August 2023 - Page 2 of 3 - Appunti dalla rete

18 Tips to Improve the Remote Network Security of Your Business

30.07.2023

Post-COVID-19, with the rise of remote work, business network security has become paramount. The rapid shift to remote work unveiled numerous network vulnerabilities, risking data breaches, financial losses, and reputational harm.

No longer is a simple firewall enough; today’s remote security includes technologies from VPNs to cloud measures and the zero-trust model. Besides these tools, it’s crucial to recognize risks, such as shared passwords, outdated software, and insecure personal devices.

Here are some of the best tips to enhance your business’s remote security, guaranteeing safe and streamlined operations.

What is Business Remote Network Security?

Business remote network security encompasses measures safeguarding a company’s digital assets accessed from remote locations. Securing these connections has become paramount with the growth of remote work and evolving digital landscapes.

Who is Responsible for Remote Network Security?

The responsibility for ensuring that your remote network stays secure primarily rests with SecOps. They can combat cybersecurity risks via strong access controls, monitor remote access, update rules, and test remote access operations.

Cybersecurity teams now lead and manage secure remote access policies, processes, and technologies, though traditionally, it’s a network team’s role.

SecOps has gained prominence amid increasing cyber threats and a remote workforce. Their roles include:

Sharing passwords
Usage of software that breaches an organization’s security standards
Personal devices without encryption
Negligible or absent patching practices

Key attributes of a proficient SecOps team include:

Diverse expertise: SecOps teams boast a mix of professionals.
Advanced tools: They use cutting-edge tools for real-time monitoring and quick threat detection and response.
Cloud security management: Secure and manage cloud resources.
Automation and AI integration: Use automation and AI to address modern threats quickly.
Adherence to best practices: SecOps teams follow best practices, staying proactive against emerging threats.

How Does Remote Network Security Work?

Remote network security allows users to access resources anywhere without risking data or network integrity.

The basics of remote access: Users must install the remote software on the target devices. Once active, users log in, choose the target device, and its screen gets mirrored.
Securing endpoints: Secure all endpoints (PCs, smartphones) on networks with updated antivirus and adherence to security guidelines. Equip employees with tools and knowledge for protection.
Minimizing attack surfaces: Remote access, while convenient, introduces vulnerabilities. Ransomware, for example, frequently targets remote desktop protocols (RDP). It’s essential to configure firewalls to respond only to known IP addresses.
Implementing multi-factor authentication (MFA): MFA enhances security with multiple identifiers like passwords and tokens, granting access to verified users only.
Using VPNs: VPNs secure connections on public Wi-Fi but update software to prevent vulnerabilities.
Monitoring and logging: For remote work, update SIEM and firewall to handle home logins. Record and monitor all remote sessions in real-time, triggering alerts for suspicious activity.
User education: Informed users significantly bolster cyber defenses. Employees require training to spot threats.
Policy updates and role-based access control (RBAC): Updating policies across all devices is vital. Also, it’s important to grant access based on roles.

Why is Remote Network Security Important?

Robust remote network security is essential as businesses embrace remote work’s benefits, like flexibility and cost savings, while facing significant cybersecurity challenges.

Protecting data and operations in remote work is vital for business continuity and reputation. Companies must prioritize safeguarding digital assets and networks from threats and breaches.

Unprecedented growth in remote work: Over the last 5 years, remote work has grown by 44%, challenging traditional corporate network security perimeters as operations expand online.
Vulnerability to data breaches: Remote work surge led to more data breaches. Proxyrack found healthcare breaches costing $9.23 million and the finance sector averaging $5.27 million.
Targeted attacks: The U.S. faces 7,221,177 incidents per million people, the highest globally. The average breach cost for U.S. companies is $9,050,000.
More than just financial loss: Data breaches inflict enduring financial and reputational harm, eroding customer trust. To preserve brand integrity and loyalty, companies must prioritize cybersecurity.
The human element: Remote employees are vulnerable to cyberattacks due to personal devices and unsecured networks. Mistakes like phishing or weak passwords risk breaches.
The need for proactive defense: Businesses need a proactive approach to tackle remote data breaches: train employees, use secure clouds, and update technology and systems.

Advantages of Remote Network Security

Securing your remote networks offers significant advantages to businesses, particularly in an era marked by escalating cyber crimes and the rise of remote work. Let’s explore the four main benefits of implementing robust security measures.

Secure Your Network Everywhere, on Any Device

Remote network security protects data and systems, blocking unauthorized access from the company or personal devices.

Improved Endpoint Protection

Vulnerable endpoints, such as laptops and smartphones, attract cybercriminals. Maintaining the security of your networks ensures all endpoints remain protected. We use VPNs, multi-factor authentication, and security tools to reinforce endpoint safety.

Secure Web Access for All Employees

Employees frequently access online company resources. This security encrypts online interactions, granting access only to authorized users.

Raise Awareness of Security Issues

Empowering employees with remote security fosters cyber awareness. Training, updates, and drills cultivate a vigilant defense against threats.

18 Tips to Improve Your Remote Network Security

The digital shift has propelled many businesses towards a remote work model. With this evolution comes a heightened need to prioritize the security of your remote networks.

Here are 18 strategies to bolster your defenses:

Protect Endpoints for All Remote Users

Secure all devices connecting to the network to reduce breach risks.

Reduce Attack Surface in Remote Work

Frequently update and patch software. Also, practice access limitation.

Use Multi-Factor Authentication

Strengthen security by mandating multiple identification forms before granting access.

Use Password Managers

Urge employees to adopt password managers.

Implement Single Sign-on Technology

Streamline login: utilize a single set of credentials for multiple applications.

Use VPNs

By encrypting internet traffic, Virtual Private Networks ensure confidential data transmission.

Adjust Logs and Security Information Tracking

Consistently revise and refresh logs to pinpoint and address anomalous or unauthorized actions.

Educate Your Employees and Contractors

Equip everyone with knowledge on contemporary cybersecurity threats and best practices to foster an informed, watchful team.

Create Clear Remote Work Policies

Craft clear-cut rules guiding employees’ interaction with company resources during remote work.

Build Intrusion Prevention and Detection Systems

Set up systems to check the network for malevolent activities. This ensures you’re using preventive measures against detected threats.

Use Firewalls

Position firewalls as protective barriers, scrutinizing incoming and outgoing traffic to safeguard against potential risks.

Encrypt and Back-up Data

Prioritize encryption of sensitive data and consistently back up crucial information to avert data loss.

Use Secure Software

Opt for reputable software that aligns with the organizational security benchmarks.

Implement an Identity Access and Management (Iam) Framework

With IAM, manage user identities and their access rights, ensuring that only vetted individuals can tap into particular resources.

Build Service-Level Agreements With Third-Party Vendors

Hold third-party associates to the same security standards as your company.

Ensure Mobile Security

Prioritize mobile device security as usage rises, safeguarding organizational data access.

Implement Direct Application Access Processes

Let users directly access applications without jeopardizing the security of the primary network.

Secure Specific Remote Work Devices

Ensuring the security of devices designated for remote work goes beyond the hardware; it’s about integrating sound policies, technologies, and procedures.

Here’s a concise breakdown:

Criteria: Establish straightforward criteria for determining which employees are eligible for remote access.
Technologies & features: Opt for secure technologies offering valuable features like encryption.
IT resource access: Deploy specific IT assets.
Network resources: Guarantees a secure connection.
IT personnel: Assign dedicated staff.
Emergency protocols: Have a quick response strategy for emergencies like security breaches.
Integration: Integrate remote access security with other data protection measures.

Technologies Used for Business Remote Network Security

In the evolving landscape of remote work, businesses leverage advanced technologies to fortify their network security. These technologies protect sensitive data and ensure seamless operations across distributed teams.

Here’s a closer look at some of the pivotal technologies in use:

Endpoint Security

Endpoint security safeguards all user devices in a network, which is crucial for remote work and personal device use. It defends against cyber threats, ensuring data integrity.

Virtual Private Networks (VPN)

Business VPNs safeguard data between user devices and the company’s network, which is vital for remote workers accessing company resources securely.

Zero Trust Network Access (ZTNA)

ZTNA: “Never trust, always verify” principle replaces perimeters. Every user and device is verified for network access. It’s not a VPN alternative, the two work hand in hand to secure your assets.

Network Access Control

The technology assesses and enforces network access policies based on device health, update status, and more for compliance.

Single Sign-on

SSO simplifies login across apps, enhances convenience, saves time, and reduces password-related breaches.

Secure Access Service Edge (SASE)

SASE: Cloud-based service combining network and security functions for modern businesses.

The Future of Business Security in a Remote World

The digital age demands remote network security for businesses. Global events shift to remote work and expose traditional vulnerabilities. This article provides insights and actionable tips on securing your networks to bolster your business operations.

With evolving technology come evolving threats. To keep your business secure and efficient, stay informed, proactive, and adaptable to emerging challenges. By adopting these tools and strategies, you’ll confidently navigate the future of remote work securely.

Looking for a secure and seamless digital future for your business? Click here to book a consultation and enjoy strengthened security, tailor-made remote work solutions, and a robust digital infrastructure.

Source :
https://www.perimeter81.com/blog/network/business-remote-network-security

Cloud VPN vs. Traditional VPN: Which One’s Best for Your Business?

16.08.2023

Are you struggling to decide between a cloud VPN vs. traditional VPN for your business?

You’re not alone. Many companies grapple with this decision, still determining which option best meets their needs.

The pain of making the wrong choice is real. Opt for a solution that doesn’t align with your business needs, and you could face slow connection speeds, increased security risks, or even inflated costs. Worse, you might be locked into a solution that doesn’t scale with your business, leading to even more headaches.

The world of VPNs can be complex and confusing, with each type boasting its features, benefits, and drawbacks. It’s easy to feel overwhelmed, unsure of which path to take.

In this article, we’ll demystify the differences between cloud VPN vs. traditional VPN, providing you with the information you need to make an informed decision. We’ll explore how each type works, its advantages, and its key differences.

What is a Cloud VPN?

A Cloud VPN is a service that provides secure and private internet access to users. Cloud VPNs are hosted in the cloud, meaning they can be accessed from anywhere worldwide, making them an ideal choice for businesses with a remote workforce or multiple office locations.

Cloud VPNs are more scalable, flexible, and efficient than their traditional counterparts. They can quickly adapt to the needs of businesses, whether it’s accommodating growth, supporting mobile devices, or providing global accessibility.

This adaptability makes Cloud VPNs popular for companies looking to secure their data without sacrificing convenience or performance.

How Do Cloud VPNs Work?

Cloud VPNs create a secure pathway, an encrypted tunnel, between the user’s device and the internet. This tunnel acts as a safe conduit for data to travel, ensuring that all information passing through it’s protected from external threats such as hackers or malware.

When users connect to a Cloud VPN, their device communicates with the VPN server in the cloud. The server then encrypts the user’s data before it’s sent over the internet. This encryption makes the data unreadable to anyone who might intercept it, ensuring its security.

A Cloud VPN also masks the user’s IP address, replacing it with the IP address of the VPN server. This provides an additional layer of privacy, preventing third parties from tracking the user’s online activities or determining their physical location.

Types of Cloud VPNs

Businesses come in all shapes and sizes, and so do their networking needs. That’s why Cloud VPNs are versatile, offering different types to suit various requirements. Here are the two main types of Cloud VPNs:

Remote Access VPNs

Designed for the modern workforce, these VPNs allow individual users to securely access a private network from anywhere. Ideal for remote workers or teams spread across multiple locations, they ensure secure access to company resources.

Site-to-Site Connection VPNs

Site-to-site connection VPNs connect entire networks, providing a secure bridge for data to travel between different office locations or between a business and its partners or clients. Ideal for companies with multiple office locations.

The Main Benefits of Cloud VPNs

Cloud VPNs offer several advantages over traditional VPNs. These include:

Direct Cloud Access

Cloud VPNs provide direct access to cloud services, reducing latency and improving performance.

Global Accessibility

They are hosted in the cloud and can be accessed from anywhere worldwide.

Flexibility

They can be easily scaled up or down based on the needs of the business.

Scalability

They can support many users without the need for significant hardware investment.

Mobile Support

They are designed to work well with mobile devices, supporting the modern mobile workforce.

Cost Efficiency

They eliminate the need for expensive hardware and maintenance costs associated with traditional VPNs.

What is a Traditional VPN (remote VPN)?

A traditional VPN, also known as a remote VPN, is a technology that creates a secure connection over a less secure network between the user’s computer and a private network.

Remote workers widely use this technology to access company resources they wouldn’t otherwise be able to reach. It’s also used by individuals who want to ensure their online activity is private and secure.

How Do Remote VPNs Work?

A cloud VPN vs. traditional VPN comparison reveals how remote VPNs function. These systems create a secure tunnel between the user’s device and the VPN server. The data traveling through this tunnel is encrypted, offering a safe method for transmitting information between the remote user and the company network.

The VPN server, acting as a go-between, conceals your IP address and gives the impression that your traffic originates from its IP address. This covers your online activities from your ISP and creates the illusion that you’re located where the VPN server is. This can be particularly useful for accessing content that is region-restricted.

In a hosted VPN service, the server is maintained by a third-party provider, reducing the burden on your IT resources.

Advantages of Traditional VPNs

Traditional VPNs offer several benefits, including:

Security: Traditional VPNs use advanced encryption protocols to secure your data, protecting your information from hackers and other cyber threats.
Privacy: By masking your IP address, a VPN ensures that your online activities remain private.
Remote access: VPNs allow remote workers to securely access their company’s network from anywhere in the world.
Bypassing geo-restrictions: VPNs can make it appear as though you’re browsing from a different location, allowing you to access content that may be region-locked.
Cost-effective: Many VPN services are available at a relatively low cost, and the security benefits they provide can save businesses money in the long run by preventing data breaches.

Cloud VPN vs. Traditional VPN: the Main Differences

Regarding cloud VPN vs. traditional VPN, it’s essential to understand that both have strengths and weaknesses. However, the transition from traditional VPN to cloud VPN has really underscored how good the cloud is at addressing the limitations of traditional VPN technologies.

Cloud VPNs eliminate network choke points by allowing users to connect directly to the required network, whether cloud-based or on-premises. This direct connection reduces bandwidth consumption and latency, enhancing user experience.

Also, cloud VPNs centralize remote access security, simplifying setting up and maintaining security policies across all cloud platforms.

Unlike traditional VPNs, which have hard limits on bandwidth and user numbers, cloud VPNs can scale to meet changing business requirements. Still, as we delve deeper into the differences, you’ll see that the choice between cloud and traditional VPNs depends on your business’s needs.

Features

Cloud VPNs are known for their scalability, cost-efficiency, and enhanced security features. They’re implemented as cloud-based services, making them more flexible and globally accessible. On the other hand, traditional VPNs are network appliances that provide secure, remote access to company networks but may lack the flexibility and scalability of their cloud counterparts.

Performance

Performance is a key differentiator. Cloud VPNs, running in data centers, offer high-speed connections not limited by network speed, unlike hardware VPNs. They also eliminate backhaul, allowing users to connect directly to cloud-based networks, improving network performance and reducing latency.

Support

In terms of support, Cloud VPNs have an edge. They can quickly adopt new security features and vulnerability patches, making them more secure than on-premise VPNs. Traditional VPNs, however, may require more time and resources to implement such updates.

Pricing

Pricing is a significant factor in cloud VPN vs. traditional VPN. Cloud VPNs are generally more affordable, with usage-based VPN-as-a-Service (VPNaaS) fees being more cost-effective than the expenses associated with deploying, maintaining, and upgrading VPN hardware.

So, Which Should You Choose: A Cloud Vpn or a Traditional Vpn?

Choosing between a cloud VPN vs. a traditional VPN for your business largely depends on your specific needs and circumstances. However, it’s crucial to consider the evolution of technology and the increasing demand for robust, flexible, and secure networking solutions.

Cloud VPNs offer a more flexible and scalable solution than traditional VPNs. On the other hand, traditional VPNs have been a staple in the security landscape for decades.

However, as businesses adapt to an increasingly digital landscape, the demand for secure, remote access to resources is rising. This has led to the emergence of alternatives to both cloud VPN and traditional VPN.

Two such alternatives are:

Zero Trust Network Access (ZTNA): This modern approach to network access enhances security by verifying every connection attempt and limiting access privileges to only what users need to perform their tasks. This reduces the risk of data breaches and ensures a secure network environment.
Software-Defined Perimeter (SDP): Offering a flexible, scalable, and secure solution, the SDP model creates a dynamic, individualized perimeter for each user. This adaptability ensures robust security without compromising user experience, making it an attractive business option.

We offer a comprehensive solution that implements the Zero Trust model, providing businesses with a secure, flexible, and scalable alternative to both Cloud VPN and Traditional VPN. This solution combines the strengths of both ZTNA and SDP, ensuring that your business is equipped with the most robust and adaptable network security measures available today.

Ready to secure your business’s digital infrastructure and enhance your network’s performance? Want to benefit from a solution that aligns with your specific needs? Book a demo today!

Source :
https://www.perimeter81.com/blog/network/cloud-vpn-vs-traditional-vpn

What network ports are used by Synology DSM services?

Last updated: Aug 10, 2023

Details

The operations of DSM services require specific ports to be opened to ensure normal functionality. In this article, you can find the network ports and protocols required by DSM services for operations.

Resolution

Setup Utilities

Type	Port Number	Protocol
Synology Assistant	9999, 9998, 9997	UDP

Backup

Type	Port Number	Protocol
Active Backup for Business	5510 (Synology NAS)¹	TCP
Active Backup for Business	443 (vCenter Server and ESXi host), 902 (ESXi host), 445 (SMB for Hyper-V host), 5985 (HTTP for Hyper-V host), 5986 (HTTPS for Hyper-V host)	TCP
Data Replicator, Data Replicator II, Data Replicator III	9999, 9998, 9997, 137, 138, 139, 445	TCP
DSM 5.2 Data Backup, rsync, Shared Folder Sync, Remote Time Backup	873, 22 (if encrypted over SSH)	TCP
Hyper Backup (destination)	6281 (remote Synology NAS), 22 (rsync with transfer encryption enabled), 873 (rsync without transfer encryption)	TCP
Hyper Backup Vault	6281, For DSM 7.0 or above: 5000 (HTTP), 5001 (HTTPS)	TCP
DSM 5.2 Archiving Backup	6281	TCP
LUN Backup	3260 (iSCSI), 873, 22 (if encrypted over SSH)	TCP
Snapshot Replication	5566 (Advanced LUNs and shared folders)	TCP
Snapshot Replication	3261 (Legacy Advanced LUNs)	TCP

Download

Type	Port Number	Protocol
BT	For DSM 2.0.1 or above: 16881, For DSM 2.0.1-3.0401 or below: 6890-6999	TCP/UDP
eMule	4662	TCP
eMule	4672	UDP

Web Applications

Type	Port Number	Protocol
DSM	5000 (HTTP), 5001 (HTTPS)	TCP

Mail Service

Type	Port Number	Protocol
IMAP	143	TCP
IMAP over SSL/TLS	993	TCP
POP3	110	TCP
POP3 over SSL/TLS	995	TCP
SMTP	25	TCP
SMTP-SSL	465	TCP
SMTP-TLS	587	TCP

File Transferring

Type	Port Number	Protocol
AFP	548	TCP
CIFS/SMB	smbd: 139 (netbios-ssn), 445 (microsoft-ds)	TCP/UDP
CIFS/SMB	Nmbd: 137, 138	UDP
FTP, FTP over SSL, FTP over TLS	21 (command), 20 (data connection in Active Mode), 1025-65535 (data connection in Passive Mode)²	TCP
iSCSI	3260, 3263, 3265	TCP
NFS	111, 892, 2049	TCP/UDP
TFTP	69	UDP
WebDAV	5005, 5006 (HTTPS)	TCP

Packages

Type	Port Number	Protocol
Audio Station	1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 5353 (Bonjour service), 6001-6010 (AirPlay control/timing)	TCP/UDP
C2 Identity Edge Server	389 (LDAP), 7712 (HTTP), 8864	TCP
C2 Identity Edge Server	53	UDP
Central Management System	5000 (HTTP), 5001 (HTTPS)	TCP
CIFS Scale-out Cluster	49152-49252	TCP/UDP
CIFS Scale-out Cluster	17909, 17913, 19998, 24007, 24008, 24009-24045, 38465-38501, 4379	TCP
Cloud Station	6690	TCP
DHCP Server	53, 67, 68	TCP/UDP
DNS Server	53 (named)	TCP/UDP
LDAP Server (formerly Directory Server)	389 (LDAP), 636 (LDAP with SSL)	TCP
Download Station	5000 (HTTP), 5001 (HTTPS)	TCP
File Station	5000 (HTTP), 5001 (HTTPS)	TCP
Hybrid Share	50051 (catalog), 443 (API), 4222 (NATS)	TCP
iTunes Server	3689	TCP
Log Center (syslog server)	514 (additional port can be added)	TCP/UDP
Logitech® Media Server	3483, 9002	TCP
MailPlus Server	1344, 4190, 5000 (HTTP), 5001 (HTTPS), 5252, 8500 – 8520, 8893, 9526 – 9529, 10025, 10465, 10587, 11211, 11332 – 11334, 12340, 24245, 24246	TCP
MailPlus web client	5000 (HTTP), 5001 (HTTPS)	TCP
Mail Station	80 (HTTP), 443 (HTTPS)	TCP
Media Server	1900 (UPnP), 50001 (content browsing), 50002 (content streaming)	TCP/UDP
Migration Assistant	7400-7499 (DRBD), 22 (SSH)³	DRBD
Note Station	5000 (HTTP), 5001 (HTTPS)	TCP
Photo Station, Web Station	80 (HTTP), 443 (HTTPS)	TCP
Presto File Server	3360, 3361	TCP/UDP
Proxy Server	3128	TCP
RADIUS Server	1812, 18120	UDP
SMI-S Provider	5988 (HTTP), 5989 (HTTPS)	TCP
Surveillance Station	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Calendar	5000 (HTTP), 5001 (HTTPS)	TCP
Synology CardDAV Server	8008 (HTTP), 8443 (HTTPS)	TCP
Synology Chat	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Contacts	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Directory Server	88 (Kerberos), 389 (LDAP), 464 (Kerberos password change)	TCP/UDP
Synology Directory Server	135 (RPC Endpoint Mapper), 636 (LDAP SSL), 1024 (RPC), 3268 (LDAP GC), 3269 (LDAP GC SSL), 49152 (RPC)⁴, 49300-49320 (RPC)	TCP
Synology Drive Server	80 (link sharing), 443 (link sharing), 5000 (HTTP), 5001 (HTTPS), 6690 (file syncing/backup)	TCP
Synology High Availability (HA)	123 (NTP), ICMP, 5000 (HTTP), 5001 (HTTPS), 1234, 9997, 9998, 9999 (Synology Assistant), 874, 5405, 5406, 7400-7999 (HA)	TCP/UDP
Synology Moments	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Photos	5000 (HTTP), 5001 (HTTPS)	TCP
Video Station	1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 9025-9040, 5002, 5004, 65001 (for using the HDHomeRun network tuner)	TCP/UDP
Virtual Machine Manager	2379-2382 (cluster network), ICMP, 3260-3265 (iSCSI), 5000 (HTTP), 5001 (HTTPS), 5566 (replication), 16509, 16514, 30200-30300, 5900-5999 (QEMU), 2385 (Redis Server)	TCP
VPN Server (OpenVPN)	1194	UDP
VPN Server (PPTP)	1723	TCP
VPN Server (L2TP/IPSec)	500, 1701, 4500	UDP

Mobile Applications

Type	Port Number	Protocol
DS audio	5000 (HTTP), 5001 (HTTPS)	TCP
DS cam	5000 (HTTP), 5001 (HTTPS)	TCP
DS cloud	6690	TCP
DS file	5000 (HTTP), 5001 (HTTPS)	TCP
DS finder	5000 (HTTP), 5001 (HTTPS)	TCP
DS get	5000 (HTTP), 5001 (HTTPS)	TCP
DS note	5000 (HTTP), 5001 (HTTPS)	TCP
DS photo	80(HTTP), 443 (HTTPS)	TCP
DS video	5000 (HTTP), 5001 (HTTPS)	TCP
MailPlus	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Drive	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Moments	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Photos	5000 (HTTP), 5001 (HTTPS)	TCP

Peripheral Equipment

Type	Port Number	Protocol
Bonjour	5353	UDP
LPR	515	UDP
Network Printer (IPP)/CUPS	631	TCP
Network MFP	3240-3259	TCP
UPS	3493	TCP

System

Type	Port Number	Protocol
LDAP	389, 636 (SLAPD)	TCP
MySQL	3306	TCP
NTP	123	UDP
Resource Monitor/SNMP	161	TCP/UDP
SSH/SFTP	22	TCP
Telnet	23	TCP
WS-Discovery	3702	UDP
WS-Discovery	5357 (Nginx)	TCP

Notes:

For the backup destination of Synology NAS, Hyper-V, or physical Windows/Linux/macOS devices.
The default range varies according to your Synology product models.
For the SSH service that runs on a customized port, make sure the port is accessible.
Only Synology Directory Server version 4.10.18-0300 requires port 49152.

New SEC Cybersecurity Rules: What You Need to Know

By: Greg Young – Trendmicro
August 03, 2023
Read time: 4 min (1014 words)

The US Securities and Exchange Commission (SEC) recently adopted rules regarding mandatory cybersecurity disclosure. Explore what this announcement means for you and your organization.

On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted rules regarding mandatory cybersecurity disclosure. What does this mean for you and your organization? As I understand them, here are the major takeaways that cybersecurity and business leaders need to know:

Who does this apply to?

The rules announced apply only to registrants of the SEC i.e., companies filing documents with the US SEC. Not surprisingly, this isn’t limited to attacks on assets located within the US, so incidents concerning SEC registrant companies’ assets in other countries are in scope. This scope also, not surprisingly, does not include the government, companies not subject to SEC reporting (i.e., privately held companies), and other organizations.

Breach notification for these others will be the subject of separate compliance regimes, which will hopefully, at some point in time, be harmonized and/or unified to some degree with the SEC reporting.

Advice for security leaders: be aware that these new rules could require “double reporting,” such as for publicly traded critical infrastructure companies. Having multiple compliance regimes, however, is not new for cybersecurity.

What are the general disclosure requirements?

Some pundits have said “four days after an incident” but that’s not quite correct. The SEC says that “material breaches” must be reported “four business days after a registrant determines that a cybersecurity incident is material.”

We’ve hit the first squishy bit: materiality. Directing companies to disclose material events shouldn’t be necessary before there’s a mixed record of companies making materiality for public company operation. But what kind of cybersecurity incident would be likely to be important to a reasonable investor?

We’ve seen giant breaches that paradoxically did not move stock prices, and minor breaches that did the opposite. I’m clearly on the side of compliance and disclosure, but I recognize it is a gray area. Recently we saw some companies that had the MOVEit vulnerability exploited but had no data loss. Should they report? But in some cases, their response to the vulnerability was in the millions: how about then? I expect and hope there will be further guidance.

Advice for security leaders: monitor the breach investigation and monitor the analysis of materiality. Security leaders won’t often make that call but should give guidance and continuous updates to the CxO who are responsible.

The second squishy bit is that the requirement is the reporting should be made four days after determining the incident is material. So not four days after the incident, but after the materiality determination. I understand why it was structured this way, as a small indicator of compromise must be followed up before understanding the scope and nature of a breach, including whether a breach has occurred at all. But this does give a window to some of the foot-dragging for disclosure we’ve unfortunately seen, including product companies with vulnerabilities.

Advice for security leaders: make management aware of the four-day reporting requirement and monitor the clock once the material line is crossed or identified.

Are there extensions?

There are, but not because you need more time. Instead “The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.” Note that it specifically states that the Attorney General (AG) makes that determination, and the AG communicates this to the SEC. There could be some delegation of this authority within the Department of Justice in the future, but today it is the AG.

How does it compare to other countries and compliance regimes?

Breach and incident reporting and disclosure is not new, and the concept of reporting material events is already commonplace around the world. GDPR breach reporting is 72 hours, HHS HIPAA requires notice not later than 60 days and 90 days to individuals affected, and the UK Financial Conduct Authority (FCA) has breach reporting requirements. Canada has draft legislation in Bill C-26 that looks at mandatory reporting through the lens of critical industries, which includes verticals such as banking and telecoms but not public companies. Many of the world’s financial oversight bodies do not require breach notification for public companies in the exchanges they are responsible for.

Advice to security leaders: consider the new SEC rules as clarification and amplification of existing reporting requirements for material events rather than a new regime or something that is harsher or different to other geographies.

Is breach reporting the only new rule?

No, I’ve only focused on incident reporting in this post. There’s a few more. The two most noteworthy ones are:

Regulation S-K Item 106, requiring registrants to “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
Also specified is that annual 10-Ks “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

Bottom line

SEC mandatory reporting for material cybersecurity events was already a requirement under the general reporting requirements, however the timelines and nature of the reporting are getting real and have a ticking four-day timer on them.

Stepping back from the rules, the importance of visibility and continuous monitoring are the real takeaways. Time to detection can’t be at the speed of your least experienced analyst. Platform means unified visibility rather than a wall of consoles. Finding and stopping breaches means internal visibility must include a rich array of telemetry, and that it be continuously monitored.

Many SEC registrants have operations outside the US, and that means visibility needs to include threat intelligence that is localized to other geographies. These new SEC rules show more than ever that that cyber risk is business risk.

To learn more about cyber risk management, check out the following resources:

Source :
https://www.trendmicro.com/en_us/research/23/h/sec-cybersecurity-rules-2023.html

Cybersecurity Threat 1H 2023 Brief with Generative AI

By: Trend Micro
August 08, 2023
Read time: 4 min (1020 words)

How generative AI influenced threat trends in 1H 2023

A lot can change in cybersecurity over the course of just six months in criminal marketplaces. In the first half of 2023, the rapid expansion of generative AI tools began to be felt in scams such as virtual kidnapping and tools by cybercriminals. Tools like WormGPT and FraudGPT are being marketed. The use of AI empowers adversaries to carry out more sophisticated attacks and poses a new set of challenges. The good news is that the same technology can also be used to empower security teams to work more effectively.

As we analyze the major events and patterns observed during this time, we uncover critical insights that can help businesses stay ahead of risk and prepare for the challenges that lie ahead in the second half of the year.

AI-Driven Tools in Cybercrime

The adoption of AI in organizations has increased significantly, offering numerous benefits. However, cybercriminals are also harnessing the power of AI to carry out attacks more efficiently.

As detailed in a Trend research report in June, virtual kidnapping is a relatively new and concerning type of imposter scam. The scammer extorts their victims by tricking them into believing they are holding a friend or family member hostage. In reality, it is AI technology known as a “deepfake,” which enables the fraudster to impersonate the real voice of the “hostage” whilst on the phone. Audio harvested from their social media posts will typically be used to train the AI model.

However, it is generative AI that’s playing an increasingly important role earlier on in the attack chain—by accelerating what would otherwise be a time-consuming process of selecting the right victims. To find those most likely to pay up when confronted with traumatic content, threat groups can use generative AI like ChatGPT to filter large quantities of potential victim data, fusing it with geolocation and advertising analytics. The result is a risk-based scoring system that can show scammers at a glance where they should focus their attacks.

This isn’t just theory. Virtual kidnapping scams are already happening. The bad news is that generative AI could be leveraged to make such attacks even more automated and effective in the future. An attacker could generate a script via ChatGPT to then convert to the hostage’s voice using deepfake and a text-to-speech app.

Of course, virtual kidnapping is just one of a growing number of scams that are continually being refined and improved by threat actors. Pig butchering is another type of investment fraud where the victim is befriended online, sometimes on romance sites, and then tricked into depositing their money into fictitious cryptocurrency schemes. It’s feared that these fraudsters could use ChatGPT and similar tools to improve their conversational techniques and perhaps even shortlist victims most likely to fall for the scams.

What to expect

The emergence of generative AI tools enables cybercriminals to automate and improve the efficiency of their attacks. The future may witness the development of AI-driven threats like DDoS attacks, wipers, and more, increasing the sophistication and scale of cyberattacks.

One area of concern is the use of generative AI to select victims based on extensive data analysis. This capability allows cybercriminals to target individuals and organizations with precision, maximizing the impact of their attacks.

Fighting back

Fortunately, security experts like Trend are also developing AI tools to help customers mitigate such threats. Trend pioneered the use of AI and machine learning for cybersecurity—embedding the technology in products as far back as 2005. From those early days of spam filtering, we began developing models designed to detect and block unknown threats more effectively.

Trend’s defense strategy

Most recently, we began leveraging generative AI to enhance security operations. Companion is a cybersecurity assistant designed to automate repetitive tasks and thereby free up time-poor analysts to focus on high-value tasks. It can also help to fill skills gaps by decoding complex scripts, triaging and recommending actions, and explaining and contextualizing alerts for SecOps staff.

What else happened in 1H 2023?

Ransomware: Adapting and Growing

Ransomware attacks are becoming sophisticated, with illegal actors leveraging AI-enabled tools to automate their malicious activities. One new player on the scene, Mimic, has abused legitimate search tools to identify and encrypt specific files for maximum impact. Meanwhile, the Royal ransomware group has expanded its targets to include Linux platforms, signaling an escalation in their capabilities.

According to Trend data, ransomware groups have been targeting finance, IT, and healthcare industries the most in 2023. From January 1 to July 17, 2023, there have been 219, 206, and 178 successful compromises of victims in these industries, respectively.

Our research findings revealed that ransomware groups are collaborating more frequently, leading to lower costs and increased market presence. Some groups are showing a shift in motivation, with recent attacks resembling those of advanced persistent threat (APT) groups. To combat these evolving threats, organizations need to implement a “shift left” strategy, fortifying their defenses to prevent threats from gaining access to their networks in the first place.

Vulnerabilities: Paring Down Cyber Risk Index

While the Cyber Risk Index (CRI) has lowered to a moderate range, the threat landscape remains concerning. Smaller platforms are exploited by threat actors, such as Clop ransomware targeting MOVEIt and compromising government agencies. New top-level domains by Google pose risks for concealing malicious URLs. Connected cars create new avenues for hackers. Proactive cyber risk management is crucial.

Campaigns: Evading Detection and Expanding Targets

Malicious actors are continually updating their tools, techniques and procedures (TTP) to evade detection and cast a wider net for victims. APT34, for instance, used DNS-based communication combined with legitimate SMTP mail traffic to bypass security policies. Meanwhile, Earth Preta has shifted its focus to target critical infrastructure and key institutions using hybrid techniques to deploy malware.

Persistent threats like the APT41 subgroup Earth Longzhi have resurfaced with new techniques, targeting firms in multiple countries. These campaigns require a coordinated approach to cyber espionage, and businesses must remain vigilant against such attacks.

To learn more about Trend’s 2023 Midyear Cybersecurity Report, please visit: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/stepping-ahead-of-risk-trend-micro-2023-midyear-cybersecurity-threat-report

Source :
https://www.trendmicro.com/en_us/research/23/h/cybersecurity-threat-2023-generative-ai.html

The Journey to Zero Trust with Industry Frameworks

By: Alifiya Sadikali – Trendmicro
August 09, 2023
Read time: 4 min (1179 words)

Discover the core principles and frameworks of Zero Trust, NIST 800-207 guidelines, and best practices when implementing CISA’s Zero Trust Maturity Model.

With the growing number of devices connected to the internet, traditional security measures are no longer enough to keep your digital assets safe. To protect your organization from digital threats, it’s crucial to establish strong security protocols and take proactive measures to stay vigilant.

What is Zero Trust?

Zero Trust is a cybersecurity philosophy based on the premise that threats can arise internally and externally. With Zero Trust, no user, system, or service should automatically be trusted, regardless of its location within or outside the network. Providing an added layer of security to protect sensitive data and applications, Zero Trust only grants access to authenticated and authorized users and devices. And in the event of a data breach, compartmentalizing access to individual resources limits potential damage.

Your organization should consider Zero Trust as a proactive security strategy to protect its data and assets better.

The pillars of Zero Trust

At its core, the basis for Zero Trust is comprised of a few fundamental principles:

Verify explicitly. Only grant access once the user or device has been explicitly authenticated and verified. By doing so, you can ensure that only those with a legitimate need to access your organization’s resources can do so.
Least privilege access. Only give users access to the resources they need to do their job and nothing more. Limiting access in this way prevents unauthorized access to your organization’s data and applications.
Assume breach. Act as if a compromise to your organization’s security has occurred. Take steps to minimize the damage, including monitoring for unusual activity, limiting access to sensitive data, and ensuring that backups are up-to-date and secure.
Microsegmentation. Divide your organization’s network into smaller, more manageable segments and apply security controls to each segment individually. This reduces the risk of a breach spreading from one part of your network to another.
Security automation. Use tools and technologies to automate the process of monitoring, detecting, and responding to security threats. This ensures that your organization’s security is always up-to-date and can react quickly to new threats and vulnerabilities.

A Zero Trust approach is a proactive and effective way to protect your organization’s data and assets from cyber-attacks and data breaches. By following these core principles, your organization can minimize the risk of unauthorized access, reduce the impact of a breach, and ensure that your organization’s security is always up-to-date and effective.

The role of NIST 800-207 in Zero Trust

NIST 800-207 is a cybersecurity framework developed by the National Institute of Standards and Technology. It provides guidelines and best practices for organizations to manage and mitigate cybersecurity risks.

Designed to be flexible and adaptable for a variety of organizations and industries, the framework supports the customization of cybersecurity plans to meet their specific needs. Its implementation can help organizations improve their cybersecurity posture and protect against cyber threats.

One of the most important recommendations of NIST 800-207 is to establish a policy engine, policy administrator, and policy enforcement point. This will help ensure consistent policy enforcement and that access is granted only to those who need it.

Another critical recommendation is conducting continuous monitoring and having real-time risk-based decision-making capabilities. This can help you quickly identify and respond to potential threats.

Additionally, it is essential to understand and map dependencies among assets and resources. This will help you ensure your security measures are appropriately targeted based on potential vulnerabilities.

Finally, NIST recommends replacing traditional paradigms, such as implicit trust in assets or entities, with a “trust but verify” methodology. Adopting this approach can better protect your organization’s assets and resources from internal and external threats.

CISA’s Zero Trust Maturity Model

The Zero Trust Maturity Model (ZMM), developed by CISA, provides a comprehensive framework for assessing an organization’s Zero Trust posture. This model covers critical areas including:

Identity management: To implement a Zero Trust strategy, it is important to begin with identity. This involves continuously verifying, authenticating, and authorizing any entity before granting access to corporate resources. To achieve this, comprehensive visibility is necessary.
Devices, networks, applications: To maintain Zero Trust, use endpoint detection and response capabilities to detect threats and keep track of device assets, network connections, application configurations, and vulnerabilities. Continuously assess and score device security posture and implement risk-informed authentication protocols to ensure only trusted devices, networks and applications can access sensitive data and enterprise systems.
Data and governance: To maximize security, implement prevention, detection, and response measures for identity, devices, networks, IoT, and cloud. Monitor legacy protocols and device encryption status. Apply Data Loss Prevention and access control policies based on risk profiles.
Visibility and analytics: Zero Trust strategies cannot succeed within silos. By collecting data from various sources within an organization, organizations can gain a complete view of all entities and resources. This data can be analyzed through threat intelligence, generating reliable and contextualized alerts. By tracking broader incidents connected to the same root cause, organizations can make informed policy decisions and take appropriate response actions.
Automation and orchestration: To effectively automate security responses, it is important to have access to comprehensive data that can inform the orchestration of systems and manage permissions. This includes identifying the types of data being protected and the entities that are accessing it. By doing so, it ensures that there is proper oversight and security throughout the development process of functions, products, and services.

By thoroughly evaluating these areas, your organization can identify potential vulnerabilities in its security measures and take prompt action to improve your overall cybersecurity posture. CISA’s ZMM offers a holistic approach to security that will enable your organization to remain vigilant against potential threats.

Implementing Zero Trust with Trend Vision One

Trend Vision One seamlessly integrates with third-party partner ecosystems and aligns to industry frameworks and best practices, including NIST and CISA, offering coverage from prevention to extended detection and response across all pillars of zero trust.

Trend Vision One is an innovative solution that empowers organizations to identify their vulnerabilities, monitor potential threats, and evaluate risks in real-time, enabling them to make informed decisions regarding access control. With its open platform approach, Trend enables seamless integration with third-party partner ecosystems, including IAM, Vulnerability Management, Firewall, BAS, and SIEM/SOAR vendors, providing a comprehensive and unified source of truth for risk assessment within your current security framework. Additionally, Trend Vision One is interoperable with SWG, CASB, and ZTNA and includes Attack Surface Management and XDR, all within a single console.

Conclusion

CISOs today understand that the journey towards achieving Zero Trust is a gradual process that requires careful planning, step-by-step implementation, and a shift in mindset towards proactive security and cyber risk management. By understanding the core principles of Zero Trust and utilizing the guidelines provided by NIST and CISA to operationalize Zero Trust with Trend Vision One, you can ensure that your organization’s cybersecurity measures are strong and can adapt to the constantly changing threat landscape.

To read more thought leadership and research about Zero Trust, click here.

Source :
https://www.trendmicro.com/en_us/research/23/h/industry-zero-trust-frameworks.html

ChatGPT Highlights a Flaw in the Educational System

By: William Malik – Trendmicro
August 14, 2023
Read time: 4 min (1014 words)

Rethinking learning metrics and fostering critical thinking in the era of generative AI and LLMs

I recently participated in a conversation about artificial intelligence, specifically ChatGPT and its kin, with a group of educators in South Africa. They were concerned that the software would help students cheat.

We discussed two possible alternatives to ChatGPT: First, teachers could require that students submit handwritten homework. This would force students to at least read the material once before submitting it; Second, teachers could grade the paper submissions no higher than 89 percent (or a “B”), but that to get an “A,” the student would have to stand in front of the class and verbally discuss the material, their research, their conclusion, and answer any questions the teacher or other classmates might ask. (With that verbal defense of the ideas, the teacher might even waive the requirement for paper submission at all!)

The fundamental problem is that the grading system depends on homework. If education aims to teach an individual both a) a body of knowledge and b) the techniques of reasoning with that knowledge, then the metrics proving that achievement is misaligned.

One of the most quoted management scientists is Fredrick W. Taylor. He is most known for saying, “If you can’t measure it, you can’t manage it.” Interestingly, he never said that – which is fortunate because it is entirely wrong. People always manage things without metrics – from driving a car to raising children. He said: “If you measure it, you’ll manage it” – and he intended that as a warning. Whenever you adopt a metric, you will adjust your assessment of the underlying process in terms of your chosen metric. His warning is to be very careful about which metrics you choose.

Sometime in the past forty years, we decided that the purpose of education is to do well on tests. Unfortunately, that is also wrong. The purpose of education is to teach people to gather evidence and to think clearly about it. Students should learn how to judge various forms of evidence. They should understand rhetorical techniques (in the classical sense – how to render ideas clearly). They should be aware of common errors in thinking – the cognitive pitfalls we all fall into when rushed or distracted and logical fallacies which rob our arguments of their validity.

Large Language Models (LLMs) aggregate vast troves of text. Those data sources are not curated, so LLMs reflect the biases, logical limitations, and cognitive distortions in so much of what’s online. We are all familiar with early chatbots that were easily corrupted – the Microsoft chatbot Tay was perverted into being a racist resonator. (See “Twitter taught Microsoft’s AI Chatbot to be a Racist A**hole in Less than a Day” from The Verge, March 24, 2016, at https://www.theverge.com/2016/3/24/11297050/tay-microsoft-chatbot-racist accessed Aug 2023.)

LLMs do not think. They scan as much material as possible, then build a set of probabilities about which word is most likely to follow another word. If the word “pterodactyl” occurs in a text, then the next most likely word might be “soaring,” and “flying” might be in second place. If ChatGPT gets the word “pterodactyl” as input, it will put “soaring” next to it. This may look plausible to a person reading the output, but it cannot be correct. Correctness implies some kind of comprehension and judgment. ChatGPT does neither. It merely arranges words based on their statistical likelihood in the LLM’s database. We are now learning that LLMs that ingest computer-generated content become even more skewed – augmenting the likelihood of one word following another by rescanning the previous output. Over time, LLMs fed AI-generated content will drift farther and farther from actual human writing. The oft-mentioned hallucinations that LLMs generate will become more common as the distillation and amplification of the more likely subset of words leads to a contracted pool of possible machine-generated responses. Eventually – if we are not able to prevent LLMs from ingesting already-processed content – the output of ChatGPT will become more and more constrained, which, taken to the extreme, will yield one plot, one answer, one painting, and one outcome regardless of the specific input. Long before then, people will have abandoned LLM-based efforts for any activity that requires creativity.

Where can LLMs help? By sorting through bounded sets of information. That means an LLM trained on protein sequences could rapidly develop a most likely model for a protein that could attack a particular disease or interrupt an allergic reaction. In that case, the issue isn’t seeking creativity but rapidly scanning a set of nearly identical data overreactions to find the few that stand out enough to make a difference. A human doing this kind of work would quickly grow bored and likely make errors. LLMs can help science move quickly through vast quantities of data in closed domains. But when looking at an unbounded domain (art, poetry, fiction, movies, music, and the like), LLMs can only build average content, filling in the space between works. Artists seek to reach beyond the space their prior work defined.

The core problem with LLMs may be unsolvable. At this point, various organizations are exploring ways to tag AI-generated content (written and graphic) so humans can spend a moment assessing the accuracy and validity of the material. Of course, message digests can be corrupted and watermarks forged. A bad actor might maliciously tag authentic content as AI-generated. Recent developments include malicious ChatGPT variants designed to create BEC and phishing email content,

Students will always look for a shortcut, and that habit is difficult to overcome. In business, it will also be tempting for bureaucrats to use tools to simplify their tasks. How will your firm incorporate LLMs safely into your business processes? Organizations should consider how they will audit their internal procedures to ensure that LLM outputs are incorporated appropriately into communications. Imagine the potential for harm if some publicly traded company was found to have used an LLM to develop its annual financial report!

What do you think? Let me know in the comments below, or contact me @wjmalik@noc.social

Source :
https://www.trendmicro.com/en_us/research/23/h/chatgpt-flaw.html

OT Security is Less Mature but Progressing Rapidly

By: Kazuhisa Tagaya – Trendmicro
August 14, 2023
Read time: 2 min (638 words)

The latest study said that OT security is less mature in several capabilities than IT security, but most organizations are improving it.

e asked participants whether OT security for cybersecurity capabilities is less mature or more mature than IT in their organizations with reference to the NIST CSF.

As an average of all items, 39.5% answered that OT has a lower level of maturity. (18% answered OT security is more mature, and 36.4% at the same level)

Categorizing security capabilities into the five cores of the NIST CSF and aggregating them for each core, the most was that Detect is lower maturity in OT security than in IT. (42%)

Figure1: What security capabilities in OT are lower than IT (NIST CSF 5 Core)

Furthermore, looking at the specific security capabilities, the score of “Cyber event detection” is the most(45.7%).

Figure2: What security capabilities in OT are lower than IT (detail)

The OT environment has more diverse legacy assets, and protocol stacks dedicated to ICS/OT, making it difficult to implement sensors to detect malicious behavior or apply the patches on the assets. The inability to implement uniform measures in the same way as IT security is an obstacle to increasing the maturity level.

Detection in OT: Endpoint and Network

The survey asked respondents about their Endpoint Detection and Response (EDR) and Network Security Monitoring (NSM) implementations to measure their visibility in their OT environments. They answered whether EDR (including antivirus) was implemented in the following three places.

Server assets running commercial OS (Windows, Linux, Unix): 41%
Engineering (engineering workstations, instrumentation laptops, calibration and test equipment) assets running commercial OS (Windows, Unix, Linux): 34%
Operator assets (HMI, workstations) running commercial OS (Windows, Linux, Unix): 33%

In addition, 76% of organizations that have already deployed EDR said they plan to expand their deployment within 24 months.

We also asked whether NSM (including IDS) was implemented at the following levels referring to the Purdue model.

Purdue Level 4 (Enterprise): 30%
Purdue Level 3.5 (DMZ): 36%
Purdue Level 3 (Site or SCADA-wide): 38%
Purdue Level 2 (Control): 20%
Purdue Levels 1/0 (Sensors and Actuators): 8%

Like EDR, 70% of organizations that have already implemented NSM said they have plans to expand implementation within 24 months.

In this survey, EDR implementation rates tended to vary depending on the respondent’s industry and size of organization. The implementation rate of NSM was relatively high in DMZ and Level 3, and the implementation rate decreased according to the lower layers. But I think it is not appropriate to conclude the decisive trend from the average value in the questions, because there are variations in the places where they are implemented EDR and NSM depending on the organization. The implementation rate shown here is just a rough standard. Where and how much to invest depends on the environment and decision-making of the organization. Asset owners can use the result as a reference to see where to implement EDR and NSM and evaluate their implementation plans.

To learn about how to assess risk in your OT environment to invest appropriately, please refer to our practices of risk assessment in smart factories.

Reference:
Breaking IT/OT Silos with ICS/OT Visibility – 2023 SANS ICS/OT visibility survey

Source :
https://www.trendmicro.com/en_us/research/23/h/ot-security-2023.html

Top 10 AI Security Risks According to OWASP

By: Trend Micro
August 15, 2023
Read time: 4 min (1157 words)

The unveiling of the first-ever Open Worldwide Application Security Project (OWASP) risk list for large language model AI chatbots was yet another sign of generative AI’s rush into the mainstream—and a crucial step toward protecting enterprises from AI-related threats.

For more than 20 years, the Open Worldwide Application Security Project (OWASP) top 10 risk list has been a go-to reference in the fight to make software more secure. So it’s no surprise developers and cybersecurity professionals paid close attention earlier this spring when OWASP published an all-new list focused on large language model AI vulnerabilities.

OWASP’s move is yet more proof of how quickly AI chatbots have swept into the mainstream. Nearly half (48%) of corporate respondents to one survey said that by February 2023 they had already replaced workers with ChatGPT—just three months after its public launch. With many observers expressing concern that AI adoption has rushed ahead without understanding of the risks involved, the OWASP top 10 AI risk list is both timely and essential.

Large language model vulnerabilities at a glance

OWASP has released two draft versions of its AI vulnerability list so far: one in May 2023 and a July 1 update with refined classifications and definitions, examples, scenarios, and links to additional references. The most recent is labeled ‘version 0.5’, and a formal version 1 is reported to be in the works.

We did some analysis and found the vulnerabilities identified by OWASP fall broadly into three categories:

Access risks associated with exploited privileges and unauthorized actions.
Data risks such as data manipulation or loss of services.
Reputational and business risks resulting from bad AI outputs or actions.

In this blog, we take a closer look at the specific risks in each case and offer some suggestions about how to handle them.

1. Access risks

Of the 10 vulnerabilities listed by OWASP, four are specific to access and misuse of privileges: insecure plugins, insecure output handling, permissions issues, and excessive agency.

According to OWASP, any large language model that uses insecure plugins to receive “free-form text” inputs could be exposed to malicious requests, resulting in unwanted behaviors or the execution of unauthorized remote code. On the flipside, plugins or applications that handle large language model outputs insecurely—without evaluating them—could be susceptible to cross-site and server-side request forgeries, unauthorized privilege escalations, hijack attacks, and more.

Similarly, when authorizations aren’t tracked between plugins, permissions issues can arise that open the way for indirect prompt injections or malicious plugin usage.

Finally, because AI chatbots are ‘actors’ able to make and implement decisions, it matters how much free reign (i.e., agency) they’re given. As OWASP explains, “When LLMs interface with other systems, unrestricted agency may lead to undesirable operations and actions.” Examples include personal mail reader assistants being exploited to propagate spam or customer service AI chatbots manipulated into issuing undeserved refunds.

In all of these cases, the large language model becomes a conduit for bad actors to infiltrate systems.

2. Data risks

Poisoned training data, supply chain vulnerabilities, prompt injection vulnerabilities and denials of serviceare all data-specific AI risks.

Data can be poisoned deliberately by bad actors who want to harm an organization. It can also be distorted inadvertently when an AI system learns from unreliable or unvetted sources. Both types of poisoning can occur within an active AI chatbot application or emerge from the large language model supply chain, where reliance on pre-trained models, crowdsourced data, and insecure plugin extensions may produce biased data outputs, security breaches, or system failures.

With prompt injections, ill-meaning inputs may cause a large language model AI chatbot to expose data that should be kept private or perform other actions that lead to data compromises.

AI denial of service attacks are similar to classic DOS attacks. They may aim to overwhelm a large language model and deprive users of access to data and apps, or—because many AI chatbots rely on pay-as-you-go IT infrastructure—force the system to consume excessive resources and rack up massive costs.

3. Reputational and business risks

The final OWASP vulnerability (according to our buckets) is already reaping consequences around the world today:overreliance on AI. There’s no shortage of stories about large language models generating false or inappropriate outputs from fabricated citations and legal precedents to racist and sexist language.

OWASP points out that depending on AI chatbots without proper oversight can make organizations vulnerable to publishing misinformation or offensive content that results in reputational damage or even legal action.
Given all these various risks, the question becomes, “What can we do about it?” Fortunately, there are some protective steps organizations can take.

What enterprises can do about large language model vulnerabilities

From our perspective at Trend Micro, defending against AI access risks requires a zero-trust security stance with disciplined separation of systems (sandboxing). Even though generative AI has the ability to challenge zero-trust defenses in ways that other IT systems don’t—because it can mimic trusted entities—a zero-trust posture still adds checks and balances that make it easier to identify and contain unwanted activity. OWASP also advises that large language models “should not self-police” and calls for controls to be embedded in application programming interfaces (APIs).

Sandboxing is also key to protecting data privacy and integrity: keeping confidential information fully separated from shareable data and making it inaccessible to AI chatbots and other public-facing systems. (See our recent blog on AI cybersecurity policies for more.)

Good separation of data prevents large language models from including private or personally identifiable information in public outputs, and from being publicly prompted to interact with secure applications such as payment systems in inappropriate ways.

On the reputational front, the simplest remedies are to not rely solely on AI-generated content or code, and to never publish or use AI outputs without first verifying they are true, accurate, and reliable.

Many of these defensive measures can—and should—be embedded in corporate policies. Once an appropriate policy foundation is in place, security technologies such as endpoint detection and response (EDR), extended detection and response (XDR), and security information and event management (SIEM) can be used for enforcement and to monitor for potentially harmful activity.

Large language model AI chatbots are here to stay

OWASP’s initial work cataloguing AI risks proves that concerns about the rush to embrace AI are well justified. At the same time, AI clearly isn’t going anywhere, so understanding the risks and taking responsible steps to mitigate them is critically important.

Setting up the right policies to manage AI use and implementing those policies with the help of cybersecurity solutions is a good first step. So is staying informed. The way we see it at Trend Micro, OWASP’s top 10 AI risk list is bound to become as much of an annual must-read as its original application security list has been since 2003.

Next steps

For more Trend Micro thought leadership on AI chatbot security, check out these resources:

Source :
https://www.trendmicro.com/en_us/research/23/h/top-ai-risks.html

The Current Security State of Private 5G Networks

By: Trend Micro
August 18, 2023
Read time: 3 min (931 words)

Private 5G networks offer businesses enhanced security, reliability, and scalability. Learn more about why private 5G could be the future of secure networking.

Source :
https://www.trendmicro.com/en_us/research/23/h/private-5g-network-security.html