Vulnerability Scanning & Penetration Testing: Overview

Vulnerability scanning is the automated identification of known weaknesses in network devices (firewalls, routers, switches), servers and applications. It runs business-wide and looks for known and potential vulnerabilities at the network or application level.

Vulnerability scans can regularly run on any number of IT assets to make sure that known vulnerabilities are detected and patched. Thus, you can quickly eliminate serious vulnerabilities to protect your business data.

An effective way to remediate vulnerabilities is to follow the vulnerability management lifecycle.

The Vulnerability Management Lifecycle is a cybersecurity best practice that helps strengthen the organization’s readiness to foresee and handle cyberattacks.

Briefly, it provides the following benefits:

  • Prioritization of available IT assets
  • Computer system vulnerability awareness
  • Assessment and remediation of weaknesses

Patch management is one part of vulnerability management: the scan results tell you which patches matter most and whether they were actually applied.

The scanning tools are usually run by network administrators or IT security staff with solid networking knowledge.

Penetration Testing

Penetration tests are simulated cyberattacks against a computer system to check for exploitable vulnerabilities.

The scope of penetration testing is narrow and there is always a human factor involved. It requires an extremely experienced person to conduct this type of testing. Good penetration testers, at some point during their testing, create scripts, change parameters of an attack or tweak settings of the tools they are using.

Penetration testing (pen testing) involves attempting to breach any part of an application system, such as application programming interfaces (APIs) and front-end or back-end servers, to uncover vulnerabilities like excessive data exposure or broken function-level authorization.

Insights provided by the penetration test can be used to patch detected vulnerabilities followed by improving your IT security policies.

Pen testing could target an application or a network, but specific to a function, department, or number of assets (usually based on risk and asset importance). The whole infrastructure and all applications can be tested, but that is not practical in the real world mainly because of cost and time.

Spending a lot of money to test low-risk IT assets, which may take days of effort to exploit, is rarely justified.

Penetration testing requires highly skilled personnel who can exploit newly disclosed vulnerabilities, chain several lesser ones together, and find flaws (including business-logic errors) that automated scanners do not detect.

A pen test can take from a few days to a couple of weeks. It is often conducted once a year and, because it actively exploits systems, carries a real risk of causing outages, so scope, timing and rules of engagement should be agreed in writing beforehand.

Companies should keep baseline reports on crucial equipment and investigate any change in open ports or services. Vulnerability scanners such as Rapid7 InsightVM/Nexpose, Tenable Nessus, GFI LanGuard, Qualys and BeyondTrust Retina can compare successive scans and alert defenders when the environment changes. Comparing detected changes against change-control records shows whether a change was authorized or is a sign of a security problem, such as a malware infection or a staff member bypassing security procedures.
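The comparison described above, as an added example (not the page's own tooling): two snapshots in nmap's grepable (-oG) format are diffed per host and port, and every opened or closed port that has no matching change-control entry is reported. The snapshots, hosts, and approved-change list are constructed for the example; 10.0.0.7 losing RDP and gaining an unexpected listener on 4444 is the kind of delta worth a ticket.

```python
import re

# Constructed nmap -oG style snapshots (not real scan output).
BASELINE = """\
# Nmap grepable output (constructed baseline)
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.0.7 ()  Ports: 3389/open/tcp//ms-wbt-server///
"""
CURRENT = """\
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.0.0.7 ()  Ports: 4444/open/tcp//krb524///
"""

# Change-control records, assumed to be exported as (host, port, proto, action) tuples.
APPROVED = {("10.0.0.5", 8080, "tcp", "opened")}

HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*)$")


def parse_grepable(text):
    """Return {host: {(port, proto): service}} for every open port in a -oG file."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and hosts with no Ports field
        host, ports = m.group(1), m.group(2)
        open_ports = {}
        for entry in ports.split(","):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                open_ports[(port, proto)] = service
        hosts[host] = open_ports
    return hosts


def diff_scans(baseline, current):
    """List (host, port, proto, 'opened'|'closed', service) for every change."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        for key in sorted(set(before) | set(after)):
            if key in after and key not in before:
                changes.append((host, key[0], key[1], "opened", after[key]))
            elif key in before and key not in after:
                changes.append((host, key[0], key[1], "closed", before[key]))
    return changes


def unauthorized(changes, approved=APPROVED):
    """Keep only the changes that no change-control record covers."""
    return [c for c in changes if (c[0], c[1], c[2], c[3]) not in approved]


def report(baseline_text=BASELINE, current_text=CURRENT):
    return unauthorized(diff_scans(parse_grepable(baseline_text), parse_grepable(current_text)))


if __name__ == "__main__":
    for host, port, proto, action, service in report():
        print(f"UNAUTHORIZED {action}: {host} {port}/{proto} ({service})")
```

A closed port is reported as well as an opened one: a host that silently loses an expected service may have been rebuilt, re-imaged or replaced by something pretending to be it.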

Penetration testing also satisfies some compliance requirements, including SOC 2 and PCI DSS. PCI DSS requires regular penetration testing of the cardholder data environment (Requirement 11.3) and, for public-facing web applications, either regular application vulnerability assessments or an automated technical solution such as a web application firewall (WAF) (Requirement 6.6). A WAF therefore complements pen testing rather than replacing it, and pen-test findings are a good source of WAF rule improvements.

Testing Methods

Internal testing

In this scenario, a pen tester who already has access behind the firewall simulates an attack by a malicious insider. A typical starting point is an employee whose login credentials were stolen in a successful phishing campaign.

Targeted testing

In a targeted test, the pen tester and the security personnel work together sharing the same strategy. This is a valuable training exercise that provides a security team with real-time feedback from an attacker’s standpoint.

External testing

External pen testing targets the IT assets of a company that are visible on the internet, for instance the organization's website, email and domain name servers. The tester's goal is to gain unauthorized access and extract sensitive data. External tests are often run black box (the tester starts with no internal knowledge), but the two terms are not synonyms: "external" describes where the attack comes from, "black box" how much the tester is told.

Blind testing

In a blind test, the tester is only given the name of the organization that’s being targeted. This gives security personnel first-hand experience into how an actual cyberattack would take place.

Double-blind testing

In a double-blind test, the security staff is not aware of the simulated attack. So, they won’t have any time to double check their defenses before an attempted breach.

Routine check for vulnerabilities

Routine vulnerability checks drive a regular cadence of patching, which keeps systems ahead of newly published threats. Scanning does not replace penetration testing, though: both are crucial to an effective cybersecurity strategy, the first for breadth and frequency, the second for depth.

The Importance of IT Asset Management in Security

IT asset management is a crucial component to the foundation of cybersecurity operations across businesses of all types.

What is IT asset management?

IT asset management is the process of continuously identifying the IT assets that your organization utilizes and the potential security risks that affect each one.

Assets could be traditional devices, like desktops and servers, or they could be specialized IoT, Internet of Medical Things (IoMT), industrial internet of things (IIoT), or software-defined resources, like a company-owned domain or a cloud-based database.

Any device, resource or service in your IT portfolio can be the entry point of a cyberattack. A breach of that one device can become a breach of the entire network if attackers use the compromised resource as a foothold to launch a broader attack.

Why is it important?

Asset management will empower your entire organization with the visibility it needs to build a comprehensive IT security strategy that mitigates threats quickly and proactively. Such an approach delivers many benefits:

First, with a strong IT asset management process in place, businesses can deploy new IT services or resources without letting security become a problem, because the asset management process will catch potential vulnerabilities.

Secondly, IT asset management helps ensure that security teams detect threats before they escalate. By continuously monitoring your IT portfolio for new deployments and risks, teams don’t have to wait until they detect an active attack to respond.

Thirdly, if an attack does occur, asset management will provide the security team with an inventory of assets and risks that the team can use to gain context, to understand what went wrong and when. Teams have an up-to-date record that they can refer to immediately.

IT asset management places organizations in a stronger position to identify and quickly react to security risks. Although it is only one component of an effective cybersecurity strategy, it’s impossible, in most cases, to apply a proactive security strategy without asset management in place.

Poor IT asset management

Lack of asset management, or a poor implementation of it, creates a huge risk for the overall business. When data or systems are made unavailable by a breach, the business may not be able to operate. Such disruptions harm the organization's reputation and have serious financial consequences: a frequently cited Gartner estimate puts the average cost of IT downtime at around $5,600 per minute.

Poor IT asset management also makes it difficult to maintain an accurate inventory of IT resources. Without knowing what exists where, your team will have to guess about where the most serious risks lie, which is a poor use of time and money.

Keystones of the process

IT resources and security risks go hand in hand, and both come in many forms. IT asset management is a process that involves a range of activities that vary from one business to another depending on the types of assets at stake. The keystones of the process are the following.

Vulnerability management: asset management helps detect and address vulnerabilities, as for instance outdated software running on a connected device.

Cloud security: IT asset management includes the identification of cloud resources that are vulnerable due to unpatched software, poor configuration, lack of access control, etc.

Device discovery and protection: by identifying network endpoints and assessing each one for vulnerabilities, the cybersecurity team can address issues in a timely manner, for instance by isolating insecure endpoints until the issue is fixed.

Incident response: providing the incident response team with the information it needs to determine the cause of the incident and to quickly remediate.

Cybersecurity policy enforcement: if a resource violates security policies that your IT security team has defined, asset management enables quick discovery and remediation of the issue. When new resources are added to the network that match a particular device profile and security policy, they are automatically protected.

The reality is that all the resources described above change frequently. So, network devices may come and go as application instances spin up and cloud services may change their configurations continuously as they scale. Therefore, IT asset management processes must be performed regularly, in real-time, to keep up to date with evolving environments.

Conclusion

IT asset management is the foundation of a proactive, end-to-end security strategy. It plays a major role in security operations across a variety of verticals. It’s vital not just for software companies, but for any organization that relies on software and hardware to power its daily operations, which almost every business does today, because almost every company is now a technology company.

The Importance of Multi-factor Authentication

Protect against credential theft.

NOTE: Verizon's Data Breach Investigations Reports consistently find that most hacking-related breaches involve stolen or weak credentials (the 2017 edition put the figure at 81%; the 2021 edition found credentials involved in 61% of breaches).

Business resources can be compromised by credential theft even when those resources were not the original target. This happens when a user reuses the same username and password (or a slight variation of it) across accounts: even if their work credentials are carefully protected, the same credentials can be stolen from a less secure account (a free email service, say) and replayed against the business in a credential-stuffing attack.

Up to a point, password complexity helps against brute-force attacks, in which many candidate passwords are tried against a list of known usernames. Because most modern authentication systems lock an account after a few failed attempts, attackers rarely hammer a single account; instead they use password spraying, trying one or two very common passwords against every known username, staying below the lockout threshold, and succeeding when they hit an account whose password is one of those guesses. Lockout also does nothing against offline cracking of password hashes leaked in a breach, which is why reusing a password across sites is so dangerous.
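Lockout counters look at one account at a time, so a spray stays invisible to them. The detection below, an added example rather than anything from the page or from StratusPointIT's tooling, groups failed logins by source address instead: many distinct usernames with one failure each from one source within a short window is a spray, many failures against one username from one source is brute force, and a success from the same source after either is the alert to act on first. The log format and the three sources are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not a real capture). 203.0.113.5 sprays one
# password across six accounts and gets in as grace; 198.51.100.9 brute-forces
# alice; 192.0.2.20 is bob mistyping his password once.
LOG = """\
2021-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-03-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2021-03-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2021-03-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2021-03-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2021-03-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2021-03-01T10:00:07Z src=203.0.113.5 user=grace result=OK
2021-03-01T10:05:00Z src=198.51.100.9 user=alice result=FAIL
2021-03-01T10:05:01Z src=198.51.100.9 user=alice result=FAIL
2021-03-01T10:05:02Z src=198.51.100.9 user=alice result=FAIL
2021-03-01T10:05:03Z src=198.51.100.9 user=alice result=FAIL
2021-03-01T10:05:04Z src=198.51.100.9 user=alice result=FAIL
2021-03-01T10:05:05Z src=198.51.100.9 user=alice result=FAIL
2021-03-01T11:30:00Z src=192.0.2.20 user=bob result=FAIL
2021-03-01T11:30:20Z src=192.0.2.20 user=bob result=OK
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log=LOG):
    """Turn the constructed log into a list of event dicts with datetime timestamps."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=5):
    """Return one alert per source whose failures within `window` look like a spray or brute force."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] != "OK"]
        kind = None
        for i in range(len(fails)):
            # Sliding window anchored on each failure in turn.
            win = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            per_user = defaultdict(int)
            for f in win:
                per_user[f["user"]] += 1
            if len(per_user) >= spray_users:
                kind = "password_spray"  # one source, many accounts, few tries each
                break
            if max(per_user.values()) >= brute_fails:
                kind = "brute_force"  # one source, one account, many tries
                break
        if kind:
            first_fail = fails[0]["ts"]
            alerts.append({
                "src": src,
                "kind": kind,
                "distinct_users": len({f["user"] for f in fails}),
                "failures": len(fails),
                # A success after the attack is the strongest indicator of compromise.
                "success_after": any(e["result"] == "OK" and e["ts"] >= first_fail for e in evs),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(parse()):
        print(a)
```

The thresholds are assumptions to tune per environment: `spray_users` should sit above the number of accounts a legitimate shared source (a VPN concentrator, a proxy) fails for in a normal ten minutes, and `brute_fails` just above the account lockout threshold so you see the attempts that lockout already blocked.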

Multi-factor authentication (MFA) makes a stolen password much less useful because it requires a second form of identification, usually a temporary code generated on or sent to a separate device such as the user's smartphone, so a stolen password on its own is not enough to break into an account. One caveat: codes delivered by SMS or approved by push notification can still be phished or relayed in real time by a proxy site that sits between the user and the real login page; phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site and defeat that.

Enabling MFA whenever possible is probably the most effective action IT departments can take to combat credential theft.

Achieve regulatory compliance.

MFA is not yet mandatory in every industry. However, two-factor authentication (2FA) is a required security measure in some key sectors such as healthcare, finance, defense, government and a few others.

Healthcare

The Health Insurance Portability and Accountability Act (HIPAA) was created to protect the privacy of individual healthcare information. According to HIPAA, healthcare organizations need to implement measures to enforce password security. The act does not dictate the implementation of 2FA but requires organizations to implement password security best practices.

Finance

The finance industry has used 2FA for years. Each time you use an ATM you are using 2FA: you need both your card (something you have) and your PIN (something you know) to access your bank account. As more financial services move online, financial organizations need this layer of security to protect their customers and their sensitive information.

Any organization that processes or stores card payment data must also comply with PCI DSS, which requires MFA for all non-console administrative access and for all remote access into the cardholder data environment.

With millions of plaintext passwords available online because of past data breaches, no organization should consider itself immune to a data breach; 2FA, or better MFA, mitigates the risk.

Defense

The US military uses two-factor authentication via the Common Access Card (CAC), a smart card used together with a PIN, issued to active-duty personnel, selected reserve, US Department of Defense (DoD) civilian employees and contractor personnel.

Law Enforcement

US Law Enforcement agencies who utilize the Criminal Justice Information Services (CJIS) require MFA to access the National Crime Information Center (NCIC). These examples further demonstrate the real-world application of MFA.

NOTE: Single-factor authentication systems are no longer able to provide the level of security needed to keep vital data safe and secure.

Reduce risk of data breaches.

MFA blunts some of the most common and successful types of cyberattacks, including phishing, credential stuffing, keyloggers, and brute-force and reverse brute-force (password-spraying) attacks. It is not a complete defense: one-time codes and push approvals can be relayed by a man-in-the-middle phishing page or worn down by repeated push prompts, so prefer phishing-resistant factors such as FIDO2 security keys for privileged accounts.

By implementing MFA, you will be able to protect not only your sensitive apps, but also your virtual private network/s (VPNs).

Here are a few reasons why you should secure your VPN with MFA to ensure trusted access:

-for protection against credential theft

-for achieving regulatory compliance

-for enabling consistent access security for both on-premises and cloud applications

-for gaining visibility into all devices

-for enforcing granular access security policies.

At StratusPointIT, your business IT security is our top priority. Let us be your IT security partner.

Why cybercriminals target SMBs even more this year?

Major breaches make the headlines, but a growing number of breaches never do: the cyberattacks that target small and medium-sized organizations.

Understandably, large companies have the resources to implement complex IT security solutions, monitoring systems and high-end equipment. For SMBs, the consequences of a breach can be severe because they are less able to absorb the costs and damage.

Small businesses are vulnerable because they often do not have the budget for security measures and sometimes don’t understand the risk they face. Also, many small businesses overlook the value of the information they store, wrongly believing it to be of little interest to anyone.

Here are the main reasons why hackers prefer small organizations even more in 2021:

Untrained Staff

This is the most vulnerable and overlooked area for SMBs, especially in the pandemic when some industries were deeply affected, budgets were cut, people were laid off, etc.

Some of the biggest hacks ever seen were not the result of expert hackers defeating complex security systems; the criminals simply tricked employees into handing over sensitive information.

NOTE: According to a survey conducted by ConnectWise in 2020, over half of SMBs surveyed (57%) report lacking cybersecurity experts in their organization and 52% agree they lack the in-house skills necessary to properly deal with IT security issues.

There are often signs of social engineering and phishing attempts, but many people are not prepared to spot them. A little cybersecurity training can go a long way in keeping your organization safe.

At StratusPointIT, we provide access to training videos and newsletters on numerous IT topics, and we create and run phishing simulations to test your employees' awareness of potentially harmful emails, reporting who opened, who clicked, who entered credentials, and so on.

Lack of Cybersecurity Systems

Since the pandemic started, transactions, communications, data storage, etc. have taken an even more drastic shift into the cyber world, and hackers have taken notice.

It is time for businesses to react accordingly. Every small business should invest in a secure cyber environment. Without one, you expose your business to a huge risk.

So, consider improving the security of all the vulnerable connected elements such as: workstations, mobile devices, servers, and networks.

At StratusPointIT, we scan, analyze, and remediate network vulnerabilities. We ensure you have leading business-class firewalls installed with proper security controls, log-based intrusion detection supported by a Security Operations Center (SOC), active-device monitoring and alerting, etc.

Unsecured Accounts

In 2021, the email service remains a common way of spreading malware, and with more of us working from home, the risks are higher now. Therefore, you should implement an email protection solution to help your business and employees defend against the latest threats, from spear-phishing, ransomware, impersonation, and other targeted attacks.

NOTE: When setting up your passwords, do not use personal information or predictable combinations.

Passwords should not be the only line of defense especially for key accounts. Always enable multi-factor authentication (MFA) when possible. Even if your password is compromised, cybercriminals will have another, much more difficult defense line to breach.

No Action Plan

While hackers might not know whether you have a cybersecurity plan in place or not, they will find out soon enough.

Here are just a few of the questions you should ask yourself in the unfortunate event of a cyberattack:

How will you know your organization is being hacked?

How will you respond to your customers if their information is compromised?

Will you shut down your entire network if you discover a breach?

How will you mitigate the impact of a cyberattack?

Therefore, it is crucial to consult with a managed IT provider that bridges infrastructure and security services to provide you a complete solution and get your cybersecurity plan in place.

Insufficient Upkeep

Even if you install the latest and most effective cybersecurity system and train all your employees to spot phishing attempts, you are only covered for a limited amount of time.

Hackers are constantly discovering new vulnerabilities. Therefore, organizations should constantly train their staff and keep their hardware and software up to date.

Final thoughts

Small businesses can be easy targets for cybercriminals in 2021. Any personally identifiable information, such as phone numbers, email addresses or credit card details, is valuable to hackers who can use it to commit fraud or sell it on the dark web. Don't let that happen: make sure your business is protected.

CEO Fraud Prevention

CEO fraud is a type of cyberattack in which the attacker impersonates a CEO or other executive. The attacker uses either a compromised executive email account or an address that looks very similar to the executive's to trick a targeted employee into sending sensitive information or money.

Like other types of Business Email Compromise (BEC) attacks, CEO fraud attacks are very difficult for employees and legacy solutions to catch.

However, there are ways to prevent those sneaky attacks. The best plan is to combine training, cybersecurity policies, and technology.

Raise employee awareness.

Security is everyone's responsibility. Everyone, regardless of department or role, must understand how CEO fraud is pulled off; real-world examples are the best way to point out the common red flags.

NOTE: CEO fraud almost always relies on seniority and urgency to push the target into acting.

Note the absence of spelling errors. Poor spelling used to be a reliable phishing indicator, but attackers now pay attention to detail: they research their victims and cover their tracks, and the messages are often free of spelling and grammar mistakes.

Also, you may notice personal touches. Attackers go to great efforts to research their targets through hacking or simply by using publicly available information.

The following persuasive elements should always make you take a closer look.

The sender’s email address

Domain impersonation is a common CEO-fraud tactic: the attacker registers a domain that closely resembles the real one. For instance, if the real domain is rsmbank.com, the attacker uses rsnbank.com. A single changed letter is even harder to spot on a mobile screen, which raises the attacker's success rate.

The sense of urgency

The subject line, the ongoing meeting, the late invoice. Creating a sense of urgency is the general rule in social engineering attacks. Panicked people almost always will make poor decisions.

The authoritative tone

Expressions like “please send/pay immediately” are commonly used. There is a reason hackers prefer to impersonate CEOs. They are in a position of power, and people tend to do what they say without any prior check.

Playing on the target’s trust

“I am counting on you”. Everyone wants to be chosen to do a favor for a manager, director, etc.

Check the sender’s email address for inconsistencies and remember that corporate email addresses can also be hacked or spoofed.
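The sender checks described under "The sender's email address" and in the paragraph above can be automated at the mail gateway or in a mailbox rule. The following is an added example, not the page's or any vendor's product: it parses a message's headers, flags a From domain that is a lookalike of a trusted domain (one edit away, built from confusable characters such as rn for m, or embedding the brand name), flags an executive's display name on an external address, and flags a Reply-To that points somewhere other than the From domain. The message uses the page's own rsmbank.com / rsnbank.com illustration; the executive name and the confusables table are assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not a real capture). The domains come from the page's
# example; the sender name and text are made up.
SAMPLE = """From: "Jane Doe" <jane.doe@rsnbank.com>
Reply-To: "Jane Doe" <jane.doe@rsnbank.com>
To: accounts@rsmbank.com
Subject: Urgent - please pay immediately

I am in a meeting, please wire the attached invoice today. I am counting on you.
"""

TRUSTED_DOMAINS = ["rsmbank.com"]   # assumed: the company's own domains
EXECUTIVES = {"jane doe"}           # assumed: display names that warrant extra scrutiny

# Character sequences that look alike in common fonts, especially on small screens.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalize(domain):
    """Collapse confusable sequences so rsrnbank.com and rsmbank.com compare equal."""
    d = domain.lower()
    for lookalike, original in CONFUSABLES:
        d = d.replace(lookalike, original)
    return d


def levenshtein(a, b):
    """Edit distance; one insertion, deletion or substitution away is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain, trusted):
    return domain == trusted or domain.endswith("." + trusted)


def is_lookalike(domain, trusted):
    domain, trusted = domain.lower(), trusted.lower()
    if is_trusted(domain, trusted):
        return False  # our own domain or a genuine subdomain of it
    brand = trusted.split(".")[0]
    return (normalize(domain) == normalize(trusted)
            or levenshtein(domain, trusted) <= 1
            or brand in domain)   # e.g. rsmbank-secure.com or rsmbank.com.evil.net


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw, trusted_domains=TRUSTED_DOMAINS, executives=EXECUTIVES):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr) or from_domain

    findings = []
    for t in trusted_domains:
        if is_lookalike(from_domain, t):
            findings.append(f"lookalike sender domain {from_domain} (resembles {t})")
    if name.strip().lower() in executives and not any(is_trusted(from_domain, t) for t in trusted_domains):
        findings.append(f"display name '{name}' matches an executive but address is external ({from_domain})")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print("WARNING:", finding)
```

These header checks catch lookalike and display-name tricks; they say nothing about whether a message claiming to be from your exact domain is genuine, which is what SPF, DKIM and DMARC enforcement at the gateway is for. Both are needed, and neither replaces the out-of-band phone check before money moves.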

Take a step back and think: is this really something the CEO is likely to request so urgently?

NOTE: Always verify the payment destination. Do not pay an invoice unless you know the money’s going to the right place.

While these are important lessons for your staff, training your employees regularly is paramount. Educating your staff on how to recognize CEO frauds and what to do in case they detect such attacks is therefore crucial.

Humans are often led by emotions, and they are not good at spotting the small clues that might reveal a fraudulent email. Sometimes, even security specialists can’t.

Implement best cybersecurity practice.

Beyond staff training, every thriving organization takes an all-round approach to cybersecurity that minimizes the risk of a serious impact from an attack.

Here are few very important security measures that will help protect company data from CEO frauds:

Create a process through which employees can easily verify wire transfers, especially large ones, ideally by a phone call to a number already on file, never to a number supplied in the email itself.

Register domains that resemble your company's brand name (typosquats and lookalikes) so fraudsters cannot, and publish SPF, DKIM and DMARC records so that mail spoofing your exact domain is rejected.

Protect all corporate email accounts and devices using multi-factor authentication (MFA).

Regularly test and patch all your software.

Ensure employees use strong, unique passwords and change them whenever there is evidence of compromise; NIST SP 800-63B advises against forcing arbitrary periodic changes, which tend to produce weaker, predictable passwords.

Closely monitor corporate financial accounts for any irregularities such as missing deposits, external payments, etc.

Deploy an email security solution.

All the above are extremely important cybersecurity controls, but let’s take a closer look at the final suggestion: email security solutions.

Deploy an intelligent email security solution.

Because CEO fraud, like about 90% of phishing in general, is delivered by email, installing email security software is one of the most effective steps you can take to prevent this type of cybercrime.

Our solution provides real-time protection against social engineering attacks like whaling, CEO frauds, or W-2 frauds. Contact us today for more relevant information.

Data Privacy Trends To Expect In 2021

In 2020, organizations faced some of the most drastic challenges to the business environment in the digital age. Companies were forced to adapt quickly and cultivate resilience and creativity, besides focusing on meeting their customers' expectations.

According to a study conducted by Gartner, just 12% of more than 1,500 respondents believe their businesses were prepared to face the disruption last year, but with tech adoption accelerating as a result, more businesses will turn to digital operations, products, and ecosystems to stay profitable and relevant.

Data privacy has become the #1 expectation for every consumer across the globe, growing into something more than a set of rules and regulations driven by compliance standards, but rather one of the main pillars of brand recognition and customer loyalty.

With digital adoption, more and more sensitive customer and business data is being generated, so the stakes for data privacy can only rise.

The Context

The COVID-19 pandemic has had a major impact on data privacy and cybersecurity mainly because of the social distancing that has changed both our personal and professional lives.

One of the consequences of this pandemic was that more and more consumers opted out of in-person shopping, relying heavily on the digital marketplace. So, organizations will have everything to gain by ensuring proper data protection to maintain customer loyalty.

Nowadays, more healthcare data is being collected than ever, in many cases by organizations that have never collected this type of information before. Organizations are collecting health data to support public health outcomes, raising concerns about how this data is used and held.

More Privacy Laws

Most websites these days notify you about cookies (it is one of the first things you see when a site loads): how the website collects your data, what it intends to do with it, how long it holds it, and so on. You are also given the option to accept or reject these terms.

Those notices are a direct consequence of the EU's General Data Protection Regulation (GDPR), which, although enacted in the European Union, imposes obligations on any organization that targets or collects data from people residing in EU countries.

So, expect far-reaching data privacy legislation like the GDPR and the California Consumer Privacy Act (CCPA) to come into force in more regions this year, responding to an ever-greater need of privacy protection.

Gartner data suggests that by 2023, 65% of the world’s population will have their personal data covered under some form of modern privacy regulation, up from 10% in 2020.

Data Privacy Automation

With new privacy laws coming into force, and different legislation and compliance procedures in different territories, companies will find it difficult to keep track of which laws they must adhere to.

This has led developers to create software to automate data privacy. These can range from management platforms to handle privacy requests to filters and preference settings tools.

In 2021, we can only expect the trend of data privacy automation to become more widespread, with more software solutions being developed and more organizations purchasing automated data privacy and management solutions.

Better User Awareness

Cyber hygiene advocates have repeatedly pointed out that end users are often the weakest link, enabling data breaches at their organizations either by accident or with intent. This got worse in 2020 as employees adjusted to work-from-home processes.

Notorious cyberattacks such as the ones against SolarWinds and FireEye, also the Cambridge Analytica – Facebook scandal have brought the issue of data privacy to the public’s attention on a scale that has not been seen before.

Users are now actively concerned about how their data is being captured, how it is used and have even shown that they are willing to leave extremely popular platforms like WhatsApp if they feel their data is not safe.

Such data awareness is good for the user, but it could be bad for some organizations that are not transparent about which third parties are able to access sensitive data or refuse to give clients full control over what cookies they can enable.

Users are constantly discovering how much information is collected about them (spending habits, IPs, usernames, emails, etc.) how that data is used, and how cyberattacks put that information at risk.

More Data Security & Privacy Jobs

With the long-term changes brought on by the Covid-19 pandemic, along with new data privacy regulations, organizations will probably face several security challenges, driving the demand for cybersecurity talent even more.

The pandemic has changed the workplace, forcing companies to adapt quickly. The rush to support a remote workforce led many organizations to take a leap of faith into the cloud, and they now face new security challenges supporting hybrid work environments.

Conclusion

While not all organizations are required to comply with data protection standards such as HIPAA or data privacy laws like the CCPA, they should still follow sound data protection practices, as these are essential to build and maintain an environment of trust.