
CISA Recognized One-Factor Authentication as Bad Practice


CISA recommends using multi-factor authentication to protect any account.

In June of this year, the US Cybersecurity and Infrastructure Security Agency (CISA) launched a new project called Bad Practices, a catalog of cybersecurity practices, methods and configurations that organizations are advised not to use.

At first the list contained only two entries, but in a recently updated version of the guide CISA added a third bad practice: using single-factor authentication for remote or administrative access to systems.

“Single-factor authentication is a common authentication method with a low level of security. You only need to match one factor, for example a password, with a username to gain access to the system,” the agency said.

CISA recommends that organizations review its Strong Authentication Implementation Guide, which presents multi-factor authentication as the recommended way to protect not only Internet-facing accounts but any type of account.

The current catalog of CISA bad practices includes: use of unsupported (end-of-life) software, use of known/fixed/default passwords and credentials, and use of single-factor authentication for remote or administrative access to systems.

Other bad practices that CISA is considering adding to the catalog include: use of weak cryptographic functions or key sizes, flat network topologies, mixing of IT and OT networks, granting every user administrator rights (lack of least privilege), reusing previously compromised systems without sanitization, transmission of sensitive unencrypted or unauthenticated traffic over uncontrolled networks, and poor physical controls.


Security

Biden: the US does not want to unleash a new cold war


But cyberattacks will be answered

The United States does not seek to unleash a new Cold War and does not want to see the world split into tough blocs, said US President Joe Biden at the general political debate of the 76th session of the UN General Assembly (GA).

“We do not want a return of the Cold War or a world divided into blocs,” Biden said in his first US presidential address from the UN rostrum.

“The United States is ready to cooperate with any state that is ready to solve existing problems,” the American leader added.

Biden also noted that Washington favors developing common rules for responsible state behavior in cyberspace, and that the US is hardening its infrastructure to better defend against foreign hackers.

Biden stressed that the country reserves the right to respond to hacker attacks in the strongest possible way because they threaten the people and interests of the United States.


Security

Security Vision 5.0: The Swiss Army Knife of Information Security


In this article, we will talk about the mechanisms that underlie the Security Vision 5.0 platform and allow you to automate any formalized process in the field of IT and information security.

Recently, a thoroughly reworked version of the information security process management platform, Security Vision 5.0, entered the market. The changes affect many aspects, from design and architecture to the contents of the modules and the principles of working with data, while the flexibility of the platform has not only been preserved but increased.

Object Oriented Approach

Most IRP/SOAR systems today are built around a single object: the “incident”. Best practice says to use a CMDB for asset control and a vulnerability management system for vulnerability control; IDM is responsible for accounts and GRC for risks. Even if all of these systems are present in the company and each handles its own task, obtaining a comprehensive picture takes a lot of work: export all the results of interest, bring them into a single data model, and generate the required analytics from that data. As a result, you never have a truly up-to-date picture of what is happening; the situation can change dramatically the moment after you load the data into Excel. Needless to say

When minutes, and sometimes seconds, count, incident response specialists simply have no time for consolidated analytics from dozens of different sources, some of which are reachable only by calling the “keeper of sacred knowledge”. The system owner has gone to lunch, and by the time he returns Initial Access has turned into Lateral Movement.

But the list of object types that information security has to control is far from limited to those above: certifications, software and licenses, external service providers, user awareness campaigns, hardware inventory and obsolescence, changes, projects, Shadow IT and more. All of this requires record-keeping and its own life cycle, and running it successfully requires well-coordinated interaction between employees and systems. For this reason there are no restrictions on the types of control objects in our product, and creating them has become simple and convenient.

The Security Vision platform can be delivered with pre-installed modules for managing incidents, assets, vulnerabilities and risks, and for specialized conformity assessments such as CII, PCI DSS, SWIFT and others. These modules contain all the necessary objects, directories, dashboards, workflows and reports.

But even the best analysts cannot think through every nuance of a customer’s infrastructure, the particulars of the company’s internal processes, or the requirements of regulators and the business. For this reason the main focus of our product is the flexibility of every system element. And this flexibility is available to an ordinary user, without involving the vendor or integrators and without external scripts, right in the platform interface in no-code mode, or in low-code mode in the case of integrations.

What does this flexibility look like in reality? Let’s consider several customization scenarios.

Incidents

Undoubtedly, the constantly growing number of incidents is becoming the main driver of information security automation. Processing them should be as simple and clear as possible for the analyst, who has no time to read through a long string of incident properties hoping to find something meaningful. Depending on the type of incident, the focus should be on completely different inputs. For this reason, different incident types have completely different views in Security Vision.

The incident handling process can be adapted to your existing incident handling policy or procedure. For example, let’s add a “Closing reason” attribute to the incident card that must be filled in only when the status is “Waiting for closing confirmation”, and that can be edited only by a user with the “Information security incident manager” role.

The calculation of the criticality of an incident can take into account any parameters of both the event itself and the objects involved in it.

In our example, the incident’s initial criticality and the criticality of the affected asset are combined to calculate the incident’s criticality. For each incident type and each enrichment tool you can assign your own criticality parameters and weights. You can use qualitative metrics or tie the calculation to the quantitative risk assessment used in the company.

The field reflecting the quantitative assessment of potential damage can be hidden for employees of the first lines of support, making it available only to managers.

Object properties can be laid out on the card relative to each other and combined into semantic blocks and tabs. The data display form allows values to be replaced with color indicators or icons for greater clarity.

One of the most interesting features of the platform interface is the ability to add graphic widgets directly to object cards. Chart the number of incidents by device or user involved in the incident, broken down by severity? See the timeline of a user’s VPN connection over the past month? No problem, adding such analytics to a specific type of incident has never been easier.

Most incident handling systems operate with strictly forward, tree-structured workflows: an object can only move forward, never backward. However, it is often impossible to identify all involved accounts, hosts and IoCs in one pass. All containment steps have been carried out and it seems the incident can be closed, but then the sandbox report reveals new objects and the picture of the investigation changes completely. In such a situation it is only logical to return the incident to work.

In Security Vision, incident handling reports can be generated directly from the card. You can use ready-made report templates, such as the NKTsKI format, or customize your own within the company’s existing methodology.

Integration

Everything above concerned mainly the interface. The incident handling process gains its real power from the integration designer.

Today a SOC specialist has access to a huge number of paid and free services for enriching available information. VirusTotal, ThreatCrowd, Hybrid Analysis: all of these integrations are available by default in most IRP/SOAR platforms. But consider a situation where we want to add a new enrichment service, or simply handle a new property returned by the API of a service we are interested in. You do not need to wait for the vendor to respond or write Python scripts: in Security Vision we set up the connection in a couple of iterations and get the desired value.

All that remains is to add data retrieval to the incident handling workflow, choosing whether this action will be fully automatic or require manual activation of the function by the analyst.

But integrations aren’t only about friendly external APIs. Many infrastructure components are still difficult to bring into automated procedures. For example, a Cisco cluster in active/passive mode must be reached at the currently active IP address. How does the system know which connection parameters to use? Redundant connector configurations allow you to define additional configurations that are applied when the primary system is unavailable.

It is not always possible to get the data you need in a single step. A common scenario, for example with sandbox systems, looks like this: 1. send the file under examination, 2. receive a request id, 3. poll the analysis status at regular intervals, 4. finally retrieve the analysis results. There are also more complex interactions in which the credentials for the target system must first be obtained from Privileged Access Management and only then can the operations of interest be carried out. The connector steps mechanism handles such cases: the output of one step can be used as input parameters for the next. Data transformation functions are available to help along the way: text and numeric functions, and operations on arrays and structures.
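The chain described above (credential from PAM, submit, poll until finished, fetch results, transform), written out as a stand-alone illustration of the connector-steps pattern. This is an added example, not Security Vision code: the PAM and sandbox classes are constructed in-memory stubs with an assumed API shape (checkout returns a token; submit returns a job id; status returns a state; report returns the results), and the polling step fails loudly after a fixed number of attempts rather than leaving enrichment half done.

```python
"""Multi-step connector with polling: each step's output becomes input for the
next, and a step can be repeated until a condition holds.
Added example, not Security Vision code. FakePAM and FakeSandbox are constructed
stubs with an assumed API shape."""
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

Ctx = Dict[str, Any]


class FakePAM:
    """Stand-in for a Privileged Access Management credential checkout."""
    def checkout(self, account: str) -> Ctx:
        return {"token": "secret-from-pam"} if account == "sandbox-svc" else {}


class FakeSandbox:
    """Stand-in for a sandbox API; analysis finishes after `ready_after` polls."""
    def __init__(self, ready_after: int = 2):
        self.ready_after = ready_after
        self._jobs: Dict[str, Dict[str, Any]] = {}

    def submit(self, token: str, sha256: str) -> Ctx:
        if token != "secret-from-pam":
            raise PermissionError("sandbox rejected the credential")
        job_id = f"job-{len(self._jobs) + 1}"
        self._jobs[job_id] = {"polls": 0, "sha256": sha256}
        return {"id": job_id}

    def status(self, token: str, job_id: str) -> Ctx:
        job = self._jobs[job_id]
        job["polls"] += 1
        state = "finished" if job["polls"] >= self.ready_after else "running"
        return {"id": job_id, "state": state}

    def report(self, token: str, job_id: str) -> Ctx:
        return {"verdict": "malicious", "score": 87,
                "iocs": {"domains": ["evil.example"], "ips": ["203.0.113.7"]}}


@dataclass
class Step:
    name: str
    run: Callable[[Ctx], Ctx]                           # reads ctx, returns new keys
    poll_until: Optional[Callable[[Ctx], bool]] = None  # repeat while this is False
    max_polls: int = 10


def run_connector(steps: List[Step], initial: Ctx,
                  sleep: Callable[[float], None] = time.sleep,
                  interval: float = 1.0) -> Ctx:
    """Execute steps in order; a polling step re-runs until poll_until is met or
    max_polls is exhausted, in which case the whole connector fails."""
    ctx = dict(initial)
    for step in steps:
        attempts = 0
        while True:
            attempts += 1
            ctx.update(step.run(ctx))
            if step.poll_until is None or step.poll_until(ctx):
                break
            if attempts >= step.max_polls:
                raise TimeoutError(f"step '{step.name}' not finished after {attempts} polls")
            sleep(interval)
    return ctx


def build_steps(pam: FakePAM, sandbox: FakeSandbox) -> List[Step]:
    return [
        Step("get-credential",
             lambda c: {"token": pam.checkout("sandbox-svc")["token"]}),
        Step("submit-sample",
             lambda c: {"job_id": sandbox.submit(c["token"], c["sha256"])["id"]}),
        Step("poll-status",
             lambda c: {"state": sandbox.status(c["token"], c["job_id"])["state"]},
             poll_until=lambda c: c["state"] == "finished", max_polls=5),
        Step("fetch-report",
             lambda c: {"report": sandbox.report(c["token"], c["job_id"])}),
        # transformation step: merge two arrays from the report into one IoC list
        Step("flatten-iocs",
             lambda c: {"iocs": sorted(c["report"]["iocs"]["domains"]
                                       + c["report"]["iocs"]["ips"])}),
    ]


def analyze(sha256: str, ready_after: int = 2) -> Ctx:
    """Run the whole chain offline (no real sleeping between polls)."""
    sandbox = FakeSandbox(ready_after)
    return run_connector(build_steps(FakePAM(), sandbox), {"sha256": sha256},
                         sleep=lambda _: None)


if __name__ == "__main__":
    print(analyze("a" * 64))
```

The context dictionary is the only thing passed between steps, which is what makes the chain composable: a step that needs a value from two steps back simply reads it. The `max_polls` cap is the part most real connectors forget; without it a sandbox that never reports back stalls the workflow indefinitely.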

If the company already has response tooling in the form of PowerShell, Bash, Python or other scripts, bringing them into the platform is not a problem. A script receives static values or variables taken from system objects, and the built-in regex, JSONPath, XPath and other handlers help parse whatever format the script returns.

Many companies face the problem of processing large reports, for example from vulnerability scanners. An infrastructure scan file can be several gigabytes in size, while most systems can only process files of up to about 100 MB. Security Vision connectors handle such files, a task that many products cannot manage.

Complex report structures are another non-trivial task. For example, the scan policy and the credentials used sit in one section of the report, the plugins used in a second, and the scan results in a third. How do you turn such a report into a single table instead of three separate ones? In Security Vision this is easy to do.
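A stand-alone illustration of both points above: a streaming parser that joins a multi-section scan report into one flat table without loading the whole file into memory. This is an added example, not Security Vision code. The XML layout (Policy, Plugins, Results) and the sample report are constructed stand-ins for real scanner formats; the sections appear in that order, so the two small lookup tables are complete before the per-host results stream through.

```python
"""Stream a large multi-section scan report into one flat table.
Added example, not Security Vision code. The element names and the sample
report below are constructed stand-ins for a vendor format."""
import io
import xml.etree.ElementTree as ET
from typing import Any, Dict, Iterator, List

# Constructed sample; a real file may be gigabytes, the code path is the same.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<ScanReport>
  <Policy name="Full audit" credentialed="true"/>
  <Plugins>
    <Plugin id="1001" name="SSL self-signed certificate" severity="2"/>
    <Plugin id="1002" name="SMBv1 enabled" severity="3"/>
  </Plugins>
  <Results>
    <Host name="srv-01">
      <Finding plugin="1001" port="443"/>
      <Finding plugin="1002" port="445"/>
    </Host>
    <Host name="srv-02">
      <Finding plugin="1001" port="8443"/>
      <Finding plugin="9999" port="22"/>
    </Host>
  </Results>
</ScanReport>
"""


def flatten_report(stream) -> Iterator[Dict[str, Any]]:
    """Yield one row per finding, joined with policy and plugin data.
    Only the small lookup tables stay resident; each <Host> subtree is
    cleared as soon as its rows have been emitted, so memory stays bounded."""
    policy: Dict[str, str] = {}
    plugins: Dict[str, Dict[str, Any]] = {}
    for event, elem in ET.iterparse(stream, events=("start", "end")):
        if event == "start" and elem.tag == "Policy":
            policy = dict(elem.attrib)   # attributes are available at 'start'
        elif event == "end" and elem.tag == "Plugin":
            plugins[elem.get("id")] = {
                "name": elem.get("name"),
                "severity": int(elem.get("severity", "0")),
            }
            elem.clear()
        elif event == "end" and elem.tag == "Host":
            host = elem.get("name")
            for finding in elem.iter("Finding"):
                # a finding that references an unknown plugin id is kept, not dropped
                plugin = plugins.get(finding.get("plugin"),
                                     {"name": "unknown plugin", "severity": 0})
                yield {
                    "policy": policy.get("name"),
                    "credentialed": policy.get("credentialed") == "true",
                    "host": host,
                    "port": int(finding.get("port", "0")),
                    "plugin_id": finding.get("plugin"),
                    "plugin_name": plugin["name"],
                    "severity": plugin["severity"],
                }
            elem.clear()   # free the subtree before the parser moves on


def load_sample() -> List[Dict[str, Any]]:
    return list(flatten_report(io.BytesIO(SAMPLE_REPORT)))


def rows_at_least(rows: List[Dict[str, Any]], min_severity: int) -> List[Dict[str, Any]]:
    return [r for r in rows if r["severity"] >= min_severity]


if __name__ == "__main__":
    for row in load_sample():
        print(row)
```

If a format places the plugin catalogue after the results, the same approach needs two passes (one to build the lookup table, one to emit rows) or a temporary on-disk store for the findings; reading the whole document into a DOM is the one option that does not scale to multi-gigabyte files.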

All of the integrations described above can run both inside a workflow and on a schedule in the task scheduler. The results can be stored in object properties or reference books, or the platform can create new objects from them: indicators of compromise, vulnerabilities, assets, or object types defined by the user.

Assets

Having looked at how objects are created, let’s now take a closer look at the part of the platform responsible for inventory and working with assets. In Security Vision, the data source for creating assets can be any information store available for integration: Active Directory, a CMDB, virtualization management tools, or the asset model of a SIEM. Most often, the built-in agentless scanning mechanism is used to identify systems.

If no account is available or authentication fails, the host can still be identified by indirect signs: service responses, information in Active Directory, or custom rules (for example, based on host naming conventions).

If authentication succeeds, inventory scripts collect information about configuration, security status, software, updates and other system components. All inventory scripts are written in Bash and PowerShell, so any technician can read their contents, adapt them to their needs, or troubleshoot them when errors or incorrect data appear.

Security Vision ships with the ability to obtain information about users and groups, virtualization, startup items and much more. If that is not enough, the system lets you add retrieval of any system property that can be collected by machine. Such custom operations can be added to the regular inventory process or exposed as a manual operation available from the asset card.

Our customers often find that inventory data is insufficient even across their disparate systems. How critical is this system? Is it a production or a test environment? Who is the business owner and who is the technical administrator? Collecting this kind of information from users can be built directly into Security Vision: the workflow sends an email to the employee responsible for the inventory and to the system owner reminding them to fill in the required parameters. The interface for such user roles can be configured so that only the necessary menus and objects are available for viewing and filling in.

Any information contained in Security Vision can be presented in the form of reports and dashboards. The dashboard builder allows you to customize drill-down actions, for example, display a detailed description of a selected category or navigate to another related dashboard. The use of this designer does not require technical knowledge: the formation of analytics is similar to pivot tables and graphs in Excel. However, for more advanced statistics, we left the possibility of writing your own SQL queries right in the designer interface.

This is just a short list of the tools that enable the Security Vision platform to optimize and automate almost any information security process. The flexibility of each element lets you implement scenarios for your company’s specific tasks without running into product limits or paying for individual customization.

Security Vision brings people and systems together in a single solution. This approach achieves a high level of automation even in processes that previously required significant human resources. Stay tuned for updates on our website: in the following articles we will describe the SGRC module and its functions for working with audits, risks and compliance assessment, show how a vulnerability and patch management process can be built on the Security Vision platform, and explain how data loaded into the platform from the MITRE ATT&CK framework and related projects can help raise the maturity level of your SOC.


Security

Counterfeit chips are increasingly being identified in supply chains


Many manufacturers are faced with the supply of counterfeit, substandard or used microcircuits.

Struggling with the unprecedented global chip shortage, more and more electronics manufacturers are turning to third-party supply chains to meet demand, and many are receiving counterfeit, substandard or used chips.

According to Nikkei Asia, Japanese electronics manufacturer Jenesis was one of the hardest hit. Unable to buy microcomputers from its usual sources, the company placed an order through the website of the Chinese e-commerce giant Alibaba. The chips that arrived did not power on and were completely different from what Jenesis had ordered, and the company was unable to reach the supplier afterwards.

This trend should serve as a warning to electronics manufacturers looking to buy chips. Manufacturers and authorized distributors keep records of the chips they sell, but nobody guarantees chips sold by third parties, and in most cases it is unclear how and where such vendors store them. This makes it easy for suspicious goods to enter supply chains and hard to trace their true origin.

These can be chips pulled from discarded equipment or recycled chips that fail quality standards, including parts with a forged manufacturer name or model number.

As of August, Oki Electric Industry, which offers chip validation services, said it had received about 150 requests for chip analysis, many of them from manufacturers of industrial and medical equipment. Of the 70 checks completed, about 30% of the chips turned out to be faulty.
