sterling-admin

Reading Time: 3 minutes

The last part of the “most common cyber vulnerabilities” series covers “security misconfiguration,” a dangerous and insidious vulnerability that can have a catastrophic impact, if not mitigated properly. The earlier parts of the series deal with other fatal security vulnerabilities—injection flaws, buffer overflows, sensitive data exposure, and broken authentication.  

Security misconfiguration can be dangerous at times because it is easy to detect misconfigured web servers and applications and then exploit them. This article not only introduces you to the vulnerability but ensures that you take away secure ways to avoid it from happening. 

Security Misconfiguration 

Whenever the implementation of security controls for a server or a web application fails or is met with errors, it is referred to as a security misconfiguration. Sometimes a safe environment of an organization built by several professionals (systems administrators, DBAs, or developers) is left with vulnerable gaps. These security loopholes then lead the organization to grave risks. The occurrence of failure of security safeguards can occur at any level of the application stack. From the platform of the web application to its web server and web application server; it also includes its database (containers or storage), framework, custom code, and pre-installed VMs. The perpetrators get to these vulnerabilities through unauthorized access to default accounts, rarely accessed web pages, not frequently updated applications, unprotected files and folders, directory listings, and so on. Once the system falls prey to the vulnerability, the sensitive data might get stolen or altered, and to recover from such a situation is a time-consuming and costly affair. 

A few typical examples of security misconfiguration are listed below:  

• Applications and products under production phase in debug mode 
• Running unwanted services on the system 
• No proper configuration for accessing the server resources and services  
• Leaving default keys and passwords as it is 

• Incorrect exception management—can disclose unauthorized data, including stack traces 
• Using default accounts with default credentials 

Do I Have a Security Misconfiguration?  

There is a fair chance that you have security misconfigurations in your production environments. The problem is quite evident among all the levels of the application stack. Traditional data centers face one of the most common security misconfigurations, which is not changing the default configurations. It results in unexpected network behavior of the web application. With hybrid data centers and cloud environments, the problem is more challenging because of the inclusion of complex applications, operating systems, and frameworks. The constant updations of these environments make it difficult to devise the right safeguards for security. While in the absence of the right amount of visibility, heterogeneous environments are more susceptible to fall prey to this security flaw. The advanced forms of threats generating out of security misconfiguration are:  

• Creating new and unwanted administration ports for an application—it increases the possibility of remote attacks 

• Outbound network connections to several Internet services—the app can behave abnormally in a critical environment 
• Legacy applications (not much in fashion these days)—this offers an accessible entry point for attackers to mimic the non-existing app to establish an unauthorized connection 

Impacts of Security Misconfiguration 

Such vulnerabilities offer cybercriminals an easier way to gain unauthorized access to system data or its functionalities. There’s a possibility that security misconfiguration can also lead to complete system compromise. If the compromised data or application is sensitive, then such kind of flaw can damage the reputation and economy of the organization. 

Real-Life Damages by Security Misconfiguration 

The following examples from recent years will help you to understand the drastic effect of this common flaw: 

Case 1: Accidental S3 Data Leaks by AWS 

The data of around 14 million Verizon subscribers were exposed on an unsecured Amazon S3 bucket. Under this massive data exposure of 2017, the phone numbers and account PINs of the customers were compromised. The data was accessible and downloadable to anyone who can get their hands on the right web address [1]. 

Case 2: Accenture Exposed 137 GB of Data 

The misconfigured security aspect of servers hosted on Amazon’s S3 storage led to 2018’s compromise of highly sensitive data of Accenture. The Key Management System of Accenture was out in public and would have allowed an attacker to gain complete access to the encrypted data of the organization. The exposed servers contained various customer credentials and private keys to sign in, which were stored in plaintext [2]. 

Six Security Installation Processes Can Prevent Security Misconfiguration 

Correctly implement the below-stated security installations to save your sensitive data from accidental exposure: 

1. Different environments—Development, Quality Assurance, and Production; all of them should be identically configured. Also, manage unique credentials to access all these environments. Introducing automation to the repeatable hardening process will minimize your effort and limit the chance of errors.  
2. Keep only useful features on the platform. Using additional features and components increase the attack surface of the application. It would be recommended to remove all the unused features and frameworks from the app. 
3. Regularly updating the app plays a vital role in keeping the application secure from the cybercriminals. Releasing required patches and security notes (whenever needed) is an essential part of the patch management process. Also, review cloud storage (especially, AWS S3 buckets) permissions.  
4. Sending security directives (such as security header) to the clients should be a regular process. 
5. An automated process should be launched to review all the settings and configurations of each environment.  
6. Wisely devise the architecture of the application to avoid security misconfiguration. Compartmentalizing the entire architecture into important segments can help you to separate various components. 

The inappropriate implementation of security controls of a web application results in security misconfiguration. Thus, using smart defensive ways can save you from such a mishappening. 

Conclusion 

Security misconfiguration is a persistent problem, but awareness of the company’s security policy can minimize the risk. Along with that, releasing regular patches for the application and required network security measures counts as some of the best practices. To outsmart cyber attackers, organizations need to update their security measures from time to time. Otherwise, the repercussions will not only affect the organizations but also impact the customers who blindly trust them. 

Reading Time: 4 minutes

As organizations are adopting new ways to contain the increasing volume of cybersecurity threats and attacks, incident handling has become one of the prominent solutions. It is the process of identifying, investigating, analyzing, and managing security incidents in real time. The method mitigates ongoing security incidents as well as it is capable of avoiding potential cyber threats.  

Incident handling requires a combination of tools, knowledge of different domains, and human-driven analysis. The incident handling process gets invoked whenever an incident occurs. After which, the first responders investigate the scope of the incident to devise a plan for mitigation. That is why organizations are not adequately prepared for the fight against cyber attacks until they have an incident handling team onboard. It is the most effective way to contain low-level attacks to massive network security breaches while keeping the recovery cost and time at its minimum. From policy violations to data breaches or any other form of security compromises, all fall under security incidents. 

Incident Handling in Five Steps 

It is crucial to have an incident handling plan that can take care of multiple security aspects of an IT infrastructure. The ISO/IEC Standard 27035 laid out a five-stage process for the same, discussed as follows: 

1. Preparation

Be prepared with an incident management policy to deal with multiple forms of incidents. It also demands to have a dedicated team in place. 

2. Identification

Monitor your security infrastructure for any possible security incidents. If the team comes across any suspicious activity or behavior, report that immediately. 

3. Assessment

Assess the incident to determine a suitable plan to address the situation. For instance, release a patch for the identified bug in the application or software, or collect digital evidence to resolve the data breach and more. 

4. Respond

Based on your previous step, respond to the incident with a proper investigation to contain it, and resolve the issue. 

5. Learn Lessons

Document the key learnings of the entire experience for future use. Also, update your process with the required changes. 

How Does Incident Handling Work? 

Incident response (IR) is a customized plan that varies from one organization to another. However, all the IR plans still follow a few general steps. The first step of all these IR plans can be “full IT infrastructure scanning” or “in-depth investigation.” Under which, the professional needs to hunt for any abnormality in the system. Anything suspicious should be taken into consideration, even the unusual behavior of authorized users.  

Consider an example, a server functioning slower than usual; this is a sign of abnormal behavior. The security team should assess whether the issue is associated with any security incident. In case if it is, the team must further evaluate the infected entity (in this scenario, it is the server). Determine the scope of the attack, collect other relevant information, and build a plan to resolve the incident. 

There are times when a security incident needs a public announcement or the involvement of law enforcement. For this, take the necessary steps to handle the issue at hand. 

Four Practices for Successful Incident Handling

Despite the size and type of business, every organization needs an incident handling plan. Incorporate the following practices in your plan so that it doesn’t have any loose ends:

1. Build an incident handling plan with proper regulatory policies. These supporting policies will guide the concerned team on how to detect, report, analyze, and respond to the incident. Creating a checklist for the planned actions will ease the entire process. Also, updating this plan regularly with the lessons learned would be of great help.
2. Build a team dedicated to incident handling and IR (such as CSIRT). The team should be clear about their respective roles and responsibilities. A clear RACI (Responsible, Accountable, Consulted, or Informed) chart will benefit the involved professionals. This chart will have the details of the accountable personnel. Also, the team should have functional roles in other departments, such as legal, finance, business operations, sales, and administration, at the time of crisis.
3. A comprehensive periodic training program is an essential element of an incident handling plan. Under this program, clearly, mention all the activities to be performed for the successful incident handling operations. All the involved procedures should be practiced with numerous test scenarios before putting it to use in real time. This program will evaluate the functional, operational, and tactical skills of the team.
4. The post-incident analysis is as vital as the entire incident handling process. Once the team has successfully handled a security incident, learn from the failures, and adopt the successful elements. Update the existing incident handling plan, if required.

For the situations needing a collection of digital and forensic evidence, try including below-mentioned practices:

• Draft a suitable policy for evidence collection so that the evidence should be acceptable in the court of law.
• The plan should be flexible enough to employ forensics whenever evidence collection, analysis, investigation, and reporting are considered. Flawed evidence collection can result in substantial damages, and so, it is a compulsion that this specialized function should be performed with undivided attention.
• Appoint professionals with hands-on experience. It would be of great advantage.

Tips for Mature Incident Handling Process

For the proactive incident handling plan, also consider the following tips:

• Have different checklists and templates in place. This step will be useful for operational maintenance response. The team might need to deal with different configurations, which requires separate guides for start-up, shutdown, restoration, and more.
• Report the management and concerned stakeholders regarding financial metrics. The management and stakeholders should be aware of the recovery cost savings and the level of productivity.
• Regularly test and evaluate your IR plan. It’s crucial that you analyze what did and didn’t go well with the existing plan. To check your IR plan, you can start with paper test, tabletop exercises, and simulated attacks.
  • Under the paper test, check the documentation if there are any discrepancies or some step or some other detail is missing.
  • As per tabletop exercises, stakeholders run through several incident scenarios to review and practice actions defined in the plan.
  • A fully simulated attack brings the team closer to real-world situations. It helps the team to understand their roles as well as the procedures to carry out their responsibilities.

A sound and robust incident handling not only reduces the recovery cost and time but also contributes to lowering the potential liabilities and minimizing the damage to the organization. For all of this to happen correctly, organizations need to have all the necessary tools to alert, analyze, and mitigate the incident.

Reading Time: 5 minutes

In today’s digital landscape, top-notch network security solutions are the need of the hour. Apart from concrete anti-malware programs and different cybersecurity solutions, having a proper network security plan with a good firewall is a must.

Traditional firewalls protect the internal network against the incoming traffic. They have been serving as the first line of defense in network security for almost the past three decades. Over this period, they evolved to become—traditional, next-generation, hardware, and software, to name a few. Like any other cybersecurity solutions, the firewalls have transformed since its initial years, thus making it challenging for network owners to decide upon the appropriate firewall to use as per their requirements. Choosing a wrong firewall can leave your network and data susceptible to various types of cyber threats.

All About Firewall

A firewall can be defined as either a hardware or a software program, designed to block all unwanted incoming traffic while allowing authorized communications to flow freely. As a security enhancement mechanism, the firewall filters out the flagged data packets as per the defined rules and standards. In simpler words, a firewall acts as a shield between the private network and the Internet to protect the former from unauthorized access.

A few basic facts about firewalls may be listed as follows:

• Without a firewall, your internal network is under constant threat of unauthorized access, security breach, and data theft.
• A firewall sometimes even prevents outgoing traffic from visiting certain websites or web pages to keep it safe from the unsafe environment.
• The rules need to be defined by the administrator of the network to block unnecessary traffic from entering.
• Routers vs. Firewalls—A router and a firewall are not the same. A router directs the traffic to the desired target without blocking any incoming traffic, except Access Control List (ACL). In fact, routing is one of the functions of a firewall with the primary objective of blocking unusual traffic.

Different Types of Firewalls

Organizations have several different types of firewalls to choose from, which are:

1. Proxy Firewall

A proxy firewall filters out flagged messages at the application layer to protect the resources of a private network. Its add-on functionalities include content caching and provision of security for direct connections between internal and external networks. It is also known as an application firewall or gateway firewall.

2. Stateful Inspection Firewall

A firewall blocking incoming traffic based on state, port, and protocol is known as stateful inspection firewall. Such firewalls monitor an active connection throughout its different states to check which network packet should be allowed to pass.

3. Unified Threat Management (UTM) Firewall

A UTM firewall combines the features of a traditional firewall with various other security aspects. Usually, this UTM appliance offers the functionalities of gateway antivirus, intrusion detection, and prevention, which are loosely coupled together. Such firewalls are ideal for small- to medium-sized enterprises.

4. Next-Generation Firewall (NGFW)

Next-Generation Firewalls are designed to block modern-day cyber threats, such as advanced malware and application-layer attacks. However, this firewall should also be capable of performing the standard stateful inspection.

5. Threat-Focused NGFW

Apart from the functions of a traditional NGFW, threat-focused NGFW offers advanced threat detection and remediation. It also knows which assets are more prone to risk with a complete context awareness report. It can respond to attacks using intelligent security automation and is capable of handling various other security-related issues.

Why Do You Need Firewalls?

If you are doubtful and are still looking for more reasons to install a firewall, look at the following benefits of having an active firewall:

• No More Unauthorized Remote Access

Consider a scenario where a cyber attacker can access your entire data and private accounts remotely; this can be prevented by disabling the “remote desktop access” feature of the firewall. Note that this feature is not capable of blocking manually allowed third-party applications to use your data. Also, if some malware program is pre-installed in your system, which usually comes along with other security issues—like Trojans, keyloggers, and backdoors, then a firewall is incapable of protecting your network and data.

Note: As firewalls are designed to block malicious apps from gaining access to the private network, there is a probability that a few trustworthy software and applications can also be blocked.

• Blocking Unwanted Messages

Anti-spam feature of firewall helps in controlling, detecting, and preventing unwanted messages, which can contain spam, viruses, or any other threats. This responsibility makes it crucial to keep your firewall active and appropriately configured. If not done correctly, you will be an easy target for cyber attackers.

• Safe Online Gaming Experience

Online gaming brings potential cybersecurity risks while being one of the most significant developments in the gaming world. McAfee has recently reported in its survey “Game Over” that 75 percent of PC gamers are concerned about the security aspect of future gaming. [1] This problem has a great solution—firewall installation.

Mostly, firewalls are designed to configure themselves according to the requirements of the game. It will update the firewall with a suitable title, software type, and any other required attribute. The “Gaming Mode” of most of the games helps the gamers to automate the security-related configurations. They will also get the option of changing the firewall application settings to manual.

• Filtering Out Immoral Content

With all the above-listed pros, firewalls can protect directories and folders from ransomware and can even block specified online locations. This setting usually comes under parental control, but this feature is similar to the roles and responsibilities of a firewall too.

Firewall Rules

Firewalls follow the fundamental constraint of matching the incoming traffic with the defined rules to allow it to get through. The following instances give you a closer look at how firewall rules are applied:

Example 1: Accept established incoming traffic to the public network interface on port 80 and 443, which stands for HTTP and HTTPS web-based traffic.

Hypertext Transfer Protocol (HTTP) is an “application layer protocol” responsible for presenting information rather than focusing on how data gets transferred from one point to the other. HTTP is suitable for those websites that do not hold sensitive information. On the contrary, HTTPS (or “secure http”) allows authorized access and secures transactions. Note that HTTP and HTTPS don’t pay attention to the transfer of data.

Example 2: Reject incoming traffic from public networks on port 22 (SSH).

The SSH protocol (or “Secure Shell”) allows secure remote login. It offers several features like authentication, communication security, and integrity with robust encryption. SSH is a substitute protocol for other login protocols, such as telnet and rlogin, which not protected in nature. It can also be used in place of FTP, which is again an insecure file transfer protocol.

That’s how the firewall rules are applied to avoid unwanted network traffic.

Cybercriminals targeting small- to large-scale businesses—this has become a common cybersecurity issue. To avoid this, you should prepare yourself with a line of defense containing a properly configured firewall, the one that can fulfill the security requirements of your organization. Choose between hardware and software firewalls or install both to add an extra layer of security. A proactive firewall can protect your organization from various malware attacks and unauthorized intrusions.

Become a Certified Network Defender

EC-Council’s Certified Network Defender (CND) teaches you secure firewall configuration among other network security protocols and controls to achieve defense-in-depth security. The program will help you protect, defend, and respond to network security threats. Learn more about the certification by visiting https://www.eccouncil.org/programs/certified-network-defender-cnd/

Reading Time: 5 minutes

There’s a lot to think about when you start a new business. Between concerns about production methods, information flow, order fulfillment, and marketing, it’s easy for security to get lost in the shuffle. The thing to remember is that cybersecurity is as important, if not more so, than the rest. Think of it like this. If cyber attackers are breaking into your site left and right, you don’t really have a business.  

These eight suggestions are indispensable tools to protect what you are building and ensure you a strong shot at success.  

1. Don’t Rely on a Single Program to Protect the Network

Startups don’t always have a lot of cash, so no one blames them for trying to keep expenses as low as possible. Skimping on security, however, is not a good strategy. In fact, poor security could end up costing quite a bit of money.  

Invest in more than one program to protect your network and the devices attached to it.  

Non-negotiables would be a security suite with a robust anti-virus program, firewall, and virtual private network (VPN). We’ll talk about those last two later. For now, we’d like to encourage you to find a software suite that checks for malware, ransomware, spyware, plus keeps a sharp eye out for viruses. [1] [2] [3]  

2. Update Those Security Programs Regularly

Purchasing and installing security programs is only the beginning. They need to be updated on a regular basis. It’s not overkill to do so daily.  

Most programs can be set to do this automatically, though that doesn’t mean you can’t manually check for updates any time you like. For example, go ahead and schedule automatic updates for a couple of hours before your employees come in each day. At the same time, implement a procedure for them to manually check for updates during the last hour of their work days. Between the two, your programs will always be ready to utilize the most up to date security releases.  

3. Remember Up There When We Mentioned a VPN?

Just a few short years ago, VPN services were only for secret agents and tech geeks. But as the daily parade of data breaches, identity theft, new regulations (GDPR we’re talking about you), and government intrusions continues to stroll past, only an extremely injudicious business owner would shrug off considering the idea.  

So, what does this wondrous acronym do? Simply put, it creates an encrypted connection to the internet over which the data associated with your business online activity flows. Forward-looking businesses that already have a VPN installed reap the benefits of a slimmer chance that a cyber attacker will be able to 1) even find your data or 2) be able to read it – state of the art encryption protocols present code that would take the best computer on earth a few billion years to crack. [4] 

The problem is that advanced encryption tends to slow online browsing, so don’t be afraid to read a cross-section of VPN reviews as part of the process of separating the good from the bad or, in this case, the fast from the slow. [5] Some lower quality services have been known to log user data (that’s bad) and either cough it up to government requests (that’s also bad) or sell it to advertisers (that’s downright ugly).  

4. Make the Most of Your Web Host’s Security Features

How much do you know about the security protection provided by your web host? Many of the better services provide a number of ways to keep your pages from being corrupted or information collected from visitors being hijacked.  

Talk with the web host support staff and see what new security measures they may have added since you first signed up. Many add new features regularly that will make your security measures even stronger.  

5. Network SegmentationIs Your Friend

There are those who believe that network segmentation is one of the most powerful ways to strengthen a business network. [6] The rationale is that in the event of some type of breach, it’s possible to limit the damage to one segment. Instead of a cyber attacker being able to wander through your network at will, the action is contained. That provides more options for removing the threat even as you protect the integrity of the remaining network segments.  

6. Never Assume Your BusinessIs Too Small to Target

Do you think that no one would waste time trying to break into your network simply because your business is smaller than the ones we see splashed across the headlines? Think again! Security threats aimed at smaller businesses are common and often lucrative. [7] To some extent, that’s because small business owners think they fly under the radar of cyber attackers and don’t need to beef up their security measures.  

The fact is cyber attackers and sometimes governments want to infiltrate and collect data from small businesses. [8] Assume your company is as much of a target as any major corporation. That attitude could prevent you from becoming another bankruptcy statistic.  

7. Invest in a Next Generation Firewall 

How old is the technology behind your deployed firewall?  [9] Even if it’s only a few years old, it could already be obsolete. The fact that it’s an effective barrier against older threats does not automatically mean it will protect you from more recent ones.  

This is another area that needs constant upgrades. Present generation firewalls offer greater protection and require more sophisticated strategies to breach, especially as artificial intelligence and machine learning technology make their way into the mix. That provides more time for your other safety safeguards to detect the activity and take action to block the threat.  

8. Review and Refine Your System GuidelinesAtLeast Twice a Year  

Technology moves quickly and that includes the development of viruses and other threats. What worked six months ago may not be enough to protect your network today. The only way to be sure is to schedule at least two reviews of your system guidelines annually. [10] Focus on how access is granted, procedures related to remote access, policies about using devices in the office, and anything else that has to do with network security.  

The Bottom Line 

It’s up to you to determine how to protect your network. Talk with a professional and develop a comprehensive approach. Remember that assessing the network setup and usage regularly will make it easier to know when upgrades are needed. While all this might seem like a lot of fuss and bother, the effort will pay off every time threat is detected and blocked and your business lives to operate another day without malware or virus interference. By the way, there’s a good chance your website is already under attack about 22 times per day. 

About the Author

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense, and cryptography.

Disclaimer: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of EC-Council.

Reading Time: 5 minutes

Digital identity is a significant component of any organization’s digital strategy. It ensures the delivery and security of systems, data, and applications. On the contrary, Identity and Access Management (IAM) is a framework designed for various business policies, processes, and technologies to manage digital identities. IAM framework enables IT managers to control user access to critical data while system administrators can regulate the role-based user access to systems/networks. It plays a critical role in the security plan as well as the productivity of the organizations. In simple words, IAM verifies how enterprises allow their staff to access pivotal data and applications. With different roles and responsibilities, every employee has its own set of requirements. Thus, IAM allows and limits the access of different employees according to their roles. Beyond that, access from different infrastructures (cloud, on-premise, and hybrid) and devices (tablets, smartphones, and laptops) is another concern of IAM. 

Understanding the Fundamentals of Identity and Access Management 

Identity and access management (IAM) defines and manages privileges provided to the account holders. IAM also looks after the cases in which the individuals will be granted or denied special privileges. The primary focus of IAM systems is to provide each individual (associated employees and customers) their own unique digital identity. This unique identity should be established, monitored, maintained, and modified under the “access lifecycle” of each individual.  

The three major pillars of identity and access management are:  

• Identification  
• Authentication 
• Authorization 

Whenever users try to access any resource or system, they would enter their authorized login credentials for identification. Their credentials then go through the authentication process. Authentication either uses basic knowledge-based mechanism, such as passwords or advanced techniques like multi-factor authentication. It can use biometrics. Once the authentication process is successful, IAM will initiate the authorization process. This process ensures whether the identified user is authorized to perform the intended operations. 

The general identity and access management policies include – 

• A mechanism to ‘identify’ the users and the roles they are entitled to perform 
• Protecting systems, applications, and data 
• Deploying correct levels of security as per the sensitivity of the data, systems, and locations 
• Adding/Removing/Revising the authenticated users of the IAM system 
• Adding/Removing/Revising the access rights of each registered user of the IAM system 

Key Benefits of Identity and Access Management (IAM) in Cybersecurity 

The four primary functions of identity and access management are the basis of how IAM can benefit us.  

1. Pure Identity Function 

The pure identity function is about creating, managing, and deleting the identified users to change the status of their access privileges. A ‘pure identity’ is represented by a set of axioms in a given namespace, which is generally associated with real-world entities.  

In simpler words, an entity (either real or virtual) can have multiple identities. Again, each of these identities can have multiple attributes, which can be unique in a given namespace. 

2. User Access (Log On) Function

User access function allows users to undertake a digital identity and to correspond all the access controls with it. For instance, a smart card assigned to a customer stores all the associated data and activities linked to offered services. The use of a single digital identity across various platforms simplifies the administrator’s task. It gets easy to monitor, verify, and manage the privileges of the customer.  

An organization when relies on the ‘user access’ function of IAM, focuses more on limiting and granting required privileges to the concerned users. 

3. Service Function

As organizations are adding new services for internal as well as external users (i.e., customers), the need for identity management becomes more important. Also, identity management has been separated from application functions. This step helps in managing a single digital identity for an individual, which can then be associated with his multiple activities. IAM is also evolving to control device access.  

It’s been noticed that every evoked service looks to access massive data (usually private data). In such a scenario, maintaining confidentiality requirements become a must. 

4. Identity Federation

Under this arrangement, one or more systems combine to form a single centralized unit. This unit then allows the user to log in after authenticating it against the participating systems. Such an arrangement is based on trust among all the participating systems. This setup is often known as the “Circle of Trust.” Identity federation has two dedicated systems – Identity Provider (IdP) and Service Provider (SP). So, when users request to access a service, IdP first authenticates users to allow them to use the services controlled by the SP. For that, a secure assertion, SAML assertions, is sent from IdP to SP. This statement verifies if users are reliable or not. 

How Can IAM Prevent a Cyber Attack? 

After the United States Office of Personnel Management (OPM) confirmed a data breach on June 2015, which affected nearly four million people; it released a list of practices on how IAM can prevent an organization from a cyber attack – 

1. Automating the access privilege provision

For every new employee addition, assign all the privileges based on their roles and business rules. It’s better to have workflow automation. Also, for every employee resignation or termination, ensure that all the privileges will be taken away automatically. This practice will help in limiting and preventing unnecessary privileges. 

2. Privileged Account Controls

Generally, the state-sponsored and organized attacks target the privileged accounts of the organization. Once a privileged account gets compromised, it increases the chances of a massive security breach. Social engineering and phishing attacks are some common ways of tricking privileged users in sharing their passwords. Such attacks can remain undetected for a longer period. A robust set of controls on such accounts can help in limiting the compromise of privileged accounts. 

3. Frequent Change in Passwords

Employees of the organization should be asked to frequently change their passwords, possibly once or twice in a month. This suggestion should be made compulsory for privilege account holders and administrators. Frequent change of passwords protects the organization from undetected breaches. 

4. Strong Password Policy

Increasing the complexity of a password makes it difficult to guess or crack. If enterprises prevent the use of weak passwords by enforcing every employee to fulfill some criteria while creating a password. Mandatory use of special characters, numbers, capital letters, makes a few great suggestions. Such a practice can work against the brute-force attack. 

5. Use of Multi-Factor Authentication

Adding an extra layer in security precautions, make a cybercriminal’s task difficult. Using OTP (One Time Password), token, and smart card for multi-factor authentication fortifies the security infrastructure.  

6. Rotation of Encryption Keys

Rotating encryption keys for databases mitigate the risk of identity theft. This is the most recommendable practice whenever a breach is suspected. Rotation of encryption keys should be scheduled regularly or can be done manually. 

7. Removal of Orphan Accounts

Any inactive or unmanaged account pose as a potential threat. Removing such accounts from the servers will help you to prevent a cyber attack. As idle accounts can be used for fraudulent activities, so does the idle servers. Scheduling a routine report for identifying all the inactive accounts will help in mitigating the risk. 

Identity and Access Management (IAM) can be considered a discipline which ensures all the right users get the authorized access to the critical systems and assets of the organization. It offers properly authenticated, authorized, and audited access privileges. This is possible with the provision of singular digital identity for every individual, who can then use this identity for managing multiple accounts. It also uses several practices to avoid potential threats from transforming into colossal cyber attacks. Editor’s Note:Reviewed by Dr. Ranjeet Kumar Singh CEO of Sherlock Institute of Forensic Science India.

Reading Time: 5 minutes

The multi-platform game Fortnite has become a fixture in popular culture over the last few years, with hundreds of millions of people playing the battle royal competition on a regular basis. [1] The game has also created a boost in the e-sports market, as the best Fortnite players in the world are now making a career out of professional gaming.

But like with any popular technology, there will always be nefarious individuals looking to profit from unsuspecting consumers. Since the early days of the internet, cyber attackers have targeted the applications or platforms that had the widest user base and now Fortnite players are experiencing that pain.

In this article we’ll examine the latest form of cyberattack that is hitting the Fortnite community and provide tips for recovering from this malware and avoiding it in the future.

Malware by Deception
The cyberattack being targeted at Fortnite players is a type of ransomware which involves a cyber attacker locking or encrypting all the data on your computer and then displaying a message on-screen that demands a cash or Bitcoin payment. [2] In theory, if you submit the payment as requested, then the cyber attacker will remove the lock on your files.

Fortnite players are being tricked into installing this malware because of it being marketed as a cheat pack. Cyber attackers are posting download links across the web and telling Fortnite players that installing the package will give them an auto-aiming tool and the option to discover other users on the game map.

In reality, the fake cheat pack is actually a well-known ransomware ransomware encrypting agent known as Syrk. [3] When installed, the malware automatically disables your computer’s security features and then loops through your entire local hard drive to make it impossible to open any files. As of now, the Syrk virus that is affecting Fortnite players is specific to the Windows operating system. Players on console platforms do not have to be as concerned about it.

Recovering from an Attack

When you first detect that your computer has become infected with ransomware due to a malicious Fortnite package, it’s important to act quickly. First, disconnect your computer from the rest of your local network. Otherwise there is a chance that the virus could spread to other devices.

The good news about the Syrk form of ransomware is that it’s based on a piece of open-source software. As a result, many countermeasures have been developed and are available for public use. [4] The easiest solution is to search for a file called “-pw+.txt” or “+dp-.txt” in your local Windows folder. The decryption key is stored there and can be entered on the ransomware screen to remove the virus.

If you are unable to reverse the encryption of the Syrk virus, then the remaining approach is to wipe the local hard drive entirely and revert to a recent backup. This underlines the importance of capturing secured snapshots of your data on a regular basis so that no files are lost in case of a ransomware attack. [5]

How to Stay Safe
Education is the most critical factor when it comes to staying safe online, especially for children and teens who spend countless hours on devices playing games like Fortnite. [6] If they do not know about the threat of ransomware and how to identify a suspicious piece of software, then they become extremely vulnerable to cyberattacks.

The brilliant part of this style of attack is that it works because of the nature of the bait offered – ways to cheat at Fortnite. No matter how diligently you may fortify your security measures against the latest in malware, no matter how many steps you may have taken to ensure your online anonymity, none of that matters if you can’t resist clicking that tempting ransomware download link. [7] By doing that, you invite the bad guys right past every defensive measure.

Purchases and downloads for Fortnite should be made directly through the game’s main application. Players need to watch out for advertising pop-ups and email phishing scams that claim to offer bonuses or cheat codes. Before clicking on any link, check the URL it is pointing to and watch out for any domain that is not registered to the Fortnite developers.

Every computer in your home that connects to the internet should be set up with reliable antivirus software that scans your system on a regular basis and checks for definition updates. To make things more secure, consider adding a firewall to your network that will scan all traffic and block malicious software such as the Syrk virus. [8]

Other Targets of Ransomware
In recent years, ransomware has become one of the most popular strategies for cybercriminals across various industries and organizations. In a typical Fortnite attack, the cyber attacker has to pinpoint individual users. But in a corporate or government setting, all it takes is one employee who accidentally installs the malware and the entire office at risk. [9]

In particular, cyber attackers may look to launch social engineering attacks against local governments and healthcare providers. [10] Depending on the technological maturity of these organizations and their networks, there may be access loopholes that make it easy to spread ransomware. And because of the sensitive nature of their data repositories, cyber attackers can extort more money from them than a single Fortnite player who mows lawns after school.

Cybersecurity experts all agree that organizations should avoid paying ransoms to cyber attackers whenever possible. Simply put, there is no guarantee that the criminals behind an attack will ever release the encrypted files. Maintaining a disaster recovery (DR) plan can help you prepare for this type of situation and be ready to react appropriately. [11]

Final Thoughts

Cybercriminals are always looking for large groups of people on the internet who might be susceptible to attack. Sudden growth in a video game like Fortnite represents the exact opportunity that cyber attackers are after. It should be no surprise that ransomware viruses are now being designed to look like Fortnite add-ons and cheat packages.

Most of the Fortnite-based ransomware that has been discovered to date uses the Syrk form of malware, which can wreak havoc on the Windows operating system and bypass many of the security tools you have in place. The virus will essentially hold your local hard drive hostage in exchange for payment. All online gamers need to be aware of the ransomware threat and stay alert for suspicious links or downloadable files.

About the Author

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense, and cryptography.

Disclaimer: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of EC-Council.