Virtual Armour
The Benefits of XDR: How AI is Improving Your Cybersecurity Posture

Summary

  • XDR empowers organizations with holistic security while reducing administration and management
  • XDR reduces reliance on human resources, using AI to “screen” false alerts and alert the cybersecurity team when appropriate
  • XDR monitors your entire network as opposed to singular channels or devices
  • XDR is ideal for organizations that process sensitive information (payment data, customer information, etc.) or organizations in regulated industries
  • XDR acts as a strong second and third level of defense

An Introduction to Extended Detection & Response (XDR)

Modern digital security requires a more complex approach than simply installing antivirus software and setting up a firewall. While those activities are certainly important, hackers today are far more sophisticated, and you need to have additional layers of protection in place to keep your IT environment protected. 

For many organizations, Extended Detection and Response (XDR) solutions are the ideal way to get the holistic security that they need while still allowing for simple administration and management. Read on to learn more about what XDR is and how it may benefit your organization.


What Exactly Is XDR?

XDR is a relatively new approach to threat detection and response; the term itself was only coined in 2018. While definitions vary, XDR ultimately unifies disjointed and fragmented security solutions and data sources to provide organizations a single pane of glass for threat detection, investigation, and response.

Once implemented, XDR delivers a more unified and holistic approach to defend against all types of attacks, including standard cyberattacks, misuse of networks, unauthorized access, etc.

XDR is designed to actively learn about evolving threats through artificial intelligence and machine learning technologies. In many ways, XDR is the next major step forward for both endpoint detection and response (EDR) and managed detection and response (MDR), both of which have been long-standing key security components for organizations that need to keep their networks safe.


How Does XDR Work?

XDR takes a more proactive approach to threat detection and response than a standalone EDR or SIEM solution. An effective XDR solution automatically correlates all telemetry to drive detection, as opposed to narrowly focusing on endpoints. This telemetry focus helps to not only provide greater visibility into threats in your environment, but also allows for easier administration and management of your security efforts. 

Some of the most significant ways that security engineers can benefit from XDR include: 

  • Detecting Sophisticated Threats – Modern cyberattacks do not need infected files to succeed. Instead, they are carried out through attacks on your website, DNS attacks, SQL injection, URL interpretation, and more. XDR actively monitors all traffic for anomalies to determine what is legitimate and what is a threat, so that threats can be blocked.
  • Tracking Threats Across Devices and Sources – XDR offers a holistic approach to cybersecurity. It does not simply monitor one threat location such as endpoints or user activity. Instead, it monitors traffic throughout your network so that potential threats can be spotted no matter where they occur. 
  • Collecting and Analyzing Data from Multiple Sources – In addition to simply monitoring the traffic, files, and other data points throughout your network, XDR collects data trends so that automatic correlation can identify abnormal activity within your network. Each day, XDR’s automatic correlation and AI make your security environment more secure.
  • Quicker and Custom Alerting to Unknown Threats – While XDR automatically reacts to varying threats, you can customize what you and your team need to know when a particular event arises.

To put it simply, XDR goes well beyond just watching your network for known threats and responding to them. XDR delivers a solution that centralizes all of your organization’s telemetry (across numerous tools and sources), correlates your telemetry, and equips you to detect and respond to more threats than ever. 

Who Needs XDR? 

Properly speaking, any company that wants to make sure that their environment is as safe as possible would at least want to consider adding XDR to their cybersecurity strategy. This would include companies that collect and store private customer data, companies that have any type of proprietary data on their systems, and companies that operate within regulated industries. 

The reality is, however, that XDR may be ‘overkill’ for some organizations. Many small businesses that use their computer systems for little more than communication and inventory tracking, for example, may not need to invest in an advanced security suite given their risk profile. 

When a company falls victim to a cyberattack that results in customer data being compromised, they are often unable to recover from the financial losses or the loss of reputation. Depending on your company’s risk profile, investing in a more comprehensive security solution like XDR makes sense. 


What are the Benefits of XDR?

XDR offers many different benefits to your company that go well beyond a simple improvement in the level of security that is in place. Every organization faces unique challenges related to security and will experience benefits specific to their circumstances. 

The following are some advantages that virtually every company will appreciate once they have XDR in place: 

  • Immediate Protection Against Known and Unknown Attacks – As soon as you implement XDR into your system you will begin benefiting from its advanced monitoring and detection. Out of the box, it is able to block all known types of threats and also watch for new and unknown threats. 
  • Reduced Alert Fatigue for Your Security Team – XDR is able to detect and react to threats without the need for human intervention in the vast majority of situations. This means there are far fewer alerts that need to be presented to your cybersecurity or network operations teams in real time. This can help to reduce alert fatigue so that your teams are able to be more effective in their roles.
  • Optimizing Technical Resources – While XDR and other software systems are extremely good at many things, there are some activities that are done best by real people. By allowing XDR to provide advanced threat detection and response, you free your technical teams to work on additional projects where they add more value.
  • Continuous Improvement Over Time – Since XDR has AI technologies built right in, it is able to continuously learn and improve over time. This means that the protection your systems have will naturally evolve and improve to ensure they remain effective against whatever threats the future may hold. 
  • Rapid Restoration of Functionality After Compromise – In the event that one of your systems is compromised, XDR is able to quickly isolate it and help to clear off any problems. This helps to minimize downtime and reduces the risk of a compromised system infecting other areas of your environment.
  • Effective Security for Local and Cloud Environments – Most companies today utilize both local and cloud-based environments. XDR is able to actively monitor and protect all types of environments to ensure your entire system is safe.

Where Should XDR Fit in Your Security Posture? 

When developing your digital security strategy, you will need to make sure that your environment is protected at every level. 

In general, the first line of defense is going to be the common practices such as a good username and password policy, proper access control strategies including authentication, and other solutions that are built right into the environment. 

XDR strengthens your security posture both as a second and third level of defense. In the past, network monitoring tools and concepts such as endpoint detection and response (EDR) would be used to monitor systems and report up to the third level (humans) in order to mitigate the threat. Since XDR offers advanced monitoring as well as threat mitigation systems, XDR can be used to reduce the number of alerts requiring human review.

How to Find A Strong XDR Partner

If you want to implement XDR into your environment, you will want to work with an experienced managed security services provider. When determining which MSSP to work with, you want to make sure that you choose one that is able to handle every aspect of your XDR implementation and management. This means working with a team that has worked extensively with leading XDR technology partners. Virtual Armour has worked with businesses of all sizes in multiple industries including energy, finance, healthcare, retail, and more. We are focused on providing industry leading cybersecurity solutions to all of our clients, and we are ready to help you today. Whether you are looking specifically for an XDR partner, or you want full security consulting, we are here for you. Contact us to speak with an expert and learn how we can help protect your systems from the ground up.

The 7 Most Common Types of Malware

Last updated August 19, 2022

Summary:

  • Malware is software designed to steal data, damage equipment, or spy on users.
  • Viruses infiltrate a program or device and then spread across a network.
  • Worms are viruses that self-replicate and spread without human action.
  • Trojans disguise themselves as legitimate code or software, but allow attackers to carry out the same actions as authorized users.
  • Ransomware restricts access to a device and gives control of it to an attacker unless a sum of money is paid to them.
  • Malicious Adware uses ads to lure users to download other types of malware or visit sites that will automatically infect their devices.
  • Malvertising is similar to malicious adware, but is delivered through a compromised website and only affects users while they are visiting it.
  • Spyware is malware designed to gather a user’s data without their consent or knowledge.

In the internet age, organizations in all verticals are increasingly relying on digital tools to get the job done. From seemingly mundane tools such as email and digital calendars to highly specialized programs, more work than ever relies on digital and internet-connected tools, including the cloud. Unfortunately, this rapid increase in digital interconnectivity has brought with it a sharp rise in digital crime, including the distribution of malware. 

If your organization has recently been targeted or is currently being targeted in a malware attack please contact our team of experts for advice and practical assistance as soon as possible and consider reading our educational article: Hacked? Here’s What to Know (and What to Do Next).



What is Malware?

Malware, short for malicious software, is a general term that encompasses a wide variety of malicious programs designed to steal sensitive data, damage equipment, or spy on unsuspecting users. In this article, we will discuss seven of the most common types of malware: 

  • Viruses
  • Worms
  • Trojans
  • Ransomware
  • Adware
  • Malvertising
  • Spyware

2021 Saw An Alarming Increase in Ransomware & This Trend is Likely to Continue

According to a joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the NSA, and in partnership with the Australian Cyber Security Centre (ACSC) and the United Kingdom’s National Cyber Security Centre (NCSC-UK), 2021 saw the continuation of several alarming cybercrime trends. The advisory found that “Ransomware [a type of malware] groups are having an increasing impact thanks to approaches targeting the cloud, managed service providers, industrial processes and the software supply chain” and that “More and more, ransomware groups are sharing victim information with each other, including access to victims’ networks.”

The advisory also reported that the ransomware market, in particular, is becoming increasingly “professionalized”, with more criminals relying on cybercriminal services-for-hire to attack targeted organizations.

These alarming statistics highlight the importance of having an up-to-date and comprehensive cybersecurity incident response plan in place, investing in critical cybersecurity infrastructure to safeguard your digital assets, and offering all team members regular cybersecurity training.  


The 7 Most Common Types of Malware (& How They Can Impact Your Organization)

1. Viruses

Computer viruses are a form of malware designed to infiltrate one program or machine and then spread to other systems, much like the viruses that target the human body. As it spreads, the virus wreaks havoc on business activities by encrypting, corrupting, deleting, or moving data and files or launching DDoS or ransomware attacks on other connected machines. 

Viruses are particularly insidious because they may remain dormant for a set period, allowing the virus to spread to as many machines and devices as possible before launching the attack. Viruses may be delivered via email or inadvertently downloaded from infected or malicious websites and can also be delivered via physical media such as USB drives. Cybercriminals may leave infected USB drives in lobbies or parking lots, hoping that a worker will pick them up and plug them into their network-connected computer. 

Unlike worms (discussed below), computer viruses must be embedded in a host program and often remain dormant until they are activated by unsuspecting users, such as when a user plugs an infected USB drive into their machine, opens an infected file, or clicks on a malicious URL.

2. Worms

Worms are similar to viruses, but they do not require human action to infect, self-replicate, and spread to other machines. As soon as the system is breached, worms can infect both the entry point machine and spread to other machines and devices on the network unaided by humans. 

Worms rely on network vulnerabilities, such as unpatched operating systems, weak email security protocols, and poor internet safety practices. Originally, the goal of most worms was to damage system resources to hinder performance. However, modern worms are often designed to steal or delete files and are typically deployed against email servers, web servers, and database servers. 

The Stuxnet attack is a particularly devastating example of a worm at work. This attack targeted operations technology systems involved in uranium enrichment and impacted organizations across Iran, India, and Indonesia. 


3. Trojans

A trojan is a type of malware that has disguised itself as a piece of legitimate code or software. Once an unsuspecting user grants the trojan network access, it allows attackers to carry out the same actions as legitimate users, including exporting or deleting files, modifying data, and otherwise altering the contents of the infected device. Trojans are designed to appear innocuous and are often found in downloads for games, apps, tools, or even software patches. 

Many trojans rely on phishing, spoofing, or other social engineering attacks to trick users into granting them network access, but this is not always the case. Though trojans are occasionally referred to as trojan viruses or trojan worms, these terms are not strictly correct: unlike viruses, trojans cannot self-replicate, and unlike worms, they cannot self-execute. All trojans require specific and deliberate user actions to spread, such as convincing a colleague to try out this great new productivity app or download this fun game onto their work phone so you two can play together on your lunch break. 

4. Ransomware

Ransomware is one of the most common and widely discussed forms of malware, and for a good reason. According to a cyber threat bulletin from the Canadian Centre for Cyber Security, the average recovery cost from a ransomware attack more than doubled between 2020 and 2021, from $970,722 CAD (roughly $757,852 USD as of the writing of this article) in 2020 to $2.3M CAD (roughly $1,795,380 USD) in 2021. The same bulletin revealed that the increased impact and scale of ransomware operations between 2019 and 2020 was largely fuelled by the “professionalization” of ransomware and the growth of the ransomware-as-a-service (RaaS) model, which involves less-technically-savvy criminals hiring skilled attackers to distribute ransomware campaigns, with attackers being paid a percentage of the victim’s ransom payment.

Ransomware is focused primarily on financial gain and is designed to encrypt files on an infected machine and hold them hostage until a ransom is paid. The invention of cryptocurrencies such as Bitcoin, which don’t rely on a central authority such as a bank and are therefore more difficult for law enforcement to trace, has made it easier than ever for attackers to extort victims.

Ransomware frequently relies on social engineering to manipulate unsuspecting users into downloading infected email attachments or clicking on URLs from untrustworthy sources. Once a device is infected, the program typically creates a back door, which allows the attackers to covertly access the device and begin encrypting files while locking owners and other legitimate users out. 

Even if your organization decides not to pay the ransom, you may still suffer financial loss. Employees who can’t access their work devices aren’t likely to get much work done, and your IT team and other technical specialists may need to be pulled away from other critical tasks to deal with the crisis. Depending on the nature of your business, even a few hours of downtime can have devastating consequences, as highlighted by the now-famous WannaCry attack that targeted the United Kingdom’s National Health Service (NHS) in 2017. The attack rendered the IT systems of hospitals and doctors’ surgeries inaccessible, which compromised medical care and put patient lives at risk. The attack knocked CT scanning facilities and MRI machines offline and left healthcare professionals unable to access vital data, including digital patient health records.


5. Malicious Adware 

Adware, also called advertising-supported software, is legitimate software that is designed to display ads to a user when they are online, thereby generating revenue for the website’s owner. Though it is not inherently malicious, it can be used for malicious purposes. 

While most legitimate organizations will carefully vet what sort of advertisements they allow to appear on their website (to ensure they don’t accidentally damage their brand by serving hateful or controversial content or drive business away by showing competitor ads), not all businesses are as meticulous as they should be. Cybercriminals may use malicious ads to trick unsuspecting users into downloading malware when they click on the ad or may use pop-ups, pop-unders (where the pop-up is intentionally hidden from view by the active window), or permanent windows that allow for drive-by downloads (where a user’s device becomes infected with malware simply by visiting the site). Malicious ads may also preemptively block antivirus programs from opening, further weakening your organization’s defenses. 

6. Malvertising

Malvertising (malicious advertising) is similar to malicious adware. One key difference is that adware only targets individual users and relies on infected digital ads served via unsuspecting websites. Once a device is infected, adware operates continuously on that device unless actively removed. On the other hand, malvertising is served by the compromised web page itself (not via third-party adware programs) and only affects users while they are on the infected web page. 

Like malicious adware, malvertising may take advantage of browser vulnerabilities to deploy drive-by downloads. However, because the entire webpage (and potentially the entire website) is compromised, it can also forcibly redirect users away from the legitimate site to a malicious one, or display advertising, malicious content, pop-ups, or pop-unders that the website’s owners did not intend to display. In the case of a forcible redirect, users may be sent to a different site infested with drive-by download malware (allowing attackers to compromise multiple sites and simply redirect their visitors to one malicious site), or to a site that looks almost exactly like the legitimate site as part of a wider phishing scam that attempts to trick unsuspecting users into handing over private information such as banking details or login credentials.

Malvertisements Cost Organizations More than Just Revenue & Site Traffic

While redirecting users to a different site impacts both website traffic and can compromise revenue streams, these are hardly the only potential costs. Website publishers may suffer reputational damage (since users are less likely to trust compromised organizations with their personal information going forward) and may be found legally liable for any damage suffered by users visiting their website. 

7. Spyware

Spyware differs from the other forms of malware we have discussed so far in that its goal is not to extort funds, steal sensitive files, or damage files but instead to, as the name suggests, spy on you and your organization. Spyware is designed to gather data without your consent and forward it to a third party. 

Spyware can also refer to legitimate software installed by companies to monitor their workforce or programs, such as tracking tools embedded in websites that you visit that are used for advertising purposes. However, we will be focusing on malicious spyware deployed by cybercriminals against unsuspecting targets such as businesses so they can profit from stolen data, including proprietary data and usernames and passwords (obtained via keylogging software).

Malicious spyware is a type of malware that has been installed without your informed consent and is designed to monitor your activities and capture personal, confidential data, often via keystrokes, screen captures, and other types of tracking tools. This stolen data is then aggregated and either used by the party that gathered it or sold to other parties. 

Malicious spyware is typically interested in confidential information such as:

  • Login credentials
  • Credit card numbers
  • Account PINs

However, it will also monitor your keyboard strokes, track your browsing habits, and harvest email addresses (including your own and those of the people and organizations you are corresponding with). 

Unlike ransomware, spyware goes out of its way to remain undetected and obscure its activities. Spyware often embeds itself in other programs that users are likely to intentionally download and install, such as bundleware (bundled software packages), without the knowledge or consent of the company that is offering the legitimate software.

However, sometimes companies will purposefully embed spyware in their bundleware while describing and requiring you to agree to the spyware in the license agreement without explicitly using the term “spyware”, tricking users into voluntarily and unknowingly infecting their devices. Spyware can also infect devices using similar methods to other malware, including via compromised websites or malicious attachments. Trojan malware and malicious adware may also both include spyware.

Spyware can wreak havoc on any business environment, allowing cybercriminals to better:

  • Steal data
  • Commit identity fraud
  • Damage computers
  • Disrupt business operations

Safeguarding Your Business From Malware

There are a few steps you can take to safeguard your organization against malware. These include:

Avoid Abandoned USBs

Attackers will often leave infected USB drives in publicly accessible places such as lobbies or parking lots in the hopes that some unsuspecting employee will pick it up and plug it into their machine. Should you come across an abandoned USB drive, you should report it to security and then hand the USB drive over to your cybersecurity team for further analysis and proper destruction.

Keep Your Software Up to Date

Software developers frequently release security patches, small programs designed to address known flaws and improve security. However, your organization can only take advantage of these improvements if the security updates are installed.

Invest in Antivirus Software

While antivirus software may not seem cutting edge anymore, it still plays a critical role in any cybersecurity strategy.

Think Before You Click

While most email providers include built-in antivirus scanning that flags potentially harmful attachments or links, it never hurts to be cautious. If you encounter a suspicious link or file, do not open it. Instead, you should forward the email to your cybersecurity team for further analysis. If the email is purportedly from someone you trust (such as your company’s bank or your boss) but seems suspicious, you should reach out to that person independently to verify that they are the real sender. You should also carefully read the sender’s email address on any email you receive. 

For example, if your boss Jennifer Smith usually emails you from her work email ([email protected]com), but this email is from a different address, such as [email protected]org or [email protected], you should not reply to the email, but should instead reach out to your boss independently to verify that she sent the email. This is particularly important if the sender is asking you for sensitive or personal information, such as banking details or your password, or asking you to do something unusual, such as purchase a large number of gift cards or make changes to company banking details.  

If someone sends you a URL, make sure you read it carefully. If you are expecting a URL that directs you to www.yourbank.com but instead see www.yourbaank.com (note the extra ‘a’), you should once again independently verify that the sender is who they say they are before taking any action or handing over any information. It’s always better to spend a bit of time verifying than to rush and take actions that could potentially compromise the safety and security of your organization.
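The look-alike sender domains and URLs described above (a trusted name under a different TLD, a typo such as the extra ‘a’, or a digit standing in for a letter) can be screened mechanically before a person has to judge them. The following is an added example, not code from the original article or from Virtual Armour; the trusted-domain list and the sample addresses are constructed, and the domain splitting assumes a simple name.tld layout (no country-code second-level domains such as co.uk).

```python
"""Flag e-mail sender domains and URL hosts that merely resemble a trusted domain."""
from urllib.parse import urlsplit

# Constructed allow-list; in practice this would be your own organization's
# domains and those of partners you correspond with. Ordered so results are stable.
TRUSTED_DOMAINS = ("yourcompany.com", "yourbank.com")

# Substitutions that make a name read correctly at a glance (digit 0 for o, rn for m, ...).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label):
    """Undo common look-alike substitutions so 'y0urbank' compares as 'yourbank'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (second-level name, TLD). Assumes name.tld; no ccSLDs such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return domain.lower(), ""
    return parts[-2], parts[-1]


def host_of(address_or_url):
    """Extract the domain from an e-mail address or the host from a URL."""
    if "@" in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    if "://" not in address_or_url:
        address_or_url = "http://" + address_or_url
    return (urlsplit(address_or_url).hostname or "").lower()


def classify(address_or_url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, host, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    host = host_of(address_or_url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", host, None          # exact match or a genuine subdomain
    name, tld = split_domain(host)
    for t in trusted:
        tname, ttld = split_domain(t)
        if name == tname and tld != ttld:
            return "suspicious", host, f"same name as {t} but different TLD"
        if name != tname and normalize(name) == tname:
            return "suspicious", host, f"homoglyph look-alike of {t}"
        d = levenshtein(name, tname)
        if 0 < d <= 2:                            # a typo away, e.g. yourbaank vs yourbank
            return "suspicious", host, f"edit distance {d} from {t}"
        if tname in host:                         # e.g. yourbank.com.evil.net, yourbank-login.com
            return "suspicious", host, f"contains trusted name {t} inside another domain"
    return "unknown", host, None


if __name__ == "__main__":
    # Constructed samples mirroring the cases in the article.
    for sample in ("jennifer.smith@yourcompany.com", "jennifer.smith@yourcompany.org",
                   "https://www.yourbaank.com/login", "y0urbank.com",
                   "yourbank.com.evil.net", "mail.yourcompany.com", "example.net"):
        print(sample, "->", classify(sample))
```

Anything returned as "suspicious" is exactly the case the article says to verify out of band before replying or clicking; "unknown" simply means the domain is not on the allow-list and is not a near miss.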

Invest in Cybersecurity Training for All Employees

Even the most comprehensive and robust cybersecurity incident response plan and cutting-edge cybersecurity infrastructure depends on educated users for maximum efficacy. Ensure all employees undergo cybersecurity training as part of your onboarding process and periodically receive additional training. 

Only Buy Devices from Trusted, Reputable Sources

While it may be more budget-conscious and environmentally friendly to purchase gently used devices, second-hand devices may offer more than you bargained for in the form of pre-downloaded malware. If you still intend to purchase second-hand equipment, make sure you do so from a trusted, authorized retailer of pre-owned devices and audit each item thoroughly for suspicious programs before connecting it to your network.

Opt for the Paid Version

One of the easiest ways to avoid falling victim to malicious adware is to opt for the paid, ad-free version of the software you are using whenever possible. Most organizations that offer premium subscriptions to otherwise ad-supported free products do not serve ads to premium users, so opting for the paid version can dramatically reduce your attack surface.

Vet Ads Partners Carefully to Avoid Malvertisement

Ad networks serve users ads from millions of advertisers, and most rely on real-time bidding, which means the ads shown on a website are constantly changing. This can make it difficult, if not nearly impossible, for individual website publishers to separate malicious ads from innocent ones. As such, it falls primarily on the ad provider to carefully vet ads, so it is critical that all website publishers choose their advertising partners with care. 

Be Cautious About Cookies

With GDPR compliance affecting more organizations each day, almost all websites now ask users for their explicit permission before creating cookies. Cookies are considered by some to be a form of spyware, so make sure you only accept cookies from trusted sites and consider limiting your permission to essential cookies only.

Consider Using an Anti-Tracking Browser Extension

Not all of your browsing activities need to be tracked by third parties, whether for legitimate means like advertising or otherwise. Anti-tracking tools can allow you to better opt-out of omnipresent tracking, which helps keep your browsing activities and data private.

Avoid Third-Party App Stores

Cybercriminals are increasingly targeting people through their phones, often using apps. Third-party app stores may not vet the apps they offer as carefully as Apple and Google, so it is best to be cautious and stick to the official app stores. 

Stick with Official App Publishers

Apps are an increasingly common delivery mechanism for malware, particularly spyware. Before you download an app, make sure that you trust the company that developed it.

Limit App Permissions

A troubling trend in the app space is apps that ask for more generous permissions than they require. Many apps ask to access your microphone, camera, or location data without justifying why they need this information. To avoid handing over more data than you need or want to, you should regularly review your app permissions and ensure your current settings reflect your actual preferences.

Nothing is Ever Really Free

As the old saying goes: if something is free, it’s because you are the product, not the customer. While sometimes free can mean a limited-time trial that allows prospective customers to try out the product for themselves, it can also mean that its creator is profiting off of the data you generate. Before you start using new software, make sure you take the time to read through the terms of use and only agree to them if you understand and accept them. 


Are You Concerned About Malware? VirtualArmour is Here to Help!

While it may feel like malware is lurking around every corner, there are concrete steps you can take to better safeguard your organization and its data. In addition to the advice above, you should also consider partnering with a trusted MSSP like VirtualArmour. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring as well as industry-leading response times. 

The cybersecurity experts at VirtualArmour have extensive experience working with organizations in a variety of verticals, including healthcare, finance, retail, and energy and are also familiar with the unique needs of service providers and offer tailored plans based on your level of need, including essential services, premium services, and one-time consults. We offer a wide selection of cybersecurity services, including:

For more information, or to get your free, no-obligation quote, please contact our team of experts today.

OT Security: Safeguarding Your OT Assets in An Increasingly Connected World

Last updated August 19, 2022

Summary:

  • Operations Technology (OT) is increasingly being targeted by cyber attacks.
  • In recent years, high-profile cyber incidents such as Stuxnet and the Norsk Hydro ransomware attack caused tens of millions of dollars in damages and destroyed critical equipment.
  • The Industrial Internet of Things (IIoT) has removed the “air-gap” that once existed between OT assets and broader IT networks—making OT more vulnerable to cyber threats.
  • Cybersecurity threats faced by OT include direct internet connections, insecure passwords, misconfigured access points, outdated operating systems, and poor employee training.
  • OT-heavy organizations should carefully audit third parties who want access to their systems and take steps to combat cyber espionage (especially in the mining and energy sectors). Be wary of phishing attacks as well.
  • Managed cybersecurity services can provide vital protection for an organization’s OT, especially when combined with best practices like network mapping, a zero-trust framework, and controls for identity and access management.

While once rare, cybersecurity incidents targeting Operations Technology (OT) assets have become increasingly common in the past few years. This unfortunate trend prompted Verizon (in their 2020 Data Breach Investigation Report) to examine, for the first time in its then 12-year publication history, the involvement of OT assets vs. IT assets in security incidents. This report also included a section specifically aimed at organizations in the Mining, Quarrying, and Oil & Gas Extraction business. 

Norsk Hydro & Stuxnet: The Canaries in the Coal Mine

Norsk Hydro

Verizon’s 2020 report was released in the wake of the devastating 2019 ransomware attack on Norsk Hydro, which forced the organization to resort to manual operations at 170 sites in 40 different countries and cost the company tens of millions of dollars in damages. While OT networks and assets weren’t the primary target in this attack, the spill-over from the IT-focused attack disrupted OT networks substantially and shone a light on how unprotected many OT systems and assets really are. 

Stuxnet

However, the Norsk Hydro attack was not the first widespread, OT-disrupting attack. In 2010, Stuxnet, a highly sophisticated computer worm that targeted computers involved in uranium enrichment, disrupted OT systems across Iran, India, and Indonesia. The program began by checking whether an infected computer was connected to specific programmable logic controller (PLC) models manufactured by Siemens (PLCs are devices that computers use to interact with and control complex industrial machines such as uranium centrifuges). 

Computers that weren’t connected were ignored (and typically left unharmed). However, computers connected to the PLCs then had their programming altered, causing the centrifuges to spin too quickly and for too long, extensively damaging and even destroying delicate and expensive equipment. While this was happening, Stuxnet directed the PLCs to report that all equipment was working normally, which, in the world of remote monitoring, made it incredibly difficult to detect and diagnose the problem before extensive damage had already been done.

OT assets bring with them unique security implications, and as an organization’s OT footprint expands, its security risk scales as well. This reality, combined with broader market changes, is significantly reshaping OT security environments. Businesses with significant OT assets need to take steps to secure their OT devices and improve their overall cybersecurity posture. 

IT Security vs OT Security: A Brief Overview

While many organizations used to manage their IT and OT networks separately, IT and OT systems have a lot in common and rely on very similar tools. However, these tools are used in different ways: while IT tools are designed to interact with humans so they can complete their work tasks, OT tools are designed to interact with machines and ensure that the industrial control systems within your organization are operating correctly and available for the tasks your organization depends on them for.

One of the reasons OT and IT were kept apart for so long is that traditionally OT environments were “air-gapped”: kept isolated from the broader IT network and run in separate, siloed environments without internet access. However, the rise of IIoT (the industrial internet of things), which allows OT assets to be controlled and monitored remotely, has broken this isolation. While remote capabilities allow organizations to enjoy decreased costs and increased efficiency, the trade-off is that OT systems are no longer automatically protected from internet-based threats, such as cybersecurity attacks. 

The Security Risks Associated with Operational Technology

IT security has been a priority for most organizations for decades, but unfortunately, OT security has not received the same amount of attention. According to the 2020 Global IoT/ICS Risk Report:

  • 71% of IoT and Industrial Control Systems (ICS) networks are running on outdated operating systems that are no longer receiving security updates,
  • 66% have not been updated with the latest antivirus software, and
  • 64% of these networks rely on insecure passwords.

These findings are alarming and highlight several pervasive problems.

Direct Internet Connections

Many OT reliant organizations depend on direct connections to the public internet; this is a serious problem, as even a single internet-connected device can provide a gateway for cyberattackers to introduce malware onto a network or infiltrate the network and gain access to sensitive or proprietary information.  

Insecure Passwords

While easy-to-remember passwords provide convenient entry for authorized workers, they also make it easy for attackers to brute-force their way onto your network. To improve password security, you should consider following the NIST password guidelines (please see section 5.1.1.1 Memorized Secret Authenticators) or investing in a secure password manager. 

Misconfigured APs Are a Security Risk

A single misconfigured wireless access point (AP) can compromise the security of your entire network. To help prevent unauthorized network access, you should audit all APs regularly and ensure any new APs added to the network are correctly configured.

Outdated Operating Systems

While transitioning to a new operating system may pose a bit of a headache, outdated operating systems that no longer receive security updates are a prime target for security attacks. To help improve your security posture, you should inventory all machines and access points on your network to ensure they are able to take advantage of their manufacturers’ latest security patches and updates. 

Operating systems that are no longer supported should be phased out as quickly as possible and replaced with more secure options. During the transition, your security team should monitor your currently outdated systems more closely than usual since they present a particularly tempting entry point to attackers.

Inadequate OT Employee Training

Without proper employee cybersecurity training, even the best policies, most secure systems, and the latest and greatest security products will fall short. All employees should undergo regular cybersecurity training, and you should include security training during your onboarding process.

Well-trained employees are an incredibly valuable security asset, giving you eyes and ears across your network. You should ensure employees can identify potentially suspicious activities (such as phishing scams) and know who to report potentially suspicious activities to. 

You should also consider running tabletop cybersecurity exercises. Tabletop exercises are similar to fire drills: allowing your employees to put their cybersecurity skills and knowledge to the test in a no-stakes environment. Employees are presented with a hypothetical cybersecurity incident which they have to respond to. This not only allows employees to get comfortable using their cybersecurity knowledge and helps them familiarize themselves with your incident response plan but is also a great way to identify gaps in your security posture and response procedures so that they can be addressed before those deficiencies can be used against you. 

As Your OT Footprint Expands, Industry Operators Need to Consider These Cyber Risks As Well

As your OT footprint expands, so do your cyber risks. However, by adopting a security-focused and proactive mindset, you can help ensure your cybersecurity posture remains robust. 

Keep Third-Party Risk Management Top-of-Mind

Many OT-heavy organizations rely heavily on third parties. Oil and gas businesses looking to transition to renewable energy sources are partnering with third parties to ease this transition, and many mining companies rely on third parties for support services such as equipment assembly and maintenance. However, without proper planning and integration, partnering with a third party can increase risk and create security gaps in both parties’ systems.

To help ensure your OT ecosystem remains secure, you should ensure that your new partners are able to smoothly integrate with your OT and IT networks. Linking two systems introduces risk to both, so it is important to ensure that this partnership won’t inadvertently introduce security gaps that could leave either party or both parties vulnerable. You should also carefully vet all partners to ensure they meet your rigorous cybersecurity standards and limit third-party access to only the systems they require to do their work. Should a third party require access to a critical or sensitive system, this access should be carefully monitored for suspicious activity in case your third-party partner’s network or organization becomes compromised. 

Beware of Cyber Espionage

Cyber espionage, particularly in the mining industry, remains a serious threat. Common cyber espionage attackers include competitors looking for an economic advantage and state-sponsored attackers looking to disrupt or cripple a rival country’s economy (such as the suspected attacks by Russian hackers on power companies, government agencies, and banks in Ukraine starting in 2015). 

Mining Companies

Both state-sponsored attackers and corporate interest groups view mining companies as treasure troves of valuable data and may seek to use cyber espionage tactics to gain unauthorized access to geological exploration research (including details on the location and value of natural deposits), corporate strategy documents (containing pricing information), and sensitive information on proprietary extraction and processing technologies. 

At the same time, insights into business strategies and mine values could be leveraged during merger and acquisition negotiations in an effort to outbid a competitor or lower the price of an acquisition target. Stolen trade secrets and IP can also be used to reduce R&D costs for the attacker, providing a long-term competitive advantage. A good example of cyber espionage in action within the mining industry came in 2011 when global mining company BHP Billiton was targeted by both state-sponsored attackers and competitors in an attack that sought to gain access to market pricing information for key commodities. 

Energy Providers, Including Oil & Gas

Oil and gas companies, as well as other energy providers, are also vulnerable to cyber espionage attacks. In 2021, many large international oil and gas companies were targeted in an attack that leveraged malware called Agent Tesla and other RATs (remote access trojans) to steal sensitive data, banking information, and browser information by logging keyboard strokes. While the Agent Tesla cyber espionage campaign mainly targeted energy companies, the attackers also targeted a small number of organizations in the IT, manufacturing, and media industries. 

By fortifying your current cybersecurity posture, keeping security top of mind, and investing in robust and comprehensive employee cybersecurity training, you can help ensure your OT assets and other critical systems are better able to fend off potential cyber attacks. 

Phishing Attacks Target OT Assets As Well

Phishing attacks have begun to target OT assets and networks as well as IT networks. As such, all OT personnel should undergo cybersecurity training that includes how to identify potential phishing scams, what to do if they suspect they have been targeted by a phishing scam, and whom to report the potential scam to for further investigation.

Securing Your OT Devices: Steps for All Organizations

Take a Proactive Approach

As the old saying goes: the best offense is a good defense. A proactive approach to cybersecurity includes: 

Learn What to Look For

When it comes to cybersecurity and suspicious activities, it’s critical that your entire team knows what sort of red flags to look for. While false flags can temporarily divert personnel away from other critical tasks, underreporting can allow threats to sneak through, so it is always best to err on the side of caution. 

To help identify and investigate suspicious activities, many organizations turn to managed SIEM solutions. SIEM experts have extensive experience with cybersecurity and stay up to date on the continually evolving threat landscape, which allows them to quickly assess potentially suspicious activities and attacks that could impact your OT ecosystem.

You should also seriously consider investing in a managed firewall solution. Unlike passive firewall programs, managed firewall solutions include access to a team of security experts, who will monitor and fine-tune your firewall as well as ensure all necessary security patches are downloaded and implemented as soon as they become available. 

Invest in Network Mapping & Connectivity Analysis

It’s really easy to get lost without a map. Network mapping allows you to understand the physical and digital locations of all devices on your network, pinpoint issues, and isolate potentially compromised equipment quickly and effectively. This way, should an incident such as a malware or ransomware attack occur, your security team can quickly isolate infected machinery from the rest of the network, limiting or even preventing damage and disruption. 

Implement a Zero-Trust Framework

Zero-trust frameworks are built on the security philosophy of “never trust, always verify”. Zero-trust systems treat every person, device, application, and network as a potential threat until it has been properly vetted and verified. As such, each entity must prove its legitimacy (essentially show its digital ID badge) before it is allowed to connect to the OT network.

Many zero-trust systems rely on two-factor or multi-factor authentication (MFA) tools, which require users to provide more than one form of identification. Typically, this may require a user to provide a username and password, as well as an additional piece of identification, such as a short-lived code sent to their mobile device, a fingerprint scan, or the correct answer to a security question. By adding an extra layer of verification, organizations make it more difficult for an attacker to gain access to their OT systems.

Control Identity & Access Management

Not every worker needs to be able to access every part of your network, and overly-permissive access can pose a serious security risk. Controlling who is able to access what parts of your system is a critical piece of your overall cybersecurity posture, especially since every set of access credentials issued presents another potential entry vector for attackers. 

If an employee falls for a phishing scam or leaves their credentials unsecured or exposed, it could allow attackers to access critical systems or gain access to sensitive information. As such, all organizations should:

  • Educate employees about the importance of safeguarding their access credentials
  • Teach employees about the dangers of credential sharing
  • Adopt a least-privilege policy, and ensure it is maintained across your organization. This will limit access rights to those users who absolutely need them.
  • Revoke access privileges of former employees as soon as possible. Attackers will often look to leverage dormant accounts, and since the person the account is intended for is no longer using it, the use of these credentials is often not discovered right away.
  • Revoke temporarily-granted access for visitors, guests, and other third parties as soon as it is no longer required.
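The last three items in that list are checks you can automate. The following is an added example, not code from this article or from VirtualArmour: it audits a constructed account export against a constructed HR roster and a per-role least-privilege baseline, flagging departed employees still enabled, expired third-party access, dormant accounts, and group memberships beyond what a role needs. All user names, group names, and dates are hypothetical.

```python
from datetime import date

# Constructed sample data: HR status per employee user name.
HR_ROSTER = {
    "asmith": "active",
    "bjones": "terminated",
    "cwu": "active",
    "dlee": "active",
}

# Hypothetical group names; the least-privilege baseline lists the groups
# each job role legitimately needs. Anything beyond this is excess.
ROLE_BASELINE = {
    "operator": {"hmi_view"},
    "engineer": {"hmi_view", "plc_program"},
    "maintenance": {"hmi_view", "vendor_vpn"},
}

# Constructed account export (what a directory or IAM system would give you).
ACCOUNTS = [
    {"user": "asmith", "role": "operator", "enabled": True,
     "last_login": "2022-08-15", "expires": None, "groups": {"hmi_view", "plc_program"}},
    {"user": "bjones", "role": "engineer", "enabled": True,
     "last_login": "2022-05-01", "expires": None, "groups": {"hmi_view", "plc_program"}},
    {"user": "cwu", "role": "operator", "enabled": True,
     "last_login": "2022-03-01", "expires": None, "groups": {"hmi_view"}},
    {"user": "dlee", "role": "engineer", "enabled": True,
     "last_login": "2022-08-18", "expires": None, "groups": {"hmi_view", "plc_program"}},
    {"user": "vendor-pump-svc", "role": "maintenance", "enabled": True,
     "last_login": "2022-08-10", "expires": "2022-07-31", "groups": {"hmi_view", "vendor_vpn"}},
    {"user": "contractor-hmi", "role": "maintenance", "enabled": False,
     "last_login": "2022-06-01", "expires": "2022-06-30", "groups": {"hmi_view"}},
]


def audit_accounts(accounts, roster, baseline, today_iso, dormant_days=90):
    """Return (user, finding) pairs for enabled accounts that break the
    access-management rules above. `today_iso` is an ISO date string."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked; nothing to flag
        user = acct["user"]
        # 1. Former employees whose accounts were never revoked
        if user in roster and roster[user] != "active":
            findings.append((user, "departed_employee_still_enabled"))
        # 2. Temporary third-party access past its agreed end date
        if acct["expires"] and date.fromisoformat(acct["expires"]) < today:
            findings.append((user, "temporary_access_expired"))
        # 3. Dormant accounts: misuse goes unnoticed because nobody expects activity
        last = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        if last is None or (today - last).days > dormant_days:
            findings.append((user, "dormant"))
        # 4. Least privilege: groups beyond what the role's baseline allows
        excess = acct["groups"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((user, "excess_privilege:" + ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, "2022-08-19"):
        print(f"{user:18} {finding}")
```

Run on a schedule, the output is a work queue for whoever owns access reviews; the dormant-account threshold and the role baseline are the two inputs you will tune for your own environment.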

Create an OT Systems Management Program

An OT systems management program is a great way to ensure you are covering all of your security bases. Most programs typically include:

  • Asset inventory management
  • Lifecycle management, including:
    • Defining system requirements to ensure desired physical system outcomes
    • Establishing specifications to ensure security and reliability
    • Control and supply chain management over these systems
    • A schedule for replacing outdated components
  • Configuration management
  • Patch and vulnerability management
  • Network and system design
  • User and account management
  • Log and performance monitoring (critical for both reliability and security)
  • Incident and trouble response
  • Backup and restore functionality

A good OT systems management program offers a wide range of benefits, including:

  • Providing valuable insights into all hardware and software on your OT network, allowing your security team to identify vulnerabilities swiftly
  • Properly updating and configuring systems, which reduces attack surface areas
  • Providing a way for your team to update automation systems for key operational tasks in an operationally efficient manner 
  • Providing a mechanism that handles reporting and monitoring across your OT and IT systems in a consistent manner, thereby simplifying the reporting process.
  • More advanced and effective security controls by offering both proper visibility and access to underlying endpoints and other network infrastructure

Segment Your Network

Network segmentation is a great way to safeguard your most valuable OT assets and systems. Segmenting your network is a physical security measure that sections off vulnerable or sensitive systems and networks from the wider network. In IT, this may take the form of segmenting the accounting department’s network (which contains both private financial information and sensitive employee information) from less-critical or sensitive areas of the network, such as the guest wifi.

Network segmentation is becoming increasingly common in organizations that deal with critical infrastructure, including oil and gas companies, power companies, utility companies, and manufacturing companies, and is a great way to improve your security posture by better isolating and safeguarding critical and sensitive systems and assets. 
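Segmentation is only as good as its enforcement, and the direct internet connections called out earlier in this article are the most common way it fails. The following is an added example, not code from this article or from VirtualArmour: it encodes a simple zone policy (corporate users reach OT only through a jump host, OT never talks to the internet) and checks constructed flow records against it. The zone addresses, the jump-host design, and the flow records are hypothetical; ports 502 (Modbus/TCP) and 44818 (EtherNet/IP) are real ICS protocol ports.

```python
import ipaddress

# Constructed zone layout (hypothetical addresses): the OT network is
# reachable only through a jump host in a small maintenance zone.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "jump": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.50.0.0/16"),
}

# Segmentation policy: (source zone, destination zone) -> allowed TCP ports,
# or None for "any port". Zone pairs absent from the table are denied.
POLICY = {
    ("corporate", "corporate"): None,
    ("ot", "ot"): None,
    ("jump", "jump"): None,
    ("corporate", "internet"): {80, 443},
    ("corporate", "jump"): {22, 3389},   # operators reach the jump host only
    ("jump", "ot"): {22, 502, 44818},    # the jump host is the only way into OT
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def flow_allowed(src: str, dst: str, dport: int) -> bool:
    ports = POLICY.get((zone_of(src), zone_of(dst)), set())
    return ports is None or dport in ports


def find_violations(flow_records):
    """flow_records: iterable of 'src,dst,dport' lines (e.g. from a NetFlow export).
    Returns the records that cross a segment boundary the policy forbids."""
    violations = []
    for line in flow_records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        if not flow_allowed(src, dst, int(dport)):
            violations.append((src, zone_of(src), dst, zone_of(dst), int(dport)))
    return violations


# Constructed sample flows. Three of them are exactly what the article warns
# about: a direct corporate-to-OT connection, an OT device reaching the
# internet, and an inbound connection from the internet to a PLC.
SAMPLE_FLOWS = """
10.10.4.21,10.20.0.5,3389
10.20.0.5,10.50.1.10,502
10.10.4.21,10.50.1.10,502
10.50.1.10,198.51.100.7,443
203.0.113.9,10.50.2.3,22
10.50.1.10,10.50.1.11,44818
10.10.4.22,192.0.2.10,443
""".strip().splitlines()

if __name__ == "__main__":
    for src, src_zone, dst, dst_zone, port in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {src_zone}->{dst_zone}: {src} -> {dst}:{port}")
```

The same policy table can drive both directions of the work: feed it observed flows to find segmentation gaps, and use it as the specification when writing the actual firewall rules between zones.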

Consider Partnering with a Trusted MSSP

Securing your OT assets and networks against cyber attackers can be a daunting prospect, particularly for organizations without their own in-house cybersecurity teams. Fortunately, experts like VirtualArmour are here to help. Our team has extensive experience working with companies in a variety of OT-heavy industries, including the energy sector, mining, and manufacturing.

We offer a variety of security services, including:

We also offer tailored services à la carte, allowing you to select the services your organization requires so you can create a personalized premium or essential services package designed to meet your organization’s unique needs. We are also pleased to offer personalized, one-time expert consults.

With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and assistance, as well as industry-leading response times. Whether you are looking to assess your current OT cybersecurity posture, update or create your incident response plan, or coordinate employee training via our VirtualArmour Academy, the experts at VirtualArmour are here to help. For more information or to get your free, no-obligation quote or free cyber risk report, please contact our team today.

What the War in Ukraine Means for American Cybersecurity Engineers

The Russian invasion of Ukraine has shocked the world, driving millions from their homes as they seek safety. However, in the internet age, wars aren’t fought in the physical world alone, and cyber warfare has become an increasingly serious threat. 

The Invasion of Ukraine is Already a Cyberwar

Though most of the news coverage of the situation focuses on developments in the physical world, early cyber skirmishing has already begun. Cyberattacks have recently targeted the Ukrainian defense ministry and two banks in what the country’s deputy prime minister stated is the largest attack of this type ever seen in the country. 

While the Kremlin has denied they are behind the denial of service attacks, the disruption has brought concerns about the threat of cyberconflict into the spotlight. Ilya Vitayuk, the cybersecurity chief of Ukraine’s SBU intelligence agency, has stated that it is still too early to definitively identify the perpetrators behind the attack. This is because, as with most cyberattacks, the perpetrators worked hard to cover their tracks. However, he also added, “The only country that is interested in such … attacks on our state, especially against the backdrop of massive panic about a possible military invasion, the only country that is interested is the Russian Federation.”

Ukraine has accused Russia of cyberattacks in the past and believes the Kremlin is behind a string of cyberattacks against Ukraine starting in 2014. In an age when war is fought on battlefields, both physical and digital, combat is no longer confined to combatants on the ground. While Ukraine’s SBU has made cybersecurity a major security focus in the current conflict, a cyberattack on Ukraine by Russia or its allies could have wide-reaching consequences for Ukraine’s allies as well. As such, countries and private organizations alike need to remain vigilant.

The American Government Prepares to Respond

Cyberattacks, even those specifically targeting Ukraine, could seriously impact the United States. 

In response to the invasion of Ukraine, CISA (Cybersecurity and Infrastructure Security Agency) has issued a statement. Entitled Shields Up, it states (as of the writing of this article):

“While there are no specific or credible cyber threats to the US homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region. Every organization—large and small—must be prepared to respond to disruptive cyber activity. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber-attacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.”

President Joe Biden has announced the American government is prepared to respond to cyberattacks from Russia if necessary, and “For months, we have been working closely with our private — with the private sector to harden their cyber defenses, sharpen our ability to respond to Russian cyberattacks, as well.” NBC News also reported that President Biden has a “menu of options for the US to carry out massive cyberattacks designed to disrupt Russia’s ability to sustain its military options in Ukraine.”

However, as the Shields Up announcement indicates, cyberwarfare concerns are not contained to the national and international stage. Organizations of all sizes and in all verticals need to be taking appropriate steps to proactively safeguard their digital assets. 

What Sort of Cyberattacks Should We Anticipate?

While we have no way of knowing exactly what sort of attacks the cyber warfare front of the Ukraine-Russia conflict will bring, we can look to a history of previous international attacks for guidance. According to Forbes, organizations should be prepared to handle:

Advanced Persistent Threats (APTs)

APT is a broad term used to describe any attack campaign in which an attacker, or group of attackers, establishes an illicit, long-term presence on a network in order to covertly mine highly sensitive data. Most intrusions of this nature that target private companies focus on the theft of intellectual property, compromising sensitive data (such as employee or private user data), sabotaging critical infrastructure (such as deleting database data), or taking over websites with the goal of illegal financial enrichment; the strategies deployed against private companies can be used against nations and companies alike. 

With cyber warfare on our doorstep, now is the time to batten down the hatches and strengthen your cybersecurity posture. By improving your overall security posture, you can proactively guard against APTs by making it difficult for intruders to infiltrate your network in the first place, preventing them from establishing a covert, long-term presence. 

Malware

Malware refers to any form of malicious software, typically spread by infected email attachments and suspicious website links deployed as part of phishing scams. While most email providers automatically filter out suspicious messages, one of the best steps organizations can take to improve their cybersecurity posture is to invest in employee cybersecurity training. 

Cybersecurity is everyone’s responsibility, from the CEO down to the summer intern. Teaching workers to identify and report suspicious activities can stop an attack before it even begins, so all team members should receive robust cybersecurity training as both part of their onboarding process and on an ongoing basis. 

Ransomware

Ransomware is a subset of malware, which uses malicious code to encrypt files and prevent legitimate users from accessing data or systems on either their individual machine or the organization’s network. 

DDoS

DDoS (Distributed Denial of Service) attacks are attempts to crash a web server or other online service by flooding the supporting infrastructure with more traffic than the network can reasonably handle. 

This type of attack can be instigated by either a large group of attackers working together or a single attacker with a sufficiently large botnet (connected computers performing repetitive tasks as directed by the user in charge). The goal of DDoS attacks is to overload the server, forcing it offline and preventing legitimate users from accessing the organizations’ products or services. 

Network Security Attacks

“Network security attack” is an umbrella term for attacks aimed at disrupting an organization’s network and systems for a variety of reasons, including causing service disruptions, stealing data, or corrupting files. While this is often done for financial gain, in the case of the cyberwarfare front of Russia’s attack on Ukraine, it is likely to be for political or military gain. 

To help safeguard themselves from these types of attacks, organizations should be taking proactive steps to safeguard their networks from network breaches. 

What Steps Should Your Organization Be Taking to Best Safeguard Your Digital Assets

Follow All Current Advice From Your National Cybersecurity Authority

The situation, both on the ground in Ukraine and in the digital sphere, is continually evolving, with new threats always on the horizon. To best safeguard your organization, it is vital to stay up to date on the situation and follow the current advice of your national cybersecurity authority. 

Establish A Relationship With Local Governments in Jurisdictions Where Your Company Operates

  • In the United States, InfraGard is responsible for coordinating information sharing between critical infrastructure providers.
  • Organizations operating in the United Kingdom should review information provided by NCSC’s Critical National Infrastructure hub.
  • Organizations in the European Union should speak to their local CSIRT (Computer Security Incident Response Team) and CERT (Computer Emergency Response Teams) contacts. A full list of these can be found here
  • In Germany, the BSI (Federal Office for Information Security) has released several cybersecurity warnings related to the situation. Current security warnings can be found here
  • In Australia, the Australian Cyber Security Centre (ACSC) is providing guidance using ongoing alerts. You can also register to receive alerts from ACSC, and they provide general cybersecurity advice for small and medium businesses and organizations and critical infrastructure

Success Depends on Interorganizational Trust

Even the most comprehensive, best-designed cybersecurity strategy can be easily undermined if your organization lacks interdepartmental trust. A solid relationship between stakeholders and your security team is critical if you want to keep your organization secure. 

Building trust can be hard, but there are concrete steps your security team can take to build stakeholder trust. This includes:

Overcommunication 

Clear, concise, focused, and on-point communication is critical, and there is no such thing as too much information. Too many stakeholder-security team conflicts are rooted in a lack of communication, miscommunications, or misunderstandings. Opening the lines of communication, and keeping them open, is an excellent way to build trust.

Honesty & Transparency

When it comes to cybersecurity, honesty is the best policy. When it comes to admitting fault, acknowledging a mistake, or delivering bad news, stakeholders and security teams alike appreciate honesty. By being honest about your organization’s current security posture (including any deficiencies), security and stakeholders can work together to fortify your organization’s cybersecurity posture. 

On the other hand, lies, omissions, and misrepresentations cause cracks in your cybersecurity posture and foster inter-organizational distrust, with potentially disastrous consequences. All trusting relationships are built on a foundation of honesty.

Diligence

Hard work, dedication, and commitment from both your security team and your stakeholders is critical for building organizational trust. Both sides of the table need to know that the other side is working hard to fulfill their obligations and is willing to own up to any mistakes or shortcomings. It’s a lot easier to build trust when you know the rest of the team has your back.

A Willingness to Listen & Accept Feedback

Communication is a two-way street, and both stakeholders and security teams need to be willing to listen and accept honest feedback and not dismiss the other side’s suggestions and concerns out of hand. When one side feels that the other isn’t taking their concerns, expertise, or advice seriously, it undermines the relationship and damages trust, weakening the organization and compromising its security posture. 

Action

Talk is great, but only when it is followed by concrete action. When either the security team or the stakeholders promise to do something, the other side needs to see that they will follow through. When we can’t trust our teammates to act on their promises, those promises become meaningless. 

That being said, we are only human, and sometimes promises are broken. When this happens, it is critical to acknowledge that the promise was not honored, provide an explanation (budgetary concerns, staffing shortages, etc.), amend the promise so it can be reasonably accomplished, commit to action, and then act to fulfill the promise. A cycle of inaction and broken promises can impact more than your cybersecurity posture; it can poison your organization, driving away good workers and demoralizing those who remain.   

Initiate a “Request for Intelligence” From Your Threat Intelligence Partner

You can’t adequately defend yourself if you don’t know what you are defending against. A request for intelligence is a comprehensive report compiled by your threat intelligence partner. When requesting your report, make sure you specify your intended audience (such as your board of directors or security team) and any specific concerns you may have so that your vendor can tailor the report accordingly and ensure all critical and relevant information is included. 

A good request for intelligence report should go beyond the normal overviews your partner already provides and should address specific concerns related to your vertical, industry, and operating locations. It should also provide information on the threat actors you should be concerned about, as well as the TTPs (tactics, techniques, and procedures) those threat actors typically use.

Collaborate Closely With Your Security Vendors

Your security vendor needs to take a proactive role when it comes to preparing your organization for cyber conflict and defense. 

  • Vendor account representatives can help ensure your organization receives the correct level of care and attention and help you get the most out of your security products and services.
  • You should also work closely with your product vendors to confirm turnaround times and automation options for ruleset and patch updates (to ensure your software automatically downloads and installs security patches as soon as they are made available).

A good vendor should be already communicating with you about the situation in Ukraine, but if you have not received any communications, you should reach out directly to your vendor, representative, or support team.

Keep an Eye Out for Disinformation & Misinformation

Disinformation and misinformation featured heavily in the lead-up to the conflict in Ukraine. On February 3rd, 2022, the United States even predicted that Russia might use fake graphic videos as a pretext for invasion, a prediction that came true two weeks later. Videos like these and other forms of misinformation and disinformation serve two purposes: to bolster internal sentiment for an invasion (or justify an ongoing invasion) and distort the narrative abroad. 

As such, it is vital to get your news from trustworthy sources and rely on the advice of local and national leaders as well as your security team to ensure you are getting the facts. As the situation continues to evolve, it is also vital that you are keeping your incident response plans up to date and keeping the lines of communication open both across your organization and between your organization and relevant third parties, such as your managed security services provider (MSSP) and relevant government bodies. 

Consider Adopting Secure Communications Tools

Organizations that are concerned about the security and privacy of their business communications (including eavesdropping, data loss, communications metadata exposure, or non-compliance) should consider increasing communications security or switching to more secure communications tools. Organizations with employees in and around Ukraine should also be aware that those individuals may face communications disruptions.

Encrypted messaging and calling solutions like Element and Wickr are ideal for low-bandwidth environments and can be used to enhance the security of your everyday communications as well as work as out-of-band communication channels during incident responses. They can also be used to provide traveling executives with improved communications security. If you are concerned about the security of your current in-house communication tools or are looking to replace them with a more secure option, your managed security services provider can help you make the right choice for your organization. 

Build Out Your Incident Response Ranks

Small and medium-sized organizations often don’t have the resources to support a full, in-house cybersecurity team, which is why many choose to partner with an MSSP. A good MSSP can help you augment your in-house security team, provide employee cybersecurity training, and help you evaluate your current cybersecurity position and incident response plans.

Should an incident occur, your MSSP can help you respond effectively (mitigating, or even eliminating, damage), conduct a thorough investigation into the root cause of the incident, and help you prepare any reports required under relevant regulations (such as GDPR, HIPAA, or CCPA).

Safeguard Your Endpoints & Practice Good Software Hygiene 

Safeguarding your endpoints (smartphones, laptops, and tablets that have access to your network) and hosts (such as servers) is vital. Endpoint detection and response (EDR) uses tools and solutions to detect, investigate, and mitigate suspicious endpoint and host activity. Unlike traditional anti-virus software, EDR isn’t reliant on known behavioral patterns or malware signatures, allowing it to detect new threats quickly. Depending on the nature of the threat it has detected, EDR is also designed to trigger an adaptive response (much like your immune system springing into action).

One of the easiest yet most critical steps any organization can take to improve their security posture is to keep all their software up to date. When software developers discover vulnerabilities in their products, they release patches to address them. Cybercriminals often target recently patched software in the hopes that not all organizations have been as diligent as yours about installing new security patches. Installing patches takes a few minutes, and the process can often be automated and scheduled so that patches are installed during non-business hours to completely eliminate downtime. 

Take Proactive, Preventative Steps Before an Incident Occurs

As the old saying goes, the best defense is a good offense. By being proactive and shoring up your cybersecurity defenses before an incident occurs, you stand a better chance of mitigating or even eliminating damage. Regular pen (penetration) testing, which involves hiring an ethical hacker to stress-test your defenses and search for vulnerabilities, can help highlight security deficiencies so they can be addressed before a cyber attacker is able to exploit them.

Investing in ongoing cybersecurity training is also critical: Employees who can’t identify potential threats are more likely to fall for things like phishing scams, and employees who don’t know how to respond to an incident won’t be able to respond effectively. As such, it is critical that you review your incident response plans regularly and make sure all relevant stakeholders are kept up to date.

You may also want to consider running tabletop scenarios. Tabletop scenarios work like cyber incident fire drills: Your team is presented with a hypothetical scenario and asked to respond, allowing them to put their cybersecurity training to use in a no-stakes environment. Tabletop scenarios not only familiarize your employees with potential threats and help them hone their response skills, but they are also a great way to identify and address security gaps before they can be exploited. 

Concerned About Your Cybersecurity Stance? VirtualArmour is Here to Help!

The situation in Ukraine has put many organizations on edge, and trying to figure out how to shore up your organization’s cybersecurity defenses against cyber conflict may be overwhelming. Fortunately, the VirtualArmour team is always here to help.

We offer a variety of security solutions, including:

We also offer tailored services à la carte, allowing you to pick and choose the services your organization requires to create your own premium services package or essential services package. We also offer personalized, one-time expert consults.

We have extensive experience working with organizations in a variety of highly-specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and industry-leading response times. 

Our team of experts can help you assess your current cybersecurity posture and create or update your incident response plans. We also provide cybersecurity training through our VirtualArmour Academy. For more information or to get your free, no-obligation quote or free cyber risk report, please contact our team today.

Suggested Reading & Useful Links

The Cybersecurity Situation in Ukraine

The situation in Ukraine is constantly shifting, and it can be hard to stay up to date and get the facts your team depends on to best inform your cybersecurity posture. To help you get the information you need, we have compiled a list of links to relevant organizations below. 

Educational Articles from VirtualArmour

Cybersecurity is a complex and continually evolving field. To best safeguard your organization and its digital assets, it’s important to stay up to date. 

To learn about the latest news and developments in the cybersecurity sphere, please consider visiting our Articles and Resources page and reviewing the educational articles listed below.

Hack the Chat

Last updated August 19, 2022

Summary:

  • By the end of 2022, 70% of white-collar workers will interact with chatbots on a daily basis—but chatbots can pose a cybersecurity risk if they are not properly protected.
  • Chatbots can improve customer experience by identifying leads in real time, improving user engagement, and collecting user data for A/B testing.
  • However, cybercriminals can exploit chatbots to impersonate people, deliver malware, steal or alter data, and launch phishing attacks.
  • Common chatbot vulnerabilities include unencrypted communications, allowing back-door access, missing protocols, and hosting platform issues.
  • Types of chatbot attacks include network hacks, social engineering attacks, and real-time chatbot takeovers.
  • Software updates, working with experienced chatbot developers, restricting chatbot access to registered users, and implementing multi-factor authentication can all make your chatbot usage more secure.
  • Web Application Firewalls, end-to-end encryption on messages, authentication timeouts, self-destructing messages, and other strategies can also improve chatbot security.

Chatbots, those little customer service pop-up menus on websites that ask how they can help you, are becoming ubiquitous, changing how users interact with both websites and the businesses behind them. 

Machine-learning programs such as Siri, Alexa, Google Assistant, and website chatbots have become some of the fastest-growing online sales-generating tools businesses have at their disposal. A 2016 study by Oracle found that 80% of businesses planned to onboard customer interaction AIs to their website, and a 2019 article by Gartner predicts that by the end of 2022, a full 70% of white-collar workers will interact with conversational platforms (chatbots) daily.

However, while website chatbots are incredibly useful, they can also pose a security risk if appropriate cybersecurity measures aren’t taken. In this article, we will discuss how chatbots can leave your organization vulnerable to new hacking tactics and explore steps your organization should be taking to secure your website chatbot.

If your organization has recently experienced, or is currently experiencing, a cybersecurity incident such as a chatbot hack, please contact our team right away and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next).

See also:

How Chatbots Can Improve the Customer Experience

Chatbots offer many advantages to both customers and businesses. Chatbots allow customers to independently move down the sales funnel, offer users more information about your company’s products and services, and provide your company with valuable data on customer interests. 

By taking over these functions from live staff members, businesses can free up valuable team members for other business-building activities or reallocate the funds that would have been spent on sales staff wages for other uses. Chatbots are also not constrained by reasonable shift lengths or labor laws and never need sick days or vacations.  

When implemented correctly, chatbots can:

Identify Leads in Real Time

Chatbots allow you to engage with customers while they are using your app or website, catching them when they are most engaged. They also allow customers to get answers to common questions right away (an IBM study found chatbots can handle 80% of routine tasks and customer questions) and make the entire website experience more engaging. Chatbots can also gently guide customers towards the next sales funnel stage.

Improve User Engagement

Unlike human beings, chatbots can easily engage with multiple customers at once without losing focus. They can also regularly send customers product updates and offers, offer instant responses to customer inquiries, and are available 24/7/365. They can also be programmed using multiple languages to better engage with all of your target demographics.

Collect Valuable User Data & Engage in A/B Testing

Modern marketing runs on user data, and chatbots are well-positioned to collect it. Chatbots can seamlessly gather customer data in real time (and ask follow-up questions to gain more information), analyze the data, and provide you with the information you need to continue to improve your products or services and reach new consumers.

Chatbots also allow you to conduct multiple A/B tests simultaneously (and much faster than manual A/B testing) and swiftly provide your team with test results and the chatbot’s analysis.

Chatbot Risks

Chatbots are a valuable tool, but like any digital tool, they are also vulnerable to cybercriminals. Without proper security precautions in place, chatbots can be used to:

  • Impersonate individuals 
  • Deliver ransomware and other forms of malware
  • Engage in data-theft
  • Alter data
  • Engage in phishing or whaling attacks

Many companies offer chatbot programs, but not every chatbot is as secure as it could be. Common chatbot vulnerabilities include:

  • Unencrypted communications
  • Allowing back-door access
  • Missing protocols
  • Hosting platform issues

Hack the Chat: How Bad Actors Are Taking Advantage of Chatbots

Before you implement a chatbot, you should ensure it meets your company’s existing security standards and make sure your team is aware of the types of attacks cybercriminals commonly use against chatbots.

Types of Chatbot Attacks

Network Hacks

Much like a burglar can creep through an unlocked window, cybercriminals can use unsecured or insufficiently secured chatbots to gain access to your network. As such, cybercriminals will frequently evaluate chatbots for potential vulnerabilities that can be exploited to gain wider network access.

Social Engineering Attacks Using Chatbots

Cybercriminals can also turn chatbots into tools of their own. If a cybercriminal already has an existing customer’s username, they may be able to leverage the chatbot in a social engineering scheme to reset the account password (granting the cybercriminal access), make unauthorized purchases, or change the payment information on the user’s account.

Real-time Chatbot Takeovers

In this scenario, a cybercriminal would already have infiltrated your website and be in a position to intercept customer communication via the chatbot. Because chatbots are an extension of your company, customers may let their guard down as they would around one of your human employees.

Cybercriminals can take advantage of that presumed trust to ask users for sensitive personal information, such as social insurance numbers or credit card numbers, or direct users to send funds outside of usual payment avenues. 

Safeguard Your Website With These Chatbot Best Practices

Keep Your Software Up to Date

One of the easiest things any company can do to quickly improve their security is keep their software up to date. When software developers discover vulnerabilities, bugs, or other issues with their programs, they release patches to fix them. By downloading all security patches as soon as they become available, you can proactively safeguard your network and the digital assets stored on it. 

Unpatched software is particularly vulnerable once a patch has been published. Companies typically announce when a patch is released, alerting both legitimate users and cybercriminals. This can inadvertently increase a company’s chances of being targeted, as criminals redirect their attention to companies they know are using the recently patched software in the hopes of exploiting the vulnerability before all network users have installed the patch.

Hire an Experienced Chatbot Developer

While you may be excited to get your chatbot up and running, it pays to shop around and find a developer with chatbot security and design experience. Before you begin production, make sure to ask your developer how they plan to secure your chatbot and make sure their plan meets your high security standards.

Restrict Chatbot Use to Registered Users Only

While restricting chatbot use privileges to registered users may hinder your efforts somewhat from a sales perspective, it can pay attractive security dividends. Cybercriminals are always on the lookout for easy targets, and adding this extra layer of security both eliminates (or at least reduces) anonymity and makes your website chatbot a less appealing target. Requiring users to register with your website before using the chatbot is an easy-to-implement and cost-effective security measure.

Implement Two-Factor Authentication

In addition to requiring usernames and passwords, you may want to consider implementing two-factor authentication. This adds an extra layer of security during the login process, requiring users to enter two different pieces of information to verify their identity. 

This often takes the form of a strong password paired with a text message prompt or a hardware element. As such, for a cybercriminal to successfully log in to a legitimate user’s account, they would need the user’s username and password as well as access to the one-time code sent to the user’s phone or the physical hardware element attached to that user’s account.

Install a Web Application Firewall (WAF)

Web application firewalls are designed to safeguard your website from malicious traffic and harmful requests. This is critical since it could help prevent cybercriminals or their botnet from using your chatbot to inject malicious code into your network (such as during a ransomware or other malware attack). 

Implement End-to-End Encryption on Chatbot Messages

End-to-end encryption is a critical security measure and should be used both for chatbot conversations and in any context where a message is sent from one person or entity to another (including chatbot sessions, email, and internal employee chat programs). 

Implement Authentication Timeouts

This simple step limits how long a user remains logged in before they are automatically logged out. If a user remains logged in but inactive for too long, a prompt window appears asking them to re-enter their login credentials or confirm that they are still active. The prompt window may also be designed to inform the user that they have been logged out. This simple design change can prevent crimes of opportunity, where a cybercriminal is able to take advantage of a still-logged-in user to wreak havoc.

Self-Destructing Messages

While this may sound like something out of a spy movie, self-destructing messages are a great way to make your chatbot more secure. This security measure is just what it sounds like: either after a chat session has concluded or after a set amount of time has elapsed, all messages sent to the chatbot and any sensitive information shared with it are automatically erased. While some users may find this inconvenient, the inconvenience is outweighed by this approach’s security benefits.
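The authentication timeout and self-destructing messages described in the two sections above are both time-based controls on a chatbot session, so the following added example (not VirtualArmour’s code) shows one server-side session store that enforces both: an idle timeout that forces re-authentication, per-message erasure after a TTL, and full erasure when the session ends. The timeout values, user id and message text are constructed for illustration.

```javascript
// Added example, not VirtualArmour's code: a minimal server-side chatbot
// session store enforcing an idle authentication timeout and self-destructing
// messages. Durations, user ids and message text are constructed values.

const IDLE_TIMEOUT_MS = 15 * 60 * 1000; // force re-login after 15 min idle (assumed)
const MESSAGE_TTL_MS = 30 * 60 * 1000;  // erase a message 30 min after sending (assumed)

class ChatSession {
  constructor(userId, now = Date.now()) {
    this.userId = userId;      // chatbot use restricted to a registered user
    this.authenticated = true; // login has just completed
    this.lastActivity = now;
    this.messages = [];        // entries: { text, sentAt, sensitive }
    this.ended = false;
  }

  // Authentication timeout: every request passes through here first. A user
  // idle longer than IDLE_TIMEOUT_MS is flagged for re-authentication and the
  // request is refused until they log in again, so an abandoned open session
  // cannot simply be picked up by whoever reaches the keyboard next.
  touch(now = Date.now()) {
    if (this.ended) return { ok: false, reason: 'session-ended' };
    if (now - this.lastActivity > IDLE_TIMEOUT_MS) this.authenticated = false;
    if (!this.authenticated) return { ok: false, reason: 'reauth-required' };
    this.lastActivity = now;
    return { ok: true };
  }

  // Called once the user has re-entered their credentials at the prompt.
  reauthenticate(now = Date.now()) {
    if (this.ended) return { ok: false, reason: 'session-ended' };
    this.authenticated = true;
    this.lastActivity = now;
    return { ok: true };
  }

  send(text, { sensitive = false, now = Date.now() } = {}) {
    const gate = this.touch(now);
    if (!gate.ok) return gate;
    this.messages.push({ text, sentAt: now, sensitive });
    return { ok: true, count: this.messages.length };
  }

  // Self-destructing messages, form 1: a message is erased once it is older
  // than MESSAGE_TTL_MS. Run from a periodic sweep; returns the count erased.
  purgeExpired(now = Date.now()) {
    const before = this.messages.length;
    this.messages = this.messages.filter((m) => now - m.sentAt <= MESSAGE_TTL_MS);
    return before - this.messages.length;
  }

  // Self-destructing messages, form 2: everything is erased when the chat
  // session concludes, and the session can no longer be used afterwards.
  end() {
    const erased = this.messages.length;
    this.messages = [];
    this.ended = true;
    this.authenticated = false;
    return erased;
  }

  // What a transcript view or log may show: sensitive entries are masked
  // even while they are still retained.
  transcript() {
    return this.messages.map((m) => (m.sensitive ? '[redacted]' : m.text));
  }
}

// Walk-through with constructed timestamps so the outcome is deterministic.
function demo() {
  const t0 = 1700000000000;
  const s = new ChatSession('customer-42', t0);
  const first = s.send('Hi, I need help with my order', { now: t0 + 1000 });
  // Idle past the timeout: the request is refused until re-authentication.
  const tLate = t0 + 1000 + IDLE_TIMEOUT_MS + 1;
  const refused = s.send('Still there?', { now: tLate });
  s.reauthenticate(tLate);
  const second = s.send('My account PIN is 1234', { sensitive: true, now: tLate });
  const view = s.transcript();
  // Sweep: the first message is past its TTL, the second is not.
  const purged = s.purgeExpired(t0 + 1000 + MESSAGE_TTL_MS + 1);
  const erasedAtEnd = s.end();
  const afterEnd = s.send('anything', { now: tLate + 1 });
  return { first, refused, second, view, purged, erasedAtEnd, afterEnd };
}
```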

Put Your Chatbot to the Test With Pen Testing

As the old saying goes, the best defense is a good offense. Pen (penetration) testing involves hiring an ethical hacker (sometimes called a “white hat”) to stress test your defenses and try to break into your network. The pen tester documents any security gaps or deficiencies they find and then shares their findings and their recommendations with you and your security team once the test is complete. 

By proactively seeking out vulnerabilities, you can ensure these shortcomings are addressed before any actual cybercriminals can exploit them. 

Consider Offering a Bug Bounty

While this option can be risky because it involves actively inviting technically savvy users to look for security issues, offering a bug bounty can also pay off. Bug bounties are just what they sound like: if a user finds a security bug and tells your team about it, you offer them a reward as a thank you.

Chatbots can be a great way to reach customers, improve the customer experience, and help move potential customers down the sales funnel. However, like all digital tools, chatbots can pose a risk to your company’s overall security if appropriate measures aren’t taken. 

Worried Your Chatbot is A Security Liability? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. The VirtualArmour team is staffed by security experts from a wide selection of cybersecurity and IT disciplines. Whether you’re starting from scratch or improving an existing website or chatbot, our team is here to help. We offer a variety of services, including vulnerability scanning and managed firewall services.

For more information, or to start improving your company’s security posture, please contact our team.

Subscription Model Software: Pros and Cons

Last updated August 19, 2022

Summary:

  • Subscription-based cloud and managed IT and security services help SMBs eliminate the up-front costs of setting up their own in-house systems.
  • Managing IT and cybersecurity systems is time-consuming, and can drain critical resources from an organization during incidents, disrupting profits and business operations.
  • Subscribing to a SaaS company provides instant updates, bug fixes, and new features while reducing initial costs.
  • Subscription services often take a modular or à la carte approach, allowing them to be personalized to each client and scale with the organizations that use them.
  • The set fees associated with subscription software also make them easier to budget for and incentivize providers to keep adding value, resulting in improved services over time.

The subscription model has become increasingly popular over the last few years as apps and other services move away from one-time purchase models. Once the domain of magazines and cheese-of-the-month clubs, the subscription model is now being adopted with increasing frequency by service providers in the IT and cybersecurity spaces as software transitions away from the desktop and migrates to the cloud. In this article, we will discuss the benefits of subscription-based IT and cybersecurity platforms for users.

Cloud and managed IT and cybersecurity services, in particular, are an excellent fit for the subscription-based model. Under this model, users don’t purchase software (or software licenses) outright and instead pay a monthly fee per user. 

Complex IT systems are incredibly expensive to set up, maintain, and operate and come with steep upfront costs, putting them out of reach for most small and medium-sized businesses. Both the OPEX and CAPEX of maintaining the hardware and software needed to support complex IT and cybersecurity systems can be unpredictable, making even those SMBs with the budget to attempt a DIY approach hesitant to take this road.

See also:

Subscription Models Allow SMBs to Offload the Hassle & Expense of Maintaining Complex Infrastructure

The hardware and software needed to manage IT and cybersecurity systems are complex enough that entire teams of dedicated professionals are required to manage and support them and ensure everything is running smoothly. Should something go wrong, the entire system may grind to a halt until the experts determine what the core problem is. This is completely unacceptable for an SMB, which would need to pull critical team members away from other valuable, revenue-generating tasks to attend to the problem, pausing regular business operations until the situation is resolved.

By offloading this stress and people-power onto a SaaS (software as a service) company, SMBs can focus on running and growing their business, knowing that if an issue should occur an entire team of dedicated professionals will address it, often before the end user even realizes something was amiss. SaaS companies have one job: to maintain the hardware and software their product needs to run smoothly so that their customers can focus on their business and leave the IT and cybersecurity up to the professionals. 

The User Benefits of Subscription-Based Software Platforms

Your Software is Always Up to Date

There is nothing worse than sitting down at your desk, ready to start the workday, and turning on your computer only to learn that your software requires updating. While many updates only require a few minutes, others can take much longer, leaving workers twiddling their thumbs while the clock ticks. And since desktop-based software requires users to manually trigger updates, many busy SMB IT managers are forced to continually remind their equally busy co-workers to update their software and download new security patches to ensure everyone is using the same version and that the network remains secure.

The subscription model addresses both of these problems by ensuring all new software updates are applied automatically, and if downtime is required, these updates can be timed so that they happen when the office is closed. This ensures everyone is always using the same version and that security patches are up to date, and it eliminates the time wasted while employees wait for software updates to finish.

Get the Latest Features & Bug Fixes Instantly

Security is everyone’s responsibility, from the summer intern to the CEO. Because subscription-model software is kept up to date automatically, businesses can rest easier knowing that every device on the network has its security patches up to date. This simple action, which the SaaS provider handles for you, has outsized results when it comes to cybersecurity. 

Cybercriminals often target recently patched software, knowing that not all users will be as diligent as your business about installing security patches right away. By handing this responsibility back to the SaaS provider, your busy IT team can get this off their plate and focus on activities that build your business instead of just maintaining its infrastructure. 

Everyone is Always on the Same Page

Automatic updates also ensure that every user on the network is using the same version of every program, eliminating versioning issues across your organization. By ensuring everyone is always on the same page, you can focus on building and growing your business instead of worrying about whether your co-workers will be able to access the report you wrote or if they are seeing something different than you are when they open a file.

Dramatically Reduce Up-Front Costs

Setting up and maintaining your own IT and cybersecurity infrastructure is incredibly expensive and labor-intensive; that is why entire companies are built around providing these services for other businesses. 

The subscription model eliminates the need to purchase a bunch of expensive software licenses upfront (a not insignificant expense, even if your business only has a handful of employees). Offloading the stress and hassle of maintaining a server room or other IT or cybersecurity infrastructure also dramatically reduces CAPEX costs, and not needing to hire an entire team to manage and maintain this infrastructure drastically reduces personnel costs at the same time. 

Hiring even a single IT or cybersecurity professional to wait around in case something goes wrong is an unnecessary expense, using up funds that could be better deployed elsewhere. With the subscription model, if something goes wrong, you can breathe easy knowing an entire team of professionals, whose entire job is to make sure things go smoothly, is already on it. These service providers also invest in layers of hardware redundancy, so if something does go wrong, user traffic can be smoothly rerouted (eliminating or at least dramatically reducing downtime) while the experts get to the root of the problem.  

Shop Around Before You Commit

Software licenses can be very expensive, so you want to make sure you have chosen the right tool for the job before you hand over your business’ hard-earned funds. Because the subscription model dramatically reduces these upfront costs, it is much easier to shop around for a SaaS provider that offers a product that meets your team’s needs and plays nicely with your existing infrastructure. 

Scale Your Subscription to Meet Your Current Organizational Needs

When you purchase a software license up-front, you are often locked into a contract that lasts at least a year and may not be easy to cancel. By opting for a provider that operates using a subscription model, you are never paying for more licenses than you are actually using at any point in time, and scaling up or down to meet your organization’s shifting needs is as easy and painless as a few clicks of a button. 

Also, because SaaS subscription models are specifically designed to scale smoothly, you can avoid the headache and lost productivity associated with finding a new vendor should you outgrow your current software solution. 

Multi-Tier Approach & Personalized Options to Suit Your Needs

Every business is unique and has unique IT and cybersecurity needs and concerns that need to be addressed. Many SaaS providers offer multiple tiers for users to choose from so client companies can select the best tier to meet their needs. For example, VirtualArmour offers two tiers: essential services and premium services.

Many of these services can also be personalized using an à la carte approach that allows users to pick and choose between multiple services so they can curate a package that suits their needs. This not only gives users more granularity over their solution but eliminates the need to pay for services a particular company doesn’t actually need or want. 

Subscription Model Software Makes Budgeting a Breeze

Moving CAPEX into OPEX by opting for a subscription model approach makes it much easier to budget for software expenses. When a software license is purchased outright, most companies offer users a quote based on the customer’s current number of users and (if relevant) the service tier they would require. However, a once cost-effective solution can transform into a huge financial drain if a company scales more rapidly than anticipated (thereby jumping into a higher, more expensive user-number tier) or requires a more personalized approach than their current provider’s one-size-fits-all offering, achieved via pricey add-on services whose additional cost the customer may not have been made aware of before committing to a one-year or multi-year contract.

Software licenses are also typically purchased on contract, meaning you pay for a full year upfront whether you will use the full year or not. If a pivot or other business change leaves you with a batch of unnecessary licenses, the traditional licensing approach can leave you eating the cost for the whole year, effectively paying for software you aren’t even using. The subscription model offers much more transparent pricing: you pay a set fee per user, communicated upfront before you sign on the dotted line. If you need to add or remove users, your price increases or decreases by the previously communicated per-user amount, and the change is reflected in your next monthly bill. 

Not having to purchase, upgrade, and maintain your own supporting hardware makes it significantly easier to allocate your infrastructure budget since you don’t need to worry about suddenly replacing damaged hardware or pouring your own money into necessary upgrades to ensure your workers can continue to do their jobs effectively. 

Build Relationships

Unlike one-time purchases, the subscription model approach also helps build relationships between providers and users. In addition to providing you with a service, subscription model providers are now invested in helping ensure you and your team are comfortable using their product and pleased with the functionality it offers since an unhappy subscription customer can quickly and easily switch to a competitor. 

Providers are also more likely to proactively solicit and consider user feedback to keep users happy. There is also a strong incentive for the provider to stay up to date on the latest industry developments and continually work to improve their product by adding more features and addressing user concerns promptly and effectively, all while sharing expert knowledge with their customers so users can get the most out of the provider’s product. 

Unlike the one-time purchase model, the subscription model is a natural relationship-building tool, encouraging ongoing communication and feedback between the user and the provider in a way that benefits both parties: providers typically enjoy higher levels of customer loyalty, while users are often given more say in future features and updates.

Reliability You Can Depend On

You have a job to do: yours, not your IT or cybersecurity teams’. The SaaS business model is predicated on making sure all users have the tools they need to do their jobs effectively at all times. To help ensure smooth, uninterrupted service, many SaaS providers invest in multiple layers of hardware redundancy and multiple secure backups (a high but necessary expense, well out of the reach of the average SMB) and employ an entire team of experts whose only goal is to keep things running smoothly. 

Redundant systems also help ensure that impacted user traffic is swiftly and smoothly rerouted until the problem is solved, a process so seamless that many end users might not even realize there was a hiccup in the first place. This allows customers to focus on their business instead of managing their own IT and cybersecurity infrastructure, hiring internal IT or cybersecurity experts using funds better spent elsewhere, or spending money on now-redundant licenses for software they may not even be using anymore. 

Need an Expert? VirtualArmour is Here to Help

Not everyone is an IT or cybersecurity expert, and that’s okay. A good SaaS provider is more than just a service provider; they are a valued partner, working with you and your team to ensure you have the tools you need to do what you do best and leave the hassle and expense of managing your IT or cybersecurity infrastructure up to a trusted team of experts. 

VirtualArmour offers a wide variety of IT and cybersecurity services, including:

We also offer three service tiers to best suit your needs: essential services, premium services, and one-time consulting services. For more information about how we can help support your IT and cybersecurity needs, or to request your free, no-obligation quote, please contact us today.