Unit 3 - DIGITAL DEVICES SECURITY Assignment Questions.

Syllabus:
Device and Mobile Security: Endpoint device and mobile phone security, password policy, security patch management, data backup, downloading and management of third-party software, device security policy.
Tools and Technologies for Cyber Security: Authentication tools, firewalls, intrusion detection systems, and antivirus and encryption software.
Cyber Security Best Practices: Cyber security best practices, significance of host firewall and anti-virus, management of host firewall and anti-virus, Wi-Fi security, configuration of basic security policy and permissions.

Device and Mobile Security:

1Q. Essay Question: Explore the importance of device and mobile security in today's digital landscape. Discuss the various threats and vulnerabilities faced by mobile devices, including malware, phishing attacks, and data breaches. Explain the significance of implementing security measures such as encryption, biometric authentication, and secure boot processes to protect against these threats. Additionally, analyze the role of user education and awareness in enhancing device security. Provide examples of best practices and case studies to illustrate effective strategies for mitigating risks to mobile and IoT devices.

Answer:
Mobile device security refers to the measures designed to protect sensitive information stored on and transmitted by laptops, smartphones, tablets, wearables, and other portable devices. At the root of mobile device security is the goal of keeping unauthorized users from accessing the enterprise network. It is one aspect of a complete enterprise security plan.

Why is Mobile Device Security important?
With more than half of business PCs now mobile, portable devices present distinct challenges to network security, which must account for all of the locations and uses that employees require of the company network. Potential threats to devices include malicious mobile apps, phishing scams, data leakage, spyware, and unsecured Wi-Fi networks. On top of that, enterprises have to account for the possibility of an employee losing a mobile device or the device being stolen. To avoid a security breach, companies should take clear, preventive steps to reduce the risk.

What are the benefits of Mobile Device Security?
Mobile device security, or mobile device management, provides the following:
- Regulatory compliance
- Security policy enforcement
- Support of "bring your own device" (BYOD)
- Remote control of device updates
- Application control
- Automated device registration
- Data backup
Above all, mobile device security protects an enterprise from unknown or malicious outsiders being able to access sensitive company data.

How does Mobile Device Security work?
Securing mobile devices requires a multi-layered approach and investment in enterprise solutions. While there are key elements to mobile device security, each organization needs to find what best fits its network. To get started, here are some mobile security best practices:

Establish, share, and enforce clear policies and processes
Mobile device rules are only as effective as a company's ability to properly communicate those policies to employees. Mobile device security should include clear rules about:
- What devices can be used
- Allowed OS levels
- What the company can and cannot access on a personal phone
- Whether IT can remotely wipe a device
- Password requirements and frequency for updating passwords

Password protection
One of the most basic ways to prevent unauthorized access to a mobile device is to create a strong password, and yet weak passwords are still a persistent problem that contributes to the majority of data breaches.
Another common security problem is workers using the same password for their mobile device, email, and every work-related account. It is critical that employees create strong, unique passwords (of at least eight characters) and use different passwords for different accounts.

Leverage biometrics
Instead of relying on traditional methods of mobile access security, such as passwords, some companies are looking to biometrics as a safer alternative. Biometric authentication is when a computer uses measurable biological characteristics, such as face, fingerprint, voice, or iris recognition, for identification and access. Multiple biometric authentication methods are now available on smartphones and are easy for workers to set up and use.

Avoid public Wi-Fi
A mobile device is only as secure as the network through which it transmits data. Companies need to educate employees about the dangers of using public Wi-Fi networks, which are vulnerable to attacks from hackers who can easily breach a device, access the network, and steal data. The best defense is to encourage smart user behavior and prohibit the use of open Wi-Fi networks, no matter the convenience.

Beware of apps
Malicious apps are some of the fastest growing threats to mobile devices. When an employee unknowingly downloads one, either for work or personal reasons, it provides unauthorized access to the company's network and data. To combat this rising threat, companies have two options: instruct employees about the dangers of downloading unapproved apps, or ban employees from downloading certain apps on their phones altogether.

Mobile device encryption
Most mobile devices are bundled with a built-in encryption feature. Users need to locate this feature on their device and enter a password to encrypt it. With this method, data is converted into a code that can only be accessed by authorized users. This is important in case of theft, as it prevents unauthorized access.
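The password guidance above (at least eight characters, strong, and a different password for every account) is easier to enforce than to describe. The following is an added example, not code from the original answer or from any vendor it mentions: a small audit that applies those rules to a set of accounts and flags the "same password for phone, email and every work account" pattern. The three-character-class minimum, the tiny blocklist and the sample accounts are constructed for the demonstration; a real policy would use the organisation's own values and a breached-password feed.

```python
"""Password-policy audit for device and account passwords.

Added example, not code from the original text. It checks the rules the
answer states (at least eight characters, strong and unique per account)
and flags the 'same password for phone, email and every work account'
problem. The minimum of three character classes, the tiny blocklist and
the sample accounts are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from collections import defaultdict

MIN_LENGTH = 8         # from the text: "at least eight characters"
REQUIRED_CLASSES = 3   # assumption: three of lower/upper/digit/symbol

# Constructed blocklist; a real one is a large breached-password list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1", "welcome1"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def character_classes(pw: str) -> int:
    """Number of distinct character classes (lower, upper, digit, symbol) in pw."""
    return sum(1 for p in CLASS_PATTERNS if re.search(p, pw))


def check_password(pw: str, account: str = "") -> list[str]:
    """Return the policy violations for one password; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    # The part of the account before '@' is the user name (e.g. "alice@corp.example").
    user = account.split("@")[0].lower()
    if user and user in pw.lower():
        problems.append("contains the account name")
    if re.fullmatch(r"(.)\1+", pw):
        problems.append("is a single repeated character")
    return problems


def fingerprint(pw: str, key: bytes) -> str:
    """Keyed hash of a password so reuse can be compared without keeping clear text."""
    return hmac.new(key, pw.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(accounts: dict[str, str], key: bytes) -> list[list[str]]:
    """Groups of accounts that share one password (the reuse problem the text describes)."""
    groups: dict[str, list[str]] = defaultdict(list)
    for account, pw in accounts.items():
        groups[fingerprint(pw, key)].append(account)
    return sorted(g for g in groups.values() if len(g) > 1)


def audit(accounts: dict[str, str], key: bytes | None = None) -> dict:
    """Apply the per-password policy and the reuse check to a set of accounts."""
    key = key or os.urandom(32)   # fresh key per audit run; fingerprints are not stored
    violations = {}
    for account, pw in accounts.items():
        problems = check_password(pw, account)
        if problems:
            violations[account] = problems
    return {"violations": violations, "reused": find_reuse(accounts, key)}


# Constructed sample: one employee's phone unlock, email, VPN and two other accounts.
SAMPLE_ACCOUNTS = {
    "phone-unlock": "Summer2024!",
    "alice@corp.example": "Summer2024!",
    "alice-vpn@corp.example": "Summer2024!",
    "alice-wiki@corp.example": "password",
    "alice-hr@corp.example": "Tq7#vLm9pR2x",
}

if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS)
    for account, problems in report["violations"].items():
        print(f"{account}: {', '.join(problems)}")
    for group in report["reused"]:
        print("same password used for:", ", ".join(group))
```

The reuse check deliberately hashes each password with a per-run key rather than comparing clear text, so the audit output never needs to contain the passwords themselves; only the grouping of accounts that share one is reported.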
What are the different types of Mobile Device Security?
There are many aspects to a complete security plan. Common elements of a mobile security solution include the following:

Enterprise Mobile Management platform: In addition to setting up internal device policies that protect against unauthorized access, it is equally important to have an Enterprise Mobile Management (EMM) platform that enables IT to gather real-time insights to catch potential threats.

Email security: Email is the most popular way for hackers to spread ransomware and other malware. To combat such attacks, it is critical for businesses to be armed with advanced email security that can detect, block, and address threats faster; prevent data loss; and protect important information in transit with end-to-end encryption.

Endpoint protection: This approach protects enterprise networks that are remotely accessed by mobile devices. Endpoint security protects companies by ensuring that portable devices follow security standards and by quickly alerting security teams of detected threats before they can do damage. Endpoint protection also allows IT administrators to monitor operational functions and data backup strategies.

VPN: A virtual private network, or VPN, extends a private network across a public network. This enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. VPN encryption allows remote users and branch offices to securely access corporate applications and resources.

Secure web gateway: A secure web gateway protects against online security threats by enforcing company security policies and defending against phishing and malware in real time. This is especially important for cloud security, as this type of protection can identify an attack on one location and immediately stop it at other branches.
Cloud access security broker: A cloud access security broker (CASB) is a tool that sits between cloud service consumers and cloud service providers to enforce security, compliance, and governance policies for cloud applications. CASBs help organizations extend the security controls of their on-premises infrastructure to the cloud.

How does Mobile Device Security complement existing application security and network security efforts?
In addition to monitoring and protecting against malicious threats to a company's data, mobile device security, when paired with an EMM platform and other network and application security solutions, enables an IT department to remotely manage users and their devices. This capability provides security for all mobile devices connected to a network, while giving IT the option to remotely disable unauthorized users and applications. An EMM also allows IT to remotely wipe company data from a lost or stolen device and to control device updates. All of these measures enhance security significantly.

Making mobile devices secure is not a simple task, but it should be a high priority for any enterprise. To combat the growing threat of cyber-attacks, companies must continually audit their mobile security solutions and consider new security measures as they become available.

Research Question: Conduct a comparative analysis of different mobile operating systems (e.g., Android, iOS) in terms of their security features and vulnerabilities. Investigate the security architectures, patching mechanisms, and app permission models employed by each operating system to protect user data and privacy. Evaluate the effectiveness of these security measures in mitigating common threats such as malware, unauthorized access, and data leakage. Furthermore, examine the impact of device fragmentation and software update practices on the overall security posture of mobile ecosystems.
Based on your analysis, propose recommendations for improving the security of mobile devices across different platforms.

Answer:
The operating systems Android and Apple iOS are the focus of cyber criminals, so a comparative study of the two is of great importance: it lets us know their vulnerabilities and propose methods, policies, and security systems to protect data. Mobile phones are small embedded devices with peculiar characteristics. They allow text and multimedia messaging and, because they have memory, a processor, and an operating system, they permit greater use, handling, and exchange of confidential information between users, including videos and collaborative work across various social networks. This also opens the way to failures in cyber security and to the loss and theft of information; as cybercrime increases substantially, the mobile phone is vulnerable to it. Current research focuses on information security, and information theft grows every day because of the large number of mobile device users who have no information security education. Android and Apple iOS are now the targets of attackers; being so common makes them easy prey. A study of this kind is extremely important for our society: we need a basic culture of information security, control of our passwords, email, social networks, malicious software, and spies, which are the apex of the modern information age, and we must be very careful to avoid irreparable losses.
However, we know that security for phones differs from security for computers; in other words, viruses also differ in their form of attack. Although there are compatible operating systems, they differ in the perspective we refer to here: a virus for the Android operating system does not attack the iPhone system for a very simple reason, its core (kernel). Systems are created with different codings and languages, and a virus is likewise written in a programming language; for the attack to happen it needs to be made in the same language as the operating system. For this reason it is important to study them separately (Figure 1).

Figure 1. Virus attack on mobile operating system. Source: Quissanga [1].

The choice of this topic was made in order to know which of the operating systems, Android or Apple iOS, is more secure and to propose security measures to protect information, since we face many problems with data protection.

2. Methodology
This study was possible through my experience as a teacher in the discipline of information security, which allowed a systematic evaluation of the research. We therefore opted for qualitative research based on bibliographic references and documentary sources, combined with quantitative techniques, which allowed us to evaluate the study in detail, understand how existing information is cared for, present which of the operating systems is the safest as to data protection, detect system vulnerabilities, and present some contingency measures against cyber attacks.

2.1 Data collection
The data were collected systematically, investigating safety measures in mobile cellular telephony. The search was conducted in databases such as Google Academic® and Portal de Periódicos Capes.
The current research was done through searches in Google Academic®, which, as described by Creswell [2], is a free database that provides breadth in the search for literature from various sources, such as theses, abstracts and articles, with the advantage of being able to obtain them in full. The Capes Periodicals portal was chosen because it offers access to articles from our Portuguese repertoire selected from over 15,000 international, national and foreign journals and 126 databases with abstracts of documents in all areas of knowledge (Portal de Periódicos Capes). Research of this type generally uses the collection of data. We also used documentary research, having lived through the moments in question and having been a researcher for some time on the themes of computer security, distributed systems, and operating systems, which allowed us to find some expected results. Thus, the quotation of Chaer, Diniz, and Ribeiro [3] is pertinent: "as the research technique composed by an approximately high number of questions presented in writing to people, having as objective the knowledge of opinions, beliefs, feelings, interests, expectations, experienced situations, etc."

2.2 Data analysis
Data analysis was performed descriptively, allowing us to assess, compare, and organize important aspects of the research. Regarding the comparative study of operating systems, in addition to being users of these systems, we have other academic and scientific knowledge acquired during training that led us to a comparative study in specific terms, to make a deep analysis of each operating system and find which one best responds to cyber attacks. It is notable that there is a reduced number of works on this theme, which makes the investigation and comparison with the characteristics of the results difficult.

3. Computer viruses in cellular mobile telephony
In today's society, viruses and other malware have brought countless economic and financial losses.
Their study is essential to prevent losses. The Android operating system and Apple iOS are the focus of our study; information thefts have been carried out mostly by spyware, which sends information to a remote computer so that the attacker can have all the information from the phone, banking credentials being of greatest interest. Quissanga [4] defines: "[...] computer viruses in mobile phones, which we can define as a malicious software made by programming language that infects the operating system and is hosted in the program and replicates to other parts of the system, corrupts and prevents the normal operation of the software or program from starting."

However, phone viruses are not well known; some are more destructive, others less so, but all have the aim of obtaining confidential information from users without them realizing. For this reason, it is important to know the techniques used by cybercriminals, as you cannot be too careful. There are viruses with characteristics peculiar to biological viruses: they attack and weaken the boot system, preventing its normal operation. The attacker has many skills to be able to use the fast viruses that we mention in Table 1.

No.  Virus/worm name (year, updated)   Operating system
1.   Cabir A (June 2004)               Symbian
2.   Caballo de Troya (March 2017)     Symbian, Windows, Android and Mac OS X
3.   CommWarrior (October 2018)        Symbian and Android
4.   Crossover (March 2011)            Windows Mobile
5.   Doomboot (July 2019)              Symbian
6.   Liberty (September 2007)          Palm OS
7.   RedBrowser (September 2017)       J2ME
8.   FlexiSpy (June 2019)              Symbian and Android
9.   Skuller (June 2004)               Symbian
10.  Gingermaster (April 2011)         Android
11.  Ikee (November 2009)              iPhone OS (iOS)
12.  DroidKungFu (June 2011)           Android
13.  Zitmo (April 2018)                Symbian, Android
14.  YiSpecter (April 2018)            iPhone OS (iOS)

Table 1. Computer viruses in cellular mobile telephony. Source: Quissanga [1].
It is also important to mention the behavior of cyber criminals, as Futurelearn [5] tells us: "Talk Talk's cyber attack saw the personal details of 157,000 customers, including credit card details, leaked in October 2015. As a result, the company lost around £60 million and more than 100,000 customers, but customers were also open to potential identity fraud: in some cases, fraudsters used the data to enable them to own up as Talk Talk engineers, contacting customers and persuading them to install malware on their machines."

In this research, we aim to differentiate in a very simple way the security of the Android and Apple iOS operating systems, which has been much discussed, as it is already known that they are the most used systems; whatever their social status, anyone can have an Android phone or an iPhone. The attacker will accordingly prepare for the creation of malicious "software" by knowing the programming language and the critical, vulnerable places well, in order to take advantage of any precise information that suits him. It is therefore necessary to create security mechanisms both at the company level and at the user level. Sometimes we wonder who is responsible and we always look for a guilty party; we should remember that information security is a worldwide concern: it can bring problems to states, nations can fight, and companies can go bankrupt because of an information security failure. It is known that there are irreparable damages, some moral, psychological, ethical, cultural, material, and financial. When information classified as a legal or state secret is leaked, it can facilitate or favor one party and harm another. Previous studies do not show us conclusively that there is a real protocol to follow for the security of information in these operating systems, just as there is no single best security strategy, so the most important thing is preventive measures.
The moment any system is launched on the market is exactly when cyber criminals study its vulnerabilities for attack. The spread of viruses in mobile phones is already a reality: several complaints made by users are noted, and mobile phone companies are concerned with creating antivirus products to counter these virtual plagues. Some forms of virus transmission can be identified: by email and through social networks, sometimes appearing as advertising; contact with images of doubtful origin; infected videos; visits to suspicious websites; unprotected wireless networks without a secure password; the installation of malicious software; and the use of an infected memory card as a secondary infection. There is, however, a difference for each operating system regarding the form of virus transmission, due to its kernel (core). According to Martinelli [6], "Every operating system has a core called kernel which delimits its functions. It is one of the reasons that makes a mobile virus not spread easily to other devices, due to the different versions and internal structure of the various mobile operating systems."

Faced with this reality we see that it is not always the user who fails; some companies also do not properly protect their customers' information. In this respect we present some mobile phone viruses, with the operating systems they attack, their origin and their attacks on the respective systems, as described in Table 1 by Quissanga [1]. Viruses in mobile phones originated very recently, so given their specificity they are not so well known, but in Table 1 we prefer to mention some peculiar characteristics regarding the operating system they attack.
This table lists the different viruses, their origin, the year in which they were discovered, and which operating system they attack. The first, the Cabir A virus, was discovered in 2004 by the company F-Secure and attacked the Symbian operating system; after it, the fastest viruses that attack Android and Apple iOS began to appear. As Le Thanh [7] puts it: "Although malware is growing rapidly, several ordinary users with easy access to their smartphone lack a basic understanding of the potential danger. Therefore, we need to classify samples according to similar characteristics, as well as collect more new malware to create malware families."

4. Mobile operating systems: Android and Apple iOS

4.1 Android
The Android operating system is a platform developed by the Google group designed for mobile devices. Being a free system, it allows many programmers to produce viruses for various attacks, and this makes it vulnerable. "In the case of Android, the kernel was designed based on version 2.6 of the Linux kernel having similarity in its functionalities, such as security, memory management, process management, etc." (Silva, cited by Leite e Reis [8]). Android is an operating system that has become very popular due to the number of phones sold, which causes greater vulnerability in its handling if there is no information security culture; carelessness has taken over many users, in addition to other technological security procedures that should be strengthened in the development of iOS systems.
According to Munhoz, quoted by Quissanga [1], "A new virus for Android has now emerged and can be doom for many people, because the malicious 'software' automatically performs 'downloads', including of paid 'apps' and games." It is thus possible to have an overview of the risks that exist in mobile operating systems; viruses on computers are talked about more, so we see the relevance of studying mobile viruses and creating security policies to avoid virtual plagues.

4.2 iOS
Apple's operating system is the opposite of Android, which is a free system: iOS is closed and has many restrictions to prevent certain pests from affecting the system, and its kernel is made by Apple. The first iPhone was released in June 2007, and many phones were sold at its launch in the US; it is second in the world in the number of devices. It has many peculiar features that attract its customers: its graphics and image resolution and the quality of its photos are among the preferences, but these are not the only details in the choice of one or the other. There are also some complaints from some customers about the form of protection of the store and the impediment to sending data via "bluetooth", which some see as a disadvantage and others as protection, since many viruses spread through the Bluetooth connection. However, we cannot say that the system is so robust from the security point of view, as can be seen in Pandya and Stamp's quote [9]: "It is clear that the iPhone is a vulnerable device with several security flaws. The iPhone's security philosophy itself has a significant flaw. Apple's approach to making the iPhone a secure device was to reduce 'the intensity of the device attack' or 'the exposure of the device to vulnerabilities.' To do this, Apple allowed write access only to a sandbox area on the file system and impermissible installation of third-party applications."
The iOS systems allow cyber attacks, although different from Android: the attacks affect and change the password of the system root, making the cracker replicate information to another host without the user realizing; another way is when the attack is done in the App Store. The fastest virus that can destroy the boot system is the Trojan horse, very fast in its way of contamination. But the worrying thing is the spies (spyware) that monitor every process of the mobile phone to steal confidential information.

4.3 Describing vulnerabilities in operating systems: Android and Apple iOS
Android is a secure system from the point of view of computer viruses, but it also has some vulnerabilities. It is important to describe some incorrect practices, attacks and configuration changes:
- Android is based on the technology and programming languages Java, Kotlin, C, and C++, and there are many developers, which makes it vulnerable;
- Unlocking the Android root;
- Installing an application in APK format;
- Android is a system developed on the Linux open platform, which allows many developers;
- Bluetooth is one of the fastest ways of transmitting computer viruses;
- The Play Store on the mobile phone allows you to activate and install systems outside of it, although that is the responsibility of the user, not of the developer.

Apple's iOS is also a secure operating system, but it is important to mention some incorrect practices:
- Allowing a jailbreak: this option will allow you to install applications of unknown origin, which may be malware or spyware;
- Enabling installation of the Unflod Baby Panda malware, which affects jailbroken devices.

This may seem like simple information about vulnerability, but it is very important to know the security of the information on both, because they are the most popular phones, and if we compare, the damage is fatal; it reminds us of the Panama Papers.
According to the Terra website [10]: "The leak of 11.5 million documents—the so-called Panama Papers from Panamanian law and consulting firm Mossack Fonseca, the world's fourth largest offshore law firm, is said to have revealed details of hundreds of thousands of clients using overseas tax havens allegedly for tax evasion, money laundering, drug, and arms trafficking." Imagine theft by espionage of videos, images, information, confidences, or the cloning of a credit card, and the impact these produce on things that have no price, on your company and on your reputation; sometimes we can be blackmailed for millions of dollars. Is this not worrying?

4.4 Unsafe practices in mobile phones of systems: Android and Apple iOS
In this theme it is important to mention some unsafe practices of users that make it easier for the cracker to carry out cyber attacks; in this case the customers somehow contribute by not having basic education in information security. The failures are not always related to the company that developed the mobile device, so when we talk about these two systems we can deduce that they are robust and safe regarding attacks by computer viruses, with some specificities that differentiate them. However, it is necessary to know how we have failed, since each one of us has used an Android mobile phone or an iPhone and knows how it works, but with some limitations of the information security processes. Carelessness has been noticed in many users of mobile devices, which translates into huge economic losses; social engineering and cloning of credit cards on unshielded sites are the focus of hackers and crackers when performing computer crime.
For Futurelearn [5]: "Cyber security attacks take many forms, from obtaining personal information of users to attacking critical national infrastructure and obtaining proprietary data of companies." We can name three forms of attack:
- The attack is carried out by identifying the victims online;
- Generally the attack is on industrial plants;
- Finally, it is done individually by target.

Given this panorama, it is important to conclude this topic by touching on some harmful practices caused by carelessness, lack of knowledge, ignorance, among others, which allow computer theft in mobile phones:
- Opening suspicious emails (email spoofing) with spyware, malware and phishing that captures highly confidential information;
- Allowing bank details to be diverted;
- Installing software on your phone from sites outside the Play Store, App Store, iTunes Store and Google Store;
- Online purchases on websites of accredited companies, without the possibility of credit card cloning;
- Making it easier to change data in the phone database without authorization (pharming);
- Using a server without anti-malware, anti-spyware, and firewall;
- Facilitating espionage (sniffing), intercepting and monitoring data for information theft;
- Allowing someone to watch while you enter your password;
- Using social networks without the utmost caution about what you install and configure;
- Using the mobile device without a secure password.

4.5 Propose security measures in operating systems: Android and Apple iOS
"A saying used by people dealing with computer security issues goes as follows: A totally secure system is one that is switched off, locked in a vault and watched over by armed guards" (Ferreira [11]). Security measures can be in the scope of hardware (physical) and software (logical). There are several, but we will mention only a few, and we cannot forget four protocols for information security:
- Authenticity: the term allows us to accredit that the user is authorized. The information must be used by that user and not someone else;
- Confidentiality: it is exclusively for authentic users;
- Integrity: the information provided must be passed on to its recipient as it was designed;
- Intimacy: only authorized persons may have contact with the information on the phone.

4.5.1 Measures can also be preventive, detective, and corrective
- Preventive measures: these are measures that precede a cyber attack, for example controlling the entire mobile phone security system, assigning defaults and passwords, creating back-ups or redundant backups, installing anti-spyware and anti-spam, and making online purchases with credit cards on websites of companies that are shielded to avoid cloning: use secure websites and email, and make purchases in the appropriate shops (Play Store, App Store and iTunes Store);
- Detective measures: this is when we carry out an audit process to analyze the mobile phone's security weaknesses; the aim is to find possible vulnerabilities or cyberattacks for possible correction;
- Corrective measures: these are applied when there is any cybersecurity failure; they are solved in an emergency way, to avoid a lot of irreversible damage.
4.5.2 Logical safety policy
- Assign passwords that are difficult to decipher, with various combinations and changes, to prevent attack (social engineering); we suggest password management with KeePass;
- Use cryptographic techniques: hide codes to present information without it being revealed;
- Recognise a secure website by the padlock shown in the browser and the letter S in the link: a non-secure site shows http, a secure one shows https;
- Test your web browser using the free Panopticlick tool;
- We suggest Privacy Badger, a website blocker, in case your website is being targeted by spies;
- For information protection, in case you want to permanently delete unwanted or old information without the possibility of recovering it, we suggest the File Shredder tool;
- For WiFi technology, modern WPA encryption is recommended;
- For phone calls we propose the Signal app, which encrypts the calls and prevents the communication from being leaked;
- We suggest you use the VeraCrypt tool to encrypt your important documents;
- Firewall: install NoRoot Firewall to block suspicious sites, or deny or allow selectively. Very important for information security;
- Honeypot: a security system tester, also used to protect the network from cyber attacks;
- Virtual Private Network (VPN): used with NoRoot, VPNs are responsible for creating authenticity, privacy and integrity of data, combined with cryptographic technology.

Medranda [12] mentions the level of security used in social networks: The first category studied was the level of security of social networks, considering the choice and use of the security password used by students in social networks. 112 students responded that they used the same password for all, but not for email or mobile phone, which represented 67.5% of the total. 21.8% (35 students) mentioned that it differs depending on the social network and is also different from the email address and mobile phone PIN.
The lowest percentage, 8.1%, corresponded to using the same password for everything (social networks, email and mobile phone). However, we can observe that social networks are now the focus of many infections and cyber attacks. According to Tumejormovil [13]: “In fact, according to 2017 studies, 67.1% of mobile phones worldwide have Android and, specifically in Spain, 90%, so it is shown that it is a good operating system and could quietly be the best on the market.”

As we said before, given the number of users of mobile cellular devices, control must be joint: the company does its part in implementing security and the customer must follow the same security protocol to avoid a security collapse. For Rina [14]: “iOS Mobile Operating System: iOS (formerly called iPhone OS) is from Apple Inc. It has the second largest installed base worldwide in smartphones, but the largest profits due to aggressive price competition between Android-based manufacturers.” Yes, iOS has a large audience, despite its restrictions and some bureaucratic processes which, on the other hand, are a security mechanism that is often not understood; a very simple example is that Bluetooth transfer from Android to iOS is not possible, and extracting any information from an iPhone is difficult compared to Android.

Briefly, these two largest world markets (OS) are evolving and expanding: iOS is adding versions of many features that exist in Android, while Android gets the technical overhaul it needs to match iOS in terms of speed and battery life (Haseeb [15]). In other words, the Android operating system has many versions and many mobile devices on the market; the two operating systems try to resolve some of their differences, and Android now tries to find technology to overcome or match a feature that iOS has, battery life, although there are already Android mobile phones with acceptable battery life.

5. Results and discussion

Regarding computer viruses, the Android and iOS operating systems are safe, but each one has its vulnerabilities, because we cannot say that we are ever totally safe. Comparing the two operating systems, Android and Apple iOS, the latter presents greater protection of its security system. Since Apple’s iOS was written in a different programming language than Android, there are attacks specific to each operating system; for example, Android tends to be more vulnerable than iOS because it is an open platform, which translates into a considerable number of developers, and because it permits installation from outside the Play Store. Android and iOS are the preferred targets of cyber attacks because they have many users. As for cyber attacks, social networks are now the focus of many infections.

On the path of information security, the Apple iOS operating system takes a better approach; Alvarez [16]: “To protect its users from malicious apps, Apple has introduced a vetting process which ensures that all apps follow Apple’s privacy rules before they can be made available through the App Store.” In this security theme for iOS there has been another investment, the PiOS tool, which performs static analysis to extract data-flow charts from Objective-C source code and Mach-O binaries. This tool has been successful in checking for information leaks on mobile devices.

We can note that some insecure practices by users make it easier for crackers to carry out cyber attacks. Carelessness has been noted in many users of mobile devices, which leads to the cloning of credit cards and translates into economic and financial losses. It is not always the user who fails: some companies also do not properly protect customer information. It is important that companies promote basic training on information security techniques for employees.
However, to have security it is necessary to apply the protocols: authenticity, confidentiality, integrity, and intimacy, together with the usual measures: preventive, detective, and corrective. Regarding the security policy, we suggest the applications mentioned previously to protect the computer systems.

Tools and Technologies for Cyber Security:

1Q. Case Study Question: Select a recent cyberattack incident and analyze the tools and technologies that were utilized by the attackers. Describe the attack vector, the tools employed (e.g., malware, penetration testing frameworks, exploit kits), and the techniques used to exploit vulnerabilities. Evaluate the effectiveness of the defensive measures in place at the targeted organization and assess the lessons learned from the incident. Based on your analysis, propose recommendations for enhancing the organization's cybersecurity posture, including the adoption of specific tools and technologies to prevent similar attacks in the future.

answer: A cyberattack – also known as a cybersecurity attack – is any form of malicious activity in which attackers or threat actors target IT systems to gain unauthorized access to the systems and the data they contain. Criminals typically are looking to exploit an attack for financial gain, but in other cases the aim is to disrupt operations by disabling access to IT systems. Threat actors can be anyone from a single person attempting to obtain stolen credentials and hold them for ransom to a state-sponsored contingent looking to disrupt operations on foreign soil. Whatever the motivations, most IT networks – and the people who maintain them – will experience some type of attack over the course of their lives and must be prepared.

Cybersecurity Threat Categories

Before diving into specific types of cyberattacks, let's first discuss some of the motivations behind why threat actors would look to wreak havoc on a security organization.
Cybercrime
This category includes efforts by threat actors to profit from malicious attacks, and can be subcategorized into actions like direct financial theft, use of stolen credit card information, dark-web marketplaces for information obtained via data breach, or even hijacking computing resources for activities like crypto-jacking to mine cryptocurrencies.

Disruption
This category includes attempts to disrupt the operations of organizations by attacking their IT and operational technology (OT) infrastructure to damage it, temporarily shut it down, or hold it for ransom.

Espionage
This category includes cyberattacks backed by state agencies that are part of broader intelligence and/or military activities. This can cover actions like spying on a foreign government to steal confidential data to further strategic or financial advantages.

Unintentional Threats
According to the Cybersecurity & Infrastructure Security Agency (CISA), this category includes: “Negligence – An insider of this type exposes an organization to a threat through carelessness. Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization. Examples include allowing someone to “piggyback” through a secure entrance point, misplacing or losing a portable storage device containing sensitive information, and ignoring messages to install new updates and security patches. Accidental – An insider of this type mistakenly causes an unintended risk to an organization. Examples include mistyping an email address and accidentally sending a sensitive business document to a competitor, unknowingly or inadvertently clicking on a hyperlink, opening an attachment in a phishing email that contains a virus, or improperly disposing of sensitive documents.”

Often there is considerable overlap between these top-level categories.
For example, state-based operatives frequently hand over newly obtained documents or discovered vulnerabilities to cybercriminals to use in malware, ransomware, and other cyberattacks.

Common Types of Cyberattacks

When a criminal is trying to hack an organization, they won't try something novel unless absolutely necessary. They draw upon common hacking techniques that are known to be highly effective, such as malware or phishing. Whether you're trying to make sense of the latest data-breach headline in the news or analyzing an incident in your own organization, it helps to understand the different cyberattack vectors.

Malware
Malware refers to various forms of harmful software, such as viruses and ransomware. Once it is on your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker's home base. Attackers will use a variety of methods to get malware onto your computer, but at some stage it often requires the user to take an action to install the malware. This can include clicking a link to download a file, or opening an email attachment that may look harmless (like a document or PDF) but actually contains a hidden malware installer.

Ransomware
Ransomware is a form of malware that encrypts data on infected IT systems. It demands a ransom in exchange for a code that will – hopefully – decrypt the infected system. The ransom payment usually goes to an anonymous address using Bitcoin.

Adware
Adware is a type of malware that displays unwanted ads on end-user devices to generate revenue from advertisers. It is often installed on user devices after tricking people into clicking a link. Adware then displays the ads and simulates user clicks to defraud advertisers into thinking that legitimate users are interacting with their ads; the advertisers then pay the cybercriminals for these clicks.
Crypto-Jacking
Crypto-jacking is a type of malware that uses the resources of the infected IT systems to “mine” for cryptocurrencies. It steals the attacked system's computing resources by running at a high load to generate income for the remote attackers, who then make money from the sale of the cryptocurrencies generated on the infected system.

Phishing
In a phishing attack, an attacker may send you an email that appears to be from someone you trust, like your boss or a company you do business with. The email will seem legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected on your account). In the email, there may be an attachment to open or a link to click. Upon opening the malicious attachment, you'll unknowingly install malware on your computer. If you click the link, it may send you to a legitimate-looking website that asks you to log in to access an important file – except the website is actually a trap used to capture your credentials.

Spear Phishing
Spear phishing is a highly targeted variant of phishing that uses a fake email or message from a supposedly important individual to trick a person within the same organization or a partner organization. Spear phishing attempts hope to use the extra authenticity – albeit imposter authenticity – of the sender to trick people into providing information they shouldn't.

SQL Injection Attack
A structured query language (SQL) injection attack specifically targets servers storing critical website and service data. It uses malicious code to get the server to divulge information it normally wouldn’t. SQL is a programming language used to communicate with databases, which can store private customer information such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information (PII) – all tempting and lucrative targets for an attacker.
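The SQL injection mechanism just described, shown as an added example that is not part of the original article: a login query built by pasting user input into the SQL text beside its parameterized replacement, run against a constructed in-memory SQLite table so the difference is observable offline (table layout, rows and function names are this example's own).

```python
"""Added example (not from the original page): a vulnerable string-built SQL
query beside its parameterized replacement, run against a constructed
in-memory SQLite users table so the difference can be observed offline."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample database; the rows are invented test data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "4111-XXXX"), ("bob", "hunter2", "5500-XXXX")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The 'before' picture: user input is spliced into the SQL text, so the
    input can change the structure of the query, not just the values compared."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The hardened form: placeholders keep the input as data. Whatever the
    string contains, it is compared against the column, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# The textbook tautology input, used here only to show the contrast between
# the two functions: in the vulnerable query it turns the WHERE clause into
# (username = 'alice' AND password = '') OR '1'='1', which is true for every row.
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    """Return what each function yields for a normal login and for the
    tautology input. The vulnerable version returns every user; the safe one
    returns nothing, because no user literally has that string as a password."""
    conn = make_db()
    return {
        "vuln_normal": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, "alice", TAUTOLOGY),
        "safe_normal": login_safe(conn, "alice", "correct horse"),
        "safe_injected": login_safe(conn, "alice", TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%s: %r" % (name, result))
```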
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) attacks also involve injecting malicious code into a website, but in this case the website itself is not being attacked. Instead, the malicious code only runs in the user's browser when they visit the attacked website, where it directly targets the visitor. One of the most common ways an attacker can deploy an XSS attack is by injecting malicious code into a comment or a script that could automatically run.

Botnets
Botnets are widespread groups of devices that have been compromised and hijacked by cybercriminals. The threat actors use them to target IT systems with distributed DoS attacks or other attack types.

Denial-of-Service (DoS)
Denial-of-service (DoS) attacks flood a website with more traffic than it’s built to handle, thereby overloading the site’s server and making it near-impossible to serve content to visitors. It’s possible for a denial of service to occur for non-malicious reasons, for example if a massive news story breaks and a news organization’s site is overloaded with traffic from people trying to learn more about the story.

Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack occurs when cybercriminals intercept and alter network traffic flowing between IT systems. The MITM attack impersonates both senders and receivers on the network. It aims to trick both into sending unencrypted data that the attacker intercepts and can use for further attacks or financial gain.

Session Hijacking
If everything goes as it should during an internet session, web servers respond to your various requests by giving you the information you're attempting to access. Session hijacking occurs when an attacker captures the unique – and private – session ID and poses as the computer making the request, allowing them to log in as an unsuspecting user and gain access to unauthorized information on the web server.
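The XSS case above, together with the XSS prevention advice this page gives later (pass external data through a filter, then add a content security policy naming trusted sources), as an added example that is not from the original article: a comment rendered unfiltered beside the same comment output-encoded, plus the CSP header a hardened page would send. The helper names, the sample comment and the host names are this example's own assumptions.

```python
"""Added example (not from the original article): output-encode a user-supplied
comment before placing it in a page, and build a Content-Security-Policy header
that names only trusted script sources. Names and sample data are constructed."""
import html
import re

# Constructed sample: a comment carrying markup that a browser would execute if
# the page inserted it verbatim.
SAMPLE_COMMENT = '<script>alert("xss")</script> nice post!'


def render_comment_unfiltered(comment: str) -> str:
    """The 'before' picture: the comment is dropped into the HTML as-is, so any
    tags it contains become part of the page and run in every visitor's browser."""
    return '<p class="comment">%s</p>' % comment


def render_comment(comment: str) -> str:
    """The hardened form: encode the comment for an HTML text node. The five
    significant characters (& < > " ') become entities, so the browser displays
    the text and never parses it as markup."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


def build_csp(trusted_script_hosts: list) -> str:
    """Build a Content-Security-Policy value that allows scripts only from our
    own origin and the listed https:// hosts. Because 'unsafe-inline' is absent,
    inline scripts (the usual XSS payload) are refused by the browser."""
    for host in trusted_script_hosts:
        if not re.fullmatch(r"https://[a-z0-9.-]+", host):
            raise ValueError("trusted script source must be an https:// host: %r" % host)
    script_src = " ".join(["'self'", *trusted_script_hosts])
    return "; ".join([
        "default-src 'self'",
        "script-src " + script_src,
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


def survives_as_markup(rendered: str) -> bool:
    """Checker used in the demo: does a live <script> tag remain in the output?"""
    return "<script" in rendered.lower()


def demo() -> dict:
    """Show both renderings plus the header a hardened page would send."""
    return {
        "unfiltered_runs_script": survives_as_markup(render_comment_unfiltered(SAMPLE_COMMENT)),
        "encoded_runs_script": survives_as_markup(render_comment(SAMPLE_COMMENT)),
        "encoded_body": render_comment(SAMPLE_COMMENT),
        "csp_header": build_csp(["https://cdn.example.com"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```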
Credential Reuse
Credential reuse occurs when someone uses the same credentials on multiple websites. It can make life easier in the moment, but can come back to haunt that user later on. Even though security best practices universally recommend unique passwords for all applications and websites, many people still reuse their passwords. This is a fact attackers will readily exploit, thereby turning those reused passwords into compromised credentials.

Insider Threats
Not all cyber threats originate from external sources. Data and other sensitive information like login credentials can leak from inside organizations. This can occur via malicious staff activity or – more frequently – due to an unintended action. An example of such a mistake could be sending an email containing an unencrypted attachment to the wrong recipient.

How to Prevent Cyberattacks

We could cover thousands of tactics and tips for preventing cyberattacks at scale, but let's zoom in and take a look at some key examples:

Phishing Awareness Training
Educate employees on why phishing is harmful and empower them to detect and report phishing attempts. This type of training includes emailing simulated phishing campaigns to employees, monitoring results, reinforcing training, and improving on simulation results. Ongoing security awareness training for staff is also vital, so they know how to spot the most recent versions of suspicious emails, messages, or websites.

Encrypt Data
All data at rest on servers or devices and in transit over the network should be encrypted. If an attacker does get access to data or intercepts it, strong encryption should render it unreadable.

Compromised Credentials Detection
Leverage user and entity behavior analytics (UBA) to create a baseline for normal activity on your network.
Then, monitor how administrator and service accounts are being used, which users are inappropriately sharing credentials, and whether an attacker is already expanding from an initial network compromise to move around and infiltrate other systems.

Use Multi-Factor Authentication
Implementing multi-factor authentication (MFA) for all systems is a crucial best practice. Requiring an additional piece of information in combination with a username and password protects systems if login details are exposed to cybercriminals. Additional tokens, specific device requirements, and biometrics are all examples of MFA that can be leveraged when logging into IT systems.

Ransomware Prevention
Create a three-point plan to prevent ransomware attacks. This includes minimizing the attack surface, mitigating the potential impact once exposure has been detected, and debriefing to pinpoint gaps in the existing plan. From there, teams can rebuild systems, quarantine endpoints, change credentials, and lock compromised accounts.

Use Endpoint Protection
End users are frequent targets for cybercriminals, both on their devices and via social-engineering attacks. All end-user devices should have endpoint security protection software deployed. This should integrate with a wider security information and event management (SIEM) tool that allows for organization-wide monitoring and analysis of threats.

XSS Attack Prevention
Institute a filtering policy through which all external data must pass. This will help to catch malicious scripts before they can become a problem. This leads into creating a wider content security policy that can leverage a list of trusted sources that are able to access your web applications.

Threat Intelligence Program
Create a central hub that feeds all security-organization functions with knowledge and data on the highest-priority threats.
Organizations rely heavily on automation to help scale a threat intelligence program by continuously feeding data into security devices and processes, without the need for human intervention.

Implement Network Deception Technologies
Deception technologies deploy “dummy” applications, databases, and other IT systems onto a network. Any cyberattackers who breach the external firewalls will be tricked into thinking they have access to internal systems. In reality, the dummy systems are intended as honeypots that allow security teams to monitor the attacker's activities and gather data without exposing the production systems.

Mobile Device Management Solution
A lot of business activity now happens on laptops, smartphones, and tablets, and many people use laptops for their work. The mobile nature of all these devices means they are at high risk of being lost and/or stolen. All mobile devices (including laptops) should be enrolled and managed in a mobile device management (MDM) solution. If a device is lost or stolen, it can be quickly wiped so that unauthorized users cannot access any data.

Research Question: Investigate and compare different categories of cybersecurity tools and technologies used for threat detection, prevention, and incident response. Choose three categories (e.g., antivirus software, intrusion detection systems, threat intelligence platforms) and analyze the key features, functionalities, and deployment considerations for each category. Evaluate the strengths and limitations of popular tools within each category, considering factors such as scalability, ease of use, and integration capabilities. Finally, discuss emerging trends in cybersecurity technology, such as artificial intelligence and machine learning, and their potential impact on the effectiveness of cyber defense strategies.

answer: Threat detection is an organization’s ability to monitor events in its IT environment and detect real security incidents.
Threat prevention is the ability to block specific threats before they penetrate the environment or before they do damage. Detection and prevention go hand in hand: in order to prevent threats, you must be able to detect them in real time.

Security organizations use sophisticated tools to detect and prevent threats. In the traditional security operations center (SOC), the main system used to collect threat data and detect threats was the security information and event management (SIEM) system. Increasingly, organizations are transitioning to eXtended Detection and Response (XDR), which can improve detection of evasive threats, automate investigation, and enable direct response to threats. On the prevention side, a range of advanced threat protection technologies that leverage artificial intelligence (AI) are helping detect threats, even if they do not match a known malware or attack signature. These include NGAV, user behavior rules, and ransomware protection.

Advanced Threats Organizations are Facing

There are a wide variety of threats that organizations must face in today’s rapidly evolving cybersecurity landscape. Some of the most common types of threats include:

Advanced Persistent Threats (APTs)
Advanced Persistent Threats or APTs are a type of cyber threat where an unauthorized user gains access to a network and stays undetected for a long time. This type of threat is often used to steal data over a prolonged period or to cause continuous damage to the targeted organization. APTs are typically orchestrated by groups that have significant resources and are highly skilled in exploiting vulnerabilities in systems. APTs are particularly dangerous because they employ a wide range of tactics to gain entry, remain hidden, and extract valuable information.
They often involve complex malware and sophisticated evasion techniques that can bypass traditional security measures and remain undetected for extended periods.

Zero-Day Exploits
Zero-day exploits refer to a cyber threat where a hacker exploits a software vulnerability before the vulnerability becomes generally known. There are no specific defenses in place because the software’s creators are unaware of the vulnerability until the attack occurs. These attacks are particularly dangerous because they take advantage of the time gap between the discovery of a vulnerability and the release of a patch to fix it. This gives hackers an opportunity to exploit the vulnerability and potentially gain access to sensitive data or critical systems.

IoT Vulnerabilities
The Internet of Things (IoT) – a network of interconnected devices – presents a new frontier for cyber threats. These devices, ranging from smart home appliances to industrial control systems, are often not designed with security in mind, making them easy targets for cybercriminals. IoT vulnerabilities can result in the compromise of personal data, disruption of services, and even physical harm. The increasing reliance on IoT devices in both personal and business contexts makes addressing these vulnerabilities a critical issue.

Fileless Malware
Fileless malware is a type of cyber threat that operates in the computer’s memory rather than on the hard drive. This makes it extremely difficult to detect and remove, as traditional antivirus software typically scans the hard drive for malicious files. This type of malware is particularly dangerous because it can easily bypass traditional security measures. It can also persist on a system even after a reboot, making it a significant threat to organizations.
Phishing and Social Engineering 2.0
Phishing and social engineering attacks have evolved significantly in recent years. Cybercriminals are now using more sophisticated tactics, such as spear phishing and whaling, to trick individuals into revealing sensitive information or performing actions that compromise security. These attacks often involve carefully crafted emails or messages that appear to come from trusted sources. They can lead to significant financial loss, data breaches, and damage to an organization’s reputation.

Deepfakes and Information Manipulation
Deepfakes, or artificially created, realistic images or videos, represent a new form of cyber threat. They can be used to manipulate information, spread disinformation, and cause harm to individuals or organizations. Deepfakes have the potential to undermine trust in digital content, manipulate public opinion, and even influence political outcomes. They pose a serious challenge to organizations and individuals alike, as they can be difficult to detect and counter.

AI-Powered Attacks
Artificial Intelligence (AI) is not only being used to boost security but also to enhance cyber threats. AI-powered attacks can analyze vast amounts of data, learn from previous attacks, and automate tasks, making them more efficient and harder to detect. AI-powered attacks can adapt to changes in security measures, identify vulnerabilities faster, and execute attacks at a scale and speed that humans cannot match. This makes them a grave threat to organizations and underscores the need for proactive security measures.

How to Identify and Respond to Cyber Threats

Effective threat detection depends on the maturity of your cybersecurity operation and the tools at your disposal.
The more your environment grows, the greater the need for automated solutions that can help with advanced threat detection. Sophisticated cybercriminals targeting your organization are likely to be evasive and difficult to identify. For instance, you can never be certain whether a hacker group or state-sponsored attacker has become interested in your organization; this has been the reason for many high-profile breaches.

Security operations centers (SOCs) and security teams can detect and respond to cyber threats before they become active and affect the organization. Even so, you should still have an incident response plan in place for when an incident occurs. This allows your team to isolate, respond to, and bounce back from cybersecurity incidents. To arrange a timely and appropriate response, SOC teams must understand the particular cyber threat. Using frameworks such as MITRE ATT&CK can assist security teams with their understanding of adversaries and how they work, making threat response and detection faster. SOC analysts can also gain a significant advantage from using advanced tools including behavioral analytics (UBA) and threat hunting capabilities, which can help with proactive threat detection.

XDR and the Evolution of Threat Detection

Traditionally, threat detection was based on technologies like security information and event management (SIEM), network traffic analysis (NTA), and endpoint detection and response (EDR). SIEM systems collect security data from across the enterprise and generate reports and security alerts, but they are limited in their ability to perform in-depth analysis of these events and combine them into a meaningful attack story. Traditional SIEMs are also not able to directly respond to threats. NTA, EDR and similar solutions are highly effective at detecting threats in specific silos within the IT environment, and enable teams to rapidly respond to them.
However, they are separate solutions, requiring complex integration, and cannot detect evasive threats that move between silos.

eXtended Detection and Response (XDR) is a new security paradigm that combines the strengths of traditional solutions. Like SIEM, it collects data from multiple security silos. Like NTA and EDR, it enables in-depth investigation and direct response to threats discovered in the environment. XDR collects in-depth data from networks, endpoints, cloud systems, email systems, and other resources. XDR uses artificial intelligence (AI) and threat intelligence to identify threats and construct a full attack story, which security teams can easily visualize and quickly act upon. It integrates with IT systems and security tools, enabling security teams to identify an incident, investigate it, and rapidly respond from the same interface.

Threat Prevention Solutions

Here are some useful tools for detecting and preventing security threats.

Next-Generation Antivirus (NGAV)
NGAV solutions can help prevent both known and unknown attacks. To do that, NGAV solutions monitor the environment and respond to certain attack tactics, techniques and procedures (TTPs). NGAV technology is an evolution of traditional antivirus software. While traditional antivirus technology primarily relied on known file-based malicious software (malware) signatures and heuristics, NGAV technology offers a system-centric and cloud-based approach. NGAV technology employs predictive analytics powered by artificial intelligence (AI) and machine learning (ML) in combination with threat intelligence. These capabilities enable NGAV solutions to detect and prevent fileless non-malware attacks as well as malware.
NGAV solutions can identify TTPs and malicious behavior from unknown sources, as well as collect and analyze endpoint data to identify root causes. Additionally, NGAV solutions can respond to emerging and new threats that previously went undetected.

User Behavior Analytics (UBA)
UBA solutions can track, collect and assess user activity and data using monitoring systems. UBA solutions can analyze historical data logs, such as authentication and network logs stored in log management and security information and event management (SIEM) systems. This information helps UBA solutions identify patterns of traffic associated with normal behavior as opposed to potentially malicious user behavior. It is important to note that UBA solutions cannot respond to threats. Rather, these solutions are designed to provide security teams with actionable insights. However, some solutions can be configured to automatically adjust the difficulty of authentication for users that exhibit anomalous behavior.

Deception Technology
Deception technology is designed to protect against threat actors that have managed to infiltrate a network. The goal is to prevent these actors from causing significant damage. To achieve this, deception solutions generate traps or decoys that mimic legitimate assets and deploy these traps across the infrastructure. A deception decoy can run inside a real or virtual operating system environment. Typically, these decoys are designed to trick threat actors into believing they have found a way to escalate their privileges, access valuable assets, or steal credentials. Once the trap is triggered, notification alerts are pushed to a centralized deception server. The server then records the affected decoy as well as the attack vectors used by the threat actor.

Ransomware Protection
Advanced ransomware protection solutions can identify ransomware as it begins operating, and automatically respond, preventing it from encrypting your organization’s files.
Ransomware can be highly evasive, so protection systems use advanced analytics to detect abnormal processes that are likely to be ransomware and block them. For example, solutions can detect memory strings from known ransomware families, detect rapid encryption of files, and prevent exfiltration using decoys that appear to be valuable data. Ransomware protection solutions can do more than just detect and immediately block a malicious process. They can execute built-in or customized playbooks to eradicate a ransomware threat from infected machines.

Vulnerability Scanning
Vulnerability scanners automatically and proactively attempt to identify application, security and network vulnerabilities. Scanning is typically performed by in-house IT staff or third-party security service providers. Threat actors also use vulnerability scanners when trying to identify points of entry into a network. A vulnerability scanning process typically includes the following:
Detection and classification of system weaknesses within computers, networks and communications equipment.
Predictions that assess the effectiveness of existing countermeasures in case of a certain threat or attack.
Report generation: a report typically includes findings that can be further analyzed and interpreted to identify opportunities to improve the security posture of the organization.

Threat Detection and Prevention Best Practices

Risk Assessment
The first step in threat detection and prevention is to conduct a thorough risk assessment. This process involves identifying potential risks, vulnerabilities, and threats that could impact the organization’s information systems. This includes identifying potential attack vectors, assessing the likelihood of a breach, and evaluating the potential impact on the organization. After identifying the risks, it’s essential to analyze and prioritize them based on their potential impact and likelihood of occurrence.
This will help organizations focus their resources on addressing the most significant threats and vulnerabilities first. Prioritizing risks can be done using various methods, such as quantitative risk assessments, qualitative analysis, or a combination of both.

Implement a Security Framework

A security framework is a set of guidelines and best practices designed to help organizations establish and maintain a robust security posture. There are several well-known frameworks available, such as the NIST Cybersecurity Framework, ISO/IEC 27001, and the CIS Critical Security Controls. Organizations should choose a framework that aligns with their specific needs, industry regulations, and compliance requirements. While security frameworks provide a solid foundation for building a secure environment, it's essential to customize them based on the organization's unique needs and risk profile. This may involve adapting the framework's guidelines to suit the organization's size, industry, and specific threats or vulnerabilities. Customizing the framework will help ensure it is effective in addressing the organization's unique security challenges.

Incident Response Plan

Developing an incident response plan is crucial for effective threat detection and prevention. An incident response plan outlines the steps an organization should take in the event of a security incident, including who should be notified, what actions should be taken, and how the incident will be investigated and resolved. Developing an incident response plan in advance will help organizations respond quickly and effectively to security incidents, minimizing the potential impact on their systems and data. Developing an incident response plan is not a one-time task. Organizations should regularly test and update their incident response plan to ensure it remains effective in addressing new and emerging threats.
Regularly testing the incident response plan through tabletop exercises or simulated incidents will help organizations identify areas where the plan may need to be updated or revised.

Security Awareness Training

Providing security awareness training to employees is an essential component of threat detection and prevention best practices. Security awareness training educates employees on cybersecurity best practices, such as how to identify and report potential security incidents, how to create strong passwords, and how to avoid phishing scams. Providing regular training will ensure employees are aware of the latest threats and best practices for protecting the organization's systems and data.

Threat Detection and Prevention With Cynet Autonomous Breach Protection

Cynet 360 is the world's first Autonomous Breach Protection platform that natively integrates the endpoint, network and user attack prevention & detection of XDR with the automated investigation and remediation capabilities of SOAR, backed by a 24/7 world-class MDR service. End to end, fully automated breach protection is now within reach of any organization, regardless of security team size and skill level.
XDR Layer: End-to-End Prevention & Detection
- Endpoint protection – multi-layered defense including NGAV, protecting against malware, ransomware, exploits and fileless attacks
- Network protection – protecting against scanning attacks, MITM, lateral movement and data exfiltration
- User protection – preset behavior rules coupled with dynamic behavior profiling to detect malicious anomalies
- Deception – wide array of network, user and file decoys to lure advanced attackers into revealing their hidden presence

SOAR Layer: Response Automation
- Investigation – automated root cause and impact analysis
- Findings – actionable conclusions on the attack's origin and its affected entities
- Remediation – elimination of malicious presence, activity and infrastructure across user, network and endpoint attacks
- Visualization – intuitive flow layout of the attack and the automated response flow

MDR Layer: Expert Monitoring and Oversight
- Alert monitoring – first line of defense against incoming alerts, prioritizing and notifying the customer on critical events
- Attack investigation – detailed analysis reports on the attacks that targeted the customer
- Proactive threat hunting – search for malicious artifacts and IoCs within the customer's environment
- Incident response guidance – remote assistance in isolation and removal of malicious infrastructure, presence and activity

Simple Deployment

Cynet 360 can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.

Cyber Security Best Practices:

1Q. Policy Development Question: Imagine you are tasked with developing a comprehensive cyber security policy for a medium-sized organization. Outline the key components that should be included in the policy, such as access control, data protection, incident response, and employee training. Discuss the importance of each component and provide examples of specific policies or procedures that could be implemented to mitigate cyber security risks. Additionally, address the challenges of policy enforcement and compliance monitoring within the organization. Finally, propose strategies for ensuring the ongoing effectiveness of the cyber security policy in the face of evolving threats and technologies.

answer: Security threats are constantly evolving, and compliance requirements are becoming increasingly complex. Organizations must create a comprehensive information security policy to cover both challenges. An information security policy makes it possible to coordinate and enforce a security program and communicate security measures to third parties and external auditors. To be effective, an information security policy should:
- Cover end-to-end security processes across the organization
- Be enforceable and practical
- Be regularly updated in response to business needs and evolving threats
- Be focused on the business goals of your organization

The 12 Elements of an Information Security Policy

The importance of an information security policy

Information security policies can have the following benefits for an organization:
- Facilitates data integrity, availability, and confidentiality — Effective information security policies standardize rules and processes that protect against vectors threatening data integrity, availability, and confidentiality.
- Protects sensitive data — Information security policies prioritize the protection of intellectual property and sensitive data such as personally identifiable information (PII).
- Minimizes the risk of security incidents — An information security policy helps organizations define procedures for identifying and mitigating vulnerabilities and risks. It also details quick responses to minimize damage during a security incident.
- Executes security programs across the organization — Information security policies provide the framework for operationalizing procedures.
- Provides a clear security statement to third parties — Information security policies summarize the organization's security posture and explain how the organization protects IT resources and assets. They facilitate quick response to third-party requests for information by customers, partners, and auditors.
- Helps comply with regulatory requirements — Creating an information security policy can help organizations identify security gaps related to regulatory requirements and address them.

12 Elements of an Information Security Policy

A security policy can be as broad as you want it to be, covering everything related to IT security and the security of related physical assets, as long as it is enforceable in its full scope. The following list offers some important considerations when developing an information security policy.

1. Purpose

First state the purpose of the policy, which may be to:
- Create an overall approach to information security, especially as it touches standards, security requirements, and best practices adopted by the organization.
- Detect and preempt information security breaches such as misuse of networks, data, applications, and computer systems.
- Maintain the reputation of the organization, and uphold ethical and legal responsibilities and applicable governance.
- Respect employee and customer rights, including how to react to inquiries and complaints about non-compliance.

2. Audience

Define the audience to whom the information security policy applies.
You may also specify which audiences are out of the scope of the policy (for example, staff in another business unit which manages security separately may not be in the scope of the policy).

3. Information security objectives

Guide your management team to agree on well-defined objectives for strategy and security. Information security focuses on three main objectives:
- Confidentiality — Only authenticated and authorized individuals can access data and information assets.
- Integrity — Data should be intact, accurate and complete, and IT systems must be kept operational.
- Availability — Users should be able to access information or systems when needed.

4. Authority and access control policy
- Hierarchical pattern — A senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager vs. a junior employee or contractor. The policy should outline the level of authority over data and IT systems for each organizational role.
- Network security policy — Critical patching and other threat mitigation policies are approved and enforced. Users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.

5. Data classification

The policy should classify data into categories, which may include “top secret,” “secret,” “confidential,” and “public.” The objectives for classifying data are:
- To understand which systems and which operations and applications touch on the most sensitive and controlled data, to properly design security controls for that hardware and software (see 6.)
- To ensure that sensitive data cannot be accessed by individuals with lower clearance levels
- To protect highly important data, and avoid needless security measures for unimportant data

6. Data support and operations
- Data protection regulations — Systems that store personal data or other sensitive data must be protected according to organizational standards, best practices, industry compliance standards, and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and anti-malware protection.
- Data backup — Encrypt data backups according to industry best practices, both in motion and at rest. Securely store backup media, or move backups to secure cloud storage.
- Movement of data — Only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.

7. Security awareness and behavior

Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.
- Social engineering — Place a special emphasis on the dangers of social engineering attacks (such as phishing emails or informational requests via phone calls). Make all employees responsible for noticing, preventing, and reporting such attacks.
- Clean desk policy — Secure laptops with a cable lock. Shred sensitive documents that are no longer needed. Keep printer areas clean so documents do not fall into the wrong hands.
- Work with HR to define how the internet should be restricted both on work premises and for remote employees using organizational assets. Do you allow YouTube, social media websites, etc.? Block unwanted websites using a proxy.

8. Encryption policy

Encryption involves encoding data to keep it inaccessible to or hidden from unauthorized parties. It helps protect data stored at rest and in transit between locations and ensures that sensitive, private, and proprietary data remains private. It can also improve the security of client-server communication.
An encryption policy helps organizations define:
- The devices and media the organization must encrypt
- When encryption is mandatory
- The minimum standards applicable to the chosen encryption software

9. Data backup policy

A data backup policy defines rules and procedures for making backup copies of data. It is an integral component of the overall data protection, business continuity, and disaster recovery strategy. Here are key functions of a data backup policy:
- Identifies all information the organization needs to back up
- Determines the frequency of backups, for example, when to perform an initial full backup and when to run incremental backups
- Defines a storage location holding backup data
- Lists all roles in charge of backup processes, for example, a backup administrator and members of the IT team

10. Responsibilities, rights, and duties of personnel

Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.

11. System hardening benchmarks

The information security policy should reference security benchmarks the organization will use to harden mission-critical systems, such as the Center for Information Security (CIS) benchmarks for Linux, Windows Server, AWS, and Kubernetes.

12. References to regulations and compliance standards

The information security policy should reference regulations and compliance standards that impact the organization, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA).
9 best practices for successful information security policies
- Information and data classification — helps an organization understand the value of its data, determine whether the data is at risk, and implement controls to mitigate risks.
- Developers, security, and IT operations — should work together to meet compliance and security requirements. Lack of cooperation between departments may lead to configuration errors. Teams that work together in a DevSecOps model can coordinate risk assessment and identification throughout the software development lifecycle to reduce risks.
- Security incident response plan — helps initiate appropriate remediation actions during security incidents. A security incident strategy provides a guideline, which includes initial threat response, priorities identification, and appropriate fixes.
- SaaS and cloud policy — provides the organization with clear cloud and SaaS adoption guidelines, which can provide the foundation for a unified cloud ecosystem and standards of configuration, especially for development environments. This policy can help prevent unnecessary complexity and poor use of cloud resources.
- Acceptable use policies (AUPs) — help prevent data breaches that occur through misuse of company resources. Transparent AUPs help keep all personnel in line with the proper use of company technology resources.
- Identity and access management (IAM) regulations — let IT administrators authorize systems and applications to the right individuals and let employees know how to use and create passwords in a secure way. A simple password policy can reduce identity and access risks.
- Data security policy — outlines the technical operations of the organization and acceptable use standards in accordance with all applicable governance and compliance regulations.
- Privacy regulations — government-enforced regulations such as GDPR and CCPA protect the privacy of end users. Organizations that don't protect the privacy of their users risk fines and penalties, and in some cases court action.
- Personal and mobile devices — Nowadays, most organizations have moved business processes to the cloud. Companies that permit employees to access company software assets from any location from any device risk introducing vulnerabilities through personal devices such as laptops and smartphones. Creating a policy for proper security of personal devices can help prevent exposure to threats via employee-owned assets.

Scenario-Based Analysis Question: Analyze a hypothetical cyber security incident scenario and develop a set of best practices for preventing, detecting, and responding to such incidents. Describe the incident scenario, including the type of attack, the target system or data, and the potential impact on the organization. Based on the scenario, identify the key steps that should be taken by the organization to mitigate the immediate threat and minimize the impact on operations. Additionally, outline proactive measures that could have been implemented beforehand to prevent or mitigate the incident. Finally, discuss the importance of continuous monitoring, incident response planning, and post-incident analysis in improving cyber security resilience.

answer: The Modern Incident Response Life Cycle diagram, pictured below, outlines the various processes involved once a cybercrime threat is identified.

Figure 1: Modern Incident Response Life Cycle

Prepare

The diagram starts on the left with the first step of incident response – to prepare. The Prepare phase involves implementing controls to prevent incidents from occurring in the first place.

Detect and Identify

The next phase of Detect and Identify kicks off the Observe, Orient, Decide, and Act (OODA) loop.
Although this cycle is on the diagram once, it does not mean it will only be completed once during the detection phase of incident response. Every incident is different, meaning each incident should be treated independently.

Contain and Eradicate

From the OODA loop, the Contain and Eradicate phases are next. One important lesson from incident response is that it is difficult to predict how long these two phases will take, so setting a strict timeline or time limit can be difficult. These phases usually take longer than expected.

Recovery

After the Contain and Eradicate phases comes Recovery. The Recovery phase is the process of implementing mitigations against the incident that has taken place and making sure that the threat is fully eradicated.

Lessons Learned

The final phase is Lessons Learned, but this does not mean the work ends there. Be sure all employees and involved individuals know where the organization made improvements and why those improvements will help protect the network in the future. Notice how Lessons Learned links to the beginning of the Life Cycle. There should be constant feedback between the end of one incident and the potential start of another.

Uncovering the Most Common Incident Response Scenarios

Now that the process for a Modern Incident Response Life Cycle has been discussed, below you will find the five most common incident response scenarios, as well as how to Protect, Detect, and Respond to each scenario.

1. Phishing

Phishing is the #1 most common incident response scenario. It is most likely the initial compromise for ALL of the following scenarios. Now is the time, more than ever, to focus on training employees to be vigilant of malicious emails by implementing regular training and testing with company-wide phishing campaigns.

Protect
- Security awareness training and testing. It's crucial that everyone at the company can recognize phishing emails and other social engineering methods.
To enhance their awareness and get an understanding of your baseline, consider conducting a social engineering assessment.
- DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Implementing DKIM, SPF, and DMARC (all free!) will help prevent phishing emails from becoming an incident response situation. DMARC is an email authentication, policy, and reporting protocol. DKIM is an email authentication method that identifies forged email sender addresses. SPF is also an email authentication method; however, it detects the forging of sender addresses during email delivery.
- Email sandboxing. Sandboxing methods, such as Mimecast, add an extra layer of protection against malicious emails. Emails containing links or attachments can be tested before they reach a mail server.
- Multi-factor authentication (MFA). MFA is an authentication method in which a user is granted access to an application or system only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA will ensure an attacker cannot gain unauthorized access to any accounts in the network, even if the user provides those credentials through a phishing attack. Warn employees of MFA fatigue and remind them only to authenticate when actively trying to access an application or system.

Detect
- Unexpected emails from known or unknown individuals. If the person or conversation seems out of the blue, be vigilant and confirm that the email is legitimate.
- Emails that contain links and/or attachments. Links and attachments can be a “back door” to your network. Remember, the hacker cannot get in unless you give them an opening. Also, look for spelling errors or unusual domains in emails you receive.
- Emails prompting extreme feelings. Phishing emails often push the user in the direction the malicious actor wants. If any email is trying to persuade or rush you into doing an action, resist the urge.
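SPF, DKIM and DMARC only stop spoofing if the published records actually carry a strict policy, so the checker below grades the three TXT records the way a defender would review them. It is an added example, not from the original article; the domain example.test, the record values and the placeholder DKIM key are constructed so it runs offline.

```python
"""Grade a domain's SPF, DKIM and DMARC TXT records offline (added example)."""
import base64
import binascii
import re
from collections import namedtuple

# SPF terms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
_SPF_LOOKUP = re.compile(r"^(include:|exists:|redirect=|ptr|a(?=$|[:/])|mx(?=$|[:/]))")
_SPF_ALL = re.compile(r"^([+\-~?]?)all$")
# record is "SPF", "DKIM" or "DMARC"; severity is "ok", "warn" or "fail".
Finding = namedtuple("Finding", "record severity message")

def _tags(txt):
    """Split a 'k=v; k2=v2' record (DKIM, DMARC) into a dict with lower-cased keys."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def check_spf(txt):
    if not txt or not txt.lower().startswith("v=spf1"):
        return [Finding("SPF", "fail", "no SPF record published")]
    terms = [t.lower() for t in txt.split()[1:]]
    findings = []
    lookups = sum(1 for t in terms if _SPF_LOOKUP.match(t.lstrip("+-~?")))
    if lookups > 10:
        findings.append(Finding("SPF", "fail", f"{lookups} DNS lookups exceed the limit of 10 (permerror)"))
    alls = [m for m in map(_SPF_ALL.match, terms) if m]   # the final 'all' decides unlisted hosts
    if not alls:
        findings.append(Finding("SPF", "warn", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif alls[-1].group(1) == "-":
        findings.append(Finding("SPF", "ok", "-all: unlisted senders hard-fail"))
    elif alls[-1].group(1) == "~":
        findings.append(Finding("SPF", "warn", "~all: spoofed mail is only marked, not rejected"))
    else:
        findings.append(Finding("SPF", "fail", f"'{alls[-1].group(0)}' lets any host send as this domain"))
    return findings

def check_dkim(txt):
    if not txt:
        return [Finding("DKIM", "fail", "no DKIM key record at the selector")]
    tags = _tags(txt)
    if "p" not in tags:
        return [Finding("DKIM", "fail", "record has no p= public key tag")]
    if tags["p"] == "":
        return [Finding("DKIM", "fail", "empty p= means the key is revoked; signatures will not verify")]
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return [Finding("DKIM", "fail", "p= is not valid base64")]
    if "y" in tags.get("t", "").split(":"):
        return [Finding("DKIM", "warn", "t=y testing mode: verifiers treat failures as unsigned mail")]
    return [Finding("DKIM", "ok", "public key published and not in testing mode")]

def check_dmarc(txt):
    if not txt or not txt.upper().startswith("V=DMARC1"):
        return [Finding("DMARC", "fail", "no DMARC record at _dmarc.<domain>")]
    tags = _tags(txt)
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "reject":
        findings.append(Finding("DMARC", "ok", "p=reject: mail failing alignment is refused"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "warn", "p=quarantine: failing mail goes to spam, not rejected"))
    elif policy == "none":
        findings.append(Finding("DMARC", "warn", "p=none is monitor-only: spoofed mail is still delivered"))
    else:
        findings.append(Finding("DMARC", "fail", "p= tag missing or invalid: receivers ignore the record"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "warn", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "warn", "no rua= address: no aggregate reports to spot abuse"))
    return findings

def assess(spf, dkim, dmarc):
    """All findings for one domain; worst() reduces them to a single grade."""
    return check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)

def worst(findings):
    return max((f.severity for f in findings), key=["ok", "warn", "fail"].index)

# Constructed records for a hypothetical domain; the DKIM key is a placeholder, not a real key.
_PLACEHOLDER_KEY = base64.b64encode(b"constructed-placeholder-not-a-real-key").decode()
WEAK = {"spf": "v=spf1 include:_spf.mailhost.test mx ~all",
        "dkim": f"v=DKIM1; k=rsa; t=y; p={_PLACEHOLDER_KEY}",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test"}
HARDENED = {"spf": "v=spf1 include:_spf.mailhost.test mx -all",
            "dkim": f"v=DKIM1; k=rsa; p={_PLACEHOLDER_KEY}",
            "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test"}

if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("hardened", HARDENED)):
        findings = assess(rec["spf"], rec["dkim"], rec["dmarc"])
        print(f"{name}: overall={worst(findings)}")
        for f in findings:
            print(f"  [{f.severity:4}] {f.record}: {f.message}")
```

In practice the three strings come from DNS (the SPF and DMARC TXT records at the domain and at _dmarc.<domain>, the DKIM record at <selector>._domainkey.<domain>); the grading logic is unchanged.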
Respond
- Quarantine. The malicious email should be quarantined from all accounts on the system. Be sure no one can access the email from your network until an administrator reviews it.
- SIEM. Check for any custom threat intelligence rules to add to your security information and event management (SIEM) system.
- Indicators of compromise (IoC). Watch network alerts for indicators of compromise. Indicators of compromise arise when metrics found on a network stray from what we determine is “normal” traffic, and are thus indicative of a compromise. You can refer to SBS' previous article on indicators of compromise for more information.

2. Malware

The term malware refers to a broad category of harmful software often used to gain unauthorized access to a system or network. This can allow attackers to steal (exfiltrate) valuable data, intelligence, or other information.

Protect
- Application whitelisting. Whitelisting specific applications ensures a device will only allow pre-approved applications to be installed, preventing malicious applications from being downloaded and installed.
- AV scans and endpoint protection. Use a solution with second-generation detection capabilities (behavioral analysis vs. detection by definition) that includes scripting control.
- Multi-factor authentication (MFA). Same as in the phishing scenario, MFA will ensure an attacker cannot gain unauthorized access to any accounts that are in the network.

Detect
- Slow computer and Blue Screen of Death (BSOD). If your device seems to be running much slower or you receive an unexpected BSOD, these are common symptoms of malware on your device. Be sure to report such issues to your IT and IS staff.
- Dwindling storage space. If your device suddenly (and unexpectedly) runs out of storage, malware may be hiding in your system.
- Pop-ups or unwanted applications. Keep track of the applications installed on your device and pay attention if you get any confusing pop-ups. If you find any applications that you did not install on your system yourself, it could be malware camouflaging itself.
- Managed detection and response (MDR). MDR combines technology and human expertise to perform threat hunting, monitoring, and response. MDR can rapidly identify and limit the impact of threats without the need for additional staffing.
- Extended detection and response (XDR). XDR provides extended visibility, analysis, and response across endpoints, workloads, users, and networks over a consolidation of tools and data.

Respond
- Key risk indicators (KRI). Key risk indicators act as a logging metric used to establish the upper and lower bounds of “normal” on networks or client-server infrastructures. Refer to the above article on indicators of compromise for more information on KRI.
- Contain and eradicate. Disconnect the computer from the network, but don't power the device off. Work through the system and eradicate any malicious files or applications.

3. Ransomware

Technically, ransomware is included under the malware umbrella we discussed above. However, ransomware deserves to be highlighted separately due to its destructive nature. Modern ransomware has taken a turn for the worse. Attackers are now dropping ransomware after being in a network for a while and gaining information and data. Ransomware covers an attacker's tracks on their way out and distracts users while data is being exfiltrated.

Protect
- AV scans and endpoint protection. Use a solution with second-generation detection capabilities, including scripting control. Also, maintain all security patches on all workstations, servers, and network devices.
- Multi-factor authentication (MFA). MFA ensures a user would be notified if a malicious actor tried to log into an account.
- Suspicion. Take extreme caution with any email containing attachments and/or links. Ransomware can be masked in emails and links to look like safe attachments.
- Service accounts. Limit service accounts to only one service per service account. Passwords for service accounts should also be at least 15 characters long with high complexity and password entropy (a measurement of how unpredictable, and therefore un-guessable, a password is).
- Active Directory. Disable NTLM and NTLM v2 authentication in Active Directory in favor of Kerberos v5 or higher.
- Business-approved connections. Only implement business-approved connections between VLANs.
- Uninstall. Decrease the attack surface on all workstations and servers by uninstalling applications and services that are not needed for business reasons.
- Data-level backup. Implement data-level backup for file shares and SQL databases so the latest data sets can be recovered if the server is compromised. The data needs to be restored from a date after the compromise.
- Administrator accounts. Rename the administrator account from its default name (Administrator). Do this in Group Policy. Also, use good admin account hygiene: do not browse the internet or use email while using an administrator account. This account is needed only for specific and explicit business operations and for the time required to perform that task. In addition, no standard users should have local administrative access, either. It is often estimated that 94% of Microsoft vulnerabilities arise due to local admin rights.

Detect
- Unusual pop-ups on the device and encrypted files. As the most obvious sign, ransomware will likely notify the user on the device and encrypt all files your device can see and access on your network.
- Firewall logs. Logs will show all activity of data being received and sent from outside of the network. Ensure your firewall logs are correctly configured and retained before an attack occurs; this will help investigate where external traffic is coming from and going to, and when the attack occurred.
- Key risk indicators. Define key risk indicators, such as high disk usage on servers or workstations and user account logins during non-business hours, to help detect a potential ransomware incident.
- Deploy an EDR/MDR solution to detect scripting on all servers. EDR is a tool that can be deployed to protect endpoints. MDR is a service that provides security monitoring and management across an IT environment. Maintain aggressive EDR/MDR policies on all activity and do not wholly whitelist or bypass the tool. Instead, work through each issue with the tool to keep its efficacy. Also, enable Windows Defender to run in parallel with the EDR solution and have the Defender snap-in for MDR solutions.
- Apply application whitelisting and geolocation, especially on all foreign applications and IP addresses in the firewall.

Respond
- Detect. Detect a network intrusion before ransomware begins to encrypt files. As mentioned above, modern ransomware is caused by attackers already in the network.
- Monitor. Monitor key risk indicators and indicators of compromise vigilantly. It is essential to know what normal looks like on your network. “Know your normal” will be reiterated throughout this article to reinforce its importance. Anything outside your “normal” levels should raise red flags.
- Contain. Containment is a top priority in any incident response scenario. Creating an environment where nothing gets out of the network that is not approved and nothing runs on a workstation or server that isn't approved is key to eradication.
- Managed Detection and Response (MDR). MDR combines technology and human expertise to perform threat hunting, monitoring, and response. MDR can rapidly identify and limit the impact of threats without the need for additional staffing.
- Extended Detection and Response (XDR). XDR provides extended visibility, analysis, and response across endpoints, workloads, users, and networks over a consolidation of tools and data.
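To make the ransomware KRIs above concrete, here is an added example (not from the original article) that checks three of them over a constructed activity log: a logon outside business hours, a burst of file renames to a single new extension on one host, and disk usage above a threshold. The log format, host and user names, business hours and thresholds are assumptions chosen for the example.

```python
"""Key risk indicator (KRI) checks over a constructed activity log (added example)."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed "normal": logons 08:00-18:00 Monday to Friday; the thresholds are assumptions too.
BUSINESS_HOURS = (8, 18)
BURST_WINDOW = timedelta(seconds=60)   # sliding window for file activity per host+user
BURST_THRESHOLD = 20                   # file renames/writes inside the window
DISK_THRESHOLD_PCT = 90

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """'<ISO timestamp> key=value ...' -> dict with a datetime 'ts'; None if malformed."""
    ts_str, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    except ValueError:
        return None
    ev = dict(_KV.findall(rest))
    ev["ts"] = ts
    return ev


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(lines):
    """Return [(kri, detail), ...] with one alert per KRI and subject."""
    alerts, seen = [], set()
    windows = defaultdict(deque)        # (host, user) -> deque of (ts, new extension)

    def alert_once(kri, subject, detail):
        if (kri, subject) not in seen:
            seen.add((kri, subject))
            alerts.append((kri, detail))

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        host, user, kind = ev.get("host"), ev.get("user"), ev.get("event")
        if kind == "logon" and is_off_hours(ev["ts"]):
            alert_once("off_hours_logon", (host, user),
                       f"{user} logged on to {host} at {ev['ts'].isoformat()}")
        elif kind in ("file_rename", "file_write"):
            ext = os.path.splitext(ev.get("new", ev.get("path", "")))[1]
            win = windows[(host, user)]
            win.append((ev["ts"], ext))
            while ev["ts"] - win[0][0] > BURST_WINDOW:   # drop events older than the window
                win.popleft()
            if len(win) >= BURST_THRESHOLD:
                exts = {e for _, e in win}
                detail = f"{len(win)} file changes by {user} on {host} within {BURST_WINDOW.seconds}s"
                if len(exts) == 1:   # every file renamed to the same new extension
                    detail += f", all to extension '{exts.pop()}'"
                alert_once("file_burst", (host, user), detail)
        elif ev.get("metric") == "disk_used_pct" and int(ev["value"]) >= DISK_THRESHOLD_PCT:
            alert_once("high_disk_usage", host, f"{host} at {ev['value']}% disk used")
    return alerts


def _constructed_log():
    """Constructed events: an off-hours service-account logon, a rename burst, a disk spike."""
    t0 = datetime(2024, 5, 14, 2, 10, 0, tzinfo=timezone.utc)   # a Tuesday, 02:10 UTC
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [f"{t0.strftime(fmt)} host=FS01 user=svc_backup event=logon"]
    for i in range(25):                 # 25 renames in 48 seconds, all to .locked
        t = t0 + timedelta(seconds=2 * i + 2)
        lines.append(f"{t.strftime(fmt)} host=FS01 user=svc_backup event=file_rename "
                     f"path=/share/docs/report{i}.docx new=/share/docs/report{i}.docx.locked")
    lines.append(f"{(t0 + timedelta(minutes=1)).strftime(fmt)} host=FS01 metric=disk_used_pct value=96")
    lines.append("corrupt line with no timestamp")
    day = t0.replace(hour=10)           # normal daytime activity by a user, mixed extensions
    lines.append(f"{day.strftime(fmt)} host=WS07 user=alice event=logon")
    for i, ext in enumerate(("docx", "xlsx", "pdf")):
        t = day + timedelta(minutes=i)
        lines.append(f"{t.strftime(fmt)} host=WS07 user=alice event=file_write path=/home/alice/f{i}.{ext}")
    return lines


CONSTRUCTED_LOG = _constructed_log()

if __name__ == "__main__":
    for kri, detail in detect(CONSTRUCTED_LOG):
        print(f"[{kri}] {detail}")
```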
Internet-Facing Vulnerabilities Every device connected to the internet can be scanned for vulnerabilities from outside sources. Hackers do not specifically look for one victim of their scans; they set up scripts and scan every port and device they can. Any devices identified over the internet that can be exploited may become an attacker’s next victim. Protect AV scans and endpoint protection. Once again, use a solution with second-generation detection capabilities, including scripting control. Whitelist. Only whitelist the scripts your web apps use. Block everything else. DMZ. Implement a DMZ for anything you host locally. A DMZ is a separate, firewalled zone that protects the rest of your network from being accessed by internet traffic from the application or system you host. Burp Suite. Scan your websites with Burp Suite. Burp Suite can find SQL injection, cross-site scripting, and other potential security pitfalls in your websites. Geolocation blocking. If your organization doesn’t do business with companies in other countries, those countries should be blocked from accessing your web systems. Use your firewall or web application firewall (WAF), which helps protect web applications, to block everything you don’t do business with. Detect Audit your webservers, routers, and firewalls with penetration tests and vulnerability assessments regularly. Vulnerability assessments will identify any known external vulnerabilities, and penetration tests will determine if those vulnerabilities are exploitable, allowing an attacker to access your network from the outside. Use a web application firewall (WAF). A WAF helps monitor and block HTTP traffic to and from web applications. A WAF makes it possible to filter the content of specific web applications and protect the device from malicious content. Indicators of compromise. Know your organization’s indicators of compromise. Managed detection and response (MDR). 
MDR combines technology and human expertise to perform threat hunting, monitoring, and response. MDR can rapidly identify and limit the impact of threats without the need for additional staffing. Extended detection and response (XDR). XDR provides extended visibility, analysis, and response across endpoints, workloads, users, and networks over a consolidation of tools and data. Respond Indicators of compromise. Know your organization’s indicators of compromise. Contain. The organization is compromised if advisories gain access to your network due to known vulnerabilities. Be sure to disconnect compromised devices or network segments from the rest of your corporate network; doing so will ensure no lateral movement in your network movement can be performed by the attacker. Eradicate. Eradicate compromised devices or network segments. Be sure devices and segments are clear of any present malware. 5IRBlog-BEC 5. Business Email Account Takeover Business email account takeover occurs when a malicious user gains access to a legitimate user’s email account. For example, once an attacker gains access to the credentials from a phishing email sent out to employees, the attacker will have access to that user’s email. Protect Multi-factor authentication (MFA). See previous descriptions of MFA. External email access. Only enable external (outside your network) email access for the specific countries in which your employees work. Geolocation blocking. If your organization doesn’t do business with companies in other countries, those countries should be blocked from accessing your email systems. Use Conditional Access to block everything you don’t do business with. Detect User behavior analytics (UEBA) in the SIEM. Look for user logins at strange times or suspicious user activity. Another good idea is to set alerts for employees accessing their email accounts at strange times. Remember to ask yourself the same question - what does normal look like on your network? Email logging. 
Look out for logins to cloud-based email accounts from unusual country codes. Remember that, by default, Office 365 and G Suite do not log unusual country-code logins to cloud-based email accounts, so be sure your organization's email platform is licensed properly.
- Abnormal email rules. Be aware of missing or deleted emails: other users might receive messages from the compromised account that do not appear in the sender's Sent Items folder. Watch for inbox rules that the user or the administrator did not create; such rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders. The user's mailbox may also be blocked from sending mail, and the Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web may contain messages typical of a hacked account.
- Global Address List. The user's display name might be changed in the Global Address List.
- Unusual profile changes. Name changes, telephone number changes, postal code updates, and unusual credential changes, such as multiple password changes.
- OS interactive attempts. Look for unusual OS interactive logon attempts in logs and IP address connection attempts that are out of the norm for the user.

Respond
- Contain. Shut down the email account so that no one can access it.
- Change passwords and block access. Change all account passwords and block email access from countries where employees will not log in.
- Examine. Determine what was in the compromised mailbox. Remember that you may need to file a breach report for any PII that was exposed.

The Bottom Line: Know Your Normal

Throughout this article, a few key terms were repeated, but the bottom line is this: "Know Your Normal." If you are unfamiliar with the key risk indicators (KRIs) and indicators of compromise (IoCs) that help you identify when your network is not "normal," see SBS' previous article.
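As an added example that is not code from the article or from any email platform's API, the Python script below turns the Detect guidance for business email account takeover into concrete checks over constructed data: sign-ins from a country where no employee works, sign-ins outside the user's normal hours, and inbox rules that forward mail to an unknown external address or move it into folders such as RSS Subscriptions. The allow-list of countries, the per-user working hours, the record field names and all sample records are assumptions made for this example.

```python
"""
Business email account takeover: Detect checks over sign-in records and
inbox rules.

Added example, not code from the article or from any email platform's API:
it applies the Detect guidance above (logins from countries where no
employee works, logins at unusual hours for the user, and inbox rules that
forward mail to unknown external addresses or hide it in folders such as
RSS Subscriptions) to constructed records. The allow-list, working hours,
record fields and sample data are all assumptions made for this example.
"""
from datetime import datetime

INTERNAL_DOMAIN = "example.com"                 # assumption: our own mail domain
EMPLOYEE_COUNTRIES = {"US"}                     # assumption: countries employees log in from
NORMAL_HOURS = {"alice@example.com": (7, 19)}   # assumption: per-user normal hours (local, 24h)
HIDE_FOLDERS = {"Notes", "Junk Email", "RSS Subscriptions", "Deleted Items"}

# Constructed sign-in records in the shape of a cloud email audit log.
# "XX" is a placeholder country code meaning "somewhere no employee works".
LOGINS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:12:00", "country": "US", "ip": "192.0.2.10"},
    {"user": "alice@example.com", "time": "2024-05-01T03:40:00", "country": "US", "ip": "192.0.2.10"},
    {"user": "alice@example.com", "time": "2024-05-01T11:05:00", "country": "XX", "ip": "203.0.113.9"},
]

# Constructed inbox rules as an administrator might export them.
RULES = [
    {"user": "alice@example.com", "name": "Archive old mail", "forward_to": None, "move_to": "Archive"},
    {"user": "alice@example.com", "name": "Sync", "forward_to": "drop@mail.invalid", "move_to": None},
    {"user": "alice@example.com", "name": "Cleanup", "forward_to": None, "move_to": "RSS Subscriptions"},
]


def check_login(rec):
    """Return the reasons one sign-in record looks abnormal (empty list if normal)."""
    reasons = []
    if rec["country"] not in EMPLOYEE_COUNTRIES:
        reasons.append(f"login from {rec['country']} via {rec['ip']}: no employees work there")
    hour = datetime.fromisoformat(rec["time"]).hour
    start, end = NORMAL_HOURS.get(rec["user"], (0, 24))  # unknown user: no hours baseline
    if not start <= hour < end:
        reasons.append(f"login at {hour:02d}:00 is outside normal hours {start:02d}-{end:02d}")
    return reasons


def check_rule(rule):
    """Return the reasons one inbox rule looks like attacker persistence."""
    reasons = []
    target = rule["forward_to"]
    if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append(f"rule '{rule['name']}' forwards mail to external address {target}")
    if rule["move_to"] in HIDE_FOLDERS:
        reasons.append(f"rule '{rule['name']}' moves mail into '{rule['move_to']}', hiding it from the user")
    return reasons


def review_account(user, logins=LOGINS, rules=RULES):
    """Collect all findings for one mailbox; any finding is grounds to Contain."""
    findings = []
    findings += [r for rec in logins if rec["user"] == user for r in check_login(rec)]
    findings += [r for rule in rules if rule["user"] == user for r in check_rule(rule)]
    return {"user": user, "findings": findings, "suspected_takeover": bool(findings)}


if __name__ == "__main__":
    result = review_account("alice@example.com")
    print(f"{result['user']}: suspected takeover = {result['suspected_takeover']}")
    for finding in result["findings"]:
        print(" -", finding)
```

In a real deployment the country allow-list and per-user hours would come from HR data and an observed baseline rather than constants, and the findings would feed the Respond steps above (disable the account, reset passwords, remove the rules) rather than just being printed.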
Knowing when KRIs or IoCs arise on your devices or network is the first step in responding to an incident. Some organizations cannot monitor, or do not know how to monitor, their network; in that situation, investing in a platform that monitors it for you is best. A SIEM supports threat detection, compliance, and security incident management by collecting and analyzing security events, and it can include user and entity behavior analytics (UEBA) and security orchestration, automation, and response (SOAR). UEBA helps organizations notice abnormal behavior, such as logins from unusual locations, and SOAR assists with the actual response to cybersecurity incidents. A SIEM can also automate actions that would otherwise have to be performed manually by an analyst.

Multi-factor authentication (MFA) is a recurring Protect control throughout this article, and it is one of the only controls proven to stop hackers from accessing accounts after they have obtained a user's credentials. Think of MFA as the hand sanitizer of Protect controls: according to Microsoft, MFA prevents 99.9% of account compromises. Knowing what is normal on your network and implementing MFA will help your organization reduce risk while staying alert to anything abnormal. Remember that phishing attacks are the most common cause of all these incident scenarios, so make sure employees are trained and tested accordingly. Implement controls to Prevent, Detect, and Respond to incidents, and continue to mature your security program to keep your organization's and your customers' data safe.
