What do you think your username and password are worth to a hacker? According to CIO Africa, the latest threat and data research by Microsoft revealed that the average price for 1,000 hacked username and password pairs is roughly $0.97. What's more, stealing 400 million username and password combinations in bulk will earn a cybercriminal about $150.
There can be little doubt about why cybercriminals have our passwords in their sights. This is particularly the case in Africa, where businesses are more prone to cyberattacks than anywhere else in the world. According to one report, Kenya ranked second in Africa, suffering 28.3 million cyberattacks; South Africa ranked first with 32 million attacks.
With weak passwords, password spraying, and phishing as the access point for most attacks, identity is the new target for cyberthreats. For organizations looking to protect themselves, preventing their identities from being misused or stolen is now the greatest priority.
In the first edition of Cyber Signals, Microsoft's new quarterly cyber threat intelligence brief, Microsoft draws attention to the dangers of a growing mismatch between the scale of identity-focused attacks and the level of organizational preparedness.
The brief, which gives an expert perspective on the current threat landscape, is believed to be a valuable resource for Chief Information Security Officers in Kenya as they navigate a constantly changing threat landscape.
It aggregates insights from Microsoft's research and security teams on the front lines, including analysis of its 24 trillion security signals, combined with the intelligence it gathers by monitoring more than 40 nation-state groups and 140 threat groups.
The recently released research indicates that although threats have been increasing fast over the past two years, adoption of strong identity authentication, including multifactor authentication and passwordless solutions, remains low. Just 22 percent of users of Microsoft's cloud identity solution, Azure Active Directory, had implemented strong identity authentication protection as of December 2021.
However, the effects of a data breach are now front of mind for many businesses. According to Liquid Intelligent Technologies, Kenyan businesses have found that almost 71 percent of the cyberattacks against them were data breaches. As a result, 90 percent of IT decision-makers in Kenya have strengthened their cybersecurity posture in response to the shifting threat landscape.
Organizations in the Middle East and Africa (MEA) are paying closer attention to digital identities. As it stands, confirming user identities with an extra layer of security is a major priority over the next six to 18 months for 60 percent of businesses in MEA. Recognizing the risks that come with remote work and increased digitization, 75 percent of companies in MEA are actively investing in identity and access management.
The right multifactor authentication (MFA) and passwordless solutions can prevent a variety of threats, and according to Cyber Signals, basic security hygiene still protects against 98 percent of attacks.
There are four key recommendations for organizations that need to raise their level of security.
The first one is to enforce zero trust to reduce risk, with practices such as MFA and passwordless upgrades as part of the security baseline. Organizations can start with privileged accounts to gain protection quickly, then expand from there.
The second one is to prevent passwords from getting into the wrong hands by enabling MFA. They can take this a step further by excluding passwords and, at the same time, eradicating administrative privileges through passwordless MFA.
Although passwords are a primary target for attacks, they have long been the most important layer of security for everything in our digital lives. People are required to create complex and unique passwords, remember them, and change them frequently, which is highly inconvenient, and no one likes doing it. Ultimately, a passwordless future is a safer future.
The third recommendation is to regularly review account privileges. Privileged-access accounts, if hijacked, become powerful weapons that attackers can use to gain broader access to networks and resources. Your security teams should frequently audit access privileges, granting only the least privilege employees need to get their jobs done.
The fourth fundamental aspect of your security hygiene should be to properly review all tenant administrator users and accounts tied to delegated administrative privileges. This enables your organization to verify the authenticity of those users and their activities. Your security team should then disable or remove any unused delegated administrative privileges.
It is also important to appreciate that attackers are always raising the bar. But leading with identity-focused measures such as enforcing MFA, adopting passwordless solutions, and creating conditional access policies for all users dramatically increases protection for your devices and data too. Because identity is the new battleground, zero trust is the must-have weapon for fighting back.
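As an added example (not from the article or from Microsoft's Cyber Signals brief), the following PowerShell script puts the third and fourth recommendations into practice for an Azure AD tenant: it lists every member of every activated directory role, then flags members with no sign-in within the review window and admins who have not registered MFA. It assumes the Microsoft Graph PowerShell SDK (v2) and an Azure AD Premium P1/P2 licence, which sign-in activity reporting requires; the 90-day threshold is an assumption, and partner delegated admin relationships are outside its scope.

```powershell
# Added example, not code from the original article. Audits tenant directory
# roles for two conditions: role members that have not signed in recently
# (candidates for removal) and admins without MFA registered.
$StaleDays = 90   # assumed review window; align with your own access review policy

# AuditLog.Read.All is needed for signInActivity and the registration report.
Connect-MgGraph -NoWelcome -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
    "User.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# MFA registration status for every user Azure AD classifies as an admin.
$mfaByUpn = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All |
    ForEach-Object { $mfaByUpn[$_.UserPrincipalName] = $_.IsMfaRegistered }

$cutoff   = (Get-Date).AddDays(-$StaleDays)
$findings = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user objects carry sign-in activity; groups and service
        # principals assigned to roles deserve their own review.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property displayName, userPrincipalName, accountEnabled, signInActivity
        $last = $user.SignInActivity.LastSignInDateTime   # $null when the account has never signed in

        [pscustomobject]@{
            Role          = $role.DisplayName
            User          = $user.UserPrincipalName
            Enabled       = $user.AccountEnabled
            LastSignIn    = $last
            # $true only if the registration report listed this admin as MFA-registered
            MfaRegistered = ($mfaByUpn[$user.UserPrincipalName] -eq $true)
            Stale         = ($null -eq $last) -or ($last -lt $cutoff)
        }
    }
}

# Each row below needs a decision: remove the role assignment, disable the
# account, or require MFA registration before the next review cycle.
$findings | Where-Object { $_.Stale -or -not $_.MfaRegistered } |
    Sort-Object Role, User | Format-Table -AutoSize

Disconnect-MgGraph
```

Run the script read-only first and review the output with the role owners before removing assignments; the findings table can be piped to Export-Csv to keep a record of each review.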
In addition, it is beneficial to implement the following tips.
6 Important Tips For Receiving and Responding to Third-Party Security Disclosures
The first notification of your next threat or breach might come from outside your organization. It is therefore necessary to have these preparations in place so you can respond effectively to inbound security intelligence.
Organizations, large companies included, often don't learn about an intrusion or breach of their systems until an outside party such as a security researcher, law enforcement agency, or business partner warns them about it. The broadening range of attack methods, the increasing use of open-source components, and the adoption of cloud services have greatly expanded the attack surface at many organizations and made it difficult for security teams to discover threats on their own.
SolarWinds, for instance, did not know that intruders had invaded its systems and disseminated malware through its software until security vendor FireEye notified the company about the breach.
SolarWinds is one of the companies where a breach remained undetected for several months because nobody noticed it internally. So processes for receiving and responding to inbound security intelligence, whether a breach notification or information about a significant new threat from external parties, have proved crucial in recent years.
“Anyone who creates products or services that have a cyber element to them should have an intake process so that external entities can report potential issues that could have an impact on their product or services,” says John Hellickson, CxO adviser, cyber strategy at Coalfire.
Here, according to him and other stakeholders, are the six tips for effectively implementing such a capability:
1. Institute a Defined Policy for Vulnerability Disclosures
Ensure you communicate your organization's policy for vulnerability disclosures to any external entity that wants to report a security or privacy issue, says Pete Lindstrom, vice president of security research with IDC. Make known the organization's expectations for how to report vulnerabilities responsibly and provide an email address, phone number, or other channel through which an external party can report a security or privacy concern.
Clarify how the report or the information will be handled, investigated, and resolved. Make them aware of how long it might take to vet and resolve the issue, so they know the information has not been ignored.
Communicate to the third party the organization's policy for compensating them for their information, if you have one. If not, make sure the third party knows there will be no compensation for the information, Lindstrom notes.
"Managing the expectation of the third party is going to be crucial to your success and your reputation. Public-facing actors are not operating on your timeline. So, they must know exactly what to expect when they contact the organization with a security or privacy tip," he added.
Scott Crawford, research director, information security at S&P Global Market Intelligence, advises that organizations take advantage of guidance such as that contained in the ISO/IEC 30111 standard to formulate their vulnerability handling practices. Such standards can guide how to establish rules of engagement when dealing with third-party vulnerability disclosures, including rules about acceptable disclosures and exceptions, he said.
2. Put in Place an Internal Vulnerability Strategy
Regardless of whether or not you anticipate receiving security intelligence from an external source, it’s often a good idea to have an internal, formal application security and vulnerability management strategy in place, Lindstrom says.
Organizations need to implement best practices like regular vulnerability scanning and prompt security patching to lessen the risk and likelihood of external parties finding and reporting vulnerabilities in the first place.
“You should be actively seeking to make this an important part of your security program,” he says.
“You need to get your act together internally before you can start thinking about engaging with outside researchers.”
"Additionally, it's good practice for organizations to perform dry runs on example scenarios that may be product-specific, involving the executive team and legal counsel as appropriate," says Hellickson. "Tabletop exercises also are a great source of security awareness education as well."
3. Incorporate a Mechanism for Responding to External Tips
Ensure that your incident management team has a plan for responding to security disclosures from external entities like bug hunters, business partners, law enforcement, or customers. Just as an enterprise incident handling team has procedures for responding to alerts received from internal security tools, computing systems, network sensors, and other sources, they also need some for investigating and responding to security intelligence from an outside source, says Hellickson. “Every incident handling and response process should have a clearly defined process to prioritize, vet, and triage any given source of intelligence to the point of resolution.”
The process should have built-in escalation paths, with team members having identified ahead of time their roles and duties for such incidents, Hellickson says.
Given the abundance of cyberattacks, every organization should have a defined incident handling and response plan that details the step-by-step procedure for receiving information about a possible incident and for triaging it appropriately.
Incident management teams need to be prepared to drop everything if needed to respond to a vulnerability disclosure in production code, says Kevin Dunne, president at Pathlock. "Left unresolved, these vulnerabilities will often be sold on the black market and can be exploited if not remedied quickly."
4. Get Ready to Incorporate Other Stakeholders
The IT/security organization has to be in control of the mailbox or phone number that receives tips from external sources. It should also be best placed to investigate and remedy any reported issues. However, it's important to have a plan in place to quickly engage members of other groups across the organization if needed, because there's no telling how events might play out when engaging with an external security researcher or bug hunter, Lindstrom says.
For instance, a researcher might want to be compensated for revealing a vulnerability, but the organization may have no clear policy for handling such requests. In such a case, the security team might need someone from the legal department on hand to negotiate with the researcher.
Carelessly handling vulnerability disclosures can hurt an organization’s reputation and brand. So having members from the communication and marketing team can also be useful, Lindstrom says. “There are a lot of moving parts when it comes to handling vulnerability disclosures,” he says. “A lot of the risk revolves around the communication and reputation aspect of the whole thing.”
5. Consider Signing Up for Managed Vulnerability Coordination/Bug Bounty Programs
Big organizations and those with major public profiles should assess the possibility of signing up with organizations such as HackerOne and Bugcrowd, which coordinate vulnerability disclosures. Such programs provide external parties with a place to report vulnerability discoveries or privacy breaches responsibly.
Vulnerability disclosure programs give organizations a way to outsource much of the problem, Crawford of S&P Global Market Intelligence says. While such programs do not eliminate the need for a well-defined internal incident response capability, they can handle the initial steps of receiving reports from external vulnerability researchers and communicating with them. The programs offer third-party researchers and bug hunters a structured means to find bugs in an organization's applications and services in a way that minimizes risk to the organization, he says.
Many companies today solicit information from independent third-party researchers by way of published bug bounty or vulnerability disclosure programs, says Dunne. "The companies that can solicit information the most easily are usually those that have one or more consumer-facing services. So, industries like hospitality, retail, travel, and consumer finance often have the strongest programs," he says.
"Organizations who receive unsolicited intelligence from third-party researchers, but don't have a process for formally acknowledging it, should strongly consider putting one in place," Dunne says. Even if your organization doesn't provide a bounty for identified exploits and vulnerabilities, it is a good idea to have a plan for responding to and acknowledging disclosures and for communicating remediation plans to researchers and customers alike. "When exploits are reported but nothing is done, it is bad for the business," he says. "Failing to acknowledge exploits essentially communicates that the organization is not taking security seriously, and it doesn't value its customers' data."
6. Clearly State the Scope When Asking for Threat Intelligence
Companies contracting a vulnerability disclosure program or soliciting intelligence from independent researchers and bug hunters should carefully think through several critical issues, Dunne says. For instance, they need to decide whether to open the program to everyone or only to selected researchers.
They also have to identify the types of security issues or privacy issues they are most interested in uncovering. They need to have a plan in advance for testing a reported security issue. “Will the testing be done in the production environment? Or in a separate clone of production which is maintained for researchers?” he says.
Similarly, they have to decide in advance if they are willing to offer a reward or other compensation for vulnerability disclosure and whether that reward will be a standard fee or will go up based on the severity of the issue. “Is it more than the researcher might get by selling it on the black market?”
Cyber threat FAQs
Where Do Cyber Intelligence Analysts Collect Data?
Cyber threat intelligence analysts survey private and public sites to learn what criminals are doing. Just as an FBI agent may send someone to physically infiltrate a criminal gang, cyber intelligence analysts “hang out” in the digital underground, getting to know criminal tactics.
The digital underground comprises many online sites, marketplaces, and forums where criminals share information and tactics. This includes the darknet, the deep web, hacker forums, social media sites, and text sharing sites such as Pastebin and Pastie.
For example, if a cyber intelligence analyst sees that someone is selling your customers' Social Security numbers, your employees' login credentials, or countless other details online, they can warn you, and you can take action before the fraud occurs. At the same time, these analysts learn about the newest tactics and techniques used by criminals, and this information is used to strengthen your position in fighting fraud.
What Are the Steps in Cyber Intelligence?
Cyber intelligence can be divided into five major steps:
Planning — Summarizing the goals that you want to meet with your cyber intelligence. For example, if your goal is to reduce check fraud, you will collect data that reduces that risk.
Collection and processing — Developing your data acquisition strategy and implementing procedures and automated collection tools.
Analysis — Analyzing the data you have collected.
Production — Making sure that the data the cyber analysts are collecting meets your objectives and addresses the threats to your organization.
Dissemination and feedback — Using the collected data to make actionable decisions and give feedback on its usefulness.
Cyber intelligence is not a fixed process. It needs constant refinement to be effective, and once these five steps have been completed, the cycle starts over again, informed by the usefulness of the data and the feedback of the organization using it in its fight against crime and bank fraud.
What Are the Types of Cyber Threat Intelligence?
There are three types of cyber threat intelligence:
Strategic cyber threat intelligence looks at future and emerging threats to inform long-term decisions.
Operational cyber threat intelligence analyzes the historic capabilities and motivations of fraud artists and helps you decide how to allocate resources against real and perceived threats.
Tactical cyber threat intelligence looks at interactions between an active attack and an imminent threat and helps you determine which tactics to use right now.
What Are the Benefits of Cyber Threat Intelligence?
Cyber threat intelligence helps with early detection. In most cases, cyber intelligence spots attacks before they occur and helps financial institutions respond proactively. If an attack does happen, cyber threat intelligence enables a rapid breach response, which is crucial for minimizing the damage and recovering the data at risk as quickly as possible.
Cyber threat intelligence helps you to easily discover what info has been compromised, the source and scope of the breach, the attack instigator, and the steps you can take to minimize the harm.
Finally, cyber threat intelligence can keep all the stakeholders in your financial institution informed of the risks. When decision-makers appreciate the potential threats and repercussions of bank fraud, they become more willing to invest in solutions.