Differences between NGAV and EDR | A Comprehensive Guide 

Cybersecurity threats are no joke! Businesses of all sizes understand they need the right tools to keep intruders out of their systems. However, all those terms like NGAV and EDR can get confusing. 

“What’s the difference between NGAV and EDR?” you might wonder. “Do I need one or both?” In this guide, we’ll break down next-generation antivirus (NGAV) and endpoint detection and response (EDR), explore the nitty-gritty details, and help you determine the best way to protect your organization. 

What is NGAV? 

Think of NGAV as the advanced version of your traditional antivirus software. While classic antivirus is great at catching those well-known viruses, NGAV goes beyond just checking file signatures. It is a much smarter solution that uses diverse techniques to catch those pesky threats. 

How does NGAV Work? 

NGAV combines a whole bunch of methods to fight the bad guys: 

• Machine Learning and AI: It analyzes file behavior and patterns to determine whether something is fishy, even if it has not seen that exact malware before. 
• Behavioral Analysis: It tracks what programs and files do, looking for any out-of-the-ordinary behavior that could scream “danger!”. 
• Sandboxing: It puts suspicious files in a safe, isolated environment to see how they act – a clever way to avoid the risk of actual infection. 
• Cloud-Based Threat Intelligence: It taps into vast databases of the latest threats to stay one step ahead of cybercriminals. 

Benefits of NGAV 

• Catch Those Zero-Day Attacks: Sneaky new threats, called zero-day attacks, do not have signatures yet. NGAV goes beyond signatures, giving you a fighting chance against the unknown. 
• Stop Ransomware in its Tracks: Ransomware, which encrypts your files and demands a ransom, might slip past old-school antivirus, but NGAV’s behavioral analysis helps it spot and block suspicious file operations. 
• Less False Positives: NGAV’s smarter analysis helps cut down on those annoying false positives where harmless files get flagged, saving your IT team a lot of time. 

What is EDR? 

EDR is like a security ninja, always on the lookout for suspicious activity within your network. It focuses on what happens after a threat might have slipped through your first line of defense, like NGAV. 

How Does EDR Work? 

EDR does some cool things: 

• Continuous Monitoring: It keeps its eyes peeled 24/7, collecting data on endpoint activity (what your computers and devices are up to). 
• Deep Analysis: It does not just look at individual events; it connects the dots, spotting patterns and anomalies that could be part of a sophisticated attack. 
• Response Actions: EDR does not just alert you – It can help isolate infected machines, block malicious activity, and even roll back changes caused by malware. 

Benefits of EDR 

• Hunt Down Those Stealthy Threats: Even if something avoids your NGAV, EDR’s in-depth monitoring can pick up the clues and hunt the threat down. 
• Understand the Attack: EDR provides valuable forensic data, so you do not just stop an attack, you figure out how it got in to prevent similar ones in the future. 
• Faster Response: EDR’s automated actions help contain a threat before it wreaks havoc, minimizing potential damage and saving you precious time. 

What are the Differences Between NGAV and EDR? 

NGAV and EDR, while both crucial for cybersecurity, operate in fundamentally different ways for specific purposes. NGAV is your frontline defense, designed to stop as many threats as possible from entering your system in the first place. It uses a blend of signature-based detection (matching against known malware), behavioral analysis (monitoring suspicious actions), and increasingly, artificial intelligence, to predict and block attack attempts.  

In contrast, EDR assumes a breach could occur and focuses on everything that happens inside your network. It continuously monitors endpoint data, analyzes it for patterns and anomalies, and provides the in-depth tools needed to investigate, contain, and remediate even stealthy attacks that might bypass your initial defenses. 

Okay, now that we understand how NGAV and EDR each operate. Here is the breakdown of their core differences: 

Feature	NGAV	EDR	Explanation
Focus	Preventing threats from entering	Detecting threats already inside your network	NGAV is the gatekeeper, EDR is the internal surveillance system
Approach	Signature-based + Behavior + AI	Deep analysis of endpoint activity	NGAV looks for known bad patterns and suspicious behavior. EDR analyzes vast amounts of endpoint data looking for signs of compromise that might go unnoticed by NGAV.
Response	Block suspicious files, quarantine threats	Contain threats, provide remediation tools, detailed attack timeline	NGAV primarily stops known threats on sight. EDR helps contain those that slip through, giving security teams tools to track the attack’s path and fix what has been compromised.
Visibility	Limited view of attack	Comprehensive forensic data for thorough investigations	NGAV tells you something was blocked. EDR reveals how something got in, and how far it spread so you can eliminate all traces.

Let’s Use Analogy… 

Think of NGAV as a security guard at the entrance of a building. It checks everyone’s ID, looks in their bags, and refuses entry to any known bad actors. EDR, on the other hand, is like a network of security cameras and motion detectors inside a building. It is constantly looking for anything suspicious, even if those clever intruders manage to disguise themselves initially. 

NGAV, EDR, or Both? 

This is the million-dollar question, isn’t it? The truth is, they are not “either/or” choices, they are powerful when combined. 

• NGAV: Your First Line of Defense: NGAV is essential to block as many threats as possible and reduce the overall attack surface. 
• EDR: The Backup Plan, and So Much More: Even with the best NGAV, some threats might slip through. EDR kicks in as the safety net, providing in-depth visibility and the ability to respond before major damage is done. 

Here’s Why Both is Ideal: 

• Layered Security: Cyber threats are becoming more creative and sophisticated. It is best to have multiple layers of protection in place. 
• Full Detection and Response: NGAV stops most attacks, and EDR catches what slips through, offering swift containment capabilities. 
• Advanced Threat Intelligence: Combining the insights from both tools paints a more detailed picture of what is happening within your environment. 

What Should You Choose for Your Organization? EDR, NGAV, or Both? 

Deciding which solution (or combination) is right depends on factors specific to your business.  

Here is what to consider: 

• Risk Tolerance: How much risk is your company willing and able to absorb? Highly sensitive data or operations might require the added defense-in-depth strategy provided by both NGAV and EDR. 
• Budget: EDR solutions tend to be more expensive due to their complexity. If you are budget-constrained, starting with a robust NGAV and considering EDR as a future upgrade might be the way to go. 
• Technical Expertise: EDR often requires dedicated security personnel to effectively analyze the data it gathers, make decisions, and take appropriate actions. Alternatively, you can buy EDR and NGAV both as a managed service (MDR) from a security service provider. 
• Industry Regulations: Certain industries, like healthcare or finance, have stricter compliance requirements that might make EDR a necessity. 
• Size and Complexity of Your IT Environment: Larger, more complex networks benefit more from EDR tools due to the increased potential attack surface and the need for centralized visibility. 

The Bottom Line 

In today’s threat landscape, it is always best to go for the combined power of NGAV and EDR whenever possible. This provides proactive defense at the perimeter with a robust safety net for whatever breaches that initial layer. 

Summary 

NGAV is all about threat prevention. It helps keep the bad threats outside the gates. 

EDR is all about threat detection and response. It hunts down threats that manage to wiggle their way in, and it helps you stop them in their tracks. 

While your specific situation might dictate a different approach, in most cases, the synergy between NGAV and EDR provides the complete cybersecurity package needed for robust protection against the relentlessly evolving threats in today’s digital landscape. 

I hope this guide has helped clear up the confusion surrounding NGAV vs. EDR and given you a solid foundation for choosing the best security solutions for your organization. Remember, cybersecurity is an ever-evolving battle, so be sure to continually re-evaluate your needs and adapt your defenses accordingly! 

Telemetry: Revolutionizing Cybersecurity with Real-Time Insights 

In today’s interconnected digital landscape, the importance of cybersecurity cannot be undervalued. Organizations face increasingly sophisticated cyber threats. The need for proactive, data-driven approaches to detect, prevent, and respond to security incidents becomes important and vital. Among the arsenal of cybersecurity tools and methodologies, telemetry emerges as a pivotal component, revolutionizing the way security professionals safeguard critical assets and networks.

What is “Telemetry” in Cyber security? 

Telemetry, in the context of cybersecurity, refers to the automated collection, analysis, and transmission of real-time data from various sources across an organization’s IT infrastructure. It encompasses a wide array of information, including network traffic, system logs, endpoint activities, user behaviors, and application performance metrics. This wealth of data serves as a treasure trove for security analysts, enabling them to gain comprehensive visibility into the organization’s digital ecosystem. 

At the heart of telemetry’s significance lies its role in threat detection and prevention. By continuously monitoring and analyzing vast streams of data, telemetry allows for the identification of abnormal patterns, deviations from established norms, and potential security breaches. Anomaly detection algorithms, powered by telemetry data, raise immediate red flags upon detecting suspicious activities, facilitating swift responses to mitigate threats before they escalate. 

There are many areas where telemetry can contribute to organizations cyber security landscape. 

• Threat Detection and Prevention 
• Incident Response and Investigation 
• Enhanced Security Operations 
• Compliance and Risk Management 
• Decision Making and Strategy 

Threat Detection and Prevention:

Anomaly Detection: Telemetry data helps in detecting abnormal behavior or deviations from normal patterns within the network or systems. Unusual traffic, unexpected access attempts, or deviations in system behavior can be detected and investigated for potential threats. 

Intrusion Detection: Continuous monitoring through telemetry aids in identifying potential intrusion attempts, such as unauthorized access, malware activities, or other security breaches. 

Incident Response and Investigation:

Forensic Analysis: Telemetry data serves as a critical source of information during incident response and forensic investigations. It provides detailed logs and historical data that can help in understanding the timeline of events leading up to a security incident. 

Threat Hunting: Security teams use telemetry to proactively search for signs of potential threats or vulnerabilities within the network. It involves analyzing historical data to uncover hidden threats or vulnerabilities that may not be immediately apparent. 

Enhanced Security Operations: 

Visibility and Monitoring: Telemetry offers visibility into the entire network infrastructure, including endpoints, servers, applications, and cloud environments. It allows security teams to monitor and assess the security posture in real-time. 

Performance Monitoring: Telemetry data not only helps in identifying security threats but also aids in monitoring system performance, identifying bottlenecks, and optimizing resource allocation. 

Compliance and Risk Management: 

Compliance Monitoring: Telemetry data assists in maintaining compliance with regulatory standards by providing evidence of security controls and activities. It helps organizations demonstrate adherence to security standards and regulations. 

Risk Assessment: Analyzing telemetry data allows organizations to assess risks and vulnerabilities accurately. It helps in prioritizing security measures and implementing controls to mitigate potential risks. 

Decision Making and Strategy: 

Data-Driven Insights: Telemetry generates data-driven insights that aid in making informed decisions regarding cybersecurity strategies, resource allocation, and future investments in security measures. 

Continuous Improvement: Leveraging telemetry data enables organizations to continuously improve their security posture by identifying weaknesses, fine-tuning security controls, and adapting to emerging threats and attack vectors. 

CrowdStrike: Detections and Tainted Telemetry are Required for an Effective EDR Solution

CrowdStrike Falcon^® continuously collects comprehensive telemetry, even when malicious or suspicious activity is not being detected on the endpoint. This telemetry includes hundreds of different types of activity such as process creation, HTTP connections, service creation, logins, and many other event types. The CrowdStrike^® Falcon^® platform makes extensive use of this concept to streamline analysis. Falcon automatically surfaces for the analyst all existing telemetry that is connected to malicious detections. Tainted telemetry allows analysts to understand more threats faster than they could with a less-capable EDR solution. 

Cybereason: XDR Performance based on real-time telemetry

AI-driven Cybereason XDR can help organizations embrace an operation-centric approach to security. Cybereason understands that they’re at their best when they’re combined with Indicators of Behavior (IOBs) Organizations can use these subtle signs of compromise to defend themselves against threats—even if someone has never seen them before.

In conclusion, the significance of telemetry in cybersecurity cannot be overstated. Its role in proactive threat detection, incident response, compliance adherence, and data-driven decision-making positions it as an indispensable tool in the arsenal of cybersecurity measures. As organizations navigate the complexities of the digital realm, harnessing the power of telemetry emerges as a linchpin in safeguarding critical assets, mitigating risks, and fortifying defenses against evolving cyber threats.

The Stages of a Cyber Attack (Cyber Kill Chain)

Know your enemy by comprehending the strategy used by Hackers

Preventing a hacker from breaching your system is more complex than it sounds; there are multiple ways a hacker could breach a system. For us to prevent this, we need to understand how the hacker thinks, plans, and executes. Understanding the tactics and the information the hackers find intriguing should be a prioritized cybersecurity investment and effort. An overview of the stages of a cyberattack (which is also referred to as cyber kill chain) will provide you with an insight into the areas that should be assessed and prioritized in the organization’s strategy regarding cybersecurity.

Five Stages of a Cyber Attack

Phase One: Research and Reconnaissance

The 1st stage of a cyber-attack is where the hacker starts to research their target to collect as much information as possible. This phase can be known as ‘Footprinting’. Understanding the target, its location, types of information that the target holds, how the target is protected, and how the hacker can conduct the attack.

Hackers get Internet Protocol (IP) address details from publicly accessible sources and conduct scans to find out what hardware and software the target firm is utilizing. They verify the domain names using the online registration database maintained by the Internet Corporation for Assigned Names and Numbers (ICANN).

Hacking attempts will be more successful if hackers spend more time learning about the company’s personnel and IT infrastructure. Reconnaissance has been categorized into two types, and they would be Passive Reconnaissance and Active Reconnaissance.

Passive Reconnaissance

Using an open-source platform to gather information about the target without any direct engagement with the target can be known as Passive Reconnaissance. By doing a Passive Reconnaissance for a target, the user will try to collect useful information such as system data, used applications of the organization, employee names and emails, social media details, public records, and most importantly, domain details.

Types of useful information that are gathered by Hackers via Open Sources

• Public Records: Hackers will be using publicly available records to gain information about the organization. Public records, such as tax records, are used by attackers to learn more about the inner workings of the organization. Press releases, company stakeholders, and annual reports are also useful for gathering information about the target.
• Email Harvesting: Using a combination of collection methods, the attacker will collect email addresses of the organization to be used later in phishing campaigns and to crack login credentials. A combination of collection methods, web crawlers, directory attacks, illegal dark web purchases, or even taking advantage of the commonly used organizational email template ([First_Name]. [Last_Name] @[Oraganization_Name]).
• Social Media: LinkedIn, Facebook, Instagram, and X (formerly Twitter) are resources to gather details on your employees, their roles, and clues about their daily routines.
• Job Postings: The company’s technologies and applications are briefly described in job advertising, and the attacker can get a good understanding of the criticality of the position. With criticality, the attacker can get an understanding of the weaknesses and vulnerabilities that may exist.
• Domain Name Searches: Used to collect domain registration information and details about IP addresses. Online tools such as ‘WHOIS’ could be used in such tasks. Domain structure and weaknesses could be analyzed and used as a target to be exploited.

Active Reconnaissance

When the attacker directly engages with the target organization and its employees or systems to gather information, it is known as Active Reconnaissance. Compared to Passive Reconnaissance, Active Reconnaissance is harder to execute, and the information that will be gathered from it could be directly used to exploit weaknesses in any system of the organization. Typically, Active Reconnaissance will take the form of port or network scanners, and these scans will reveal and expose firewalls, network architecture, intrusion detection programs, or other security mechanisms that are being used to block entry and their weaknesses.

• Network Scan: By mapping the topology of the different hosts, servers, routers, and firewalls, the goal is to show how data travels through the network. The attacker makes an effort to locate and associate IP addresses with active hosts or computers that have replied to their queries. They may more precisely target the machines they want to check for ports using this approach.
• Port Scan: identifies the services that are accessible on the host ports of the target. There are several ways to do this, but the scan’s primary goal is to ascertain if the port is open, closed, or unresponsive. If a port is open, its answer will provide details allowing an attacker to locate certain services hosted on the port, such as the name and version of an application or the operating system. Versioning of the system name and configuration will provide an attacker with the knowledge they need to look for particular flaws or create new ones.

Phase Two: Weaponization

The completion of the Reconnaissance effort will start the weaponization phase. With the information gathered in the Reconnaissance phase, the attacker will develop techniques to exploit the defenses of the target, taking access to the attacker’s desired information. The kind of weaponization is determined by the hacker’s skills and information gathered in the reconnaissance phase. The next step for the attacker is to ready the stage for the attack by drafting phishing emails, creating, and posting fake websites (Watering Holes), and developing or acquiring malware. The attacker usually starts the attack after sufficient research and preparation have been completed for software and/or hardware vulnerabilities.

Phase Three: Gaining Access

Various points can connect to a network. Employees who click on an attachment in a phishing email and download malware are examples of potential weak points. Other vulnerabilities might arise when staff members are persuaded to divulge sensitive information, such as login passwords, or when one of your systems is improperly set up or patched, allowing an attacker to get past the defenses of your organization. It is possible that the attacker used a sophisticated search engine query to locate a login page on the public web and then used data gleaned from social media and password-cracking tools to guess the username and password. They are currently a part of your network.

Phase Four: Exploitation

The two goals of an attacker who has gained access to a system are to increase their privileges and maintain access. By escalating privileges for themself, a hacker can make modifications to the system that are typically banned for regular users or applications. Once they have gained access to a system, hackers will use a variety of techniques to increase their privileges, including:

• Use Valid Accounts: If an attacker managed to obtain the login information for one of your workers during the reconnaissance phase, they might use that knowledge to gain access to administrative accounts. People frequently use the same passwords or use usernames and passwords that are predictable and easy to guess.
• Manipulate Access Tokens: A Windows computer controls and enacts access control over individual processes by manipulating access tokens. A malicious actor can generate, copy, or utilize existing tokens in various ways to unlock restricted behaviors like software downloads.
• Leverage Windows UAC System: Through a set of default rights, the Windows User Account Control (UAC) mechanism controls access to certain software systems. An approved administrator account must seek and approve any further access. This system contains security flaws, and there are times when apps can execute commands with elevated rights or elevate their own privileges without using the UAC control mechanism. Even in secured folders, hackers use this flaw to launch attacks and carry out file actions.

The hacker will try to continue having access to the systems once they have gained access to the environment. Hackers can continue their presence using a variety of techniques, such as creating new user accounts, changing firewall settings, enabling remote desktop access, or adding a backdoor using rootkits or other malicious files, thanks to the ability to perform privileged commands.

Phase Five: Exfiltration

Once the objective of the hacker is achieved, they will leave the system or network, but a skilled hacker will make sure to cover their tracks. From an attacker’s perspective, this step is very important because they will have covered all their tracks by uninstalling the programs that were used during the attack, deleting any created folders, modify/edit/corrupt/delete audit logs so the attack cannot be traced back to the hacker. When an organization or individual detects an attack on their system or network, they will make future efforts to identify the root of the attack by involving law enforcement.

How can eBuilder Security help you?

A highly qualified team at eBuilder Security will be handling the Penetration Testing to identify vulnerabilities and how they could be exploited by hackers before they identify and do so. Various automated tools and manual testing will be conducted to complete a Penetration Test. Each application and environment are unique, and here at eBuilder Security, we use a unified methodology that addresses the requirements of Penetration Testing. By taking a dual approach of White-Box Testing and Black/Gray-Box Testing, we are determined to find the vulnerabilities and help you mitigate them.

Cybersecurity

What is cybersecurity?

Cybersecurity is a series of measures, technologies, and processes designed to protect computers, networks, devices, and information from unauthorized access, malicious activities, or accidental damage. These cyber-attacks are usually aimed at accessing, changing, or destroying sensitive information, disrupting businesses, and extorting money from consumers through ransomware. It is also known as information technology security or electronic information security. Security measures are essential in protecting digital assets from cyber threats. Measures to improve cybersecurity can be compared to health checks, which must be carried out regularly and routinely. Practicing good cyber hygiene is also an imperative part of effective cybersecurity.

Why is cybersecurity required?

Today, more and more information, both personal and business, is stored online. This makes it easier for unauthorized persons to access this information, which can cause damage in various ways. Cyberattacks can, for example, lead to the leakage of personal information, credit card details, and other valuable data. This information can then be used for identity theft, fraud, extortion attempts, and other crimes. Attacks can also hamper business operations, create data losses, and cause damage that can be both financial and brand-related. Therefore, cyber security is highly essential for safeguarding people and companies against spammers and cybercriminals.

What do the most common cyberattacks look like?

Many varieties of cyberattacks take place in the world today. Understanding the different types of cyberattacks makes it easier for us to protect our networks and systems against them. A cyberattack can be carried out in different ways. Some of the most common forms of cyberattacks are:

Malware (Malicious Software)

This is one of the most common types of cyberattacks. For example, malicious software can be distributed via email, social media, or other online channels and, in the next step installed on a computer without the user being aware of it. Malware can cause damage to computers and devices in a variety of ways, depending on the type of malware, such as viruses, adware, worms, trojans, and spyware.

Ransomware attacks

This type of attack involves a specific type of malware called ransomware, which utilizes malicious code to encrypt files on a computer or network so that they cannot be used. In the next step, the attacker demands a ransom to provide the decryption key to restore the files or network.

Phishing

Phishing attacks are the main source of ransomware distribution. This attack method involves a fraudster sending an e-mail message that appears to come from a trusted sender. For example, it can be designed as an email from a bank, an authority, a company, or even a private person. The purpose is to trick the recipient into giving out sensitive information, such as usernames, passwords, or other login details.

DDoS attacks

DDoS (Distributed Denial of Service) attacks aim to overload a website or server with traffic so that the website cannot be used. This can affect the company’s ability to do business and also cause reputational and brand damage.

Man-in-the-middle attacks

This type of attack involves an attacker exploiting insecure network configurations to gain access to communications between two devices. In the next step, the attacker can spy on communications and read the shared information. This can include both internal and external communications.

It is important to understand that cybersecurity is a continuous process within an organization. It is possible to compare cybersecurity with maintaining health and wellness, which is also an ongoing process. Similar to people getting vaccinated to prevent illnesses and be healthy, there are several concrete measures you can take to be secure in the case of cybersecurity. However, getting vaccinated is simply not enough to be healthy. Similarly, installing security software or using strong security equipment is not enough. It also requires wellness in the form of education and knowledge from users about the various threats that exist and how to avoid them. Companies and organizations should therefore develop a cybersecurity policy tailored to their specific needs.

What is the difference between cybersecurity and IT security?

IT security and cybersecurity are two terms that are often confused, but there is a certain difference between them.

IT security aims to protect the information technology (IT) used within the organization. This may include, for example, protecting computers, networks, servers, applications, and other digital devices from unauthorized access, malware, and other threats. IT security focuses on protecting the physical infrastructure used to support the organization’s digital operations.

Cybersecurity, on the other hand, is a broader concept that certainly includes IT security. It encompasses the protection of digital resources that are not necessarily part of the organization’s IT infrastructure. This can include the protection of cloud services, social media, mobile phones, and other devices used to manage your organization’s digital assets. Cybersecurity focuses on protecting your organization’s digital assets from threats, regardless of the source or type. Thus, cybersecurity has a broader scope than IT security and therefore has the widespread task of protecting the organization’s digital assets.

How can you improve your cybersecurity?

There are several relatively simple steps to take to increase your cybersecurity. Some of these are:

Use strong passwords

Use unique passwords for each account and use a combination of numbers, upper- and lower-case letters, and special characters.

Continuously update all software

Make sure that all applications on your computer, mobile phone, or other device are up-to-date with the latest security updates.

Use antivirus software

Install antivirus software on your computer and mobile phone, and make sure that they are up to date with the latest updates.

Use two-factor authentication(2FA)

Enable two-factor authentication on accounts for extra security.

Pay attention and be cautious with e-mails and links

Do not open e-mails from unfamiliar senders, and do not click on unknown links. A certain amount of caution is recommended.

Securely backup files

Regularly back up important files and documents to an authorized external location.

Be careful with personal information

Don’t post personal information, such as social security numbers or bank details, on the internet. Again, a certain amount of caution is recommended.

Use secure networks

Connect only to secure and reliable networks and avoid connecting to open and public Wi-Fi networks.

Be alert to social engineering

Beware of fraudsters trying to obtain personal information or steal money.

Self-education

It is important to educate yourself on cybersecurity and how to protect yourself and your equipment. This can be done by attending courses, reading blog posts, and cybersecurity news. Once again, this brings us back to practicing good cyber hygiene all around.

How can eBuilder Security help you with your cybersecurity?

eBuilder Security has several services to improve your cybersecurity level:

• We can help you implement an EDR solution to protect your devices. We’ve partnered with market leaders CrowdStrike and Cybereason to provide the best possible protection for all types of devices, from cloud to mobile. This can be combined with active threat hunting, where we connect 24/7 human threat hunting to your environment.
• We perform vulnerability scanning on your applications to find possible vulnerabilities, this is part of the health checks and continuous evaluation and improvement of their security culture.
• We perform penetration tests on your applications, which is a more advanced test than a vulnerability scan, as we test what we find and try to break into the application.
• We perform automated network penetration tests, which are useful in finding and testing the vulnerabilities in your network setup, and we also perform manual network penetration testing when more detailed testing is required.
• We can help you evaluate your security posture by conducting IT security-related reviews and audits.

Dangers Lurking on the Dark Web: Why You Should Stay Away

The internet is a huge collection of information with two main parts: the surface web, which is easy to access and where regular online activities happen, and the mysterious deep and dark web, hidden and full of fascination. This article will explore the details of these hidden parts of the internet, uncovering the dynamics that make them what they are.

Surface Web

The surface web refers to the accessible portion of the internet that can be explored using conventional search engines such as

• Searchable Content: Surface web is accessible via search engines. Information on this internet section is readily discoverable through search queries, enabling users to find a wealth of information with just a basic keyword search.
• Publicly Accessible Websites: Surface web websites are created for the public and cover a broad range of content, such as news, blogs, online stores, educational materials, and more, all available to a global audience.
• Interactive and Dynamic: The surface web contains dynamic and interactive content that adapts to user actions. This includes social media, forums, and various web apps, making the online space lively and responsive.

The surface web encompasses websites that are indexed and easily accessible to the public. This includes a wide range of platforms, from social media sites to news websites, representing the internet that most users engage in their daily online activities. Although the surface web is made up of many of the most popular .com, .net, and .org sites, it’s estimated that it represents only around 5% of the total content available on the internet, with the rest being found on the deep web or dark web. In a classic example, the surface web can be imagined as the tip of a large iceberg whose bulk remains hidden just under the surface.

Listed below are a few search engines used to access the surface web;

• Google
• Bing
• Yahoo

The deep web

The deep web refers to the part of the internet that is not indexed by standard search engines. It includes content that is behind paywalls, password-protected databases, private emails, and other materials that are not meant for public consumption. The deep web dwarfs the surface web, constituting around 90% of all websites. However, it’s essential to note that not all content in the deep web is inherently secretive or illegal, a few examples are listed below.

• Databases: Collections of files, whether publicly or privately safeguarded, exist independently without direct links to other sections of the internet. These collections can only be explored within their respective databases and are not searchable through external connections.
• Intranets: Intra-organizational networks designed for enterprises, governments, and educational institutions serve as private channels for internal communication and the management of various aspects exclusive to their respective organizations.
• Password-Protected Websites: Information that is accessible only behind login pages or protected by passwords is commonly referred to as being part of the deep web. This category encompasses a wide range of content, such as personal email accounts, online banking platforms, and other secure services.
• Dynamic Pages: Websites that change their content based on what users do, like when you search or fill out a form, are usually not shown in search engine results.

In the obscure realms of the web, one encounters more perilous content and activities. The “dark web,” situated at the distant extreme of the deep web, consists of Tor websites accessible exclusively through anonymous browsers. Most of the content on the deep web is legal and benign, while some activities require privacy and security, like confidential research, personal email, and financial transactions.

The dark web

The term “dark web” pertains to websites that remain unindexed and can only be reached through specialized web browsers. In comparison to the relatively small surface web, the dark web is recognized as a subset of the deep web. If we draw an analogy with an iceberg, the dark web would be analogous to the submerged tip at the bottom of the iceberg.

The Dark Web is primarily used to conceal illegal activities. Dark Web marketplaces offer the sale of stolen data and credentials, firearms, drugs, and illegal services. The Dark Web is also where cybercriminal gangs commonly congregate and plan their attacks. This also makes it a valuable source of information regarding emerging cybersecurity risks and data breaches.

• Surface web search engines like Google and other commonly used tools are incapable of indexing or presenting results for pages within the dark web.
• Traditional browsers cannot access it because of its distinct registry operator, and it remains even more concealed through a variety of network security measures such as firewalls and encryption.

Types of cybercriminal activities handled on the dark web

• Botnets
• Ransomware
• Darknet markets
• Bitcoin services
• Hacking groups and services
• Financing and fraud
• Terrorism

Why you should not explore the dark web without proper knowledge?

Illicit Activities:

The dark web has gained notoriety for being a platform where illicit activities, including but not limited to drug trafficking, weapons trade, hacking services, and various forms of cybercrime, thrive. Participation in such activities can result in severe legal repercussions.

Law Enforcement Monitoring:

International and local law enforcement agencies closely monitor the dark web for illegal activities. People involved in unlawful transactions or discussions might get into trouble with authorities if they get caught.

Malware and Scams:

The dark web is a hub for different kinds of malware, scams, and phishing schemes. Users might unintentionally download harmful software or become targets of scams, putting their personal information at risk.

Identity Theft:

The dark web serves as a marketplace where stolen personal information, such as credit card details, social security numbers, and login credentials, is traded. If users’ information is purchased and misused, they could fall prey to identity theft.

Financial Risks:

On the dark web, transactions commonly use cryptocurrencies. Users could encounter financial dangers, like scams or losing money because these transactions are usually irreversible.

Secure your IT system from supply chain attacks

What is an Information technology (IT) system? An IT system is a combination of hardware, software, and other equipment that are used to collect, store, process, and transmit data and information. As we can see various components are consolidated to complete an IT system. No IT system is completely built in-house without any third-party components. There are many suppliers involved from hardware to software implementation. It could involve various elements such as hardware, licensed software, freely available and open-source software components, or even outsourcing tasks to external parties. A security incident from one supplier may have a chain reaction on many components in an IT system. To ensure the security of the entire IT system, it is crucial to monitor third-party components and their security.

A supply chain attack, commonly referred to as a software supply chain attack or third-party supply chain attack, is a type of cybersecurity threat that focuses on exploiting vulnerabilities or weaknesses in the software, hardware, or services supplied by external vendors and suppliers. These attacks aim to breach the security measures of an organization by leveraging the trust placed in these third parties. Supply chain attacks can prove challenging to detect and mitigate due to their reliance on trusted partners, making them particularly insidious. Furthermore, these types of attacks have the potential to propagate across multiple organizations if a single supplier is compromised, leading to a cascading effect. Understanding the key features and aspects of supply chain attacks is crucial for effective IT security strategies.

Third-Party Involvement

Supply chain attacks take advantage of the trust relationship between an organization and its third-party suppliers, vendors, or service providers. These third parties are often seen as trusted sources, and their products or services are integrated into the organization’s environment.

Attack Vectors

There are several ways that attackers can breach the supply chain, such as:

• Malicious Software Insertion: Cybercriminals may inject malware or backdoors into software or firmware during the development, distribution, or update processes. This tainted software is then distributed to customers.
• Compromised Hardware: Attackers may tamper with hardware components or devices before they reach the customer. For example, malicious hardware implants can be added to servers or networking equipment.
• Vendor Accounts: Attackers may gain unauthorized access to vendor or supplier accounts, allowing them to manipulate software updates or distribute malicious updates.
• Software Dependencies: Supply chain attacks can target software dependencies, such as libraries or packages used by an application. If a compromised dependency is used, it can impact the security of the entire application. Keep this in mind if you are using open-source and third-party libraries for your software development.

Scope of Impact

Supply chain attacks can have a broad impact because many organizations may widely distribute and use compromised software or hardware. A single successful supply chain attack can affect numerous victims.

Stealthy Nature

These attacks are often stealthy and difficult to detect because the compromised components or software appear legitimate. Attackers may wait for an extended period before executing malicious actions, making attribution and detection more challenging.

Motivations

Attackers may have various motivations for supply chain attacks, such as seeking financial benefits, conducting espionage, data theft, causing disruptions, or compromising specific targets.

Here are examples of supply chain attacks and their impact on the affected systems and these are some real-world attack examples you should be aware of:

• SolarWinds Orion attack: One of the most notorious supply chain attacks in history is the SolarWinds Orion attack. In 2020, attackers compromised SolarWinds Orion, a popular network monitoring and management software platform. The attackers injected malicious code into Orion updates, which were then installed by thousands of organizations around the world. This allowed the attackers to gain unauthorized access to the computer systems and networks of various organizations, which included both government agencies and private companies.
• NotPetya ransomware attack: In 2017, the NotPetya ransomware attack targeted organizations in Ukraine and around the world. The attack was carried out through a compromised accounting software program called M.E.Doc. Once installed, NotPetya encrypted the files on infected computers and demanded a ransom payment. The cyber-attack resulted in extensive financial losses amounting to billions of dollars for businesses and organizations globally.
• CCleaner malware incident: In 2017, hackers compromised the CCleaner software update server and injected malicious code into the CCleaner installer. This malware was installed on over 2 million computers, giving the attackers access to these computers. The attack was attributed to a Chinese hacking group. The attack granted hackers access to data from over 2 million users, potentially enabling unauthorized control of the affected systems.

What should you do to mitigate possible supply chain attacks?

To mitigate the risks associated with supply chain attacks, organizations should:

• Conduct thorough due diligence when selecting and evaluating third-party vendors and suppliers.
• Monitoring suppliers: Organizations should monitor their suppliers for suspicious activity. Regularly assess and monitor the security practices of third parties. By doing so, we can effectively manage risks associated with third-party involvement and maintain the trustworthy nature of our operations.
• Segmenting networks: Organizations should segment their networks to prevent attackers from moving laterally within the network if a supplier is compromised. The goal is to minimize the attack surface and limit the potential widespread impact as much as possible.
• Integrate libraries and packages from trusted sources into your application. To ensure the security and reliability of your application, it is essential to incorporate libraries and packages from reputable sources. Before doing so, scan and validate these components to prevent any potential threats or errors.
• Implement strong access controls, authentication, and authorization mechanisms for third-party interactions. Organizations should implement strong authentication measures such as multi-factor authentication (MFA). By doing so, they can effectively prevent unauthorized access and safeguard sensitive information.
• Verify the integrity and authenticity of software updates and patches from trusted sources. There can be compromised server updates that give you malicious software updates without your notice.
• Implement network segmentation to limit the lateral movement of attackers within the network.
• Maintain up-to-date incident response and disaster recovery plans to respond quickly to potential supply chain compromises.
• Regular audits help organizations proactively identify and address these vulnerabilities, enhancing their overall security posture.
• Audits are not a one-time event; they should be part of an ongoing process of continuous improvement.
• Establishing effective security policies.
• Constant Monitoring and Incident Response Planning: Having a solid incident response plan (IRP) is crucial for rapidly identifying and addressing security breaches. Constant monitoring allows for early detection of suspicious activities within your network, while an IRP details the steps to take upon identifying an attack.
• Collaboration with security communities: Organizations should actively engage in security communities to remain informed about the latest threats and best practices for mitigating them. Exchanging information and collaborating with other organizations can help enhance overall cybersecurity posture across various industries.

Application Penetration Testing: What You Need To Know

Cybersecurity Concerns Today

The statistics in cybercrime predictions each year are daunting, and real-life incidents are paralyzing. If you can’t yet comprehend the full scale of the threat, here’s a compiled list of cybersecurity predicaments in statistics this year to lose your sleep over.

While cybercrimes themselves are reasons to worry, the level of sophistication that these crimes now employ is certainly something to be vexed about. Cybercriminals are increasingly technoid, sophisticated, well-funded, and unstoppable.

Consequently, safeguarding your simple enterprise now requires the expertise to combat the best of advanced technology as well as the knack to outwit the masterminds, human and otherwise.

While your trusted standard cybersecurity measures guard all your gates, there is always the risk of an unforeseen threat, with cybercriminals potentially launching an attack through your internet-facing interfaces. Which is the reason why Application Penetration Testing can save you some sleep.

What is Application Penetration Testing?

Penetration testing, or pentesting as known widely, refers to hacking into a system with the consent of authoritative parties, for the purpose of discovering weaknesses, faults, and vulnerabilities within the security of the system being tested. Consequently, application penetration testing refers to the process of identifying vulnerabilities and/or loopholes in an application, typically a web application.

Taking a proactive and strategic approach, pentesting emulates real-world cybercriminal tactics. This helps to uncover vulnerabilities before they are exploited, identify weak links in the security chain, and ensure the integrity of systems, networks, and applications in anticipation of potential attacks. 

Put simply, it is the equivalent of the time-tested stunt of getting into the gloves (or the hoodie!) of the hacker with the intent of breaking everything and anything that works.

“To know your enemy, you must become your enemy.”

Sun Tzu, The Art of War.

Pentesting Your Applications – The Scope

Having evolved and advanced from ethical hacking, penetration testing is carried out with explicit permission aimed at improving system security. However, pen testing differs distinctly from ethical hacking in its scope, objectives, and approaches, although they are related cybersecurity practices.

Ethical hackers, also known as “white hat hackers”, emulate the techniques and tactics used by malicious hackers, comprehensively covering a wide range of activities such as vulnerability assessment, code review, social engineering, including but not limited to penetration testing. 

Pentesters, on the other hand, use a methodical and systematic approach to test the security of a specific target. Possessing specialized skills, they are proficient in using penetration testing tools and techniques, such as exploiting software vulnerabilities, bypassing security controls, and escalating privileges.

The testing itself takes three different approaches: black-box testing (where testers have no prior knowledge of the target system), white-box testing (where testers have full access and knowledge of the system), and gray-box testing (a combination of both).

When extended to web and mobile applications, pentesting encompasses simulating attacks on a system externally as well as internally identifying vulnerabilities within, and uncovering potential exploits.

An essential component of a comprehensive cybersecurity strategy, application pentesting helps organizations fortify their cybersecurity defenses against malicious actors, using the very strategies that the threat actors themselves are likely to employ.

Not to mince words, it is a case of the offense becoming the defense – to save your ship from sinking.

Penetration Testing as a Service [PTaaS] – The Benefits

Even with all the benefits of penetration testing, it can be compelling not to outsource the service, especially if you have the know-how and in-house expertise.

In the arena of cybersecurity, however, you can never be certain of guarding your fort well. It is always better to have a third eye check on you, adding credibility to your cybersecurity posture.

Getting professional assistance helps you cover the following scenarios effectively:

• Real-World Testing: Penetration testers simulate real-world attack scenarios, allowing you to see how well your security measures hold up against actual threats. This realistic testing can uncover vulnerabilities that automated scanning tools might miss.
  
• Identify Hidden Vulnerabilities: Discover vulnerabilities and weaknesses in your systems, networks, and applications that may be unknown to your organization.
  
• Mitigate Insider Threats: Assess the effectiveness of your internal security controls against insider threats, helping you identify and address potential risks from employees or contractors with malicious intent or accidental mistakes.
  
• Compliance Requirements: Often industries and regulatory bodies require regular penetration testing as part of compliance with security standards and regulations (e.g., PCI DSS, HIPAA, GDPR). Hiring a professional penetration testing service can help ensure you meet these requirements.
  
• Security Awareness: Raise awareness about security within your organization. It can highlight the importance of cybersecurity best practices and encourage a security-conscious culture among employees.
  
• Third-Party Validation: Penetration testing results can be used to demonstrate your commitment to security to customers, partners, and stakeholders. It builds trust and credibility, especially when you can show that you regularly test and improve your security measures.
  
• Continuous Improvement: Regular penetration testing helps you continuously improve your security measures over time. It ensures that as your systems evolve and new threats emerge, your defenses remain robust with a third-party validation attesting that.

Then there’s the peace of mind – in knowing that you’ve taken all viable steps to accurately assess and proactively enhance the security of your enterprise, bringing in a sense of assurance to your leadership, employees, and stakeholders.

eBuilder Security’s Comprehensive Penetration Testing – The Methodology

eBuilder Security’s application pentesting methodology involves a comprehensive penetration testing service that covers vital aspects of the hardware, software, and data security of your enterprise. Our methodology comprises:

• Information Gathering: Collect, assemble, and unjumble all information pertaining to your business – looking for any loopholes to seep into your system. This includes your business requirements, your network of clientele, interaction circles, data at rest on-site and on cloud, data in-transit, online data-sharing web sources etc. leveraging phishing wherever possible.
  
• Assess & Analyze: Identify critical application pages and perform automated scans to identify vulnerabilities. Analyze, verify, and eliminate false positives from vulnerability analysis reports.
  
• Exploit & Penetrate: Attempt exploitation techniques on identified vulnerabilities and penetrate into the underlying infrastructure.
  
• Attack Persistently: Establish access, replicate attacks, and escalate privileges. Pivot through the network and penetrate into other critical servers like AD, Mail server, etc.

• Verification: After the security threats have been removed, verification tests are executed.

Last but not least, we provide a comprehensive report with the results, including a summary of all the risks discovered during the assessment categorized by their severity, their implications, and our recommendation on how to mitigate each risk.

eBuilder Security’s Application Penetration Testing Service – The Solution

Backed by 10+ years of experience and OSCP, CISSP, CEH, and OSCE certified consultants, our service combines the knowledge, methodology, processes, and toolsets of our expertise into a single platform for easy use and access.

Our application penetration testing evaluates the robustness of your security system with real-life simulation of hacking into the applications of your system, exploiting vulnerabilities to penetrate your network.

We help organizations perform penetration tests within their environment at any given time, satisfying both compliance requirements and meeting network security best practices. Let us try and attack you, so we can find and fix your vulnerabilities before a cybercriminal exploits them.

In today’s interconnected world, organizations of all sizes and industries rely heavily on large networks and external partners to drive their operations and are no longer able to be driven as siloed units. However, with the increase in cyber-criminal activities, the inherent risk associated with this enhanced connectivity – the potential for security breaches and data vulnerabilities, keeps growing. Let’s explore why every organization, regardless of size or industry, must prioritize and conduct comprehensive security audits.

Protecting Sensitive Data 

Data is now the lifeblood of almost all organizations. From personal data to financial data, sensitive information is a prime target for malicious actors. Securing this data from cyber criminals is a crucial task upon which the continuity of an organization depends. Conducting a security review is a proactive step towards safeguarding this data and preventing unauthorized access. 

Preventing Costly Data Breaches 

According to IMB, the average cost of a data breach this year (2023) has been 4.2 million Euros which is a 15% increase over the previous years. Data breaches can have catastrophic consequences for an organization. Beyond the immediate financial loss, they can lead to long-lasting damage to an organization’s reputation and customer trust. An organization can save substantial financial resources and maintain its public image by identifying and addressing vulnerabilities before they are exploited. A security review is an ideal precaution available for discovering issues and protecting your organization from data breaches.

Improving Security Posture 

By identifying weaknesses and vulnerabilities, a security review provides insights into the maturity of the security and privacy level of the organization and where improvements are needed. A security review provides a prioritized road map for the implementation of improvements which will ensure that the resources are allocated optimally and aligning the security posture with evolving risks and industry standards. 

Compliance with Legal Requirements 

With the skyrocketing of cybercrime, data protection laws and regulations are becoming more stringent globally and the European Union has also been strengthening the enforcement of the EU General Data Protection Regulation (GDPR) and its sanctions with time. Failure to comply can result in severe legal consequences and financial penalties. Fines for violating GDPR hit a record high this year just within the first 6 months.  

A new version of the Network and Information Security Directive (NIS2) was passed by the EU Council and the parliament which came into effect this year. The sectors covered by the directive have been widened and the requirements have been expanded with the new NIS2 directive. Higher Penalties were also imposed on the organization for failure to comply with the NIS2 directive.   

There can be other legal, regulatory, and compliance requirements you should adhere to depending on your industry. Security reviews ensure that your organization aligns with these laws, reducing the risk of legal action and financial liabilities. 

Building and Maintaining Public Trust 

Trust is a priceless asset in today’s market space. It is rare but once gained, it can be an invaluable strength to an organization. Customers, partners, and stakeholders behold organizations that proactively address security concerns more favorably. This trust can lead to enhanced business opportunities and enduring relationships. A security review demonstrates your commitment to safeguarding sensitive information and preserving the trust of those you serve. 

Ensuring Operational Continuity 

Security incidents can disrupt an organization’s daily operations, leading to downtime and affecting service delivery. A security review can help address vulnerabilities proactively, so the organization can ensure the continuity of its operations, essential for delivering services efficiently and maintaining customer satisfaction. 

Eliminating Third-Party Risks 

Often overlooked, organizations are often breached via a third-party supplier that has access to networks. According to Verizon, 62% of all data breaches occur via third-party suppliers. A security review can help organizations manage third-party risks and take proactive actions.  

Protecting Collective Interests 

If your organization collaborates with other entities, whether as a supplier or partner, you share a responsibility to protect not just your interests but also those of your collaborators and clients. Vulnerabilities in your systems could have broader implications. Conducting security reviews helps safeguard collective interests. 

Staying Ahead of Evolving Threats 

Cyber threats evolve continually. New vulnerabilities and attack methods emerge regularly. Regular security reviews enable your organization to stay ahead of these evolving threats, maintaining a strong security posture. 

Can you justify the budget spent on Security Review?

Investing in security reviews is more than just an expense, it’s an investment you make to protect your organization. While it may seem like a cost, it’s a proactive measure to safeguard your most important assets: data, reputation, and trust.

What you spend on regular security reviews will be just a fraction of the cost of a security breach even if you consider only the legal fees and cost of damage control . When the average cost of a corporate data breach stands at 4.2 million Euros, do you really want to take that risk? Plus, it exhibits your organization’s stance on taking security and compliance seriously.

In today’s world, where vulnerabilities are exploited regularly, allocating resources for security reviews is not just reasonable, it’s a responsible business decision.

How eBuilder Security Can Help You

eBuilder Security’s security review and audit service helps you to identify unknown security and privacy risks in your organization before an attacker does. Our reviews are performed by qualified consultants, and they can be customized to your specific requirements. We offer very competitive pricing for our security reviews, and you can also adjust the scope according to your budget. eBuilder Security’s standard methodology is based on ISO27001 standard and CIS critical security controls which is enhanced by our unique methodology. 

Following are our different security review service offerings: 

• Security Health Check: Reviews essential cyber hygiene practices of the organization and assesses the cybersecurity maturity level.
• Security Review and Audit: A complete security review and audit covering both security and privacy aspects including compliance and governance. 
• Audit/Review against a specific framework: Security Review/Audit against a specific Standard, framework, or regulations such as NIST, ISO27001, CIS Controls, GDPR, or PCI-DSS.  
• Custom Security Review: Security Review customized for the specific requirements of the organization.

Conducting security reviews is not merely a best practice, it is an absolute necessity today with rising security threats for the organization. Regardless of your organization’s size or industry, investing in security reviews is essential to proactively protect your information assets. Conduct periodic security reviews to have peace of mind on the future of your operation.

Endpoint Security

What is Endpoint Security?

Endpoint security, also known as endpoint protection, is a data security strategy that focuses on protecting the individual devices or “endpoints” on a network. An endpoint can be a computer, laptop, mobile phone, tablet, or any other device connected to the network.

The purpose of endpoint security is to prevent, detect, and respond to threats and attacks directed at endpoints. This includes malware protection, data breaches, data leaks, and other security risks.

Endpoint security solutions typically offer several different features to secure the endpoints. These may include:

• Antivirus and anti-malware protection: Detects and blocks malicious software, such as viruses, spyware, and trojans.
• Firewall: Controls and monitors network traffic to block unauthorized access and protect against intrusion attempts.
• Intrusion Detection System (IDS) and Intrusion Prevention System (IPS): Detects and blocks intrusion attempts and unauthorized access to the endpoints.
• Data Loss Prevention (DLP): Prevents sensitive information from leaking from endpoints by monitoring and controlling data transfer and usage.
• Application control: Provides the ability to manage and restrict the use of specific applications on the endpoints.
• Device control: Provides the ability to manage and restrict the use of external devices, such as USB drives and external hard drives, on endpoints.
• Vulnerability management: Identifies and patches vulnerabilities in operating systems and applications on the endpoints.
• Behavioral analytics and anomaly detection: Monitors activity on the endpoints and identifies anomalous behaviors that might indicate a security incident.

With the implementation of the right endpoint security solution, organizations can strengthen their network security by protecting every single device connected to the network. This is especially important in today’s work environment, where many employees use mobile devices and connect to the corporate network from different locations and networks.

Why is it important?

There are several important reasons why it is important to have endpoint security:

• Anti-malware protection: Endpoint security solutions include antivirus and antimalware features that help protect endpoints from malware. This is crucial because malware can cause serious damage to a single device and spread to other devices on the network.
• Data and privacy protection: By implementing endpoint security solutions, you can protect sensitive data from leaking from your endpoints. This may include personal data, trade secrets, financial information and other critical data. Endpoint security also helps ensure data integrity by preventing unauthorized modification or destruction of data on the endpoints.
• Network security: Endpoints often represent the weakest link in network security because they are more exposed to external threats and attacks. By having endpoint security solutions in place, you can strengthen the overall security of your network by protecting each individual device connected to the network.
• Device and application management: Endpoint security provides the ability to manage and control the use of devices and applications on the endpoints. This is especially important in corporate environments where employees may use various devices and applications that may pose security risks. By applying device control and application control, you can limit the risk of unauthorized or unsafe devices and applications being used on the network.
• Threat detection and response: Endpoint security solutions often include capabilities to detect and respond to threats and attacks in real time. This means you can identify security incidents and take quick action to limit the damage and prevent further spread of the threat.

In summary, endpoint security is essential to protect your devices, data, and network from malware, data breaches, and other security risks. By implementing appropriate endpoint security solutions, organizations can minimize security risks and ensure stronger and more reliable network security.

What is the difference between endpoint security and network security?

Endpoint security and network security are two different aspects of security that focus on different parts of an IT system. Here are the differences between the two:

Endpoint security:

Endpoint security is about protecting the individual devices (endpoints) that are connected to a network. These devices can be computers, laptops, mobile devices, servers, IoT devices, and so on. The goal is to ensure that every device is protected against malware, data leaks, and unauthorized access. Endpoint security solutions can include antivirus software, firewalls, device control, encryption, behavioral analytics, and other techniques that help prevent attacks and vulnerabilities on the devices themselves.

Network Security:

Network security, on the other hand, is focused on protecting the network itself and its communications. It is about ensuring that data sent between different devices and servers is protected and that the network is not exposed to attacks or unauthorized access. Network security includes technologies such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), Virtual Private Networks (VPNs), and network segmentation to isolate different parts of the network from each other.

How can we improve Endpoint Security?

To improve the endpoint security and increase the protection of the devices connected to a network, one can take several measures. Here are some key best practices:

• Update software and operating systems regularly: Make sure that all devices have the latest version of the operating system and other software, including antivirus and other security software. Updates often include important security fixes that patch known vulnerabilities.
• Use endpoint protection solutions: Invest in a robust endpoint security solution that includes antivirus, antimalware, firewalls, and other protection features. This type of software is specifically designed to protect devices from various threats and attacks.
• Use multi-factor authentication (MFA): Implement multi-factor authentication on all devices where possible. MFA requires the user to verify their identity through two or more authentication methods (such as password and mobile app), making it harder for unauthorized people to gain access to the device.
• Implement device and application management: Use policy-based management to control which devices and applications are allowed to connect to the network. This can help reduce the risk of unauthorized access and malware.
• Security awareness and education: Educate users on security best practices, including recognizing suspicious emails, links, and files. Users should be aware of the most common attack methods, such as phishing to avoid falling victim to them.
• Data encryption: Encrypt sensitive data on devices to protect it in the event that the device is stolen or lost. This makes it more difficult for unauthorized persons to access and use the information.
• Monitor and audit activities: Use logging and monitoring to track and detect suspicious activities on your devices and network. By quickly detecting and responding to threats, you can reduce damage and prevent further spread.
• Build an incident response plan: Have a clear plan for handling security incidents if they occur. This includes isolating infected devices, tracing the source of the attack, and taking steps to prevent similar events in the future.

By combining these measures, you can strengthen your endpoint security and reduce the risk of being exposed to various types of cyber threats and attacks. Managing security is a continuous process, so it’s important to be proactive and stay abreast of the latest threats and security solutions.

How can eBuilder Security help you with Endpoint Security?

• Managed Detection and Response is a service we provide with the help of several partners. We use their services within XDR and threat hunting to effectively find and neutralize threats in your environment. This is a fully managed service, which means that we handle the administration and management of the entire implementation and operation.
• We have several partners to help you with endpoint protection, we can offer EDR service from Cybereason or CrowdStrike and we can also offer you scans for networks or endpoints.

Information Security Awareness Training

IT Security Training

Training users in IT security is of crucial importance to ensure a robust and reliable IT environment in all organizations and operations. There are several reasons why it is important to invest time and resources in educating users about IT security:

• Human Weaknesses: Users are the weakest link when it comes to IT security. People are susceptible to social engineering, such as phishing emails and baiting. Through training, users can learn how to identify suspicious activities and manage them safely.
• Security Culture: Training creates a security culture where users become aware of the risks and understand that their actions have a direct impact on the organization’s security. This boosts the prospect of users taking security issues seriously and following best practices.
• Protect against threats and attacks: The IT landscape is full of various threats and attacks, such as malware, ransomware, data breaches, and identity theft. Through training, users can learn how to detect, report, and prevent such threats, reducing the risk of an incident occurring.

Cyber Security Training

IT Security Training and Cyber Security Training are essentially the same thing, and the terms can be used interchangeably. They both aim to educate users and professionals about security aspects related to information technology and internet-based systems. The differences in terms can be subtle and vary depending on the context, but in general, the two concepts are synonymous. Let’s look at some details:

IT Security Training

• IT security is about protecting information technology infrastructures, including networks, servers, computers, software, databases and data, from accidental and intentional threats and attacks.
• IT security training is focused on teaching users and professionals about security measures, best practices, risk management and incident management within the IT environment.

Cyber Security Training

• Cybersecurity focuses on protecting cyberspace, which encompasses everything digital and electronic connected to the internet, including computers, mobile phones, cloud services, and IoT devices.
• Cybersecurity training usually involves teaching users and professionals about security risks and threats specific to the digital world, such as malware, phishing, hackers, and other cyberattacks.

Information Security Awareness Training

While IT Security Training and Cyber Security Training are more technology-oriented and focus on the digital aspect of security, Information Security Awareness Training has a broader scope and includes all types of information that an organization manages, whether they are in digital systems or in physical documents. Information Security Awareness Training aims to build awareness of the importance of protecting sensitive information, no matter what medium it is in, to prevent accidental or intentional exposure or theft of information.

• Focuses on protecting information regardless of format or medium, including digital information, physical documents, oral information, etc.
• Focuses on teaching users about information classification policies, sensitive information management, permission controls, and secure data retention and deletion.

What can eBuilder Security help you with?

• We can help you with a situation analysis, and help you assess how aware your organization is and how it responds to threats today.
• We present Complorer, which is a market-leading Security Awareness product in the Nordics and helps organizations test and train their employees to improve their Security Culture.

SEO-Enhanced Attacks and Malvertising

SEO-amplified attacks

What is SEO?

SEO stands for “Search Engine Optimization” and aims to optimize a website or a web page to improve its visibility and placement in search engines’ organic search results. The goal of SEO is to increase traffic to the website by improving its visibility of relevant search terms and thus attracting more visitors.

What is an SEO Attack?

Hackers use SEO in the same way that companies use search engine optimization (SEO) to increase the rankings of certain terms to promote their products and drive traffic to a website.

This is done to boost the ranking of a malware website to send more victims in their path. Today, companies have become much better at blocking incoming attacks such as phishing or smishing through various types of security checks. Therefore, hackers are trying to trick users using novel techniques like the so-called watering hole attack, by making use of SEO.

Hackers can be seen using the same keywords as a regular company to get the malicious variant of a product or blog at the top of these search results. The Gootloader attack is one example. Using users who searched for “legal agreements”, hackers increased their ranking on this particular keyword to trick a user into downloading a free version of a legal agreement template.

Malvertising

What is SEM?

SEM stands for “Search Engine Marketing” and includes marketing strategies and techniques to promote a website through paid ads in search engine results. Unlike SEO, which focuses on improving organic search results, SEM is all about buying ad space and placing ads that appear when users search for specific search terms.

So, what is Malvertising?

Malvertising is a technique where hackers use SEM to promote digital ads injected with malicious code. Since SEM is closely related to SEO, Malvertising, and SEO attacks are usually used in combination with each other.

Hackers have found using paid search techniques for user-targeted ads to be advantageous in carrying out attacks and in fact, malvertising has recently been added as a new technology in MITRE ATT&CK. (https://attack.mitre.org/techniques/T1583/008/) These are most often used in connection with a so-called Drive-By attack where you use JavaScript to attack a user’s browser.

A recent example was when a campaign was launched for the popular 3D graphics software Blender, where one could search for this and the first 3 ads that appeared were malicious malware. It was only the 4th ad that was legitimate.  What makes it worse is that the landing pages are so good that it looks like it comes from the company in question.  Shown below are examples of such fake pages:

What can we do?

Although none of these technologies are new, we see that these attacks are increasing as we get better and better at having internal security controls. Hackers are trying to find new ways to exploit users. Therefore, users must be educated and made aware of these types of attacks in order to secure systems from cybercriminals. We have initiated this with our recently launched product, Complorer Security Awareness Training.

References

1. https://www.csoonline.com/article/575193/5-most-dangerous-new-attack-techniques.html
2. https://attack.mitre.org/techniques/T1608/004/
3. https://securelist.com/malvertising-through-search-engines/108996/

Phishing

Phishing is a type of cyberattack in which an actor tries to get users to reveal their personal or sensitive information, such as passwords, credit card information, or bank details, or to download something. The attacker often impersonates an organization or a person the user trusts, such as a bank, social network, or government agency.

Typically, phishing attacks are carried out via email, where the attacker sends out mass email messages to potential victims. Such email may look like a legitimate communication from a known organization and often contains links to fake websites designed to look like the original websites. When the user clicks on the link, they are often redirected to a fraudulent website where they are asked to enter their personal details.

Examples of Phishing

Phishing can also be carried out through other channels, such as text messages (SMS phishing or smishing), phone (vishing), or through the use of fake social media or apps. Here are some examples of phishing:

• Email phishing: This is the most widespread form of phishing. The attacker sends emails that appear to be from a legitimate organization, such as a bank or company. The message may prompt the user to click on a link that directs to a fake website asking them to enter their personal information.
• Website – Phishing: In this type of phishing, the attacker creates a fake website that appears to be a legitimate page, such as a fake login page for a popular platform or an ISP. Users are tricked into entering their login credentials, which are then collected by the attacker.
• Man-in-the-Middle (MITM) phishing: Here, the attacker creates a position between the user and a legitimate website or service. The attacker can monitor and gain access to the communications that occur between the user and the website, including login credentials and other sensitive data.
• Smishing: This type of phishing occurs through text messages (SMS). The user receives a message prompting them to reply or click a link. The link may lead to a fake website or to malware being installed on the user’s device.
• Vishing: In this type of phishing, attackers make use of telephones or mobile phones. A targeted user receives a call from someone pretending to be from an organization, such as a bank, and they try to trick the user into doing something harmful such as giving out their personal information or transferring money to an account.
• Spear phishing: This type of phishing is more targeted and personalized. The attacker collects information about their specific target, such as name, job title, or interests, and sends fraudulent messages tailored to appear more credible. It can be aimed at companies or individuals.

Attacks in the Nordic region

Phishing is one of the most rapidly growing hacker attack types in the world right now.

The Nordic region has also been affected by these attacks which is evident from the below examples:

• On December 16, 2021, Kalix municipality was hit by a serious hacker attack that resulted in their IT systems being knocked out. This attack led to significant disruptions in the municipality’s operations and forced them to switch to manual ways of working. The situation required immediate intervention by municipal staff to deal with the ongoing crisis.
• On March 19, 2019, the Norwegian company Norsk Hydro suffered a major hacker attack that had serious consequences for their global business. The attack was classified as a ransomware attack and the malware used was identified as LockerGoga.  The effects of the attack were extensive. The company’s computer systems and network were affected, leading to major disruptions in production and daily operations. Many of the company’s sites were forced to switch to manual and analog processes to continue operating.

Both these attacks began with a phishing attack. The purpose of phishing is to steal users’ sensitive information and then misuse it, for example by committing financial fraud, identity theft, or spreading malicious software as in the Kalix and Norsk Hydro cases.

Tips and tricks

To avoid being victims of a phishing attack, here are some tips you can follow:

• Be careful about clicking on links: Avoid clicking on links in unsolicited emails, text messages, or social media. If you receive a message prompting you to click on a link, first check the sender by going directly to their official website or contacting them directly.
• Double-check the identity of the sender: Be skeptical of emails that appear to come from known organizations or individuals. Phishing can use advanced techniques to mimic senders, so check spelling, grammar, and the sender’s email address carefully.
• Be careful when sharing personal information: Legitimate organizations will rarely request personal information via email or text messages. Never give out your password, account number, or credit card information to anyone who requests it through insecure channels.
• Use strong and unique passwords: Use unique and strong passwords for each online account you have. Combine uppercase and lowercase letters, numbers, and special characters to create complex passwords that are hard to guess. Also, use a reliable password manager tool to manage your passwords securely.
• Be careful when downloading attachments: Be skeptical of attachments in emails, especially if they come from unknown senders. Do not download or open attachments if you are not sure of their authenticity.
• Update your devices and software: Keep your operating systems, browsers, and other applications up to date with the latest security patches. These patches patch known vulnerabilities and reduce the risk of falling victim to attacks.
• Be careful when sharing information on social media: Be careful about the type of personal information you share on social media. Scammers can use this information to target you in phishing attacks.
• Use security software: Install and update a reliable antivirus and security software on your devices. These programs can help detect and block phishing attempts as well as other malicious activities.

Why Security Awareness?

Security awareness plays a crucial role in protecting against phishing attacks. Here are some key reasons why security awareness is important:

• Identify suspicious communications: By being aware of phishing techniques and common characteristics, you can more easily identify suspicious emails, text messages, or other forms of communication that may be fraudulent. By being vigilant, you can avoid falling for phishing attempts.
• Avoid clicking on malicious links: Hackers often use links to trick users into fake websites or to download malware. By being aware of the risks, you can be wary of clicking on links in messages.
• Update knowledge and protection techniques: By being aware of the latest phishing techniques and vulnerabilities, you can stay up-to-date and take appropriate steps to protect yourself. By learning about new methods used in phishing, you can adapt your behavior and use effective safeguards, such as security software and strong passwords.

What can eBuilder Security help you with?

• We can help you with a situation analysis, how aware your organization is, and how it responds to threats today.
• Complorer is a market-leading security awareness product in the Nordics and helps organizations test and train their employees to improve their security culture.

What Is A Vulnerability?

Are you under attack?

The Finnish Parliament Attack, the Estonian Government Attack, and the Greek Natural Gas Distributor Attack are some of the most recent large scale cyber attacks we have heard about in 2022. An exploitable vulnerability must always be present, for a cyber attack to take place. Attackers exploit vulnerabilities in computer systems and networks to obtain unauthorized access to computer systems. This article musters some of the most important facts on vulnerabilities starting off with an introduction to the topic followed by some historical facts pertaining to the rise of vulnerabilities. In addition, the article discusses the differences between the commonly and interchangeably used terms, vulnerability and weakness. 

Vulnerabilities – Know them to fight them

A vulnerability in the context of computers is any flaw in a system, design, or code that can allow attackers to exploit a frail computer system.

Just as a malfunction of a doorknob, a failure in a security camera, or even a loose brick in a wall may create a possibility for a burglar to gain access to assets inside a house, a vulnerability or a weakness in an information system may create a possibility for a malicious attacker to gain access to information assets and thereby exploit them for their own benefit.

This not only relates to a possible attack but also most importantly, to the level of difficulty or ease of breaking into a system.  

A large number of different, common vulnerabilities have been exposed to date. CVE, short for Common Vulnerabilities and Exposures, is a public database of information system vulnerabilities and exposures launched by MITRE corporation. It has identified over one hundred thousand common vulnerabilities starting from 1999 and, several thousands are discovered each year.

A hardware vulnerability is a flaw that can be exploited by an attacker through remote or physical access to the hardware of the system. If any weakness in a system can allow a hacker to insert new code into the program, it creates a hardware vulnerability.

Some examples of common hardware vulnerabilities are Rowhammer, Directory Traversal, Thunderclap, Foreshadow, etc.

Human vulnerability refers to the weaknesses caused by the mistakes of human beings. Humans play a major role in the security of cyber assets. The innate nature of humans to make mistakes proves the fact that humans are the weakest link in the cybersecurity sphere. 

Some main causes for human vulnerabilities are lack of security awareness, inattentiveness, and not adhering to policies and procedures. 

A network vulnerability is any flaw in hardware, software, or even processes that can be exploited by attackers to gain access and sabotage a network. As any device connected to the network can be used as an entry point, network vulnerabilities have been widespread.

There are a number of network vulnerabilities exploited by attackers. Malware, outdated software, and Misconfigured Firewalls or Operating Systems to name a few.

Regarded as highly threatening and damaging, application vulnerabilities are rising in popularity among the hacker community, surpassing all other kinds of vulnerabilities. This is due to the abundance of web applications accessed and paraded by the massive global reach of the Internet. Application vulnerabilities are flaws in an application that make way for attackers to exploit the application.

SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-site Request Forgery (CSRF) are some examples of common application vulnerabilities.

Some common causes for vulnerabilities are weak passwords, errors in the code of programs, the complexity of systems, unrestricted user input, etc.

How it all began

The computer has come quite a long way from the earliest machines manufactured in the 20^th century which took up whole rooms and used vacuum tubes as their basic components.   

These early machines consisted purely of hardware components. Ada Lovelace laid the foundation for the development of software by composing an algorithm for what would have been the first piece of software, alongside Charles Babbage’s invention of the Analytical Engine, in the 19^th century. However, the idea was not applied until the mid-1940s, when modern computers were invented. Therefore, hardware vulnerabilities and human vulnerabilities can be considered to be the earliest computer-related vulnerability types.

Although the idea of networking had been around since the early 80s, it was not until the establishment of ARPANET that the concept flourished, laying the foundation for the notion of the ‘Internet’. ARPANET (Advanced Research Projects Agency Network) was the first packet-switched Wide Area Network and was founded by the US Department of Defense.

The unleashing of the Morris worm in 1988 by Robert Tappan Morris is considered to be the very first attack experienced by the internet. It was a large scale outbreak that affected a number of prestigious colleges and research centers. Although Morris admitted that he did not have any malicious intent and that he only developed the program to get a count of the number of devices connected to the internet, he was arrested as the first person convicted under the 1986 Computer Fraud and Abuse Act. 

The worm exploited several vulnerabilities for its swift spread:

• A hole in the debug mode of the Unix mail program
•  A bug in the “finger” program that identified users connected to the network
• Users who set up unprotected network logins with no passwords

Thanks to the Morris worm, flaws in the security of ARPANET were exposed and the victim organizations were keen on building security measures to protect themselves from any more attacks. The development of the first firewall by a researcher at a NASA center in California is one such advantageous consequence of the Morris worm. 

Web applications play a crucial role in our lives today. Regardless of the profession, age, location, or status, each of us tends to obtain the benefit of a few or more web apps, be it for business optimization, knowledge acquisition, communication, or even for entertainment. The development of web application concepts began in the early 1990s with simple, static HTML web pages. Just as with the development of any technology, the dark side associated with it also developed at a similar pace (cybercriminal activities in this case). It is evident that even at the earliest stage of web applications, there have been several vulnerabilities although not as frequent as today.

Cross-site scripting [XSS] is a common application vulnerability reported to have been exploited since the 1990s and the term ‘cross-site scripting’ was introduced at the beginning of the year 2000. SQL injection, another such contemporary vulnerability, is reported to have been publicly disclosed for the first time in 1998.

Therefore, it is clear that whichever technology is used, a person with a strong intent and desire to sabotage a system will always find a vulnerability to creep in. This is why cybersecurity is important and why it is never too much.

What is the difference between a vulnerability and a weakness?

We find the 2 words, vulnerability, and weakness, often used interchangeably, in the context of security. However, MITRE organization identifies the 2 terms apart with a subtle change of meaning. It identifies weaknesses as errors that cause vulnerabilities. Weaknesses cannot be used by attackers directly unless it results in a vulnerability. Vulnerabilities are defined as flaws in a system that can be directly exploited by a hacker to enter the system or network.  

CWE and CVE are two separate standards defined by MITRE and stand for ‘Common Weakness Enumeration’ and ‘Common Vulnerabilities and Exposures’ respectively. CVE denotes a specific instance of a vulnerability within a system. And CWE refers to a type of software weakness, rather than a specific instance of vulnerabilities within a system. Basically, CWE can be introduced as a “dictionary” of software vulnerabilities, and CVE as a list of known instances of vulnerability for specific products or systems.

Below are a few examples of weaknesses from the CWE list:

CWE ID	Name
CWE-787	Out-of-bounds Write
CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-89	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-20	Improper Input Validation
CWE-125	Out-of-bounds Read

Below are a few examples of vulnerabilities from the CVE list:

CVE ID	Vulnerability Type	Description
CVE-2022-38493	DoS	Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn’t check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token.
CVE-2022-38392	DoS	A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video.
CVE-2022-38359	CSRF	Cross-site request forgery attacks can be carried out against the Eyes of Network web application, due to an absence of adequate protections.
CVE-2022-38188	Exec Code XSS	There is a reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9.1 which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
CVE-2022-38193	Exec Code	There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution in a victim’s browser.

How vulnerabilities become a threat to us

Following the global pandemic COVID-19, the trend of remote working has increased resulting in an exponential growth of cyber-criminal activities. Therefore, awareness of vulnerabilities is imperative. Lack of knowledge about vulnerabilities and assuming that your systems are free from any flaw is unwise and risky. So, in this case, ignorance isn’t bliss!

It is quite reckless to presume that your company, business, or website is too trivial for criminals to notice. Not hearing about cyberattacks on small or medium-sized companies does not mean that they do not take place. In fact, innumerable attacks take place on small companies that we do not get to hear about, only because they are not headline-worthy. Therefore, being well-versed in vulnerabilities is always beneficial.

A cybercriminal can have one of several motivations to carry out an attack. He would be trying to assume the victim’s identity to carry out a monetary transaction. A hacker can take down a website for a personal grudge or even simply to show off that he is able to. The most common and the most overwhelming motive is money. A hacker can take charge of your cyber assets and demand a hefty sum of money to release your assets. But the most perturbing fact is not knowing whether they would keep their word, even after paying the ransom.

Whichever the motivation is, it is obvious that vulnerabilities are not to be taken lightly as they can leave your business or organization seriously damaged. Cybersecurity is not to be regarded as an optional amenity but rather as a priority.

Is there a solution?

In a time where the most attention of cybercriminals is focused on web applications, securing them has become a tremendous task. But luckily there are hundreds of solutions out there assuring your applications’ protection from hackers. The only challenge is to select the best out of them. This may vary according to your organizational requirements, policies, and views. But whatever the nature or the size of your organization is, ultimately you would be looking for a good product that is cost effective, highly secured, and requires less manual intervention for its operation.

Application Vulnerability Scanning and Penetration Testing are 2 such solutions for ensuring that your applications are free from vulnerabilities.

Application Vulnerability Scanning is the process of scanning an application proactively for any exploitable vulnerabilities that might be existing in a system.

eBuilder Security provides Application Vulnerability Scanning service as a regular security health check. eBuilder Vulnerability scanning service entails a number of key benefits like high detection & accuracy, low monthly cost, and not being bound with licenses.  With our service, you are not required to have an internal team, and as data is stored in a private cloud in Sweden, we can assure the highest protection of your data. Another unique feature of eBuilder Vulnerability Scanner is its convenient scalability on tap service.

Our service can detect vulnerabilities early on compared to a penetration test which is a less frequent and lengthy process. A vulnerability scan can take anything from a few minutes to a few hours depending on the size and complexity of the application. It can also be conducted at a fraction of the cost of a penetration test and can be run daily or weekly. Hence if a new vulnerability is present, it will be automatically detected faster than via any other detection mechanism.

Affordability and less time consumption are two other advantageous features of vulnerability scanning over pentests.

An Application Penetration Test is a comprehensive approach to identifying the weaknesses and vulnerabilities in an application that can be exploited by a hacker and this is executed using a real-life simulation of an attack. Experienced pentesters carry out the task of performing real-life simulation attacks to look at an application through the point of view of an attacker and hence identify any hidden vulnerabilities.

With the eBuilder Penetration Testing service, you can get your applications tested manually by specialists following a tested and proven methodology to simulate a real-life hacker attack.  

Although not cost effective as vulnerability scans, pentests provide a more detailed analysis of the overall application’s vulnerability status.

Network Penetration Testing is an exercise where a real-life attack is simulated to gain information about any existing vulnerabilities in your network that can be exploited by an attacker to gain access to your network.

eBuilder provides Automated Network Penetration Testing combining the knowledge, methodology, processes, and toolsets of a team of security consultants into a single, deployable platform for organizations of all sizes. eBuilder helps organizations perform penetration tests within their environment at any given time, satisfying both compliance requirements and meeting network security best practices. This platform is automated and is based on a framework that continuously improves over time.

Having sessions to promote security awareness among your employees is an ideal way to reduce the impact of Human vulnerability. Running an effective Security awareness training program is time and resource intensive, requiring dedicated personnel and being up to date with threats and cyber security trends. As a solution, eBuilder offers Complorer Security Awareness Training. Here Security Awareness is offered as a Managed Service where you can unburden yourself from all administration and management responsibilities.

Vulnerabilities and attackers snooping around them would never cease to exist. Safeguarding information systems is therefore vital for the success of any organization. Our goal at eBuilder Security is to let you focus on your core business while we take care of your cyber security.

Why Multifactor Authentication and complex passwords are not enough?

What is Session hijacking?

Session hijacking is an attack that involves an attacker going after the session tokens that are stored locally on your computer web browser. These session tokens store the credentials that have been validated in an SQLite database (assuming you are using Chrome/Chromium). So, every request that goes to the same domain in the future will have a lookup in the database and if found, will be sent back with the request to allow you to access the site without being prompted for a login. While promoting ease of use these session tokens can be hijacked and copied to an external system by an attacker, circumventing all other security controls.

This is normally done via some kind of phishing or malware attack where the attacker sends an email posing as someone in your company or preying on your fear or with a reward system to get you to open a link or attachment that they sent you. These emails are usually called phishing if it’s a wide attack or spear phishing if it’s aimed at you or your organization specifically.

There was a recent incident when a famous social media platform was hacked this way. It is an ongoing problem for them where creators are hacked almost daily in this way. All clever security controls are circumvented when someone emails you posing as a sponsor or as a supplier emailing you a quote to get you to open an attachment.

What we can do

There are three improvements recommended by eBuilder security:

• A Zero Trust Architecture will help you limit any potential damage from an attack. If an attacker is able to gain access, this will limit the access they have, for example looking over who is allowed to Read, Write, and Delete, to start with, or even application access.

• Cybersecurity threats are constantly evolving, so it’s essential to stay informed on the latest attack techniques and how to prevent them. This is not only important for admins or security professionals but more so for the users since they are the attack vector the threat actors are aiming for. Today having a well-managed security awareness program is a must. It will help you find risk users and to contain them or at the very least try to educate your employees about existing and new threats. It should be a continuous process so that when new threats are discovered such as QRLJacking or in this case Session hijacking, they are included and employees are educated in a manner simple and easy for every employee.

• To enforce policies on your suppliers to have session timeouts, to require elevation (Windows Access Rights), and to require reauthentication in case of certain actions such as delete or update.

References:

1. https://owasp.org/www-community/attacks/Session_hijacking_attack
2. https://www.neowin.net/news/linus-tech-tips-youtube-channels-were-hacked-due-to-a-session-hijacking-attack/
3. https://cyolo.io/blog/mitre-attck/lateral-movement-what-it-is-how-zero-trust-protects-you-from-it/
4. https://www.cisecurity.org/controls/security-awareness-and-skills-training
5. https://owasp.org/www-community/attacks/Qrljacking

IT security

IT security is undoubtedly an important area for those in today’s digital world. While more companies and organizations use IT to handle sensitive information and communications, it is important to have adequate security to protect critical resources. Here we will briefly explain what IT security is, what the most common threats are, and what solutions are available to deal with these threats.

What is IT security?

IT security is a combination of methods, technology, and processes that aim to protect digital resources against unauthorized access, use, change, or disposal. IT security can be described as a concept that encompasses several different areas. Some of these areas are network security, data protection, privacy, and backup.

What are the most common threats associated with IT security?

There are many threats to IT security, both internal and external. Here are some of the most common threats:

Malware: Malware, or malicious code, is one of the biggest threats to good IT security. It can enter the system via infected files, emails, or web links. Malware can cause everything from annoying pop ups to the theft of personal information and, in the worst case, destroy the entire system.

Ransomware: This is a type of malware that blocks access to data and requires a lot of money to unblock it. It can be both costly and time-consuming and can also cause significant damage to companies and organizations, both in terms of money and reputation.

Social engineering: It is a technique in which cybercriminals manipulate other people to gain access to sensitive information or a protected system. It can be through phishing, spear-phishing, or other methods.

DDoS attacks: DDoS (Distributed Denial of Service) attacks are when a large amount of traffic is sent to a site or server to overload it and prevent users from accessing a system. This may affect the company’s or organization’s ability to do business and cause damage to the company’s brand.

Insider threat: This type of threat occurs when an employee or any other person with access to sensitive information uses it improperly. It can be intentional or unintentional, in the latter case, as a result of genuine mistakes.

Solutions to protect against threats

There are several methods to protect against IT security threats. Here are some of the most common ones:

Antivirus or EDR: An antivirus is one of the most basic security measures that you can take. It protects your computer from malware by detecting and removing viruses and other malware.

Firewall: A firewall is a security barrier that prevents unauthorized traffic from entering your network or computer. It can block malicious traffic as well as identify and stop potential threats before they reach your system.

Encryption: Encryption is a process that protects data from unauthorized access by converting it into a form that can only be read by the person who has the correct password or crypto key. It is important to protect sensitive information, such as trade secrets, passwords, or bank details.

Backup and recovery: This is a process in which a copy of data is created and stored in an alternate location. As a result, data can be restored if the original data is lost or damaged as a consequence of a cyberattack.

Software update: Keeping software up-to-date is an important security measure. Threats are constantly evolving and, over time, are becoming increasingly advanced. Software companies are therefore updating their applications with new features and security updates to protect against these new threats. Without software updates, you will not benefit from these new protection features.

Education and awareness: Education and awareness are also important for good IT security. Employees should be continuously trained in the latest threats and how to recognize and avoid them, for example, by not clicking on suspicious links or opening unknown emails.

Summary

IT security is an extremely important area for companies and organizations that use technology to handle sensitive information. There are many threats to IT security, such as malware, social engineering, ransomware, DDoS attacks, and insider threats. There are also many solutions to protect against these threats, including anti-virus software, firewalls, encryption, backup and recovery, software updates, and education and awareness. By taking these security measures, companies and organizations can increase their ability to protect themselves against these types of threats, thereby protecting their digital resources and minimizing the risk of cyberattacks.

How can eBuilder Security help you with your IT security?

eBuilder Security provides several services to improve your IT security. The following are some of them:

• We perform vulnerability scanning on your applications to find possible vulnerabilities and continually monitor and improve your security posture.
• We perform penetration tests on your applications, which is a more advanced test than a vulnerability scan, as we exploit what we find and try to break into the application.
• We can help you implement an EDR solution to protect your devices. We have partnered with market leaders CrowdStrike and Cybereason to provide the best possible protection for all types of threats, from cloud to mobile. This can be combined with active threat hunting, where we perform 24/7 human threat hunting in your environment.

What is NIS/NIS2?

The NIS Directive, short for Network and Information Systems Directive, is an EU legislation aimed at improving the cybersecurity of critical infrastructure and essential services such as energy, transport, banking, and healthcare in EU member states in order to protect citizens and businesses from the increasing threat of cyber attacks. Here, organizations are required to execute appropriate measures to ensure the security of their network and information systems, prevent and minimize the impact of cyber attacks, and report significant incidents to the relevant authorities.

The European Union (EU) passed the NIS Directive in 2016 and it became effective in May 2018. The Directive was supposed to be implemented by the member states of the EU into their national laws by the 9th of May, and 21 more months were given to fully comply with the Directive’s requirements.

Due to increased threats, the EU issued NIS2 Directive 2022/2555 in November 2022 when it had the requirement to better prepare the member states for cyber attacks.

WHAT are the major differences between the NIS and NIS2 Directives?

NIS2 is a revision of the original NIS Directive, updating and expanding the scope of the original Directive to cover a wider range of essential services and digital service providers. NIS2 builds on the original NIS Directive but significantly expands the categories of organizations that fall within the scope of the law, imposes new and more granular security and incident reporting rules, and creates a stricter enforcement regime. The member states of the EU are required to implement the NIS2 Directive into their national laws.

The main differences between the original NIS Directive (passed in 2016 and already in place) and the NIS2 Directive (passed in 2022) are:

1. Scope: The NIS2 Directive is an expansion of the scope of the original NIS Directive to cover a wider range of essential services and digital service providers, including cloud computing services, online marketplaces, and search engines, among others.
2. Incident reporting: The NIS2 Directive introduces a harmonized reporting obligation for serious incidents across all EU member states, with clear criteria for what constitutes a serious incident. The original NIS Directive only required reporting of incidents affecting essential services.
3. Coordination and cooperation: The NIS2 Directive establishes a stronger coordination and cooperation framework between EU member states, the European Union Agency for Cybersecurity (ENISA), and the European Commission.
4. Cybersecurity certification: The NIS2 Directive introduces a voluntary cybersecurity certification scheme for digital service providers and operators of essential services.  

WHEN does NIS2 come into force?

The new EU-wide cyber law, Directive 2022/2555 (NIS2), entered into force on Monday, January 16, 2023. Member states now have until October 18, 2024, to transpose the new directive into their respective national laws. Unlike GDPR, which is a regulation that is the same for all of the EU, NIS2 will be implemented differently in all member states.

WHO does NIS2 apply to?

The NIS2 Directive applies to operators of essential services and digital service providers in the European Union (EU) member states.

Operators of essential services include companies and organizations in sectors like energy, transportation, health, banking, water supply, waste management, and others that are critical to the functioning of society and the economy.

Digital service providers comprise search engines, online marketplaces, and cloud computing services that play a critical role in the functioning of the digital single market.

The Directive intends at improving the overall cybersecurity posture of the EU and protecting citizens and the economy from harm caused by cyber attacks by mandating these organizations to take appropriate measures to secure their network and information systems and to report serious incidents to the relevant authorities. 

HOW does NIS2 apply to city governments, government authorities, and the public sector in general?

An average city government is necessitated to take the required steps to protect its information systems and networks that support the delivery of essential services to citizens under the NIS2 Directive. This may include implementing security controls, conducting risk assessments, and having incident response plans in place to deal with cyber incidents.

In certain ways, NIS2 is not largely deviated from the first NIS directive, but it has resulted in a renewed focus on cybersecurity issues. Failure to comply with the NIS2 Directive could result in significant fines, and more importantly, loss of public trust and confidence in the city’s ability to deliver essential services securely. The NIS2 Directive also mandates city governments to report serious cyber incidents to the relevant authorities. 

What are the major steps in becoming NIS2 compliant?

To become compliant with the NIS2 directive several key steps must be followed:

1. Assessment: Assess your current network and information systems comprehensively to identify any vulnerabilities and assess the current level of security.
2. Risk management: Implement a risk management program that includes risk assessment, risk mitigation, and risk monitoring.
3. Implementation of security measures: Implement appropriate technical and organizational measures to secure your network and information systems, such as access controls, encryption, incident response planning, and security awareness training. (Appropriate measures are explained further down in the following chapters)
4. Regular security testing: Regularly test the effectiveness of your security measures, such as penetration testing, vulnerability scanning, and security audits.
5. Incident response planning: Develop and implement an incident response plan to ensure that you are prepared to respond quickly and effectively to security incidents.
6. Monitoring and review: Continuously monitor your network and information systems to identify any new threats or vulnerabilities, and regularly review and update your security measures to ensure they remain effective.
7. Documentation: Keep accurate and up-to-date documentation of your security measures and security incidents.

It is worth noting that this is not a one-time activity but should rather be an ongoing process to maintain compliance with the NIS2 directive. Organizations must review and update their security measures continuously to ensure they remain effective in the face of evolving security threats.

What are the challenges when implementing NIS2?

Implementing the NIS2 Directive could present several challenges for organizations and governments:

1. Compliance costs: Organizations may face significant costs in complying with the NIS2 Directive’s requirements, including the implementation of appropriate technical and organizational measures to ensure the security of their network and information systems. eBuilderSecurity offers many of the necessary preventive security measures as a service, thereby reducing costs. Buying preventive measures as a service reduces the cost of expensive licenses.
2. Technical complexity: Implementing the NIS2 Directive’s requirements could be technically complex, especially for organizations with large and complex information systems and networks. eBuilderSecurity offers many of the necessary preventive security measures as a service, thereby moving the technical complexity from the customer to eBuilder Security.
3. Harmonization: The implementation of the Directive’s requirements may vary between countries. Therefore ensuring harmonization of the implementation of the NIS2 Directive across EU member states may be challenging. Different member states may interpret the directives differently as they are implemented into the local laws of the member states.
4. Incident reporting: Implementing the NIS2 Directive’s incident reporting requirements could be challenging, especially for organizations that have not previously had incident reporting procedures in place.
5. Cybersecurity certification: Implementing the NIS2 Directive’s voluntary cybersecurity certification scheme may also be challenging, as organizations need to demonstrate compliance with the Directive’s requirements and undergo a rigorous evaluation process.   

In summary, implementing the NIS2 Directive could be challenging for organizations due to compliance costs, technical complexity, harmonization, incident reporting, and cybersecurity certification requirements. However, these challenges should be outweighed by the benefits of improved cybersecurity and protection. The complexity can also be reduced by procuring many of the “appropriate measures” as a service. Prevention is always a lot cheaper than recovery.

What is meant by “Appropriate Measures”?

The term “appropriate measures” in the NIS2 Directive signifies technical and organizational measures that are to be implemented by organizations to ensure the security of their network and information systems. These measures help reduce and prevent the impact of security incidents, such as cyber attacks, on their operations and the personal data of their users.

Examples of appropriate measures include:

1. Security Awareness Training – Human error often acts as a significant factor in security incidents, like data breaches. Organizations are able to reduce the risk of security incidents caused by human error, by offering employees trainings on how to identify and respond to potential security threats.
2. Application Vulnerability Scanning – Application vulnerability scanning is the process of identifying security vulnerabilities in software applications, such as web applications and mobile apps. By conducting application vulnerability scanning, organizations can identify security weaknesses and take steps to remediate them before they are exploited by malicious actors.
3. Network Penetration Testing – the process of simulating an attack on an organization’s network and information systems to identify security vulnerabilities. By conducting network penetration testing, organizations can identify security weaknesses and take steps to remediate them before they are exploited by malicious actors.
4. End Point Protection – Endpoint protection helps organizations prevent, detect, and respond to security incidents that occur on their endpoints. Its importance lies in the fact that endpoints are often the first point of entry for malicious actors who try to gain access to an organization’s network and information systems.
5. Access control – Implementing procedures and controls to manage who has access to network and information systems, and what actions they can perform.
6. Encryption – Encrypting sensitive data, such as personal data, to protect it from unauthorized access or theft.
7. Firewall – Implementing firewalls to control access to and from the organization’s network and information systems.
8. Software updates – Keeping software up-to-date with the latest security patches and updates to address known vulnerabilities.
9. Incident response planning – Developing and implementing a plan to respond to security incidents, such as cyberattacks, and minimize their impact.
10. Regular security assessments – Regularly assessing the security of the organization’s network and information systems, identifying vulnerabilities, and taking steps to remediate them.
11. Penetration Testing – Penetration testing involves simulating an attack on a network or system in order to identify any security weaknesses that an attacker could exploit. By performing regular penetration testing, organizations can identify and address security risks before they are exploited by attackers.

To summarize, ‘appropriate measures’ are technical and organizational measures that must be implemented by organizations to ensure the security of their network and information systems and prevent and minimize the impact of security incidents, such as cyber attacks. The specific appropriate measures will depend on the specific risks faced by the organization and the data it processes, but shortly, it is difficult to see a scenario where the above measures are not required.

Security Awareness Training

Security awareness training is a typical ‘appropriate measure’ and a low-hanging fruit in implementing the NIS2 Directive.

Security awareness training is important because human error is often a significant factor in security incidents, such as data breaches. By providing employees with training on how to identify and respond to potential security threats, organizations can reduce the risk of security incidents caused by human error.

For example, security awareness training can cover topics such as phishing, password management, and the proper handling of sensitive information, among others. By providing employees with the knowledge and skills to recognize and respond to potential security threats, organizations can strengthen their overall security posture and reduce the risk of security incidents caused by human error.

Online security awareness training for all staff is a cost-efficient way to improve the security posture of any organization. eBuilder Security is offering online security awareness training that is based on nano-trainings i.e., short videos that can be viewed on essentially any mobile phone, tablet, or computer. Coupled with regular friendly Phishing attacks to measure the effectiveness of the training the security posture of the organization can be improved drastically.

Endpoint Protection

Endpoint protection refers to the security measures and technologies that protect an organization’s endpoints, such as computers, laptops, smartphones, and other internet-connected devices. These measures can include antivirus and antimalware software, firewalls, and endpoint detection and response (EDR) solutions, among others.

Organizations can prevent, detect, and respond to security incidents that occur on their endpoints, can reduce the risk of security incidents caused by malicious code, and strengthen their overall security posture by implementing endpoint protection. This is particularly important as endpoints are often the entry point for malicious actors looking to access the network and information systems of an organization.

Preventing malware from being installed on an endpoint, detecting malicious activity on the endpoint, and responding to security incidents by isolating infected endpoints and removing malicious code are some examples of endpoint protection solutions.

Traditional endpoint protection solutions often rely on signature-based detection methods, which can be less effective against newer and more sophisticated security threats. CrowdStrike is considered a next-generation endpoint protection solution, due to its cloud-based architecture, use of artificial intelligence and machine learning, and its focus on real-time threat detection and response.

There can be several ways in which next-generation endpoint protection solutions differ from traditional endpoint protection solutions. Next-generation endpoint protection solutions are often cloud-based, which enables organizations to receive real-time protection updates and provides the ability to respond to security incidents quickly. They also use advanced technologies such as artificial intelligence and machine learning to detect and prevent security threats, which helps to improve their accuracy and speed of response.

CrowdStrike’s cloud-based approach, use of artificial intelligence and machine learning, and focus on real-time threat detection and response make it a good example of a next-generation endpoint protection solution.

eBuilder Security offers Crowdstrike’s endpoint protection as a service. You should consider replacing your traditional endpoint protection with a more modern next generation AI-based endpoint protection.

 Application Penetration Testing

Application Penetration testing (pentesting) is the process of simulating an attack on an application in order to identify any security weaknesses that an attacker could exploit. Organizations can identify and address security risks before they are exploited by attackers, by performing regular penetration tests.

In addition, organizations should also implement other technical and organizational measures to protect their applications such as access controls, encryption, incident response planning, regular vulnerability scanning, and security awareness training, in order to comply with the NIS2 directive.

Organizations must ensure that their penetration testing is performed by qualified and experienced professionals and that their testing is carried out in accordance with industry best practices and ethical guidelines. eBuilder Security performs in depth penetration tests for numerous organizations in the Nordics.

Network Penetration Testing

Network penetration testing is the process of simulating an attack on an organization’s network and information systems to identify security vulnerabilities. By conducting network penetration testing, organizations can identify security weaknesses and take steps to remediate them before they are exploited by malicious actors.

Attempting to exploit known vulnerabilities, probing for vulnerabilities, and attempting to gain unauthorized access to systems and data are examples of some techniques that can be involved in network penetration testing.

Network penetration testing is an important component of a comprehensive cybersecurity program and can play a critical role in ensuring the security of an organization’s network and information systems. eBuilder Security offers Network Penetration Testing as a service. Scans can be run on a regular basis without a large investment in licenses.

Application Vulnerability Scanning

Application vulnerability scanning is the process of identifying security vulnerabilities in software applications, such as web applications and mobile apps. By conducting application vulnerability scanning, organizations can identify security weaknesses and take steps to remediate them before they are exploited by malicious actors.

Probing for vulnerabilities, attempting to exploit known vulnerabilities, and attempting to gain unauthorized access to systems and data are some examples of techniques that can be involved in application vulnerability scanning.

Application vulnerability scanning is an important component of a comprehensive cybersecurity program and can play a critical role in ensuring the security of an organization’s network and information systems. eBuilder Security offers Application Vulnerability Scanning as a service. There are no expensive licenses to be paid and no complex setup and maintenance of the scanning application. eBuilder Security handles all that for you as part of the service.

Security Review & Audit

A security review & audit functions as a maturity check for your organization. It gives you an action plan for the future and helps improve your posture. Companies that perform regular audits have shown to be more perceptive of their risks. Thus in case of a security incident, they are better placed to identify the most vulnerable places and immediately mitigate any issues as they are more competent in handling the situation.

Doing a review or an audit is not only a compliance check, but it also gives you a deeper understanding of your risks and indicates where you should focus your efforts most on.

Regularly testing the effectiveness of your security measures is an important step in becoming NIS2 compliant. eBuilder Security offers security review & audit which will be an important first step in evaluating the effectiveness of your existing processes and controls and identifying gaps in your current setup. Based on ISO 27001 standard and CIS controls, eBuilder Security’s audit process is complemented by our own unique methodology to achieve an end result that indicates your position with regards to ISO 27001 requirements as well as in overall cybersecurity hygiene.

Be NIS2 compliant with eBuilder Security 

When implementing ‘appropriate measures’ to secure your cyber assets you ought to try for the best solution available. But affording the best can be challenging. 

Partnered with the best in the industry, eBuilder Security prides itself on envisioning affordable top-notch Security as a Service (SECaaS) solutions, on tap, for all enterprises. Not just help you become compliant, but we also provide a number of tailored solutions carefully selected and gathered to cater to all your security needs. 

False Positive Vulnerabilities & How to Avoid Them

False Positive Vulnerabilities: What They Are, Why They Matter, and How to Prevent Them…  

False Positive Vulnerabilities seem like an innocuous mistake made by the vulnerability scanner, but the adversities the False Positive vulnerabilities present will significantly impact the organization

It is, therefore, of paramount importance that an organization identifies its vulnerabilities accurately so as to be securely ahead of the prevailing cyberthreats.

What is a False Positive Vulnerability? 

When a file or a setting has been flagged or alerted as malicious or vulnerable when it is not, it is known as a False Positive Vulnerability. Vulnerability Scanners will detect False Positive Vulnerabilities since the scanners can only access a limited amount of required information, preventing them from accurately determining whether a vulnerability actually prevails.  

Statistically, False Positives are known as ‘Type I’ errors for the reason that they scan the website for a specific condition and wrongly give an affirmative (positive) decision. False Negatives are known as ‘Type II’ errors and are the opposite of False Positives. False negatives scan the website for a specific condition and incorrectly give a negative decision when there is an actual vulnerability. False negatives have a direct impact on the security of the organization for the reason that vulnerabilities that are undetected cannot be resolved. False Positives and False Negatives are the two main types of errors associated with vulnerability scanners. This blog article focuses on False Positives in cybersecurity.

Why Do We Get False Positive Vulnerabilities

A False Positive vulnerability might be detected when the vulnerability scanners can only read the configuration information. For example, a vulnerability scanner that reads an Apache banner can only detect one version (version 2.3.46) that was installed from the HTTP banner, even if the latter version (version 2.3.46-29) is also installed and has a software fix that was backported. Another example would be the detection of the version of Secure Shell (SSH) that is installed when the vulnerability scanner reads the banner. However, the scanner would not detect the operating system or the patch level. If the vulnerability scanner could not determine the operating system while detecting that Secure Shell version 2 (SSH-2) is installed, accurately determining whether a vulnerability exists or not would be difficult for the vulnerability scanner.

False Positives; Investigate? or Ignore? 

Vulnerability scanners will scan entire websites and the domains that are specifically mentioned and produce a summary report regarding the vulnerabilities detected and methods of mitigating them. These detected vulnerabilities contain False Positive ones as well. The False Positives are a distraction from the actual vulnerabilities, resulting in wasted time, money, and resources. 

With False Positive vulnerability numbers increasing, companies tend to ignore alarms swifter than they would take time to consider them. For example, if 200 Cross-Site Scripting (XSS) vulnerabilities were detected by a vulnerability scanner and the first 20 variants were found to be False Positives by the security engineer or penetration tester, the possibility of assuming all detected XSS reports as False Positives and ignoring them is very high. This will create a significant security risk for the organization and for the clients of the organization since a real vulnerability could slip through without proper mitigations leaving the door open for malicious attackers. The organization could either assume and ignore all relevant vulnerabilities thinking all of them are False Positives, or the organization could go through all vulnerabilities, one by one, and clarify the real vulnerabilities and False Positive vulnerabilities. Both options mentioned above will have the same dilemmas, and they would either:

• All or a considerable amount of vulnerabilities be Real Vulnerabilities
• All or a considerable amount of vulnerabilities be False Vulnerabilities

Such scenarios put the organization in a challenging position, whether to employ time, resources, and money for going through all the vulnerabilities that are listed, since there might be a chance of discovering real vulnerabilities, or whether to assume and ignore all vulnerabilities are likely to be False Positives after considering the results of the first few scans; while exposing the organization for real vulnerabilities that might be on the ignored list.

What should you do to Reduce False Positives? 

The solution is to use a Vulnerability Scanning Service with a high accuracy rate. When choosing a Vulnerability Scanning Service, an organization should evaluate a number of vital factors, such as:

• How accurate the vulnerability scanner is;
• How many vulnerabilities can the scanner identify; 
• How the vulnerability scanner would help mitigating the identified vulnerabilities;
• How easy would it be to conduct/schedule a  vulnerability scan;
• How easy is it to add or remove targets/URLs;
• How much does it cost to conduct a vulnerability scan?

Why eBuilder Security’s Vulnerability Scanning Service?  

Detection of False Positives happens on ALMOST all vulnerability scanners, but the vulnerability scanning service provided by eBuilder Security stands out tall with a near 0% false positive rate, and with the capability to detect over 7000+ vulnerabilities including The OWASP Top 10. We have a 100% detection accuracy and 0% False Positives for Cross-Site Scripting (XSS) and SQL Injection (SQLi) Vulnerabilities with a leading Web Input Vector Extractor Teaser (WIVET) assessment score. 

Here at eBuilder Security, we provide Vulnerability Scanning as a Service partnering with Acunetix by Invicti, one of the best, if not the best vulnerability scanner around in these times. Our vulnerability scanning service can be obtained with a pay as you go plan providing you more flexibility to scale up and scale down as required.  With eBuilder Security, vulnerability scans can be conducted with a frequency of one scan per day/week, or month and can be customized according to the client’s requirements. You receive a detailed report after a scan with the identified vulnerabilities along with the actions and methods needed to be taken to mitigate them.

Our Vulnerability Scanning Service utilizes lightning-fast sensors that reveal the identified vulnerabilities in an instant after they have been detected; according to Acunetix itself, 90% of the scan results will be generated by the mid-way point of the scan, and the vulnerabilities will be prioritized automatically relevant for the risk level (from high to low risk vulnerabilities). 

A highly skilled team in eBuilder Security handles all the processes related to the vulnerability scanning services. With our service, you can either conduct your own scans and generate the required reports, or you can sit back and relax while the experts in eBuilder Security conduct the scans on behalf of you and provide the required reports for you in a secure manner.

CrowdStrike

CrowdStrike is renowned as a leader in providing innovative and high-quality solutions within the cybersecurity industry, something they have received great recognition for from both customers and industry experts. They are known for their high-performance cloud-based security solutions that offer comprehensive protection against advanced threats. CrowdStrike was founded in 2011 by George Kurtz and Dmitri Alperovitch. Both founders had previously worked for McAfee, another cybersecurity company. Based in Austin, Texas, the company is known for its ability to protect customers from cyberattacks by using technologies such as artificial intelligence, machine learning, behavioral analytics, and real-time security analytics.  

What services does CrowdStrike offer? 

CrowdStrike offers a wide range of cybersecurity services and solutions. These include, among others:  

Endpoint Protection: CrowdStrike offers cloud-based endpoint protection for PC, Mac, Linux, and mobile devices. This service includes behavioral analytics, machine learning, and artificial intelligence to detect and manage cyber threats in real time.  

Threat Intelligence: CrowdStrike has one of the most comprehensive threat intelligence databases in the industry. This enables the company to identify threats and attacks in real time and offer proactive protection.  

Incident Response: CrowdStrike offers incident response and management services to help customers manage and minimize damage from cyberattacks. The position also includes investigation and analysis of attacks as well as the development of preventive measures.  

Vulnerability Management: CrowdStrike also offers vulnerability analysis services to identify and report vulnerabilities in the customer’s network and systems. These vulnerabilities can then be remediated to prevent future attacks.  

Compliance: CrowdStrike also offers a range of solutions to help clients meet various compliance requirements, such as GDPR, PCI-DSS, and HIPAA.  

Why CrowdStrike? 

There are several factors that make CrowdStrike one of the most sought-after companies in cybersecurity:  

Cloud-based technology: CrowdStrike uses cloud-based technology that enables it to deliver high-performance security solutions in real time. This provides customers with an excellent level of protection with a high degree of scalability.  

Advanced technologies: CrowdStrike uses advanced technologies such as artificial intelligence and machine learning to detect threats in real time. This technology allows the company to quickly detect and stop threats before they cause damage. CrowdStrike OverWatch acts as an extra layer of security for customers by monitoring their network 24/7. The team behind OverWatch consists of experienced cybersecurity analysts who have access to CrowdStrike’s extensive threat intelligence database. This allows them to identify threats and vulnerabilities in real time and take quick action to stop them. One of the key features of CrowdStrike OverWatch is its ability to detect and stop advanced threats such as targeted attacks, ransomware, and other malware specifically designed to evade detection by traditional security software.

Threat intelligence: CrowdStrike has one of the most comprehensive threat intelligence databases in the industry. This database contains information about various types of threats, including malware attacks, and vulnerabilities. By using this database, CrowdStrike can detect and stop threats before they reach the customer’s network or system.  

Flexibility: CrowdStrike offers a range of solutions and services to suit different customer needs. The company can adapt its technology and solutions to meet different requirements, from small businesses to large organizations and public institutions.  

Proactive protection: CrowdStrike offers proactive security solutions that enable customers to protect their systems and networks before threats reach them. This provides a higher degree of protection and reduces the risk of injury.  

Vast experience: CrowdStrike was founded by experienced cybersecurity experts and has a team of highly skilled technicians and security analysts. The company also has a large network of partners and collaborates with other leading companies in cybersecurity.  

In summary, CrowdStrike is a leader in the cybersecurity industry. The company offers a range of solutions and services to suit different customers’ needs. By using advanced technologies such as artificial intelligence, machine learning, and threat intelligence, CrowdStrike can detect and stop threats in real time. This proactive approach to cybersecurity provides customers with a higher degree of protection and reduces the risk of damage from cyberattacks. They have developed a strong ability to detect and respond to threats in real time, providing customers with a higher degree of security and reducing the risk of damage from cyberattacks. 

CrowdStrike works closely with its partners and customers to help optimize their security system and ensure they have the right level of protection for their specific needs. In addition, the customer gets access to a variety of reports and analytics that provide a detailed picture of their security situation, including threats that have been detected and what actions have been taken to stop them. 

How can eBuilder Security help you with CrowdStrike? 

eBuilder Security has several services linked with CrowdStrike: 

• In our MDR service, CrowdStrike product suites are included where we use their XDR and threat hunting services to effectively find and neutralize threats in your environment. 
• With EDR as a service, we offer the possibility to leverage Falcon Prevent, which is CrowdStrike’s next-generation antivirus. 
• We can help you implement and also administer OverWatch which is their 24/7 daily monitoring service that analyzes and prevents intrusions daily. You get a specialist team that is up to date with the latest information. They showcased their expertise recently by being the first to detect and prevent the attack on 3CX. (https://www.securityweek.com/malware-hunters-spot-supply-chain-attack-hitting-3cx-desktop-app/)  

Navigating the Clouds – an Overview of Public Cloud and Private Cloud

Everything about the Cloud; Public and Private

Cloud computing has become a much needed asset today for organizations worldwide, with remote working, and working from anywhere (WFA) being a part of the new normal. With the types of cloud computing options available, selecting an efficient type that meets the exact requirements of a particular organization takes considerable time and effort. 

This article aims to shed some light on the said evaluation process by giving an overview of public cloud and private cloud, their differences, common concerns of cloud computing and the security challenges faced alongwith. It aims to help you understand public and private clouds considerably and outline how best a cloud platform should be selected for an organization.

What is Cloud Security?

The collaboration of a set of controls, policies, technologies, and procedures to protect cloud-based systems, infrastructure, and data is identified as Cloud Security, also known as Cloud Computing Security. The configuration of these security measures is to support supervisory compliance and protect cloud data and customer privacy; these configurations enable setting authentication rules for individual or multiple users and devices. Cloud security can be configured to the exact business requirement by authenticating access to filter traffic fittingly for the enterprise needs. Since these rules can be managed and configured in one place, IT teams are empowered to focus on other business areas while administration overheads are reduced. 

Delivery of cloud security functionalities depends on the cloud security solutions in place or on the individual cloud provider. However, the business owner and the solution provider will have a shared responsibility when it comes to the implementation of the cloud security processes. The Shared Responsibility Model is built up of three basic categories:

• Customer is fully responsible 
• Both customer and cloud service are responsible 
• Cloud service is fully responsible

Types of Cloud Computing

Cloud Computing can be divided into four main categories: Public Cloud, Private Cloud, Hybrid Cloud, and Community Cloud. 

Public Cloud: a service that is shared with multiple organizations using the public internet that is managed by a third-party service provider.  

Private Cloud: an on-demand infrastructure and computing service that is dedicated to a single-user organization. 

Hybrid Cloud: an infrastructure and computing service that is used as a mix of public and private clouds. The orchestration between the private cloud and the third party will be done by a Public Cloud Service. 

Community Cloud: a hybrid form of a private cloud that enables different organizations to work on a shared platform with multi-tenant platforms. 

Cloud services and cloud types are unique; choosing them would require a good understanding of your needs. Even if they are the same type, no two clouds are the same, and no two cloud services would be the exact same. But the understanding you can get about each Cloud Computing type and service would be helpful to your business according to how you plan on using them.

Public Cloud & Private Cloud

Providing IT infrastructure and services to the customers are the main responsibilities of Cloud Computing. There are five criteria that need to be fulfilled by a service for it to be known as a Cloud Service. They are as follows: 

1. On-demand self-service: the customers can decide on starting and stopping services without directly interacting with the provider. 
2. Broad Network Access: the service should be available for any device that is using any network.
3. Resource Pooling: a pool of resources is created and dynamically allocated by the provider to the customers.
4. Rapid Elasticity: the provided services by the provider should be quick and easily expandable.
5. Measure Services: the usage of service should be measured and charged accordingly by the provider.  

1. Public Cloud:

The Public cloud is a service that is shared with multiple organizations using the public internet that is managed by a third-party service provider. Server resources such as storage, applications, virtual machines, etc., are shared by the cloud service provider over the internet to the general public. For example, the cloud is being used by Google to run some of its applications such as YouTube, Google Docs, Google Sheets, Google Drive, etc. The ownership, deliveries, and operations are done by external cloud Service providers over the public internet. 

If your company needs an infrastructure to host a large number of customers and work on projects that have different organizations, a Public Cloud would be a suitable option.

2. Private Cloud:

The Private Cloud is an on-demand infrastructure and computing service that is dedicated to a single-user organization. The service provider makes all resources public over the internet, but the connectivity is only supported over a private network. This network only has authentic users and single-occupant architecture. For example, Google runs some of its applications on the Public Cloud (applications such as YouTube, Google Docs, Google Sheets, Google Drive, etc.), but the back-end data of those applications are not available to the public since that type of data and applications are run on a Private Cloud. Only over a private network are the infrastructure and services deployed and maintained, and the software and hardware are dedicated only to a private company.

If your company needs an infrastructure that has high security, high performance, and privacy because of its flexibility and best adaptability, a Private Cloud would be a desirable option.

Difference between Public Cloud & Private Cloud

It’s crucial to do your homework before selecting a cloud solution to make sure that it will accommodate both your own workload and the demand of your company.  

Top 03 Cloud Security Challenges in 2022

Due to technological advancements and how user-friendly the technology has become, nearly every person and organization has adopted cloud computing to varied degrees in both their personal and professional lives. It has been predicted that a record-breaking 60% of organizations will be using an external cloud provider’s managed service offering by 2022, doubling from 30% in 2018 -a trend that is likely to continue this year. However, with this adoption of the cloud comes the need to ensure that the organization has the capability of protecting against the top threats in Cloud Security.

Data Loss/Leakage

One of the many advantages of the cloud is that it makes sharing data stored in the cloud environment easier. This data on a Public Cloud environment could be accessed directly over the public internet, and it includes the ability to share the data within the environment with other parties by use of direct email invitations or by sharing a public link to the data. 

(Note: To access data on a Private Cloud, the user should have access to the necessary private network.) 

Sharing data with the use of public links or setting up a cloud-based repository for the public makes it accessible to whoever has the link; on the other hand, this makes it vulnerable to anyone with knowledge of the link. With the advancement of technology and the internet, there are tools to be found that exist specifically for searching the world wide web for unsecured cloud deployments. 

Cloud Misconfiguration 

An unencrypted data store that is left exposed to the general public is known as a Cloud Misconfiguration. All the global users of the same cloud platform could expose cloud data, leaving encryption keys and user credentials in open repositories. Cloud Misconfiguration could occur with any gaps, glitches, or errors that could expose the cloud environment to risk during cloud adoption.

Cloud Security misconfiguration is one of the most common cloud challenges in the present world since it allows anyone to access the store without any type of authentication over the internet. For example;

• A data set that belonged to Experian Credit Bureau that contained about 123 million American households’ private data was exposed due to a Cloud Misconfigured on Amazon S3 Storage Bucket in 2017.
• 3.5 million records, including Personally-Identifying Information (PII), were accidentally exposed by an LA-based non-profit organization, Los Angeles County 211, due to a Cloud Misconfigured on Amazon S3 Storage Bucket in 2018. 

Inside Threats

An organization could be threatened by outsiders and insiders. Out of those two types of threats, inside threats are considered more dangerous since they are already inside the organization’s system. The cost to address an insider security problem has increased 34% since 2020, from $11.45 (117.19 SEK) million in 2020 to $15.38 (157.42 SEK) million in 2022. Insider-led incident frequency has also increased by 44% in 2022.

Insider threats could lead up to several other security challenges for an organization, such as misconfigured cloud servers, other employees within the organization falling prey to phishing emails, and employees storing sensitive and critical company data and figures on their own insecure personal devices.

Common Cloud Computing Questions

Which cloud type should I use?

The decision about a cloud type is up to the person and the business, depending on the specific requirements of each.  

• Public Cloud: Predictable computing needs, apps, and services necessary to perform general IT and business operations, and environments with high volume workloads or fluctuating demands might be suited for a public cloud.
• Private Cloud: Private clouds may be well suited to handle highly classified sensitive data and for you to have more control over your data and the underlying infrastructure.

Which cloud is safest?

There is no correct answer to this question.

• Public Cloud: Due to multi-tenancy and numerous access points, public clouds tend to be subjected to a wider range of security threats. Public clouds often split the security responsibilities, and that single vulnerability in any split part could have an impact on the individual or organization. However, reputed public cloud providers have sophisticated mechanisms in place to identify and combat these threats.
• Private Cloud: Can be more secure than a public cloud, but that depends on how strong the cloud provider’s security is; Private clouds are more secure when they can only be accessed from their own network and only fewer people know about it.

But still, most would say that the answer to this question would be, “it depends!” and it is not wrong. Choosing a cloud type should be considered from the organization’s perspective, considering the advantages and disadvantages of each cloud type. 

Which cloud costs more?

This is a loaded question; since if you talk about the raw cost and the cost it will save in the future with cloud challenges rapidly rising, the answers would be different.

• Public Cloud: Usually, the individual or the organization has to pay for what they have used in a public cloud, though public clouds such as Massachusetts Open Cloud does not charge for tenants.
• Private Cloud: Whoever sets up a private cloud is usually responsible for purchasing or renting new hardware and resources to scale up the security and services.

Conclusion

Every organization’s cloud strategy must cooperatively go with a security strategy with the continuous growth of cloud adoption. Businesses will continue to shift to cloud infrastructures assuming remote working and working from anywhere as part of the new normal. It is now more vital for organizations to have a reliable, strong, and robust cloud security strategy in place to host a safe and secure cloud infrastructure irrespective of the ongoing cyber threats. It is also helpful for organizations to prevent overspending or misspending on cloud security controls when they have a strategy in place.

eBuilder SECaaS Solutions – Keeping Guard On Your Enterprise

Cost of Susceptibility 

September 2022 – With a good portion of 2022 gone by, we continue to tread carefully with evermore vigilance in the terrain of cybersecurity. For there is no sleep time where security is concerned. 

Last year had us kept on our toes with the infamous ransomware attack on Kaseya^[2] in July, followed up closely by the Kalix municipality debacle in December. This year is no different. All facts and figures point to an exponential growth in cybercrime and mounting ransomware claims^[5] in recent times.  

Caught Unawares

In early July 2021, Kaseya^[3], an IT infrastructure management solutions supplier for Managed Service Providers (MSP) got busted by a high-risk menacing ransomware attack, abruptly paralyzing as many as 1500 small, medium and large-scale business enterprises running on their services. This attack on a vulnerability in Kaseya software had a direct impact on over 1 million devices globally. The victims found themselves being demanded ransoms of large sums ranging from $50,000 to as much as $5 million, rendering them helpless at the mercy of the attackers. Popular Swedish supermarket chain Coop was forced to close about 700 of its stores for over a week as checkout was made unavailable due to the strike, a living nightmare for the reputable branched network retailer. 

Similarly, the attack on the Kalix municipality had over a hundred systems rendered unusable instantly. While all of the systems had to be rebuilt, the municipality had to resort to paper-based operations for weeks. 

Out There – Or, Right Here?

This year^[6] begins with more news on security breaches^[7]. The ransomware stage set keeps getting better with evolving scripts, plot twists, and actors playing hard with what they are good at, stretching as far as Ransomware as a Service (RaaS) being made available for a price, if you may. Organized cybercrime has infiltrated itself into our everyday systems and has already made it into our backyards, as we speak. It, therefore, is only a matter of time before we hear the knock on our door. 

To have it laid down in numbers, the cost of cybercrime felonies worldwide that we would have to put up with by 2025 is predicted to be around $10.5 trillion annually^[4], as per the concluding statistics by Cybersecurity Ventures, the leading researcher in the global cyber economy. 

However, the cost of a security breach, unfortunately, does not confine only to the ransom and/or the financial burden of damage repair and resource replacements. It comes with the irrecoverable damage of a tarnished image and the loss of the hard-earned trust of loyal customers. And of potential business prospects in the future. 

How Safe Are We?

So Far So Good… Or Is It? 

Criminal plotting is manifold. And cybercriminals are no different. Armed with the latest technologies and gaining strategic advantage over the victims, they now employ sophisticated means to exploit system vulnerabilities seeking ransoms and extortions. Stealing, leaking, and/or selling sensitive information about the victimized systems is a common offense among cyber criminals. They can cripple entire networks rendering whole systems unavailable or obsolete. Or corrupt and/or encrypt your data. They may also use your computers to mine bitcoins or attack others. The endless possibilities could send chills down the spine of your IT system.

Cybersecurity vulnerabilities are concealed in all systems, in disparate forms invisible to the unassuming security administrators, manual testing, and periodic scanning. As technologies evolve with emerging trends, so does the corresponding attack vector scheming. Where once the ultimate protective measures were with device endpoint protection and network security, we are now thrust with the security of mobile and cloud technology, blowing off the precariously guarded perimeter-centric protection approach a few years ago. 

The Vulnerabilities 

With the volume and significance of critical data exposed to the internet today, web applications have become a prime target of attack, with every 3 out of 4 data breaches having targeted web apps. Often running on Javascript and/or on HTML 5, web-based apps and websites run a high risk of being exposed, intercepted, and compromised. The highly popular application programming interfaces (APIs) in recent times are not far behind, carrying an equally risky vulnerability within them. APIs have become an alluring target for attackers because of their inherent nature for exposing application logic and sensitive data such as Personally Identifiable Information (PII), as cited in the  Open Web Application Security Project (OWASP) API Security Top 10 2019^[9] report. This immediately shifts the scope of security outside that of the traditional network with potential risks such as formjacking, Document Object Model (DOM) tampering, session abuse, overlay attacks, and API abuse. Now you will need more than your average web application firewall (WAF) in your armor kit. 

This is where vulnerability scanning comes in handy. 

Our Forte – SECaaS On Tap

You know you should be prepared. Just how prepared you ought to be, is where our expertise fits into serving you. 

Envisioning affordable top-notch Security as a Service (SECaaS) solutions, on tap, for all enterprises, eBuilder Security, in partnership with Invicti, brings forth eBuilder Security Services, conveniently facilitating comprehensive vulnerability scanning with Acunetix. 

Invicti, dubbed a Challenger by 2022 Gartner Magic Quadrant in Application Security Testing (AST)^[10], caters distinctively to the requirements of present-day organizations covering all of their applications and APIs at scale. Selected by Invicti as one of the first Managed Security Service Providers (MSSP) of Acunetix in Europe and the leading MSSP partner in Sweden, eBuilder Security now offers Acunetix in flexible arrangements at affordable rates for enterprises. 

Renowned to be the most accurate vulnerability scanner around, Acunetix is leading the way in automated application security testing today. Based on DAST/IAST technology, Acunetix boasts superior precision combined with the lowest false positives in the industry. The award-winning Acunetix Vulnerability Scanner is trusted and used by prestigious organizations such as Forbes 500 business, NASA, and US Air Force, to name a few amongst 3400 odd. 

Robust with very high detection rates, our scans are run daily with detailed reports directly available for developer reference. Easily scalable and available on tap, you can pay as you go with the flexibility to add/remove endpoint targets as required. 

Our tested automation-focused approach to application security presents complete visibility, proven accuracy, enterprise scalability, and developer enablement to organizations across the globe. 

With over 20 years of providing secure Software as a Service (SaaS) solutions around the globe, eBuilder is proficient in solutions for Banking, Defense, and Telecommunications industries. Our esteemed client base includes the Swedish parliament, government agencies, and municipalities placing their trust in us in keeping their IT systems safe. 

To Do – Next

Sign up for our free trial which identifies a single web application to be scanned and tested for vulnerabilities. You can schedule a demo with our proficient team for setting up the scanning. Within our free trial plan, we run a scanning of your application with visibility into an executive summary report comprising vulnerabilities with insights on severity.

Feel free to reach out to our expert eBuilder Security team for your queries and concerns on your cybersecurity terrain.

References:

1. Image attribution: Detail of Painting of Soviet Defenders – Defence of Brest Fortress Museum – Brest – Belarus – picture by Adam Jones from Kelowna, BC, Canada. The Defense of Brest Fortress is known for its well-organized, resilient shielding despite being attacked with the element of surprise to the enemy’s advantage. 
   
2. The 2021 Kaseya Attack Highlighted The Seven Deadly Sins Of Future Ransomware Attacks:
   https://www.forbes.com/sites/forbestechcouncil/2022/01/25/the2021-kaseyaattack-highlighted-the-seven-deadly-sins-of-future-ransomware-attacks/?sh=194b52b15f75
   
3. Kaseya ransomware attack sets off race to hack service providers -researchers:
   https://www.reuters.com/technology/kaseya-ransomware-attack-sets-off-race-hack-service-providers-researchers-2021-08-03/ 
   
4. Cybercrime To Cost The World $10.5 Trillion Annually By 2025:
   https://cybersecurityventures.com/cyberwarfare-report-intrusion/
   
5. Ransomware: a call for enhanced resiliency:
   https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/aig-ransomware-global.pdf
   
6. 25+ cyber security vulnerability statistics and facts of 2022:
   https://www.comparitech.com/blog/information-security/cybersecurity-vulnerability-statistics/
   
7. Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know:
   https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=727ba06c7864
   
8. Daunting cyber security statistics to know for 2022:
   https://www.cybertalk.org/2022/03/14/daunting-cyber-security-statistics-to-know-for-2022/
   
9. OWASP API Security Top 10:
   https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm
   
10. Invicti recognized as a Challenger in the 2022 Gartner® Magic Quadrant™ for Application Security Testing (AST):
    https://www.invicti.com/clp/resources/gartner-magic-quadrant-ast/