Mobile Archives | eSecurity Planet
https://www.esecurityplanet.com/mobile/
Feed last updated Fri, 26 May 2023 18:15:27 +0000

New Apple RSR Flaw Blocks MDM Functionality on macOS Devices
https://www.esecurityplanet.com/mobile/apple-rsr-flaw/
Wed, 24 May 2023 14:46:29 +0000

Addigy, which provides management solutions for Apple devices, today warned that Apple’s new Rapid Security Response (RSR) updates aren’t being delivered to as many as 25 percent of macOS devices in managed environments, and that the failure to do so is also impacting mobile device management (MDM) stacks on those devices.

RSR updates are new – the first batch was delivered at the beginning of this month. As Apple explained in a recent support document describing the updates, “They deliver important security improvements between software updates – for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist ‘in the wild.'”

Because RSR updates are focused solely on urgent security patches, it makes sense to install them as quickly as possible. While they can be disabled, they’re delivered and applied automatically by default.

Although there was an install issue discussed on Reddit earlier this month when the first RSR update was released, the problem Addigy describes appears to be both more persistent and more complex.

Stuck Updates and Unresponsive MDM

By checking customer environments in which its clients have macOS and iOS devices under management, Addigy found that some macOS devices end up in a “stuck” state in which the RSR update is delivered but never installed.

“More concerningly, there is no way for IT departments to know which machines are not implementing RSR updates without manually inspecting each machine and enabling the update,” Addigy warned today.

Critically, the stuck state also impacts the MDM stack on the affected device. “Addigy discovered the RSR wasn’t being implemented after finding that the MDM client binary gets stuck after executing the OSUpdateScan command and stops communicating with the Apple MDM Framework that Addigy follows,” the company said.

“If the MDM client on the device is unresponsive, necessary MDM actions are delayed, leading to potential security vulnerabilities in this critical RSR case,” the company added.

One in Four macOS Devices

According to Addigy, the issue affects only macOS devices, not iPhones or iPads, and impacts a quarter of all MDM-managed macOS environments. “As a result, all MDM vendors and customers are encouraged to audit their environments to ensure the critical RSR update is making its way onto every eligible machine under management,” the company said.

In response, Addigy has released a new MDM Watchdog utility that monitors the MDM framework on devices for the stuck condition described above and automatically fixes any in which it’s discovered.

“The stuck state condition we discovered within our customers’ environments affects one out of every four devices, so the impact to macOS environments in any enterprise is likely the same,” Addigy CEO Jason Dettbarn said in a statement.

Learn more about enterprise mobility management (EMM) and unified endpoint management (UEM) solutions

The post New Apple RSR Flaw Blocks MDM Functionality on macOS Devices appeared first on eSecurity Planet.
A Threat to Passkeys? BrutePrint Attack Bypasses Fingerprint Authentication
https://www.esecurityplanet.com/mobile/bruteprint-fingerprint-authentication-attack/
Tue, 23 May 2023 02:53:24 +0000

Security researchers recently published a paper detailing an attack they say can be used to bypass smartphone fingerprint authentication.

Yiling He of China’s Zhejiang University and Yu Chen of Tencent Security’s Xuanwu Lab are calling the attack BrutePrint, which they say can be used to hijack fingerprint images.

An attack like BrutePrint could present a significant threat to passkeys, an increasingly popular way to replace passwords with authentication methods like fingerprint authentication or face recognition.

And the attack is cheap to carry out. “The adversarial equipment is mainly a printed circuit board (PCB), which is inexpensive and universal,” the researchers wrote. “For specific smartphone models, adaptive flexible printed circuit (FPC) is required. The equipment costs around 15 dollars in total.”

Also read: Google Launches Passkeys in Major Push for Passwordless Authentication

Bypassing Attempt Limits

Simply put, BrutePrint acts as a middleman to bypass any attempt limits and to hijack fingerprint images. “Specifically, the bypassing exploits two zero-day vulnerabilities in smartphone fingerprint authentication (SFA) framework, and the hijacking leverages the simplicity of SPI [Serial Peripheral Interface] protocol,” the researchers wrote.

The two zero-days leveraged in the attack, either of which can be used to bypass attempt limits, are a Cancel-After-Match-Fail (CAMF) flaw and a Match-After-Lock (MAL) flaw. “Instead of an implementation bug, CAMF and MAL leverage logical defects in the authentication framework,” the researchers wrote. “Therefore, it exists across various models and OSes.”

Trying the attack on 10 different smartphone models with updated operating systems, the researchers were able to go three times over the attempt limit on Touch ID – and they successfully enabled unlimited attempts on Android devices, clearing the way for brute-force attacks.

They tested the attacks on the following devices, covering iOS, Android, and HarmonyOS: Apple iPhone SE and iPhone 7, Samsung Galaxy S10+, OnePlus 5T and 7 Pro, Huawei P40 and Mate30 Pro 5G, OPPO Reno Ace, Vivo X60 Pro, and Xiaomi Mi 11 Ultra.

Also read: Mobile Malware: Threats and Solutions

Fingerprint Image Hijacking

For fingerprint image hijacking, the researchers took advantage of a weakness in fingerprint sensors’ SPI protocol to enable man-in-the-middle attacks.

“SFA sensors except Touch ID do not encrypt any data and lack mutual authentication,” they wrote. “Together with the frequency that is possible for injection, the situation leads SFA vulnerable to MITM attack on SPI.”

“Fingerprint image hijacking is feasible on all devices except for Apple, which is the only one that encrypts fingerprint data on SPI,” they added.

[Figure: BrutePrint attack overview]

How to Respond to the BrutePrint Threat

To mitigate the CAMF flaw, the researchers recommended an additional error-cancel attempt limit setting – and more importantly, they urged vendors of fingerprint sensors to encrypt key data.
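The two defects are named after what the attempt counter gets wrong, and the mitigation above is a change to that counter. The following Python model is an added example, not code from the BrutePrint paper, from any vendor, or from eSecurity Planet: it models the framework's attempt limiter with constructed capture outcomes (match, no match, error) and no sensor or SPI handling at all. With `hardened=False` an attempt that ends in an error or cancellation never reaches the failure counter and matching still runs during lockout; with `hardened=True` it applies the researchers' recommended error-cancel attempt limit and refuses to consult the matcher while locked. The budgets (`max_failures`, `max_error_cancels`) are hypothetical values chosen for the demonstration.

```python
"""Simulated smartphone fingerprint attempt limiter (added example).

Models the Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL)
logic flaws as a configuration choice in an attempt counter, beside the
mitigations the researchers recommend: a separate error-cancel attempt
limit, and never running the matcher while locked. All inputs are
constructed outcome strings; no sensor, SPI or image handling is involved.
"""
from dataclasses import dataclass, field

MATCH, NO_MATCH, ERROR = "match", "no_match", "error"   # outcome of one capture


@dataclass
class AttemptLimiter:
    max_failures: int = 5          # hypothetical no-match budget before lockout
    max_error_cancels: int = 5     # hypothetical separate budget for errored/cancelled attempts
    hardened: bool = True          # False reproduces the CAMF/MAL-style logic
    failures: int = 0
    error_cancels: int = 0
    locked: bool = False
    log: list = field(default_factory=list)

    def attempt(self, outcome: str) -> str:
        """Process one capture outcome and return the framework's decision."""
        if self.locked and self.hardened:
            # MAL mitigation: during lockout the matcher is never consulted.
            self.log.append("locked: attempt rejected without matching")
            return "rejected"
        if outcome == ERROR:
            # CAMF: an attempt that ends in an error/cancel never reaches the
            # failure counter. The hardened path charges it to its own limit.
            if self.hardened:
                self.error_cancels += 1
                if self.error_cancels >= self.max_error_cancels:
                    self.locked = True
            self.log.append("error: attempt cancelled")
            return "error"
        if outcome == MATCH:
            # Unhardened: matching still ran while locked (MAL).
            # Hardened: this line is unreachable once locked.
            self.log.append("match accepted" if not self.locked
                            else "match accepted despite lockout")
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        self.log.append(f"no match ({self.failures}/{self.max_failures})")
        return "locked" if self.locked else "retry"


def run(outcomes, hardened=True):
    """Feed a constructed outcome sequence through a fresh limiter."""
    lim = AttemptLimiter(hardened=hardened)
    return [lim.attempt(o) for o in outcomes], lim


def demo():
    """Constructed sequences: repeated cancelled captures, and a match after lockout."""
    errors_then_match = [ERROR] * 8 + [MATCH]
    lockout_then_match = [NO_MATCH] * 5 + [MATCH]
    return {
        "weak_errors": run(errors_then_match, hardened=False)[0],
        "hard_errors": run(errors_then_match, hardened=True)[0],
        "weak_lock": run(lockout_then_match, hardened=False)[0],
        "hard_lock": run(lockout_then_match, hardened=True)[0],
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name:12} {decisions}")
```

In the weak configuration the error-cancelled captures never consume the budget and the device is still unlocked after a post-lockout match; in the hardened configuration the fifth error-cancel locks the device and every later attempt, including a matching one, is rejected before the matcher runs. The same shape applies to any biometric limiter, which is the point the researchers make about other biometric systems.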

And it’s not just about smartphones – they warned that BrutePrint could also be applied to other biometric systems.

“The unprecedented threat needs to be settled in cooperation of both smartphone and fingerprint sensor manufacturers, while the problems can also be mitigated in OSes,” they wrote. “We hope this work can inspire the community to improve SFA security.”

SAML: Still Going Strong After Two Decades
https://www.esecurityplanet.com/applications/saml/
Sat, 26 Mar 2022 00:04:29 +0000

SAML is an open standard facilitating the communication and verification of credentials between identity providers and service providers for users everywhere.

In 2005, the open standard consortium OASIS released SAML 2.0 to broad appeal. As smart mobile devices boomed, so did the number of web applications and the need to address never-ending logins. SAML was essential to addressing this challenge and introduced single sign-on (SSO) as a reliable tool for individuals up to enterprise organizations. The other most common use of SAML is for federation networks between infrastructure not necessarily linked to web services.

This article looks at the SAML protocol, how it works, the involved parties, and where it fits in the evolution of identity and access management (IAM).

What is SAML?

The Security Assertion Markup Language (SAML) manages transactions between web service providers and identity providers using the Extensible Markup Language (XML). These communications on the backend of username and password login processes ensure users get authenticated by the overarching identity manager and authorized to use the given web service(s).

Context: Authentication vs. Authorization

A foundational piece of the digital access puzzle is the difference between authentication and authorization. Authentication confirms user identity, and authorization grants specific rights to a web application, user, or device.

Read more: Best Privileged Access Management (PAM) Software

Service Providers and Identity Managers

Service providers and identity managers play a critical part in the federation process, allowing users access to specific data.

Service Providers

The exponential growth of applications serving consumer to enterprise IT needs and wants means a universe of service providers. Service providers are the organizations and web services offered to users through a valid request. Application and software developers are responsible for establishing the necessary backend database and protocol for storing and accepting user account credentials.

Popular service providers include top business application vendors like SAP, Microsoft, Oracle, Adobe, Google, and Salesforce.

Identity Managers

Identity managers offer organizations a system wherein a set of credentials can merge to become a federated identity for a specific user to access applications across platforms. Like directory services, organization administrators can control access to particular data with network user identity management.

Examples of popular enterprise identity provider systems include Microsoft and Azure Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and Google Suite, while other vendors include Oracle, Okta, OneLogin, and Auth0.

Also read: Best Zero Trust Security Solutions

How Does SAML Work?

  1. A user logs into the identity provider’s SSO.
  2. The user submits a request for a privileged web page.
  3. The service provider confirms user credentials with the identity provider.
  4. The identity provider responds by validating the user.
  5. The user accesses the web page requested.
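The five steps above describe the exchange at a high level; what makes step 4 trustworthy is the set of checks the service provider runs on the identity provider's answer before granting access in step 5. The Python below is an added example, not code from eSecurity Planet, OASIS or any vendor. It constructs a minimal SAML 2.0 assertion in the standard `urn:oasis:names:tc:SAML:2.0:assertion` namespace for a hypothetical IdP (`https://idp.example.test/saml`) and SP (`https://app.example.test/sp`), then validates issuer, signature presence, the NotBefore/NotOnOrAfter window, the audience restriction and the subject. Cryptographic XML-DSig verification is deliberately left out and marked in a comment; the example only checks that a Signature element is present.

```python
"""Service-provider-side checks on a SAML 2.0 assertion (added example).

Builds a constructed assertion the way an IdP would (step 4 of the SSO flow)
and shows what the SP must verify before trusting it. Signature
verification (XML-DSig) is out of scope here and only its presence is checked.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # standard SAML 2.0 assertion namespace
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"      # standard XML-DSig namespace
NS = {"saml": SAML_NS, "ds": DSIG_NS}

# Hypothetical entity IDs for the example IdP and SP (assumptions, not real systems)
TRUSTED_IDP = "https://idp.example.test/saml"
SP_ENTITY_ID = "https://app.example.test/sp"


def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issuer, audience, subject, not_before, not_on_or_after, signed=True):
    """Construct an assertion as the IdP would. A real IdP signs it with XML-DSig;
    here the Signature element is a placeholder so the SP-side presence check can run."""
    sig = (f'<ds:Signature xmlns:ds="{DSIG_NS}"><!-- XML-DSig omitted --></ds:Signature>'
           if signed else "")
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example1" Version="2.0" IssueInstant="{fmt(not_before)}">
  <saml:Issuer>{issuer}</saml:Issuer>{sig}
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def validate_assertion(xml_text, now, trusted_issuer=TRUSTED_IDP, my_entity_id=SP_ENTITY_ID):
    """SP-side checks. Returns (ok, subject) on success or (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 Assertion"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        return False, f"untrusted issuer {issuer!r}"
    if root.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned"
    # A production SP must verify the XML-DSig signature against the IdP's
    # pinned certificate here; this example only checks that one is present.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_time(nb):
        return False, "assertion not yet valid"
    if noa and now >= parse_time(noa):
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and my_entity_id not in audiences:
        return False, f"audience mismatch {audiences}"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "missing subject"
    return True, subject


def demo():
    """Run the validator over constructed good, expired, wrong-audience and unsigned assertions."""
    now = datetime(2022, 3, 25, 12, 0, 0, tzinfo=timezone.utc)
    fresh = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    good = build_assertion(TRUSTED_IDP, SP_ENTITY_ID, "alice@example.test", *fresh)
    expired = build_assertion(TRUSTED_IDP, SP_ENTITY_ID, "alice@example.test",
                              now - timedelta(hours=2), now - timedelta(hours=1))
    wrong_aud = build_assertion(TRUSTED_IDP, "https://other.example.test/sp", "alice@example.test", *fresh)
    unsigned = build_assertion(TRUSTED_IDP, SP_ENTITY_ID, "bob@example.test", *fresh, signed=False)
    return {
        "good": validate_assertion(good, now),
        "expired": validate_assertion(expired, now),
        "wrong_audience": validate_assertion(wrong_aud, now),
        "unsigned": validate_assertion(unsigned, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The audience check is what stops an assertion minted for one service provider from being replayed at another, and the validity window is why IdP and SP clocks need to be synchronised. A real deployment also verifies the signature with an XML-DSig-capable library, matches the response's InResponseTo against the request it sent, and rejects an assertion ID it has already seen.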

Why is SAML Important?

Whereas web service providers have long played the role of identity managers, the emergence of identity providers gives users one convenient place to store credentials and, therefore, access to many accounts. SAML is the federated authentication and authorization process in this split of responsibilities, simplifying communication between parties.

[Figure: How SAML 2.0 federation works for a Microsoft user]

Read more: How Machine Identities Can Imperil Enterprise Security

OAuth vs SAML

OAuth is also an example of a language web service providers use to communicate on behalf of users and applications, but they address different sides of the authorization-authentication coin.

SAML is a standard for identity management and federation, including systems like SSO. OAuth is a pure authorization protocol that pairs with OpenID Connect (OIDC), which handles authentication.

SAML might be the more trusted and mature protocol of the two; however, OIDC is a newer authentication protocol designed for mobile and web applications. Another notable difference between the two languages is OAuth’s use of the JSON Web Token (JWT). While SAML uses XML, JWTs are more lightweight, self-contained, and include a digital signature for independent verification without the authorization server.

While SAML 2.0 remains widely in use, the growth of OAuth 2.0 paired with OIDC means SAML isn’t deployed nearly as much as it once was.

Learn more about OAuth 2.0 with OAuth: Our Guide to Industry Authorization.

IAM History: SAML in Context

In 2001, the Organization for the Advancement of Structured Information Standards (OASIS) began work on what would become an industry-first XML framework for exchanging authentication and authorization data. A year later, SAML 1.0 would become an official OASIS standard. In 2005, OASIS released 2.0, which gained widespread appeal for web developers and service providers by the end of the decade.

While SAML 2.0 led the way, OIDC’s two predecessors, OpenID 1.0 and 2.0, were released in 2006 and 2007 as alternative authentication protocols. The launch of OAuth 1.0 in 2010 and OAuth 2.0 two years later meant third parties had a deliberate protocol for authorizing secure, user-agent, delegated access. Rather than dealing with a separate protocol for authentication needs, the release of OpenID Connect in 2014 gave developers an authentication layer on top of OAuth 2.0 for initial sign-in across accounts.

Despite the recent prevalence of OAuth and OIDC for authentication and authorization, SAML 2.0 remains a widely offered and used protocol for enterprise organizations.

Also read: Best Next-Generation Firewall (NGFW) Vendors

Top IoT Security Solutions
https://www.esecurityplanet.com/products/iot-security-solutions/
Sat, 20 Nov 2021 05:13:02 +0000

IoT security is where endpoint detection and response (EDR) and enterprise mobility management (EMM) meet the challenges of a rapidly expanding edge computing infrastructure. As the enterprise attack surface grows, IoT is yet another attack vector organizations aren’t fully prepared to defend.

Internet of Things (IoT) devices are the smart consumer and business systems powering the homes, factories, and enterprise processes of tomorrow. By year-end, total IoT device installations will surpass 35 billion and extend to 55 billion by 2025.

Enterprise organizations recognize this shift and need to invest in device management and endpoint security capabilities. In 2016, $91 million was spent on IoT endpoint security solutions. Five years later, that number has skyrocketed to $631 million. With the growth of segments like industrial IoT (IIoT), Internet of Medical Things (IoMT), and industrial control systems (ICS), IoT security will continue to be critical to business continuity, vulnerability management, and threat remediation.

This article looks at the top IoT security solutions, current commercial features, associated risks, and considerations for organizations choosing an IoT vendor.

Top IoT Security Vendors and Solutions

Armis

Launched in 2015, Armis Security specializes in providing agentless IoT security for today’s enterprise infrastructure. The Armis Platform offers the behavioral analysis of billions of devices to inform the Armis Device Knowledgebase, which monitors and alerts administrators to anomalies in IoT device traffic. With Armis Standard Query (ASQ), operators can search and investigate vulnerabilities, services, and policies for managed and unmanaged devices, applications, and networks. As enterprises increasingly take on risks associated with IoT deployment, Armis Asset Management is the vendor’s separate solution providing visibility into devices across the hybrid infrastructure.

Armis’ solutions include cybersecurity asset management, OT security, ICS risk assessment, zero trust, and more. Armis was acquired at a $1 billion price tag by Insight Partners in January 2020, joining Insight’s other cybersecurity subsidiaries like SentinelOne, Perimeter81, Mimecast, and Tenable.

Armis Features

  • Agentless, passive monitoring for seamless integration into existing infrastructure
  • Robust device contextual details like model, IP/MAC address, OS, and username
  • Threat intelligence feeds offering detection and response functionality
  • Monitoring for an array of devices including IoT, industrial, medical, apps, and cloud
  • Built-in playbooks for manual or automated responses to policy violations

Read more: New TCP/IP Vulnerabilities Expose IoT, OT Systems

Broadcom Symantec

Considering the IT giant’s network infrastructure and cybersecurity chops, it’s no surprise that Broadcom Symantec is also a leader in the IoT security market. Symantec’s Integrated Cyber Defense security bundles (XDR, SASE, and zero trust) contain all the necessary tools for monitoring and securing IoT devices.

Broadcom also offers a location hub microcontroller and System-on-a-Chip (SoC) systems for embedded IoT security for organizations handling product manufacturing. Explicit to the risks posed by IoT deployment, Symantec ICS Protection provides organizations with an enforcement driver, advanced ML, and threat intelligence. At the same time, Symantec CSP offers application allowlisting, system hardening, and anti-exploit techniques.

Broadcom Features

  • Embedded IoT security for seamless over-the-air (OTA) management
  • Powerful analytics engine for processing millions of IoT events
  • Support for managed and unmanaged devices across hybrid infrastructures
  • Monitor IoT performance for cloud, APIs, apps, devices, networks, and more
  • Global threat intelligence informing endpoint policies and provisioning

Cisco

Enterprise networking vendor Cisco took a big step into the future of industrial security with the acquisition of French IoT company Sentryo, rebranded as Cyber Vision, in 2019. The resultant synergy has been optimal visibility into ICS networks through an adaptive edge monitoring architecture alongside Cisco’s existing security stack. In addition to Cyber Vision, the Cisco IoT Threat Defense also includes firewalls, identity service engines (ISE), secure endpoints, and SOAR.

Cisco’s industrial threat defense strategy helps organizations assess risk, identify relationships between systems, and deploy microsegmentation in the name of zero trust. Security administrators gain needed context into IoT and OT security events to leverage existing policies. The Forrester Wave for ICS Security Solutions released earlier this month for Q4 2021 placed Cisco atop the ICS/OT security industry.

Cisco Features

  • Real-time visibility into industrial assets, communications patterns, and app flows
  • Seamless integration with SOC platforms and SIEM and SOAR systems
  • Alerts for hardware and software vulnerability detection and response
  • Deployable as embedded equipment or an out-of-band SPAN collection network
  • Deep packet inspection (DPI) for understanding context around behavior

Cradlepoint

Since 2006, Cradlepoint has grown into a dominant WAN, edge networking, and cloud solutions provider and was acquired by Ericsson in September 2020 for $1.1 billion. The Boise, Idaho-based vendor’s IoT solution is a part of its NetCloud Service, offering LTE and 5G-compatible wireless edge routers with a web-based platform to manage edge traffic and IoT services.

NetCloud for IoT offers remote management, dynamic routing protocols, zone-based firewalls, and extensibility for securing edge environments. Cradlepoint works with a universe of IoT devices, including medical equipment and smart buildings to kiosks and digital signage.

Cradlepoint NetCloud for IoT Features

  • Dashboard offering visibility into accounts, groups, devices, usage, and analytics
  • Connection manager offering WAN optimization, failover, and load balancing
  • Routing capabilities for static and policy routes, traffic steering, and IP verification
  • Support for IPv4 and IPv6, Quality of Service (QoS), and IP passthrough mode
  • Advanced tools like in-band and out-of-band management and map locations

Read more: Cybersecurity Risks of 5G  – And How to Control Them

Entrust

With five decades of experience working with distributed technology solutions, Entrust is a market leader in certificate issuance, identity management, and digital security systems trusted globally by governments, banks, and enterprises. Entrust IoT Security relies on the vendor’s industry-recognized Public Key Infrastructure (PKI) solution. Entrust PKI includes Certificate Hub for granular control of digital certificates, Managed PKI Services to outsource certificate issuance and management, or Entelligence Security Provider for automating enterprise ID management. Entrust can secure the sensitive transactions needed for business continuity for enterprises and industrial organizations deploying IoT devices.

Beyond Entrust’s comprehensive device management offerings, its explicit edge device management products are IoT Identity Issuance and IoT Identity Management. These agent-based solutions can quickly onboard and configure new IoT devices and facilitate secure communication between apps, users, and appliances.

Entrust Features

  • User-friendly portal for managing certificates from remote locations
  • Access to key history, backups and recovery configurations, and more
  • Secure, automated updates and upgrades with the latest security requirements
  • Compatibility with leading enterprise mobility management (EMM) solutions
  • Managed identity security, including encryption, digital signatures, and authentication

Forescout

Twenty years after its launch, Forescout is an industry leader in monitoring, analyzing, and securing the IoT and OT systems commonly dubbed the Enterprise of Things. Forescout’s IoT Security solution recognizes the value of zero trust principles and works to establish micro-perimeters for specific network segments, obfuscation techniques, and granular user privileges and access.

As a budding zero trust industry leader, the San Jose-based vendor can help manage risk across the hybrid infrastructure, including unmanaged services, Internet of Medical Things (IoMT) devices, and all IP-connected systems. As to how far the vendor has come – Forescout was acquired last year at a valuation of $1.9 billion by a private equity firm.

Forescout IoT Security Features

  • Provision IoT devices by network segment with dynamic, behavior-based policies
  • Agentless monitoring that can discover all physical or virtual IP-connected devices
  • Access to the Forescout Device Cloud with over 12 million device risk profiles
  • Discover all IP-connected physical and virtual machines in real time
  • Automate configuration management database (CMDB) for replication

Fortinet

Fortinet is addressing the newest frontier of cybersecurity with its FortiGuard IoT Service. With enterprise capacity, FortiGuard IoT processes 1.2 billion queries daily from thousands of new and existing devices. Leaning on its existing security stack, Fortinet’s strategy for addressing edge risk combines its next-generation firewall (FortiGate) and NAC (FortiNAC) in a lightweight SaaS solution. With LAN Edge, organizations can implement their SD-WAN strategy while bolstering edge networks.

FortiNAC is the vendor’s zero trust access solution providing agentless scanning, microsegmentation, and a multitude of profiling methods to determine the identity of devices. Fortinet firmly believes in a fabric-based approach to IoT security to manage the distributed threat posed by IP-enabled devices.

Fortinet Features

  • Easy, automated onboarding for apps, users, and devices across infrastructure
  • User and device profiling and denial of unsecured devices
  • Compatible with 150 vendors offering flexibility with network device configurations
  • Industry-leading NGFW for physical, virtual, and cloud systems
  • Access to threat intelligence and research from FortiGuard Labs

JFrog

When it comes to end-to-end DevOps solutions, JFrog has been a notable vendor for almost a decade. With the acquisitions of Vdoo and Upswift over the summer, the Israeli-American software lifecycle company can continuously update and secure IoT devices as a budding DevSecOps solution. JFrog offers visibility across application and service lifecycles and can inform and automate security strategies addressing edge traffic and machines.

The JFrog Platform relies on a universal binary repository that records all dependencies, builds artifacts, and releases management details. This basis provides high availability and seamless multi-site replication for managing increasingly complex software deployments. For security and compliance, JFrog offers software composition analysis (SCA) for analyzing third-party and open source software, capable of scanning all major package types alongside a full REST API for seamless integration into existing infrastructure.

JFrog Features

  • Support for on-premises, cloud, multi-cloud, or hybrid deployments
  • Configure artifact metadata and search by name, archive, checksum, or properties
  • Index and scan package types like Go, Docker, Python, npm, Nuget, and Maven
  • Vulnerability intelligence to alert and inform remediation of bugs
  • 24/7 support from the JFrog Research & Development team

Read more: Top Application Security Vendors

Overwatch

To guard an increasing number of IoT devices against brute force attacks, server application vulnerabilities, and escalated access, Overwatch specializes in IoT security through its ThreatWatch solution. Hailing from Little Switzerland (North Carolina), the vendor launched in 2015 to address the era of SD-WANs and edge connectivity. Threatwatch offers organizations security management analytics for network devices, threat monitoring, and resolution capabilities, as well as a visual map of all active connections.

For devices, the Overwatch agent is an edge-deployed security monitoring solution communicating with the Threatwatch platform to provide administrators with real-time traffic analysis. Administrators have visibility into active connections and can take remediation actions like rebooting or device locking when appropriate.

Overwatch Features

  • Easy-to-use web interface for central management of agents and devices
  • Lightweight, discreet agent resilient enough to block exploits
  • API for communicating real-time threat assessment and mitigation to device agents
  • Administrative access to analytics, data storage, and assessments
  • Configure security policies for IoT devices and clusters with specific criteria

Palo Alto Networks

Palo Alto Networks is one of the most innovative global cybersecurity vendors, and its IoT strategy is no different. A part of Palo Alto’s Network Security vertical, the vendor approaches edge management with the IoT Security Lifecycle. All organizations must understand, assess, and mitigate IoT risks, detect known threats, and respond to anomalies. PAN’s IoT security framework includes EDR, ZTNA, vulnerability management, asset management, and NAC to provide end-to-end visibility.

With the vendor’s built-in playbooks, administrators can instantly resolve IoT security risks like resource-intensive API-led integrations and manual processes for ticket creation. In a single platform, it’s challenging to compete with the monitoring, prevention, and response capabilities PAN provides.

Palo Alto Networks IoT Security Features

  • Pre-built integrations for existing IT systems like NAC, SIEM, and ITSM
  • Machine learning and telemetry to inform risk assessment and remediation
  • Lightweight cloud-delivered security service for easy deployment
  • NAC or NGFW implementation for building a zero trust infrastructure
  • Enhanced investigation and threat response for IT, IoT, OT, and Bluetooth devices

PTC

PTC is a longtime provider of computer-aided design (CAD) and product lifecycle management (PLM) software, and almost four decades after its launch, the vendor continues to serve industrial needs with the latest tech like augmented reality (AR) and IIoT solutions. PTC offers the ThingWorx Industrial IoT Solutions Platform as a bundle of tools or standalone solutions for IoT security.

Through Kepware and the ThingWorx Kepware Server, organizations can securely connect to OT systems, equipment, and plants typically siloed in niche protocols. Administrators can configure firewall policies by assigning access and permissions based on user roles. PTC’s solutions provide the necessary visibility and flexibility to deploy and manage hybrid, cloud, and on-premises systems.

PTC ThingWorx Features

  • Remote asset monitoring, alerts, and analysis of trends in traffic and systems
  • Pre-built apps and developer tools for deploying IoT applications
  • Performance monitoring and management provides real-time analysis
  • Machine-to-machine (M2M) linking, logic, and communication functionality
  • Mitigate inefficiencies or risks posed by legacy industrial systems 

Trustwave

Chicago-based Trustwave is a leading managed security service provider (MSSP) with billions of security events logged every day. Twenty years in, the cybersecurity vendor has a global presence and the expertise to manage detection and response, security systems, compliance, applications, and databases.

Trustwave offers IoT security for both implementers and manufacturers: software and applications for monitoring devices, plus services for the embedded components that extend protection to the hardware itself. For implementers, the vendor offers managed IoT monitoring and managed security testing for validating embedded systems. Product developers and manufacturers can conduct IoT product testing, including incident response.

Trustwave Features

  • Penetration testing for investigating vulnerabilities of apps, servers, IoT, and cloud
  • Scanning and tracking of all IP-enabled devices to enforce adequate access control
  • Personalized approach to managing an organization’s IoT systems and associated data
  • Operational resilience with managed and automated compliance functionality
  • Access to vulnerability, threat, and exploit experts with Trustwave SpiderLabs

What Are IoT Security Solutions?

IoT security solutions are the software and embedded tools used to monitor edge devices, proactively detect threats, and facilitate remediation. As such, current IoT security solutions are a mix of standalone and bundle plans that include existing tools like EDR, encryption, IAM, EMM, and more to protect connected devices and networks.

What Are IoT Devices?

IoT is the broad label given to devices capable of communicating with each other, often at short range, that carry unique identities and include few components beyond what their function requires, which frequently means few security features. Because of this, several organizations are building security into a new generation of IoT devices (embedded security), while other vendors offer agent-based software to monitor and protect IoT devices.

Examples of IoT devices include most consumer smart systems, autonomous machinery and vehicles, office appliances, and a multitude of healthcare devices.

Considerations for Choosing an IoT Security Solution

  • How does the solution isolate IoT devices and access from critical segments?
  • What protocols and tools are available for secure transactions? (TLS, encryption, Auth0)
  • Are there embedded or built-in IoT security requirements to address exposure?
  • What policy controls can administrators configure for unmanaged devices or users?
  • Does the solution issue and manage secure credentials like PKI and code signatures?
  • Can solution operators identify, categorize, and provision new devices?
  • How does the solution establish trust between devices? (e.g., key injection or HSMs)

IoT Security Solution Features

  • Network scanning, device identification, and discovery of active connections
  • Profiling of users, data, devices, locations, and more to identify and assess risk categories
  • Threat intelligence on active malware and available patches
  • Security gateways to isolate network segments between ports, servers, and IoT devices
  • Baseline responses to anomalous behavior for individuals or clusters of devices
  • Define and enforce policies across device and access types for hybrid infrastructures
  • Automated onboarding, configuration, and threat response policies for new IoT devices
  • Certificate issuance and management for granting secure credentials and access

Because securing IoT devices is a budding cybersecurity segment, the above list is not all-encompassing, and several vendors present unique approaches to addressing IoT security challenges.

IoT Device Risks and Vulnerabilities

IoT devices like sensors, doorbells, and printers, once isolated from other devices and from an organization’s larger IT environment, are now at risk of compromise. With proper segmentation, organizations can prevent access to a single IoT device from turning into something more, but segmentation alone won’t stop threat actors from enlisting the device and others like it in a botnet attack.

Other identified risks associated with IoT device management include:

  • Insufficient security or data protection capabilities for devices
  • Inability to add additional security software
  • Insecure interfaces easily accessible to a persistent threat
  • Poor password protection, with default credentials left in place
  • Unreliable patch or update mechanism
  • Nonexistent or incomplete inventory of IoT devices and monitoring of IoT traffic
  • A gap in IoT security management skills for edge systems
  • Disparate management of IoT and OT systems creating data silos

IoT Security: Not Going Away

The proliferation of IoT devices means securing the next generation of IT environments will require IoT-specific security strategies and solutions. Organizations actively deploying IoT devices should be prudent about the security risks of insecure edge devices and proceed with caution.

Organizations need to visualize IoT assets under management, profile their risk, apply adequate protections, and monitor IoT traffic for unknown threats. Like so much else in cybersecurity, visibility informs action and strategy – making the upfront work of selecting an IoT security solution or assembling a strategy that much more valuable in avoiding unnecessary risk.

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

The post Top IoT Security Solutions appeared first on eSecurity Planet.

The Best Wi-Fi 6 Routers Secure and Fast Enough for Business https://www.esecurityplanet.com/products/best-wifi-6-routers/ Sat, 13 Nov 2021 02:12:21 +0000

Remote work and home offices were an afterthought until the COVID-19 pandemic. They were then vaulted to the forefront of security concerns so quickly that security and IT teams were caught off guard.

Now, remote work is likely here to stay even after the pandemic is gone. That means that the temporary solutions put in place over the last 18 months will need to give way to more permanent solutions.

Application access and device and network security are concerns that will remain for remote work. Application security can be improved through zero trust principles. Employee devices can be secured with endpoint security.

But what about home networks? Security and networking vendors have been rolling out solutions for home networks, and some are attractively priced. The arrival of Wi-Fi 6 couldn’t have been better timed: secure Wi-Fi 6 routers are popping up everywhere, and some are being offered by some of the top cybersecurity companies.

The Best Wi-Fi 6 Routers for Small Offices

Wi-Fi 6 offers better concurrency capacity and low network latency, with the ability to accommodate many devices and activities on the router stress-free. Congestion tends to be the biggest problem with wireless networks, and Wi-Fi 6 promises relief there in addition to greater performance.

Not surprisingly, the Wireless Broadband Alliance (WBA) expects mass adoption of Wi-Fi 6/6E technology over the next year. Wi-Fi 6E builds on Wi-Fi 6 and has all of the functionality plus access to a new 6 GHz wireless band. By the end of 2022, the overwhelming majority of service providers, equipment manufacturers, and businesses throughout the world will have deployed Wi-Fi 6/6E, or plan to do so, according to the Wireless Broadband Alliance. Here, then, are our picks for the best Wi-Fi 6 routers for small offices, including specs, special features, and security protections.

Netgear Nighthawk RAXE500

Netgear’s Nighthawk RAXE500 is viewed by many as the best Wi-Fi 6E router. One reason is its ability to quickly send and receive data in the 2.4, 5, and 6 GHz bands. At close range, the combination of a 1.8 GHz quad-core processor and the new 6 GHz band gives it the fastest speed available on the market. Users who need more coverage at home can add the Nighthawk mesh extenders and still get an impressive amount of speed.

Netgear Nighthawk RAXE500

Remote workers who wish to simultaneously connect work-related systems and leisure appliances to the internet can now do so, with up to 200% more available spectrum than dual-band Wi-Fi routers to handle congestion. The RAXE500 also comes with five gigabit ports and two USB 3.0 ports for faster streaming, data backup, and painless access to stored files.

Although Netgear’s security costs $99.99 annually after the first 30 days, it offers a wide range of protection from cyber attacks and also includes a new security solution. Netgear Armor, powered by Bitdefender—our top consumer antivirus pick and a top enterprise endpoint security tool too—regularly scans all devices connected to the router, with the ability to predict, detect, and block unusual activity while you are surfing the internet. Other benefits of the Bitdefender technology include a VPN; protection even when users are connected to public Wi-Fi; and the ability to track, lock, or wipe a device’s data when it is stolen or lost.

Netgear’s Nighthawk RAXE500 comes at a starting price of $599. While it’s not the most affordable solution on the market, for home employees working with corporate data, it’s money well spent.

Netgear Orbi Whole Home Mesh Router (RBK853)

Netgear Orbi

Remote workers in large buildings need look no further than Netgear’s whole home Orbi Mesh router (RBK853). This device can cover 7,500 square feet. With throughput of up to 6 Gbps—double that of 5 GHz and 2.4 GHz processors—about 100 devices in the home could connect simultaneously and still get an impressive internet experience. Those specs make it useful for small offices too.

The router offers a faster CPU than other Netgear Orbi Mesh routers, with a powerful 2.2 GHz quad-core processor. It also comes with five ports: one WAN port and four Ethernet LAN ports. As for memory, it comes with 512 MB of NAND flash and 1 GB of RAM.

With comprehensive antivirus and data theft protection for all connected devices, the security is almost as good as Netgear’s Nighthawk RAXE500, but at no additional cost. At $999, though, it comes in on the high end of the market.

ASUS ROG Rapture GT AX11000

ASUS ROG Rapture

This router, the first 10 gigabit Wi-Fi 6 router, is the best gaming router for a reason: it was specifically made for gamers. That also makes it a strong choice for remote workers who are power users. Its hardware includes a quad-core CPU, eight antennas, 2.5G ports, and DFS band support, giving the router everything it needs to deliver powerful internet performance at close range to a large number of simultaneously connected devices. Even at a distance, its coverage of about 3,500 square feet lets it outperform many routers, something only a router designed for mesh can do.

Its AiProtection from Trend Micro—another favorite of ours—offers routine security assessments, malicious site blocking, two-way IPS, and infected device prevention. At $549, it appears pricey, but many users recommend this device because of its ability to cope with heavy usage.

TP-Link Archer AX6000

TP-Link Archer AX6000

Although affordable compared to its counterparts, this dual-band router still offers high-speed performance and a 75% latency improvement for the many devices connected in a house. While it is not as fast as more expensive routers, it can still serve business users with home offices well and protect the bottom line by saving costs.

TP-Link’s mesh support gives it the flexibility to create seamless whole home coverage of up to 4,000 square feet, at an affordable price of $272. It comes with an extremely powerful 1.8 GHz 64-bit quad-core processor with two dedicated co-processors. It also comes with Trend Micro security that offers lifetime protection at no cost.

TP-Link Deco X20

TP-Link Deco X20

At $219, the TP-Link Deco X20 stands as the most affordable mesh Wi-Fi router kit on this list.

Even so, remote workers can enjoy an advanced mesh powered by Wi-Fi 6 that delivers enhanced home coverage, speed, seamless roaming, and greatly reduced latency with about 150 devices connected.

The router also comes with Trend Micro security for free, plus WPA3 and WPA2 PSK security protocols.

Palo Alto Okyo

The just-released Okyo Wi-Fi 6 security and router system is highly suitable for small business and home markets.

Palo Alto Okyo

It’s priced at $349 a year and offers many benefits, such as malware, ransomware, phishing and remote attack protection, online activity monitoring, Wi-Fi 6 performance, support for 30 devices (or more for a modest fee), and the ability to discover devices on a network. The subscription pricing adds up over time, but since Palo Alto Networks has the best security on the enterprise market, it is well worth the investment in our judgement. You can sleep peacefully at night with Okyo powering your network.

Editor’s note: As of late 2022, the Okyo has been discontinued, but Fortinet, a Palo Alto rival with strong enterprise security, also offers a Wi-Fi 6 router worth considering.

ASUS RT-AX86U

Businesses that need something close to what the ASUS ROG Rapture GT-AX11000 offers but at a more affordable rate should check out the RT-AX86U. With Wi-Fi 6, businesses with a hybrid work model can fully depend on the router for simultaneous transfers of large data files in high volume with minimal latency. The dual-band gaming router operates at an ultrafast speed of up to 5,700 Mbps, so it’s an impressive solution for users demanding a fast wireless network.

ASUS RT-AX86U

Even for larger premises, it leaves no dead spots. Its ASUS AI mesh support creates a flexible and easy whole home network using AI mesh-compatible routers. A common concern for remote workers arises when routers also have to accommodate other home appliances. That isn’t an issue here, since the dedicated gaming port on the RT-AX86 series automatically prioritizes any device connected to it. In addition, the router’s adaptive QoS removes network bottlenecks and keeps the network running smoothly.

In terms of security, ASUS AiProtection is powered by Trend Micro technology, with lifetime free commercial-grade security for all devices connected to it at home. Generally, the ASUS RT-AX86U is more renowned for its capabilities and affordability than other gaming routers. Many users have expressed satisfaction and very few regrets; hence, the RT-AX86U is worth its price of $318.

Eero Pro 6

Whether in the family room, bedroom, or the study, being able to work from any range without much difference in the performance of network connectivity is what many mesh routers offer. Eero Pro 6, however, is unique because it offers these services with an unbeatable convenience.

Eero Pro 6

Amazon, the producer of the Eero Pro 6, says its TrueMesh technology scans the home and optimizes for its layout, connected devices, and overall network usage. And with a tri-band radio able to manage over 70 connected devices, the result is faster speed and greater coverage. This makes it a reliable choice for homes and even small offices.

Unlike many Wi-Fi 6 routers that require adjustments when a band or signal slips, the Eero Pro 6 automatically corrects itself, mainly with the aid of the TrueMesh technology, which steps in to balance the signal and keep it strong and uninterrupted. The router also maintains network privacy by using the latest Wi-Fi security to provide individualized encryption that keeps the network and its data safe.

Finally, its specs include seven antennas, two Ethernet ports, a 1.4 GHz quad-core processor, and 1 GB of RAM. A single unit goes for $229, the double pack for $339, and the three-pack Eero Pro 6 for $599. Security costs extra, however.

EU to Force IoT, Wireless Device Makers to Improve Security https://www.esecurityplanet.com/mobile/eu-iot-wireless-device-security/ Mon, 01 Nov 2021 23:15:31 +0000

The European Union is poised to place more demands on manufacturers to design greater security into their wireless and Internet of Things (IoT) devices.

In an amendment to the EU’s 2014 Radio Equipment Directive (RED), the European Commission noted that as wireless devices, from mobile phones to fitness trackers to smart watches, become increasingly embedded into everyday consumer and business life, they also become a greater security risk.

The goal of the amendment – called a “delegated act” – is to ensure that all wireless devices are safe before they are sold in the EU. Manufacturers will be required to adhere to the new cybersecurity safeguards when designing and producing these products. In addition, the amendment also will ensure greater privacy of personal data, prevent financial fraud, and improve resilience in European communications networks, according to EU officials.

“Cyberthreats evolve fast,” Thierry Breton, commissioner for the Internal Market, said in a statement. “They are increasingly complex and adaptable. With the requirements we are introducing today, we will greatly improve the security of a broad range of products, and strengthen our resilience against cyberthreats, in line with our digital ambitions in Europe.”

The U.S. has made some strides on IoT security at the federal level; it remains to be seen if the EU initiative will spur the U.S. to greater action or result in a general improvement in device security.

Common EU Security Standards

It’s also part of a larger EU effort to create a comprehensive set of common cybersecurity standards for products and services that come into the European market, Breton said.

That said, it will take a while for the market to see the results of the amendment, which was announced in late October. It will need the approval of the European Council and European Parliament and then undergo a two-month period of review and scrutiny. Once in place, manufacturers will have 30 months to begin meeting the new legal requirements, giving them until mid-2024 to bring the devices into compliance.

The amendment addresses the ongoing concern about security at a time when the use of wireless devices and the IoT market continue to increase sharply. According to market research firm IoT Analytics, global enterprise spending on the IoT – which includes tens of billions of intelligent, connected devices, from small sensors to large factory systems – is expected to hit $159.8 billion this year, a 24 percent year-over-year increase. In the coming years, it will expand more than 26 percent a year, the analysts said.

IoT market growth

In addition, IDC analysts in July wrote that smartphone shipments in the second quarter increased 13.2 percent over the same period in 2020, with 313.2 million devices being shipped.

The adoption of 5G will bring new capabilities to mobile and IoT devices, further driving device growth – and raising new security concerns (see Cybersecurity Risks of 5G – And How to Control Them).

IoT Security Neglected

Many security experts have worried that device makers are more concerned with the features in the devices than with the security. EU officials noted in a statement that the COVID-19 pandemic increased the use of wireless devices for both professional and personal use, and that studies by the European Commission have found “an increasing number of wireless devices that pose cybersecurity risks. Such studies have for instance flagged the risk from toys that spy the actions or conversations of children; unencrypted personal data stored in our devices, including those related with payments, that can be easily accessed; and even equipment that can misuse the network resources and thus reduce their capability.”

None of that surprises John Bambenek, principal threat hunter with cybersecurity vendor Netenrich.

“Many manufacturers of IoT devices do not have experience in IT or system hardening,” Bambenek told eSecurity Planet. “The result has been devices with trivial vulnerabilities or flaws that have been solved for a decade or longer in traditional computing. This problem is compounded by the fact these devices act in the physical world, so the risks can be more profound.”

Also read: IoT Devices a Huge Risk to Enterprises

Device Maintenance Still Needed

Bud Broomhead, CEO at IoT security vendor Viakoo, told eSecurity Planet that while the EU’s initiative will ensure improvements in the initial security of a device, users will need to continue maintaining the systems over time.

“It’s never one and done,” Broomhead said. “New vulnerabilities are created every day by cybercriminals, leading to many IoT devices being installed with out-of-date firmware and other exploitable vulnerabilities.”

He pointed to a FireEye study showing that exploits have overtaken phishing attacks as the top threat to organizations. Given that, designing improved resilience into devices is increasingly important, Broomhead said.

Manufacturers should look at requirements like those in the EU RED amendment as an opportunity – rather than a burden – to build in more cybersecurity features. Bambenek agreed.

“Security has always been a cost to any product or technology,” he said. “Decades ago, we came to terms with the economic concept of externalization — dumping costs on third parties to maximize profits – and now we need to come to terms with risk externalization. No harm from these devices being hacked will fall to the manufacturer even though they are in the best position to address it.”

EU Amendment Applies to Many Devices

The new requirements in Europe will address a wide range of wireless devices, including mobile phones, tablets and other products that communicate over the internet, such as baby monitors and wearable equipment like smartwatches and fitness trackers. The devices will have to include features to ensure the protection of communications networks and ensure that the devices can’t be used to disrupt websites or similar services.

In addition, device makers will have to guarantee that features protecting personal data are embedded, and the protection of children’s rights will be a key part of the legislation. Other required features will have to minimize the fraud risk that comes with making electronic payments, such as better authentication controls.

The amendment dovetails with the EU’s Cyber Resilience Act, recently announced by European Commission President Ursula von der Leyen, which would cover a broader range of products.

Both Bambenek and Broomhead said the rapid and automated update of device firmware should be required and that default or easy-to-guess passwords should be eliminated. Bambenek also said insecure remote access should not be allowed and there should be highly controlled restrictions on third-party apps. Access to user data also should be controlled and audited. Broomhead said the devices should be part of a zero trust model and that a way to deploy and manage certificates should be used to authenticate device identity.

He also said that both cyberthreats and the use of IoT devices are global issues and that a worldwide collaboration and sharing of best practices is needed to defend against bad actors. Bambenek added that the United States would do well to learn from what European lawmakers are doing.

“The EU has always had a stronger view of privacy than the U.S.,” he said. “Many of our tech leaders have openly said there should be no privacy rights. The U.S. needs to relearn the economic lessons of 100 years ago when it comes to letting corporations dump its costs on society.”

Further reading: Mobile Malware: Threats and Solutions

Multi-Factor Authentication (MFA) Best Practices & Solutions https://www.esecurityplanet.com/mobile/multi-factor-authentication/ Tue, 05 Oct 2021 10:00:00 +0000

This post has been updated for 2021.

Passwords are the most common authentication tool used by enterprises, yet they are notoriously insecure and easily hacked. But even when passwords are secure, that’s not enough. Recently, hackers leaked 87,000 Fortinet VPN passwords, mostly from companies that hadn’t yet patched a two-year-old vulnerability.

At this point, multi-factor authentication (MFA) has permeated most applications, becoming a minimum safeguard against attacks. End users tend to be careless with passwords, frequently reusing or sharing their passwords.

In fact, 62 percent of professionals admitted to sharing passwords over text messages or email and 46 percent said their company shares passwords for accounts used by multiple people. When this is happening, it’s clear that organizations either aren’t using MFA or are finding ways around it.

Clearly, MFA can’t work for everything. Let’s take a look at some best practices for using multi-factor authentication and where you should look when it doesn’t fit the bill.

What is multi-factor authentication?

Multi-factor authentication, or MFA, is simply an umbrella term for verifying the identity of end-users with a password and at least one other form of authentication. Initially, security vendors only offered two-factor authentication. Two-factor authentication, called dual authentication or 2FA, added another level to a User ID and password. Since then, security vendors have introduced new methods for authentication, which can be layered to create a multi-factor authentication solution.

MFA incorporates at least two of three authentication methods, according to the PCI Security Standards Council:

  • Something you know
  • Something you have
  • Something you are

An MFA security solution may also incorporate additional factors, such as geolocation data or a time component. Many services now send alerts or require additional authentication when you log into their service from a new device.

There are several options for achieving each method of authentication. Typically, “something you know” is simply a user ID and password, but MFA solutions can also require the end-user to submit a PIN or the answer to a secret challenge question, like the ones you often have to answer on your bank’s website.

“Something you have” traditionally required the use of tokens. A token acts as an electronic cryptographic key that unlocks the device or application, usually with an encrypted password or biometric data. Tokens are generally referred to as either “connected” or “disconnected.” Connected tokens are stored on hardware that holds a cryptographic certificate, key, or biometric data, such as an SD card on a phone, a USB token, tokens kept on smart cards, or an employee key fob. Disconnected tokens are generally only good for one use and can be delivered via RFID or Bluetooth, or users can manually enter them into the computer.

As websites have adopted MFA, “something you have” has expanded to mean the end user’s credit card or mobile phone, called mobile authentication. In mobile authentication, a one-time password (OTP) or PIN is generated and sent to the end user’s smartphone via text, although an added layer of security can be added by using an OTP app, a certificate, or a key stored on the phone. Mobile authentication is often seen as a cheaper and easier alternative to biometric authentication.

Biometric authentication

Identification by “something you are,” or biometric authentication, relies on either physical or behavioral characteristics. Physical characteristics include retina scans, iris scans, facial recognition, fingerprints, voice recognition, hand geometry, earlobe geometry, or hand vein patterns. Behavioral characteristics include keystroke dynamics, such as measuring the way a user types, how fast, or the length of the pause on a given key. While biometrics can require special equipment, some solutions simply leverage the sensors in smartphones.

Biometrics offers the most secure method of authentication, but there are problems. For example, some people’s fingers don’t always have enough minutiae points for the scanner to pick up, as is the case with workers who do heavy manual work with their hands, burn victims, or people with skin diseases. Attackers can also trick scanners simply by capturing the fingerprint. For more on the pros and cons of biometric solutions, as well as a list of select biometric vendors, see Biometric Authentication: How It Works.

Passwords alone won’t cut it

The unfortunate reality is that many people are lazy with their passwords, and even when they aren’t, brute-force attacks can crack many passwords in less than a day. Social engineering can crack even more, considering how many people include the names of their family members and birthdays. MFA is the bare minimum for securing networks and applications because passwords alone can be too easily hacked.

Two-factor authentication

The most common form of MFA is two-factor authentication, sometimes referred to as dual authentication, two-step verification, or 2FA. Two-factor authentication combines a user ID and password with at least one other method for confirming the user’s identity. A common approach to 2FA is to require a one-time password (OTP) sent via SMS to a cell phone or a credit card number.

Twitter, Google, Microsoft, Apple, Facebook, and Amazon all use SMS to support two-factor authentication, although they can also use push notifications on smartphones. Two-factor authentication is also being deployed for mobile security and by Internet of Things companies such as Nest to secure IoT devices.

Rise of multi-factor authentication

In recent years, more companies have turned to multi-factor authentication solutions to address their security and compliance concerns. A 2021 survey found that approximately 49 percent of businesses adopted MFA in reaction to the COVID-19 pandemic. With more employees working from home, their data was more at risk from weaker networks and personal devices.

Stratistics MRC estimates that the global multi-factor authentication market will reach $13.59 billion by 2022, spurred largely by growth in e-commerce, the increase in online transactions, network security threats, and legislative compliance. Banking, financial services, and insurance industries constitute the largest share of adopters, with North America leading adoption, according to Orbis Research.

But despite early adoption rates, businesses are neglecting their cloud environments when it comes to MFA. According to Alexander Weinert, Director of Identity Security at Microsoft, only 11 percent of enterprise cloud users have adopted MFA. And because attackers look for the path of least resistance, that leaves the other 89 percent extremely vulnerable.

MFA can be hacked

While MFA can prevent a lot of attacks, motivated bad actors aren’t going to let one extra layer of protection stop them. And it’s not hard for them to use social engineering to get around it, or else phishing attacks wouldn’t be so popular.

One way attackers have started to circumvent MFA is by calling victims and convincing them that someone has hacked their account. They tell the person they’re going to initiate a password reset on their end. When the victim receives a one-time password, they read that code to the attacker. Then, the attacker has everything they need to take over the account for good.

Alternatively, attackers can intercept text messages or emails meant to deliver your one-time passcodes, preventing you from knowing that anything was amiss. Through channel-jacking, attackers can use a software-defined radio to route incoming messages away from the intended recipient and into their own devices.

MFA use cases and considerations

MFA isn’t just for e-commerce sites or employees. Before adopting a multi-factor authentication solution, consider these other scenarios and issues:

B2B vendors

In 2017, New York State introduced new financial regulations requiring banks, insurance companies, and other financial services companies to establish and maintain cybersecurity programs that meet specific standards — including examining security at third-party vendors. Yet 32 percent of IT professionals don’t evaluate third-party vendors for security, according to a NAVEX Global survey. Don’t be one of them.

Security experts advise IT professionals to protect the entire information pipeline since even fourth-party vendors can present a security risk. One way to mitigate the risk is to require that vendors include multiple authentication methods. Be sure to outline the restrictive use of access and any repercussions for unauthorized or negligent behavior.

VPN Authentication

More employees are accessing enterprise applications and data remotely, which poses a security risk even with VPNs. Be sure to include VPNs when evaluating MFA solutions. However, as we’ve seen, MFA can be hacked, so employ other security methods alongside MFA for your VPN, such as zero trust and least-privilege access.

MFA for services

VPNs and traditional log-ins aren’t the only way hackers can access corporate data, of course. That’s why companies should consider two-factor authentication for services, advised Veracode co-founder and CTO Chris Wysopal. “If you’ve implemented two-factor authentication for remote access to your company, why aren’t you implementing two-factor authentication with all the services you’re using that also have access to your company’s data?” Wysopal told eSecurity Planet. “Try to keep parity with what you already thought was a good idea to do to yourself.”

We saw the effect third parties can have on data vulnerabilities with the SolarWinds breach in 2020. By accessing the SolarWinds network, the attackers gained a backdoor into thousands of networks using the service. MFA could potentially have added a layer of protection between the end-users and the threat.

Independence of the authentication

If security is a top concern, then look for a solution that offers out-of-band (OOB) authentication. Out-of-band authentication means that the authentication methods are delivered through a different network or channel, which adds another layer to the security. That might be as complex as requiring a physical token or as simple as sending a one-time password (OTP) via text to a smartphone.

One caveat: if the smartphone is also used to submit the OTP, you’ve lost the benefits of out-of-band, since the network is the same. That’s not a small issue, as many employees now use mobile devices to access corporate data, and smartphones can be lost or stolen fairly easily.

Where to look when MFA isn’t enough

As threats adapt, so too do security tools. While MFA can do a lot to protect your network, it won’t be enough for every scenario. MFA can’t protect servers, for example, because they contain too much and have too many entry points. Unlike applications that generally have just one way in (the login screen), servers might have different points of access for admins than they do users or applications.

Additionally, MFA doesn’t work when you’re looking at spoofed login pages, CEO fraud, or links to malware. Because authentication doesn’t matter in these scenarios, it won’t prevent an attacker from stealing your information or infecting your device with malware. Instead, you need other security measures in place to block these actions.

So, what should you have in place when MFA fails?

Zero trust network access

Employees shouldn’t be able to put in a password and access every piece of information on a network. They should only get access to the data and systems they need, and even with that, they’ll need to verify their identity before gaining entry. Zero trust network access (ZTNA) guards both the interior and exterior of a business’s network and keeps sensitive data more secure.

Zero trust protects against internal attacks that MFA can’t stop. Unfortunately, internal employees sometimes seek to use company data for their own gain, and they don’t need to get around MFA because they set it up. But, if ZTNA is in place, the employee won’t be able to access as much data, and they won’t be able to do as much damage. Additionally, abnormal behaviors, like accessing data late at night or from a different location, might automatically lock their account until IT investigates – a feature that’s also useful for stopping account takeovers.

Passwordless access

Clearly, passwords aren’t as secure as we’d like, but what’s the alternative? Passwordless authentication relies on something the person is, like biometrics, or something they possess, rather than something they know, as with password authentication. Key fobs are an example of passwordless access.

It’s easier for individuals to use, meaning they don’t resort to shadow IT practices, and the IT department gets greater visibility into each person’s activity. It can also lower operating costs by reducing the amount of helpdesk resources you spend helping users reset their passwords and the number of successful phishing attempts.

Privileged access management

Privileged access management (PAM) is similar to zero trust in that each employee only gets access to what they need to do their job, but its focus is only on the sensitive data, rather than the network as a whole. Each employee has a different account level depending on how IT expects them to interact with the data and systems the company uses. For example, while an accountant might have privileged access to financial information, they likely wouldn’t get customer records.

PAM limits the number of internal users that have access to sensitive information, so IT can better control its use. Additionally, it applies to both people and applications, helping to protect against third-party vulnerabilities. While PAM may include MFA as a part of authentication, it goes further in providing greater account control and security.

Identity access management

Identity access management (IAM), like PAM, ensures that employees only get access to the information and systems they need, but unlike PAM, it’s not only concerned with sensitive data. Instead, it encompasses all of the systems on the network and provides an audit trail for compliance purposes. IAM provides a single management console that IT can use to monitor the activity on each account and investigate strange behaviors.

IAM, too, often includes MFA, but it doesn’t rely solely on authentication to protect your data. Instead, it uses MFA as the first line of defense and then implements other features to protect beyond the perimeter.

Overall, MFA is a great tool to incorporate into your cybersecurity infrastructure, but it can’t be the only one. It will stop a lot of attacks, especially by bad actors looking for the path of least resistance, but you’ll need other security measures in place to stop motivated attackers. Zero trust, passwordless access, IAM, and PAM are all good options to consider.

Cybersecurity Risks of 5G – And How to Control Them https://www.esecurityplanet.com/mobile/5g-cybersecurity/ Wed, 01 Sep 2021 19:44:18 +0000

5G is on the cusp of widespread adoption.

Consumers and organizations are enthused about the operational benefits of more robust mobile connectivity, but the shift to 5G networks doesn’t come without risks. Service providers and 5G-enabled device manufacturers both have critical roles to play in the success and sustainability of this wireless network rollout. Beyond that, network administrators must be aware of 5G-enabled vulnerabilities and prepare for threat actors seeking to take advantage of a changing ecosystem.

Here we’ll discuss the most significant risks posed by 5G, how U.S. agencies are approaching the shift, what makes 5G different, and an analysis of deployment to date.

What Are the Cybersecurity Risks of 5G?

Exposing the Internet of Things (IoT) Universe

Consumer electronics, business, network appliances, and industrial IoT (IIoT) devices are all driving the exponential growth of IoT systems. 5G technology will improve some IoT use cases, thereby adding to the proliferation of IoT devices – a phenomenon individuals and organizations aren’t prepared to fully defend in the immediate future.

IoT products are notoriously vulnerable appliances because the build prioritizes ease of use and connectivity. Whether it’s a misconfiguration or inadequate security or patching, new vulnerabilities found in IoT systems seem to make the news every week.

Unfortunately, threat actors can also take advantage of 5G’s enhanced connectivity, executing network attacks faster than ever before. Hackers can spread malware via IoT networks, disrupt supply chains in development, and use a fleet of routers as an IoT botnet to launch a DDoS attack.

Network Slice Compromise

One benefit of 5G technology that enterprises are sure to take advantage of is creating private wireless networks in a process dubbed “network slicing.” By multiplexing virtualized and independent logical networks on a physical network, organizations can isolate network segments to specific client verticals.

SAP National Security Services (NS2) CISO Ted Wagner told eSecurityPlanet that network slicing “adds complexity, which may lend itself to insecure implementation. There are no secure implementation guides or standards for network operators. Insecure implementations may result in unauthorized access to threat actors and potential data breaches.”

In instances where network administrators operate several slices, including shared and dedicated network functions, this hybrid approach creates a deficiency in mapping between the application and transport layer identities. To be successful, an attacker must gain access to the 5G Service Based Architecture. From there, the risks posed are data access and a DoS attack on other network slices.

Another attack vector to be aware of is the prospect of CUPS hijacking. The CUPS model, or Control and User Plane Separation, isn’t new, but it shows how 5G relies on more virtualized workloads and cloud-based systems. Because CUPS enables network slicing and can distribute resources throughout the network, its compromise also presents a severe risk.

Give and Take: NFV, SDN, and Microservices

Network Functions Virtualization (NFV) is a virtualized network infrastructure where typical network functions – like firewalls, routing, and SD-WAN – can be installed as software through abstraction. NFV consists of virtual machines or containers and offers reduced costs, flexibility, faster deployment, and automation capabilities.

So how does NFV relate to 5G? Using virtualization, NFV systems enable network slicing. Like so much else, virtualization comes with inherent risk, as several systems could be running and controlled on a single physical device.

Complementary to NFV, software-defined networking (SDN) separates the control plane from the forwarding plane. Well suited to developing and deploying 5G microservices, SDN also exposes the network to threats like traffic spoofing and attacks on forwarding devices. API security will be a critical concern, as the APIs linking microservices across multiple virtualized systems are vulnerable to compromise. Such a compromise can result in NFV data breaches, resource exhaustion, or DDoS attacks.

Attacks at the Network Edge

Edge computing is the relatively new practice of processing traffic as close as possible to the client device and user. Naturally, IoT devices and the advanced connectivity of 5G are essential parts of edge computing’s evolution. On the edge security front, secure access to devices, safe application use, threat detection, vulnerability management, and patching cycles are all objectives.

Addressing concerns with multi-access edge computing (MEC), Wagner added, “The lack of a trusted computing environment of 5G components into the MEC could introduce unmitigated risk.”

One threat posed to 4G that remains a source of concern for 5G is the rogue base station (RBS). Also known as an international mobile subscriber identity (IMSI) catcher, an RBS spoofs a cell phone tower and diverts cell phone traffic to its desired location. This man-in-the-middle (MiTM) technique places the attacker between the mobile client and the mobile network. They can steal sensitive information, tamper with data, track users, execute packet injections, or cause DoS for 5G services.

NTIA and CISA: Memos from the Feds

In a year where cybersecurity’s gotten its share of major media attention, the U.S. federal government is actively seeking opportunities to assist private and public organizations in meeting the cyber challenges of today.

The NTIA and CISA published reports defining the national strategy for effectively developing and implementing 5G infrastructure and the threat vectors posed by this change.

National Strategy to Secure 5G (NTIA)

The National Telecommunications and Information Administration (NTIA) released its National Strategy to Secure 5G implementation plan starting in January. The program includes four initiatives for U.S. interests now and in the years to come:

  1. Facilitate domestic rollout of 5G: Research and develop advanced communications to maintain 5G leadership and incentivize and leverage trusted supply chain partners
  2. Assess and identify 5G Infrastructure security principles: Evaluate risks and vulnerabilities of domestic/international suppliers, 5G infrastructure, and supply chains
  3. Address 5G risks to U.S. infrastructure in deployment: Identify incentives and policies to close gaps, build economic viability, and incorporate the private sector
  4. Promote responsible global development of 5G: Engage diplomatically with international partners to ensure risk mitigation, standards, collaboration, and more

5G Infrastructure Threat Vectors (CISA)

In May, the ever-growing Cybersecurity and Infrastructure Security Agency (CISA) published a white paper entitled Potential Threat Vectors to 5G Infrastructure. The report outlines established 5G threat vectors and threat scenarios for 1) policy and standards, 2) supply chains, and 3) 5G system architectures.

Policy and Standards

Global standards set for 5G must be open, transparent, and consensus-driven. Untrusted proprietary technologies that fail to meet these standards pose lingering threats and inefficiencies to their clients. Within telecommunications, standards bodies should be more vigilant in mandating optional security controls that reduce the risk of cyberattacks.

Supply Chains

Information and communications technologies (ICT) have a diverse supply chain vulnerable to added exposure when adopting 5G infrastructure machinery and systems. With billions of devices in the prospective 5G pool, the threat of malicious counterfeit or inherited components from compromised vendors or tools enables the spread of malware.

5G Systems Architecture

While it’s still the early days of 5G deployment, there’s already much to learn about the threats posed. A list of sub-threat vectors exists for the network architecture, including network slicing, multi-access edge computing (MEC), spectrum sharing, software-defined networking (SDN), and the switch from 4G legacy communications to 5G networks.

A graphic showing how wireless networks evolved over the years in terms of bandwidth, frequency, latency, and average speed. 5G is the newest generation of telecommunication networks for wireless devices.

What is 5G? How is 5G Different?

4G LTE (Long-Term Evolution) and 5G NR (New Radio) are examples of radio access networks (RAN), where wireless device data can move from the receiver to mobile core network services like the internet. Both standards come from the 3rd Generation Partnership Project (3GPP), a consortium of international telecommunications standards organizations.

The above graphic shows how wireless capabilities like latency, average data transfer speeds, and bandwidth have changed over time.

Exponential growth in capabilities like lower latency, more substantial bandwidth, and higher average speeds present a new world of opportunities for mobile connectivity. Today’s RANs, using 5G frequencies, open the door for service providers to offer cloud gaming, extended reality (XR), and autonomous device management.

How 5G Goes Beyond 4G

5G adds a number of advancements over 4G:

  • Data transfer rates up to 10 Gbps
  • A new generation of satellites offering 100% coverage of Earth
  • Lower latency, down from 20-50 milliseconds to less than 10 ms
  • Shorter frequencies and more band types mean 1000x bandwidth per unit area
  • Up to 90% more energy efficient per traffic unit (Nokia)
  • 5G can support up to 1 million devices per square kilometer, up from 4G’s 4,000 devices

Objectives for 5G Implementation

In September 2019, former FCC chairman Tom Wheeler and retired Rear Admiral David Simpson, USN, wrote Why 5G requires new approaches to cybersecurity for the Brookings Institution. Two years later, we reflect on their insights then and what’s changed.

At the time, implementation was on the horizon, while today, we are amidst 5G deployment globally. With federal officials’ recent uptick in cybersecurity strategy, the two overarching recommendations Wheeler and Simpson made were reasonably prudent.

Incentivizing a Cyber Duty of Care

Companies everywhere must develop a culture where cyber risk receives treatment as an essential corporate duty – and further, organizations get rewarded for such behavior. To accomplish this, proposed solutions included:

  • Proactive investment in cyber risk reduction for organizations of all sizes
  • Utilizing cognitive technologies to combat more complex, software-based attacks
  • Transparent access to up-to-date indicators of compromise (IoC) and threat intelligence
  • More and robust cybersecurity processes to meet the needs of 5G network complexity
  • Inserting security into the DevOps cycle, including design, deployment, and sustainment
  • Implementing the NIST Cybersecurity Framework for best practices (see graphic below)

A graphic showing the five core functions of the NIST Cybersecurity Framework: 1. Identify, 2. Protect, 3. Detect, 4. Respond, and 5. Recover.

A New Cyber Paradigm

While public and regulatory agencies have long been reactive institutions, the speed of innovation in the digital age requires swifter action. Wheeler and Simpson’s second point was that traditional public institutions must do the work to meet the prospects of an ever-digital society. These considerations include:

  • Mandate standards for non-government suppliers considering integrated supply chains
  • Increase inspection and certification of critical network and infrastructure devices
  • Enhance consumer transparency about cyber risks with spec standards and labeling
  • Recognize market shortcomings and develop incentives for cyber duty of care adoption
  • Continue oversight and participate in the secure development of 5G with 3GPP
  • Establish a more effective public-private partnership for collective security

Analyzing Progress and What’s To Come

Two years later, there’s much to cheer about and concerns that remain. Touching on the authors’ recommendations, here is where we stand today:

Progress Points

  • Rapid increases in cybersecurity spending, with Gartner forecasting total security and risk management spending to exceed $150 billion in 2021 (up 12.4% from 2020)
  • Cybersecurity products and service providers are inserting AI and ML into security capabilities to meet attacks of growing complexity
  • U.S. federal agencies like CISA gain authority with rising cyberattacks requiring public support, an increasing budget from Congress, and political lobbying
  • DevOps is increasingly adopting cybersecurity to establish DevSecOps processes
  • The announcement of the U.S. Joint Cyber Defense Collaborative at Black Hat 2021 is promising for a growing collective response to cybersecurity threats

To Be Continued

  • Last December, the U.S. Congress passed the IoT Cybersecurity Act applying to government contractors, but regulation for industry vendors remains inefficient
  • Transparency for consumers is a work in progress that would mean more federal policies or standards relating to product specifications, labeling, and proper use of devices
  • While beneficial, NIST and CISA frameworks are only recommendations and do not hold organizations accountable to a cyber duty of care
  • Critical network and infrastructure devices continue to lack inspection and certification designations that could curb vulnerabilities
  • Lack of a rewards-based system for organizations meeting cybersecurity objectives

In June, the Ericsson Mobility Report projected over 580 million devices would have 5G subscriptions. By 2026, that number grows to near 3.5 billion 5G mobile subscriptions covering every region of the globe. Though full implementation won’t be fully realized for some time, CSPs and public and private stakeholders are all responsible for the sustainable development, deployment, and maintenance of 5G networks.

Between now and then, we continue to learn and develop adequate security systems to defend the next generation of wireless networks. Efforts to shore up identity, leverage zero trust frameworks, and authenticate devices will remain best practices for the immediate future.

Mobile Malware: Threats and Solutions https://www.esecurityplanet.com/mobile/mobile-malware-threats-and-solutions/ Wed, 11 Aug 2021 19:10:20 +0000

As users have increasingly moved from desktop operating systems to mobile devices as their primary form of computing, cyber attackers have taken notice and malware has followed. While the total volume of mobile malware is a fraction of that created for desktops, it is nonetheless a growing security concern, as more and more high-value and sensitive tasks are performed on mobile devices.

Mobile malware statistics

McAfee recently published a report stating that mobile malware infections in the fourth quarter of 2020 surpassed 40 million after steadily climbing earlier in the year. More than 3 million of those attacks represented new types of malware.

Check Point published mobile security research showing that 46% of respondents experienced employees downloading at least one malicious app during 2020. Another finding was that 97% of organizations dealt with mobile threats that used various attack vectors.

Types of mobile malware

There are several different forms of mobile malware, including some that specifically target handheld gadgets.

  • Adware: Though not all security professionals consider adware malicious, this threat category presents users with unwanted advertisements and may track their activities without consent. Security researchers at Kaspersky determined that it accounted for 61.43% of mobile malware detected in Q1 2021.
  • Trojans: As is the case on desktop, trojans provide a backdoor, enabling an attacker to execute code or control a device remotely. One such Android malware type identified in early 2021 can gather and exfiltrate data ranging from phone contacts to text messages and browser data while remaining hidden from users.
  • Keyloggers: Keyloggers, which also sometimes include screenscrapers, sit on a user’s device, logging all keystrokes in an attempt to find valuable information.
  • Bank trojans: This type of malware is particularly attractive to mobile attackers, as it combines a trojan with a keylogger. In March 2021, security researchers detected a new bank trojan they named Vultur. The team confirmed it has keylogging and screen-recording capabilities.
  • Ransomware: Though not nearly as common as it is on the desktop, ransomware is a type of malware that will encrypt a user’s data and hold it for “ransom” until the attacker is paid.

How mobile malware infects users

There are a variety of mechanisms by which different forms of mobile malware infect and exploit mobile devices.

  • Attacking known vulnerabilities: This is perhaps the most obvious form of attack, when attackers simply go after known issues. The challenge is that not all users can update their mobile operating systems as quickly as attackers put out mobile malware.
  • Permissions abuse: Different forms of malware (often adware) can get on mobile devices when applications are granted unnecessarily high permission levels. One recent investigation of the top 1,020 Google Play Store apps found that many asked for potentially dangerous permissions. For example, 77% wanted to read external storage.
  • Malware preinstalled on phones: Some mobile malware comes on phones out of the box. One report warned how this problem often affects developing nations and residents who use low-end devices. It also recently cropped up in the German market when new phones included mobile malware that could send malicious WhatsApp messages.
  • Distribution through app stores: The vast majority of malware and malware-integrated apps come from third-party app stores. A 2020 report found that the Xiaomi app store was the most likely place to come across dangerous mobile apps. More well-known sites — such as Apple’s App Store and the Google Play Store — have stringent quality controls, and are less frequently impacted.

Mobile attacks beyond malware

While malware can often be a payload in a mobile attack, non-malware-based attacks often hit mobile users.

  • Authentication attacks: Many different types of authentication attacks aim to steal user credentials or trick users into inputting their credentials into a fraudulent web page or app.
  • Man-in-the-middle (MiTM): In a MiTM attack, the data stream from the app to the back-end web service is not properly configured for encryption, enabling an attacker to potentially intercept mobile traffic. This type of attack can occur in a Wi-Fi hotspot, for example.

Creating a mobile device policy

There are several different ways to keep mobile devices and users safe from mobile malware. For organizations, the best approaches often involve implementing a formal Bring Your Own Device (BYOD) or Enterprise Mobility Management (EMM) system.

Learn more about BYOD and EMM in the eSecurityPlanet guide to EMM.

When employers review BYOD device policies with their workforces, the coverage should explain how these devices and their content could pose dangers to a workplace network. Employee awareness helps minimize possible malware infections, whether workers clock in from an employer’s office or at home.

Educating employees on mobile threats

There are a few key things employees need to understand when it comes to mobile malware. Following cybersecurity best practices is a business necessity, since it reflects positively on companies and could lead to new customers.

Additionally, while it is possible to become infected with malware via the authorized, official Apple App Store or Google Play, it is significantly less likely. Users can also take precautionary measures to further reduce the risk. Jailbroken or rooted phones and software from unknown third-party sources are how most mobile malware reaches users.

It’s also useful to tell employees how certain industries may be more at risk for mobile malware than others. A 2020 report showed how three out of four phishing attempts targeting pharmaceutical employees also delivered malware to victims. Additionally, of those attacks, 35% tried to steal credentials.

Keeping your network safe from mobile malware

Mobile trojans can be used in some cases to create a zombie botnet that will attack a local network. Just like any other device connected to the network, mobile devices should always be monitored and logged for potentially malicious activities.

Beyond monitoring, implementing a Network Access Control (NAC) solution that provides both pre-admission and post-admission monitoring of device activity is recommended.

Mobile malware solutions

Unlike desktop software, which can come from any source, the default (and recommended) method to acquire mobile software is via an authorized app store. Both Apple and Google scan all applications in their respective app stores to detect any potentially malicious apps. Going a step further, Google Play Protect is a feature that periodically checks users’ phones for malware and alerts them.

Mobile malware solutions, much like their desktop counterparts, perform anti-virus and anti-spyware/adware scanning. Some provide additional scanning to prevent or limit the risk of phishing, and some issue permissions warnings when an app attempts to do something that requires more permissions than it should need.

These are some of the vendors offering mobile security software and solutions:

  • AVG Antivirus
  • Kaspersky
  • Eset
  • Norton Security
  • McAfee Mobile Security
  • Bitdefender
  • Malwarebytes
  • Fortinet
  • Avast
  • Comodo Cybersecurity
  • BullGuard
  • IBM Security
  • Sophos
  • Lookout

Start fighting back against mobile malware

This overview emphasizes why mobile malware is a growing threat. Fortunately, IT professionals can successfully manage the risks by remaining aware of attack methods and taking proactive measures against them.

The post Mobile Malware: Threats and Solutions appeared first on eSecurity Planet.
Apple Security Under Scrutiny Amid Fallout from NSO Spyware Scandal
https://www.esecurityplanet.com/mobile/apple-security-nso-spyware-scandal/
Wed, 21 Jul 2021 19:16:55 +0000
https://www.esecurityplanet.com/?p=18858

The post Apple Security Under Scrutiny Amid Fallout from NSO Spyware Scandal appeared first on eSecurity Planet.
Reports that the NSO Group’s Pegasus spyware was used by governments to spy on Apple iPhones used by journalists, activists, government officials and business executives are becoming a global controversy for NSO, Apple and a number of governments at the center of the scandal.

Amnesty International and Forbidden Stories – a Paris-based nonprofit media group that works with journalists – said earlier this week that users of the Israeli-developed spyware were able to hack into iPhone 11 and iPhone 12 devices, as well as Android devices, of tens of thousands of people – including a number of world leaders. The software has even been linked to the disappearance of the United Arab Emirates’ Princess Latifa.

The software is designed to enable users to remotely extract data – emails, messages and photos – from the devices as well as record calls and activate microphones and cameras. It can also grab conversations that occur on social media apps such as WhatsApp. NSO Group has argued for years that Pegasus is meant to help governments and law enforcement agencies fight back against global threats like crime and terrorism, but it’s becoming apparent that the software has been weaponized by hostile parties too.

Journalists, Government Officials Targeted

As first reported in The Guardian, a large data leak unveiled a list of more than 50,000 phone numbers of people who were in the crosshairs of NSO customers dating back to 2016, including more than 180 journalists worldwide. The revelations suggest that some Pegasus users, such as authoritarian governments, were using the spyware to track people who weren’t criminals or terrorists.

That has included such people as French President Emmanuel Macron and hundreds of other state leaders and government officials, whose phone numbers were on the list obtained by Amnesty International and Forbidden Stories as part of the Pegasus Project. The Israeli government reportedly has created a group to oversee damage control while other governments in such places as Hungary and Saudi Arabia are under fire for using the spyware.

The impact of the burgeoning scandal continues to ripple. Top public cloud provider Amazon Web Services (AWS) disabled all accounts linked to the Israeli company.

Apple Under Fire

Apple, which for years has loudly touted the security of its iPhones, is coming under pressure to work more closely with other device makers to push back against technology like Pegasus.

In a statement to journalists, Apple officials argued that the company has worked with security experts outside of the company, which has resulted in the iPhone being “the safest, most secure consumer mobile device on the market.” They also looked to tamp down concern that the Pegasus situation is a widespread problem.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals,” the Apple statement said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

However, Danna Ingleton, deputy director of Amnesty Tech, said in a statement that “Apple prides itself on its security and privacy features, but NSO Group has ripped these apart. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised. … This is a global concern. Anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”

Mobile Security, Privacy at Issue

Oliver Tavakoli, CTO at cybersecurity firm Vectra, told eSecurity Planet that “it’s clear that the iOS iMessage service is a bit of a mess from a security perspective.”

“Apple has added more and more functionality to it and every piece of functionality comes with the potential for exploitable vulnerabilities,” Tavakoli said. “Also, the fact that iMessage does not distinguish how it handles inbound messages from known contacts vs. perfect strangers opens phones up to exploitation from anywhere. Accepting processing messages from anyone is the equivalent of running a network connected to the internet with no firewall.”

To Setu Kulkarni, vice president of strategy at NTT Application Security, this is a moment to rally around tech companies as they push back against software like Pegasus, adding that “the line between acceptable surveillance (if any) and privacy intrusion is very thin.”

“For Apple and other manufacturers, this is a moment of reckoning to get further entrenched with the governments to create more checks and balances while they make their platform more impenetrable for bad actors,” Kulkarni told eSecurity Planet. “For lawmakers, this is a moment of reckoning as well to create consequences for misuse of such utilities.”

NSO Group Pushes Back

NSO Group officials in a statement denied the accusations in the initial report by Forbidden Stories, saying it is based on “wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of sources.” The company claimed that the data given to the group is “based on misleading interpretation of data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customer targets of Pegasus or any other NSO products.”

These services are available to anyone at any time and are commonly used by governments, they said.

However, NSO Group has also been linked to other privacy scandals, including the hacking of Amazon founder Jeff Bezos and journalist Jamal Khashoggi, a U.S. resident murdered in the Saudi embassy in Turkey. Both incidents occurred in 2018. A year later Facebook sued the company in a case involving a zero-day vulnerability in WhatsApp that targeted devices used by journalists, political activists and others. Google, Microsoft and Cisco Systems filed briefs supporting the lawsuit.

In 2020, the FBI began investigating the company for possibly spying on citizens and groups in the United States.

Spyware is Evolving

Researchers at Lookout, an endpoint-to-cloud security company, have watched Pegasus evolve since first spotting it in 2016, according to Chief Strategy Officer Aaron Cockerill.

“It has advanced to the point of executing on the target’s mobile device without requiring any interaction by the user, which means the operator only has to send the malware to the device,” Cockerill told eSecurity Planet. “Considering the number of apps iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or dating apps.”

There is a trend in which techniques used by the likes of NSO Group are being adopted by consumer-grade surveillance software and spyware vendors, which could put such powerful tools in the hands of many people. This is similar to the trend toward ransomware-as-a-service, which has made it possible for people with little experience to launch such attacks, he said.

“Mobile devices continue to be a primary attack vector for cyber criminals,” Cockerill said. “Mobile malware, surveillanceware and ransomware can take down infrastructure and track our every move as attackers target individuals where they are most vulnerable. Business executives with access to market data, technological research and infrastructure are highly valuable targets.”

As mobile devices like iOS and Android smartphones have become integral to daily life, “they need to be secured with as much – if not more – priority than any other device,” he said. “As smartphones continue to evolve, security continues to improve. However, so does the breadth and complexity of the existing software codebase, with millions of lines of code which need to be secured.”
