1. Escalating Cyber Threats
2. Increased Costs
3. Delayed Incident Response
4. Compliance and Regulatory Risks
5. Innovation and Competitive Disadvantage
6. Outsourcing Concerns
7. Education and Skill Gap
Oreta has found that many organisations misconfigure MFA policies in their Microsoft 365 cloud environments. This can allow attackers to bypass MFA and gain unauthorised access to sensitive data.
Here are some of the most common MFA misconfigurations:
- Enabling MFA for only some users. This leaves users who are not required to use MFA vulnerable to attack.
- Allowing users to bypass MFA for certain applications or devices. This can make it easier for attackers to gain access to sensitive data.
- Not enforcing MFA for all sign-in attempts. This can allow attackers to gain access to an account by simply guessing the user’s password.
Organisations should carefully review their MFA policies to ensure that they are properly configured. They should also regularly test their MFA policies to ensure that they are working as intended.
Conditional Access Policies (CAPs) are a powerful tool for controlling access to Microsoft 365 and Azure AD resources. However, CAPs can be complex to configure and manage, and misconfigurations can lead to security vulnerabilities.
We have observed several CAP issues that can be used to bypass MFA. These issues include:
- Using the wrong conditions in a CAP rule. For example, a CAP rule that only applies to users in the United States could be bypassed by an attacker who logs in from another country.
- Excluding certain users or devices from a CAP rule. For example, a CAP rule that requires MFA for all users could be bypassed by an attacker who uses a device that is excluded from the rule.
- Not enforcing MFA for all sign-in attempts. For example, a CAP rule that requires MFA for all sign-in attempts could be bypassed by an attacker who uses a compromised password to log in.
Permitting Mobile Devices
To mitigate this risk, it is important to enforce MFA for all users, regardless of the device they are using. Additionally, organisations can implement additional security measures such as Mobile Device Management (MDM) or Mobile Application Management (MAM) compliance.
Unintentionally Permitting Linux Devices
Exempted Service Accounts
During penetration tests, Oreta consultants have found service accounts that have been in use since 2010 and have passwords like “Password1.” This is a major security risk.
To mitigate this risk, organisations should use Conditional Access Workload Identities (CAWI) to block untrusted external authentication events for service accounts. CAWI allows organisations to define policies that require service accounts to only authenticate from trusted locations.
In addition, organisations should use a privileged access management (PAM) solution to ensure that service accounts are secure. PAM solutions can help to manage service account passwords, enforce least privilege, and audit access to service accounts.
Opt-In Selective Enforcement
To mitigate this risk, MFA enforcement should be set to opt-out by default. This means that all users will be required to use MFA, unless they are explicitly exempted. Any exemptions should be carefully considered and audited.
By setting MFA enforcement to opt-out by default, organisations can help to ensure that all users are protected, regardless of when they joined the organisation.
Oreta ran a red team/blue team exercise on a client in the finance industry. In a red /blue team exercise, the red team is made up of offensive security experts who try to attack an organisation’s cybersecurity defences. The blue team defends against and responds to the red team attack. On a red team, Oreta obtained username and password credentials via a password spray. On authenticating to Microsoft 365 it was found that MFA was enforced through the browser. Typically, the tool MFASweep (dafthack, 2022) is executed to find low-hanging fruit in CAPs – by mimicking a mobile device – but this did not result in a bypass on this test. What is important to remember is that CAP is evaluated holistically. Many rules may be evaluated during a given authentication event. As a result, Oreta testers were able to brute-force combinations of known devices, applications, and Microsoft login endpoints to find the combination of CAP to obtain access. Upon authenticating with a Linux user agent and a spoofed “Windows Config Designer” source application ID to the Microsoft Graph API endpoint, the CAP were satisfied and provided the consultant access to the organisations cloud without the need for MFA.
- Exclusive by default
- Clear in purpose
- Properly labelled
- Consistently applied with minimal exceptions
- Regularly audited to detect abnormal login flows.
Contact us now to evaluate your MFA policies.
What is Essential 8?
The growing importance of the Essential 8 stems from various factors, primarily driven by the rapidly evolving threat landscape. In recent years, attackers have adopted highly sophisticated methods to infiltrate organisations’ systems and compromise data. The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year. In response to these escalating threats, the Essential 8 offers a comprehensive set of controls that empower businesses to effectively counter and mitigate such risks. Consequently, the following reasons highlight why the Essential 8 has emerged as a crucial component in bolstering cybersecurity:
- Empowers businesses to remain current and proactive in countering emerging threats.
- Encompasses an extensive array of controls, effectively mitigating diverse security risks.
- Endorsed by multiple government and industry organizations, lending it unwavering credibility and legitimacy.
- Effortlessly implementable and maintainable, rendering it an ideal solution for organisations of any scale.
While the Essential 8 does not function as an impenetrable titanium shield and cannot ensure absolute immunity to cyber-attacks for organisations, its implementation can significantly raise the bar for attackers, making their success far more challenging. For those seeking to enhance their organisation’s cyber security posture, the Essential 8 serves as an excellent starting point. By adopting the Essential 8 practices, organisations can substantially bolster their defences against potential attacks.
Implementation of the Essential Eight Maturity Model
The Essential Eight Maturity Model comprises the following eight strategies:
- Application control: ensures only corporate approved software applications can be executed on a computer, protecting against the execution of malicious applications.
- Patch applications: applying vendor patches or other vendor mitigations prevents known vulnerabilities in applications from being exploited.
- Configure Microsoft Office macro settings: limits macro programs embedded in Microsoft Office files from executing, thereby preventing potential malicious activity.
- User application hardening: limits the use of potentially exploitable user application functionality to only what is required and removes particularly vulnerable software altogether.
- Restrict administrative privileges: limits the unnecessary provision of administrative privileges, reducing the potential for these to be exploited by adversaries to gain full access to computers and data.
- Patch operating systems: applying vendor patches or other vendor mitigations prevents known vulnerabilities in operating systems from being exploited.
- Multi-factor authentication: requires users to present multiple authentication credentials to log in, rather than just using a passphrase, thereby preventing adversaries logging in as a user if they know the user’s passphrase.
- Regular backups: making a copy of data, software, and configuration settings, storing it securely and periodically testing the ability to restore it, enables data and computers to be restored after an incident such as ransomware or computer hardware failure.
The Essential Eight Maturity Model recommends that organisations implement the Essential Eight using a risk-based approach. Where the strategies cannot be implemented, these exceptions should be minimised, and compensating controls should be used to manage the resulting risk. If the gap is effectively mitigated, the entity may self-assess their maturity against that strategy.
The Essential 8 is a valuable set of security controls that can help organisations protect themselves against cyber threats. By implementing these controls, organisations can make it much more difficult for attackers to succeed.
If you are interested in learning more about the Essential 8 or would like a no obligation chat contact us now.
Find out more about Oreta’s cybersecurity services here.
Ransomware attacks have witnessed a staggering surge of nearly 500% since the commencement of the COVID-19 pandemic, highlighting the urgent need for Australian businesses to reassess their IT infrastructure and bolster their security measures. This will enable them to enhance their defences against meticulously targeted cyber-attacks. To determine whether your business requires a security reassessment, here are seven indicators that your IT infrastructure is susceptible to a cyber-attack:
Outdated software and hardware
Organizations must prioritize and proactively manage their software and hardware upgrades. It is imperative to have a dedicated IT team that remains vigilant in conducting regular compliance checks to ensure the company remains ahead of the curve.
It is crucial for passwords to be complex, incorporating uppercase and lowercase letters, special characters, and numbers, while avoiding dictionary words. Additionally, it is important to encourage employees not to reuse passwords across multiple sites. Here are some steps that businesses can take to ensure their employees use strong and secure passwords:
- Employee education
- Don’t share passwords
- Get a password manager
- Change password regularly through business wide policies
- Make passwords stronger
- Use two factor authentication
Lack of employee training
In 2020, Marriott Hotels & Resort experienced an internal compromise where hackers accessed two employee passwords, resulting in unauthorized access to 5.2 million private records. Unfortunately, it took two months for Marriott’s cybersecurity systems to detect the breach, highlighting the importance of regular regulatory compliance and cyber security training to prevent such incidents from occurring. With third-party assessments and consultation such as Oreta’s Cyber Training and Awareness solution, Marriott Hotel & Resorts could have reduced the chances of the breach overall.
Insufficient network segmentation
However, by dividing a large network into smaller sub-networks through network segmentation, the attack surface is reduced. This segmentation isolates network traffic within the sub-networks, impeding lateral movement. If a network perimeter is breached, the sub-networks act as barriers, preventing attackers from spreading laterally throughout the entire network. With cyber-attacks growing increasingly sophisticated, network segmentation becomes a vital measure to limit the impact of an attack by making it more challenging for cyber criminals to navigate through your network.
Lack of patching
Lack of back-up and recovery plans
Without a backup and recovery plan, organizations lack a clear understanding of recovery times (recovery time objective or RTO) and recovery points (recovery point objective or RPO), both of which are crucial in the event of an attack. RTO represents the maximum acceptable downtime for an application, computer, network, or system following an unforeseen disaster, failure, or similar event. On the other hand, RPO defines the acceptable period within which an enterprise’s operations must be restored following a disruptive event.
Failing to proactively plan for these contingencies exposes businesses to greater losses and long-term consequences, including diminished customer loyalty and damage to brand reputation. Therefore, having a backup and recovery plan in place is essential for safeguarding against potential disruptions and minimizing the impact on the organization.
Cyber-attacks pose a significant threat to businesses and organizations of all sizes, with cybercriminals showing no discrimination. Recognizing the signs of vulnerability in your IT infrastructure can help you take proactive measures to protect your systems and sensitive data. By identifying weaknesses, implementing robust security measures, and training employees in security best practices, you can reduce the risk of a cyber-attack and mitigate potential damages. It is essential to stay informed about the latest threats and security trends, regularly review, test, and update security plans such as Incident Response Plans (IRP), Business Continuity Plans (BCP), and Disaster Recovery Plans (DRP). Remaining vigilant is key to ensuring the ongoing protection of your IT infrastructure.
If you want to be proactive rather than risking on having to be reactive with your security, contact us now and have a no obligation chat with out security team.
Find out more on Oreta’s cyber security services here.
Cyber threats and attacks are on the rise globally with the pacific region becoming a hot spot with malicious actors targeting governments, organisations, and individuals. During the 2020–21 financial year, over 67,500 cybercrime reports have been made in Australia, an increase of nearly 13 per cent from the previous financial year.
2. Lack of Cyber Security Awareness
There is a significant lack of awareness amongst individuals and organisations regarding the importance of Cyber security thus, making them more vulnerable and prone to cyber-attacks. Australian Cyber Security Centre reported that 82% of all breaches involved ‘the human element’ (the use of stolen credentials, phishing, misuse, or human error) in 2022.
3. Resourcing shortage
Australia has a shortage of cyber security experts and trained professionals. The lack of skilled cyber security professionals makes it difficult for organisations to implement and manage effective cyber security measures. There is an anticipated 38% growth in workforce shortages in Australian cybersecurity, outstripping forecasts for care and software development.
4. Inadequate IT infrastructure
Many businesses in the pacific region have outdated cyber security infrastructure thus making them an easy target for cyber-attacks. 40% of Australian IT leaders admitted to failing the security compliance audit in the Thales cyber report, 2021.
5. Continuous compliance
As cyber-attacks are becoming more advanced and ever evolving, this reflects in constant change and updates of the security regulations and laws. This makes it difficult for organisations to keep up and meet the changing requirements of insurance. Cyber insurance premiums soar 80% in 2022 as claims surge, following a 20 percent increase in the cost of cover in each of the previous two years.
6. Digital transformation
With digital transformation technologies such as Internet of Things (IOT), Artificial Intelligence (AI) and Blockchain being adopted at a rapid pace, businesses are now more vulnerable than ever. Integrating newly established systems and platforms provides a levy for new cyber risks and challenges. Annual Cyber Threat Report found that the cost of a security breach cost $39,000 for small businesses, $88,000 for medium businesses, and over $62,000 for large businesses. An average increase of 14% per cyber-crime report.
To address these cyber security challenges, organisations in the pacific region need to invest in security education, strategy re-evaluation and most importantly a team of security experts. Prioritising the development and implementation of effective cyber security policies, regulations, and infrastructure can position organisations to improve and reinforce their security posture. Keeping up to date and sharing information among cyber security experts and like-minded businesses in the region is also crucial in helping organisations stay ahead of cybersecurity risks and threats.
At Oreta we believe in being proactive than reactive, protect your data and reputation and contact us now.
How does phishing mail work and what impact does it have on businesses?
In the era of the technological boom, phishing scams are no longer badly formatted emails, but precisely targeted attacks (Spear Phishing) backed with the analysis of human behaviour in getting people to click. Fraudsters have taken cyberattacks to new levels of success, fooling even the savviest of employees. With the widespread phenomenon of automated click behaviour, it becomes hard for staff to police every email increasing the chances of a security breach. Employee errors are the #1 gateway to ransomware disasters, leading top tier businesses to adopt Endpoint Detection and Response to solidify their security posture.
“Phishing, the most common threat vector, is involved in 36% of data breaches.”
According to Verizon’s 2021 Data Breach Investigations report.
What is EDR and why is it the best?
EDR is an integrated solution that records real-time activities and events taking place on endpoints and all workloads with rule-based automated response and analysis capabilities. This provides the security teams with in-depth visibility they need to uncover incidents that may not otherwise been detected. An EDR solution provides continuous and comprehensive visibility into what is happening on endpoints in real time.
Modern EDR architecture tightly integrates with mail gateway solutions and firewall systems to detect, analyse, and block advanced threats before they reach employee inboxes. This in turn provides unified platform experience, including ransomware and other email viruses and URL’s. Organisations can detect malicious behaviour across all vectors and rapidly eliminate threats with autonomous response capabilities across enterprise attack surfaces.
The sophistication of modern malware is evolving at an increasing speed to which the traditional Antivirus (AV) signature-based detection is no longer effective. AV solution relies on the coded database of “bad” files to which they try match the recognised threat. However, due to the unique and everchanging malware infrastructure that is being pushed by scammers, these files can bypass antivirus undetectably. EDR on the other hand incorporates AV and other endpoint functionalities and can detect trends and other indicators of a successful incursion.
Companies have less than 30 minutes after employee error to prevent malicious ransomware moving laterally and infecting other devices. EDR has a quick response capability and can create an alert within a short time frame. For example, if an end user opens a spear phishing email and inputs their credentials to a seemingly legitimate website, the EDR solution will be able to monitor, alert the security team and prevent the attacker from logging into the endpoint- even under the guise of a legitimate sign in.
What should you look for in EDR solutions?
- Endpoint Visibility: Real-time visibility across all your endpoints allows you to view adversary activities, even as they attempt to breach your environment, and stop them immediately.
- Threat Database: Effective EDR requires massive amounts of telemetry collected from endpoints and enriched with context so it can be mined for signs of attack with a variety of analytic techniques.
- Behavioural Protection: Relying solely on signature-based methods or indicators of compromise (IOCs) lead to the “silent failure” that allows data breaches to occur. Effective endpoint detection and response requires behavioural approaches that search for indicators of attack (IOAs), so you are alerted of suspicious activities before a compromise can occur.
- Insight and Intelligence: An endpoint detection and response solution that integrates threat intelligence can provide context, including details on the attributed adversary that is attacking you or other information about the attack.
- Fast Response: EDR that enables a fast and accurate response to incidents can stop an attack before it becomes a breach and allow your organization to get back to business quickly.
- Cloud-based Solution: Having a cloud-based endpoint detection and response solution is the only way to ensure zero impact on endpoints, while making sure capabilities such as search, analysis and investigation can be done accurately and in real time.
To take your EDR a step further SentinelOne’s ActiveEDR provides analysts with real-time, actionable correlation and context and lets security analysts understand the full story of what happened in their environment. Storyline automatically links all related events and activities together an attack storyline with a unique identifier. This allows security teams to see the full context of what occurred within seconds rather than needing to spend hours, days, or weeks correlating logs and linking events manually. It is the most talked about solution in the cybersecurity world due to being the first EDR that is truly active.
ActiveEDR constantly draws stories of what is happening on the endpoint. Once it detects harm, it is capable of mitigating not only malicious files and operations but the entire ‘storyline’. ActiveEDR knows the full story, so it will mitigate this at run time, before encryption begins. It works by giving each of the elements in the story the same TrueContext ID. These stories are then sent to the management console, allowing visibility and easy threat hunting for security analysts and IT administrators.
Who can help me improve my security posture with EDR?
Partnered with wide spectrum of security experts Oreta provides you with a catered solution aligned with your business requirements and holistic vision. We do not consider ourselves a separate entity but an extension of your business with hand in hand guidance into the world of security.
Contact us now to find the perfect EDR solution for you.