet that it’s a scam. Don’t do it. 

Protecting yourself from identity theft and scams on social media 

Now with an idea of what the bad actors are up to out there, here’s a quick rundown of things you can do to protect yourself further from the social media scams they’re trying to pull. 

Use strict privacy settings. First up, set your social media profile to private so that only approved friends and family members can access it. McAfee’s Social Media Privacy Manager can easily help you do this. This will circulate less of your personal information in public. However, consider anything you do or post on social media as public information. (Plenty of people can still see it, copy it, and pass it along.) Likewise, pare back the information you provide in your profile, like your birthday, the high school you attended, and so on. The less you put out there, the less a scammer can use against you. 
Be a skeptic. You could argue that this applies to staying safe online in general. So many scams rely on our innate willingness to share stories, help others, or simply talk about what’s going on in our lives. This willingness could lower your guard when a scammer comes calling. Instead, try to look at the messages you receive beyond face value. Does something seem unusual about the language or request? What could be the motivation behind it? Pausing and considering questions like these could spare some headaches. 
Know your friends. How well do you know everyone on your list of friends and followers? Even with your privacy settings set to the max, these people will see what you’re posting online. Being selective about who you invite into that private circle of yours can limit the amount of personal information people have immediate access to via your posts, tweets, and updates. However, if you like having a larger list of friends and followers, be aware that any personal info you share is effectively being broadcast on a small scale—potentially to people you don’t really know well at all. 
Follow up. Get a message from a “friend” that seems a little spammy or just plain weird? Or maybe you get something that sounds like an imposter scam, like the ones we outlined above? Follow up with them using another means of communication other than the social media account that sent the message. See what’s really going on.  
Look out for each other. Much like following up, looking out for each other means letting friends know about that strange message you received or a friend request from a potentially duplicate account. By speaking up, you may be giving them the first sign that their account (and thus a portion of their identity) has been compromised. Likewise, it also means talking about that online flame with each other, how it’s going, and, importantly if that “special someone” has stooped to asking for money. 

Stay steps ahead of the scams on social media 

Above and beyond what we’ve covered so far, some online protection basics can keep you safer still. Comprehensive online protection software will help you create strong, unique passwords for all your accounts, help you keep from clicking links to malicious sites, and prevent you from downloading malware. Moreover, it can provide you with identity protection services like ours, which keep your personal info private with around-the-clock monitoring of your email addresses and bank accounts with up to $1M of ID theft insurance. 

Together, with some good protection and a sharp eye, you can avoid those identity theft scams floating around on social media—and get back to enjoying time spent online with your true family and friends. 

The post Quizzes and Other Identity Theft Schemes to Avoid on Social Media appeared first on McAfee Blog.

Read More

On Secure Voting Systems

Read Time:1 Minute, 21 Second

Andrew Appel shepherded a public comment—signed by twenty election cybersecurity experts, including myself—on best practices for ballot marking devices and vote tabulation. It was written for the Pennsylvania legislature, but it’s general in nature.

From the executive summary:

We believe that no system is perfect, with each having trade-offs. Hand-marked and hand-counted ballots remove the uncertainty introduced by use of electronic machinery and the ability of bad actors to exploit electronic vulnerabilities to remotely alter the results. However, some portion of voters mistakenly mark paper ballots in a manner that will not be counted in the way the voter intended, or which even voids the ballot. Hand-counts delay timely reporting of results, and introduce the possibility for human error, bias, or misinterpretation.

Technology introduces the means of efficient tabulation, but also introduces a manifold increase in complexity and sophistication of the process. This places the understanding of the process beyond the average person’s understanding, which can foster distrust. It also opens the door to human or machine error, as well as exploitation by sophisticated and malicious actors.

Rather than assert that each component of the process can be made perfectly secure on its own, we believe the goal of each component of the elections process is to validate every other component.

Consequently, we believe that the hallmarks of a reliable and optimal election process are hand-marked paper ballots, which are optically scanned, separately and securely stored, and rigorously audited after the election but before certification. We recommend state legislators adopt policies consistent with these guiding principles, which are further developed below.

Read More

The Growing Importance of CAASM in Company Cybersecurity Strategy

Read Time:6 Minute, 50 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

The recent years’ events, including the proliferation of ransomware, the pandemic, and political tensions, have fast-tracked the development of both offensive and defensive tools in the cyber domain. Cybersecurity concepts that were nascent a few years ago are now being refined, demonstrating the practical benefits of modern digital risk management strategies.

Gartner analysts have highlighted the expansion of the attack surface as a significant risk for corporate cyber environments in the upcoming years. The most vulnerable entities include IoT devices, cloud apps, open-source systems, and complex software supply chains.

There is an increasing demand for concepts like Cyber Asset Attack Surface Management (CAASM), External Attack Surface Management (EASM), and Cloud Security Posture Management (CSPM) in corporate security frameworks. This trend is also documented in Gartner’s “hype” chart.

Let’s discuss the concept of CAASM, which is centered on identifying and managing all digital assets within an organization, whether they are internal or external. This approach aims to provide a comprehensive view and control over the organization’s cyber environment, enhancing security measures and management practices.

What Is CAASM

CAASM assists IT departments in achieving end-to-end visibility of a company’s cyber assets. This strategy creates a fuller understanding of the actual state of the infrastructure, enabling the security team to respond promptly to existing threats and potential future ones.

CAASM-based products and solutions integrate with a broad array of data sources and security tools. CAASM gathers and aggregates data and analyzes perimeter traffic, providing a continuous, multi-dimensional view of the entire attack surface.

Having access to current asset data enables information security officers to visualize the infrastructure and address security gaps promptly. They can prioritize the protection of assets and develop a unified perspective on the organization’s actual security posture. This sets the stage for proactive risk management strategies.

Exploring CAASM’s Core Functions

The CAASM approach equips security professionals with a variety of tools necessary for effectively managing an organization’s attack surface and addressing risks.

Asset Discovery

A lack of visibility into all of an organization’s assets heightens the risk of cyberattacks. Cyber Asset Attack Surface Management products automatically detect and catalog every component of a company’s digital infrastructure, encompassing local, cloud, and various remote systems, including shadow IT.
A company employing CAASM gains a clear overview of all its deployed web applications, servers, network devices, and cloud services. CAASM facilitates a comprehensive inventory of the devices, applications, networks, and users constituting the company’s attack surface.

Vulnerability Detection

It is important to understand the risks each asset poses, such as missing the latest security updates or opportunities to access sensitive data. CAASM systems integrate asset data, helping security teams identify misconfigurations, vulnerabilities, and other risks. The analysis considers software versions, patches, and configurations that hackers could exploit to launch an attack.

Risk Prioritization

CAASM systems evaluate how critical detected vulnerabilities are, helping prioritize and reduce the most substantial risks. Suppose the developers at a company are using an open-source library that has a known Log4Shell vulnerability. In such a scenario, CAASM will assist IT specialists in identifying all assets impacted by this vulnerability. It will also help prioritize this issue among other risks and communicate the relevant risk information to the information security department.

Integration With Security Tools

Broad visibility into infrastructure components is realized by integrating CAASM solutions with existing cyber defense tools, including:

Active Directory monitoring and protection solutions
Vulnerability scanners
Endpoint Protection Platforms (ERP)
Software Bill of Material (SBOM)
External Attack Surface Management (EASM)

Continuous Monitoring

CAASM products continuously monitor an organization’s attack surface for changes and new vulnerabilities, covering hardware, software, and data, both on-premises and in the cloud. For example, should new cloud storage be deployed without adequate access controls, CAASM will spot the insecure configuration and alert the security team. This real-time visibility significantly narrows the window of opportunity for potential attacks.

Mitigation and Remediation

CAASM platforms offer insights and recommendations on ways to remedy identified vulnerabilities, asset misconfigurations, and issues with security tools. For example, these actions can involve automated virtual patch deployment, configuration tweaks, or other measures designed to reduce the organization’s attack surface.

Reporting and Analytics

The advanced reporting and analytics features of CAASM products enable a company to track its infrastructure security status over time, assess the success of its security initiatives, and demonstrate compliance with regulatory requirements.

CAASM vs. Other Surface Management Tools

Let’s explore the main differences between CAASM and similar strategies. Using a table, we will compare them side-by-side, focusing on External Attack Surface Management and Cloud Security Posture Management systems.

CAASM vs. EASM vs. CSPM

 
CAASM
EASM
CSPM

Product Focus

Covers all cyber assets including on-prem, cloud, remote systems, and IoT devices.

Focuses on external resources like public apps, cloud services, servers, and third-party elements.

Targets cloud infrastructure, settings, and security policy compliance.

Threat Management

Manages internal and external threats, integrates with EASM tools for external data.

Addresses threats from external sources or attackers.

Fixes misconfigurations and compliance issues in cloud environments.

Visibility

A comprehensive view of the attack surface includes assets, misconfigurations, and vulnerabilities.

Views external attack surface from an attacker’s perspective.

Continuous monitoring of cloud security status.

Integration

Integrates with diverse data sources and security tools to detect and prioritize weak points.

Uses scanning, reconnaissance, and threat analysis to assess external risks.

Integrates via APIs with cloud service tools for security policy assessment and monitoring.

Attack Surface Management

Controls and reduces attack surface through continuous vulnerability detection and monitoring.

Manages the external attack surface by identifying exploitable software and network elements.

Improves cloud security through the identification and resolution of misconfigurations and compliance risks.

Objectives

Aims to improve overall security by timely addressing risks across all assets.

Seeks to reduce the risk of data breaches by minimizing external attack surface.

Aims to improve cloud security according to best practices and standards.

As you can see, CAASM is a universal security information system that encompasses and continuously protects all the company’s digital assets against both external and internal threats. Integrating CAASM-based products enhances data sharing, effectively complementing EASM and other tools aimed at overseeing the company’s assets.

Measuring the Success of CAASM Adoption

You can assess the effectiveness of CAASM after its integration into the company’s cyber defense system by monitoring various indicators. Let’s identify the main factors that will help you make this evaluation.

Asset Coverage

The primary measure of CAASM’s effectiveness lies in how comprehensively it covers the organization’s assets. This includes servers, devices, applications, databases, networks, and cloud resources. The broader the range of assets CAASM can monitor, the more accurately it can map the potential attack surface, leading to more effective threat protection.

Mean Time to Inventory

The Mean Time to Inventory (MTTI) metric shows how quickly new assets are identified and added to CAASM. A quicker discovery process suggests a proactive strategy in spotting and handling assets.

Vulnerability Mitigation Speed

The vulnerability detection and remediation rates reflect the percentage of identified vulnerabilities resolved within a specific timeframe. Swiftly addressing issues signifies a more efficient strategy in minimizing security risks.

Incident Detection and Response Time

Mean Time to Detect (MTTD) shows how quickly a security incident is noticed, while Mean Time to Respond (MTTR) tracks the time taken to respond and recover. Lower MTTD and MTTR indicate that CAASM is performing more efficiently within the company.

Compliance

This metric reflects the share of assets adhering to industry standards and regulatory requirements. The greater this percentage, the more efficiently assets are managed, leading to a decreased chance of security incidents.

Cost Savings and ROI

Reducing business downtime, cutting incident response expenses, avoiding regulatory penalties, and more – all reflect the effectiveness of CAASM implementation and contribute to its ROI in the long run.

Conclusion

CAASM is beneficial for mature organizations with complex and dynamic infrastructures. Continuous monitoring of all assets, including shadow IT, enables the timely adaptation of protection measures against existing and emerging threats, making CAASM a valuable component of a company’s cybersecurity strategy.

Read More