Attacks on 5G Infrastructure From Users’ Devices

By: Salim S.I.
September 20, 2023
Read time: 8 min (2105 words)

Crafted packets from cellular devices such as mobile phones can exploit faulty state machines in the 5G core to attack cellular infrastructure. Smart devices that critical industries such as defense, utilities, and the medical sectors use for their daily operations depend on the speed, efficiency, and productivity brought by 5G. This entry describes CVE-2021-45462 as a potential use case to deploy a denial-of-service (DoS) attack to private 5G networks.

5G unlocks unprecedented applications previously unreachable with conventional wireless connectivity to help enterprises accelerate digital transformation, reduce operational costs, and maximize productivity for the best return on investments. To achieve its goals, 5G relies on key service categories: massive machine-type communications (mMTC), enhanced mobile broadband (eMBB), and ultra-reliable low-latency communication (uRLLC).

With the growing spectrum for commercial use, usage and popularization of private 5G networks are on the rise. The manufacturing, defense, ports, energy, logistics, and mining industries are just some of the earliest adopters of these private networks, especially for companies rapidly leaning on the internet of things (IoT) for digitizing production systems and supply chains. Unlike public grids, the cellular infrastructure equipment in private 5G might be owned and operated by the user-enterprise themselves, system integrators, or by carriers. However, given the growing study and exploration of the use of 5G for the development of various technologies, cybercriminals are also looking into exploiting the threats and risks that can be used to intrude into the systems and networks of both users and organizations via this new communication standard. This entry explores how normal user devices can be abused in relation to 5G’s network infrastructure and use cases.

5G topology

In an end-to-end 5G cellular system, user equipment (aka UE, such as mobile phones and internet-of-things [IoT] devices), connect to a base station via radio waves. The base station is connected to the 5G core through a wired IP network.

Functionally, the 5G core can be split into two: the control plane and the user plane. In the network, the control plane carries the signals and facilitates the traffic based on how it is exchanged from one endpoint to another. Meanwhile, the user plane functions to connect and process the user data that comes over the radio area network (RAN).

The base station sends control signals related to device attachment and establishes the connection to the control plane via NGAP (Next-Generation Application Protocol). The user traffic from devices is sent to the user plane using GTP-U (GPRS tunneling protocol user plane). From the user plane, the data traffic is routed to the external network. 

Figure 1. The basic 5G network infrastructure

The UE subnet and infrastructure network are separate and isolated from each other; user equipment is not allowed to access infrastructure components. This isolation helps protect the 5G core from CT (Cellular Technology) protocol attacks generated from users’ equipment.

Is there a way to get past this isolation and attack the 5G core? The next sections elaborate on the how cybercriminals could abuse components of the 5G infrastructure, particularly the GTP-U.


GTP-U is a tunneling protocol that exists between the base station and 5G user plane using port 2152. The following is the structure of a user data packet encapsulated in GTP-U.

Figure 2. GTP-U data packet

A GTP-U tunnel packet is created by attaching a header to the original data packet. The added header consists of a UDP (User Datagram Protocol) transport header plus a GTP-U specific header. The GTP-U header consists of the following fields:

  • Flags: This contains the version and other information (such as an indication of whether optional header fields are present, among others).
  • Message type: For GTP-U packet carrying user data, the message type is 0xFF.
  • Length: This is the length in bytes of everything that comes after the Tunnel Endpoint Identifier (TEID) field.
  • TEID: Unique value for a tunnel that maps the tunnel to user devices

The GTP-U header is added by the GTP-U nodes (the base station and User Plane Function or UPF). However, the user cannot see the header on the user interface of the device. Therefore, user devices cannot manipulate the header fields.

Although GTP-U is a standard tunneling technique, its use is mostly restricted to CT environments between the base station and the UPF or between UPFs. Assuming the best scenario, the backhaul between the base station and the UPF is encrypted, protected by a firewall, and closed to outside access. Here is a breakdown of the ideal scenario: GSMA recommends IP security (IPsec) between the base station and the UPF. In such a scenario, packets going to the GTP-U nodes come from authorized devices only. If these devices follow specifications and implement them well, none of them will send anomalous packets. Besides, robust systems are expected to have strong sanity checks to handle received anomalies, especially obvious ones such as invalid lengths, types, and extensions, among others.

In reality, however, the scenario could often be different and would require a different analysis altogether. Operators are reluctant to deploy IPsec on the N3 interface because it is CPU-intensive and reduces the throughput of user traffic. Also, since the user data is perceived to be protected at the application layer (with additional protocols such as TLS or Transport Layer Security), some consider IP security redundant. One might think that for as long as the base station and packet-core conform to the specific, there will be no anomalies. Besides, one might also think that for all robust systems require sanity checks to catch any obvious anomalies. However, previous studies have shown that many N3 nodes (such as UPF) around the world, although they should not be, are exposed to the internet. This is shown in the following sections.


Figure 3. Exposed UPF interfaces due to misconfigurations or lack of firewalls; screenshot taken from Shodan and used in a previously published research

We discuss two concepts that can exploit the GTP-U using CVE-2021-45462. In Open5GS, a C-language open-source implementation for 5G Core and Evolved Packet Core (EPC), sending a zero-length, type=255 GTP-U packet from the user device resulted in a denial of service (DoS) of the UPF. This is CVE-2021-45462, a security gap in the packet core that can crash the UPF (in 5G) or Serving Gateway User Plane Function (SGW-U in 4G/LTE) via an anomalous GTP-U packet crafted from the UE and by sending this anomalous GTP-U packet in the GTP-U. Given that the exploit affects a critical component of the infrastructure and cannot be resolved as easily, the vulnerability has received a Medium to High severity rating.

GTP-U nodes: Base station and UPF

GTP-U nodes are endpoints that encapsulate and decapsulate GTP-U packets. The base station is the GTP-U node on the user device side. As the base station receives user data from the UE, it converts the data to IP packets and encapsulates it in the GTP-U tunnel.

The UPF is the GTP-U node on the 5G core (5GC) side. When it receives a GTP-U packet from the base station, the UPF decapsulates the outer GTP-U header and takes out the inner packet. The UPF looks up the destination IP address in a routing table (also maintained by the UPF) without checking the content of the inner packet, after which the packet is sent on its way.


What if a user device crafts an anomalous GTP-U packet and sends it to a packet core?

Figure 4. A specially crafted anomalous GTP-U packet
Figure 5. Sending an anomalous GTP-U packet from the user device

As intended, the base station will tunnel this packet inside its GTP-U tunnel and send to the UPF. This results in a GTP-U in the GTP-U packet arriving at the UPF. There are now two GTP-U packets in the UPF: The outer GTP-U packet header is created by the base station to encapsulate the data packet from the user device. This outer GTP-U packet has 0xFF as its message type and a length of 44. This header is normal. The inner GTP-U header is crafted and sent by the user device as a data packet. Like the outer one, this inner GTP-U has 0xFF as message type, but a length of 0 is not normal.

The source IP address of the inner packet belongs to the user device, while the source IP address of the outer packet belongs to the base station. Both inner and outer packets have the same destination IP address: that of the UPF.

The UPF decapsulates the outer GTP-U and passes the functional checks. The inner GTP-U packet’s destination is again the same UPF. What happens next is implementation-specific:

  • Some implementations maintain a state machine for packet traversal. Improper implementation of the state machine might result in processing this inner GTP-U packet. This packet might have passed the checks phase already since it shares the same packet-context with the outer packet. This leads to having an anomalous packet inside the system, past sanity checks.
  • Since the inner packet’s destination is the IP address of UPF itself, the packet might get sent to the UPF. In this case, the packet is likely to hit the functional checks and therefore becomes less problematic than the previous case.

Attack vector

Some 5G core vendors leverage Open5GS code. For example, NextEPC (4G system, rebranded as Open5GS in 2019 to add 5G, with remaining products from the old brand) has an enterprise offer for LTE/5G, which draws from Open5GS’ code. No attacks or indications of threats in the wild have been observed, but our tests indicate potential risks using the identified scenarios.

The importance of the attack is in the attack vector: the cellular infrastructure attacks from the UE. The exploit only requires a mobile phone (or a computer connected via a cellular dongle) and a few lines of Python code to abuse the opening and mount this class of attack. The GTP-U in GTP-U attacks is a well-known technique, and backhaul IP security and encryption do not prevent this attack. In fact, these security measures might hinder the firewall from inspecting the content.

Remediation and insights

Critical industries such as the medical and utility sectors are just some of the early adopters of private 5G systems, and its breadth and depth of popular use are only expected to grow further. Reliability for continuous, uninterrupted operations is critical for these industries as there are lives and real-world implications at stake. The foundational function of these sectors are the reason that they choose to use a private 5G system over Wi-Fi. It is imperative that private 5G systems offer unfailing connectivity as a successful attack on any 5G infrastructure could bring the entire network down.

In this entry, the abuse of CVE-2021-45462 can result in a DoS attack. The root cause of CVE-2021-45462 (and most GTP-U-in-GTP-U attacks) is the improper error checking and error handling in the packet core. While GTP-U-in-GTP-U itself is harmless, the proper fix for the gap has to come from the packet-core vendor, and infrastructure admins must use the latest versions of the software.

A GTP-U-in-GTP-U attack can also be used to leak sensitive information such as the IP addresses of infrastructure nodes. GTP-U peers should therefore be prepared to handle GTP-U-in-GTP-U packets. In CT environments, they should use an intrusion prevention system (IPS) or firewalls that can understand CT protocols. Since GTP-U is not normal user traffic, especially in private 5G, security teams can prioritize and drop GTP-U-in-GTP-U traffic.

As a general rule, the registration and use of SIM cards must be strictly regulated and managed. An attacker with a stolen SIM card could insert it to an attacker’s device to connect to a network for malicious deployments. Moreover, the responsibility of security might be ambiguous to some in a shared operating model, such as end-devices and the edge of the infrastructure chain owned by the enterprise. Meanwhile, the cellular infrastructure is owned by the integrator or carrier. This presents a hard task for security operation centers (SOCs) to bring relevant information together from different domains and solutions.

In addition, due to the downtime and tests required, updating critical infrastructure software regularly to keep up with vendor’s patches is not easy, nor will it ever be. Virtual patching with IPS or layered firewalls is thus strongly recommended. Fortunately, GTP-in-GTP is rarely used in real-world applications, so it might be safe to completely block all GTP-in-GTP traffic. We recommend using layered security solutions that combine IT and communications technology (CT) security and visibility. Implementing zero-trust solutions, such as Trend Micro™ Mobile Network Security, powered by CTOne, adds another security layer for enterprises and critical industries to prevent the unauthorized use of their respective private networks for a continuous and undisrupted industrial ecosystem, and by ensuring that the SIM is used only from an authorized device. Mobile Network Security also brings CT and IT security into a unified visibility and management console.

Source :

Electric Power System Cybersecurity Vulnerabilities

By: Mayumi Nishimura
October 06, 2023
Read time: 4 min (1096 words)

Digitalization has changed the business environment of the electric power industry, exposing it to various threats. This webinar will help you uncover previously unnoticed threats and develop countermeasures and solutions.

The Electric utility industry is constantly exposed to various threats, including physical threats and sophisticated national-level cyber attacks. It has been an industry that has focused on security measures. But in the last few years, power system changes have occurred. As OT becomes more networked and connected to IT, the number of interfaces between IT and OT increases, and various cyber threats that have not surfaced until now have emerged.

Trend Micro held a webinar to discuss these changes in the situation, what strategies to protect your company’s assets from the latest cyber threats, and the challenges and solutions in implementing these strategies.

This blog will provide highlights from the webinar and share common challenges in the power industry that emerged from the survey. We hope that this will be helpful to cybersecurity directors in the Electric utility industry who recognize the need for consistent security measures for IT and OT but are faced with challenges in implementing them.

Click here to watch the On-demand Webinar

Vulnerabilities in Electric Power Systems

In the webinar, we introduced examples of threats from “Critical Infrastructures Exposed and at Risk: Energy and Water Industries” conducted by Trend Micro. The main objective of this study was to demonstrate how easy it is to discover and exploit OT assets in the water and energy sector using basic open-source intelligence (OSINT) techniques. As a result of the investigation, it was possible to access the HMI remotely, view the database containing customer data, and control the start and stop of the turbine.

Figure1. Interoperability and Connected Resources
Figure1. Interoperability and Connected Resources

Cyberattacks Against Electric Power

Explained the current cyberattacks on electric power companies. Figure 2 shows the attack surface (attack x digital assets), attack flow, and ultimately, possible damage in IT and OT of energy systems.

An example of an attack surface in an IT network is an office PC that exploits VPN vulnerabilities. If attackers infiltrate the monitoring system through a VPN, they can seize privileges and gain unauthorized access to OT assets such as the HMI. There is also the possibility of ransomware being installed.

A typical attack surface in an OT network is a PC for maintenance. If this terminal is infected with a virus and a maintenance person connects to the OT network, the virus may infect the OT network and cause problems such as stopping the operation of the OT equipment.

To protect these interconnected systems, it is necessary to review cybersecurity strategies across IT, OT, and different technology domains.

Figure 2. Attack Surface Includes Both IT and OT
Figure 2. Attack Surface Includes Both IT and OT


We have organized the issues from People, Process, and Technology perspectives when reviewing security strategies across different technology domains such as IT and OT.

One example of people-related issues is labor shortages and skills gaps. The reason for the lack of skills is that IT security personnel are not familiar with the operations side, and vice versa. In the webinar, we introduced three ideas for approaches to solving these people’s problems.

The first is improving employee security awareness and training. From management to employees, we must recognize the need for security and work together. Second, to understand the work of the IT and OT departments, we recommend job rotation and workshops for mutual understanding. The third is documentation and automation of incident response. Be careful not to aim for automation. First, it is important to identify unnecessary tasks and reduce work. After that, we recommend automating the necessary tasks. We also provide examples of solutions for Process and Technology issues in the webinar.

 Figure 3. Need Consistent Cybersecurity across IT and OT
Figure 3. Need Consistent Cybersecurity across IT and OT

Finally, we introduced Unified Kill Chain as an effective approach. It extends and combines existing models such as Lockheed Martin’s Cyber KillChain® and MITER’s ATT&CK™ to show an attacker’s steps from initiation to completion of a cyber attack. The attacker will not be able to reach their goal unless all of these steps are completed successfully, but the defender will need to break this chain at some point, which will serve as a reference for the defender’s strategy. Even when attacks cross IT and OT, it is possible to use this approach as a reference to evaluate the expected attacks and the current security situation and take appropriate security measures in response.

Figure 4. Unified Kill Chain
Figure 4. Unified Kill Chain

The Webinar’s notes

To understand the situation and thoughts of security leaders in the Electric utility industry, we have included some of the survey results regarding this webinar. The webinar, held on June 29th, was attended in real time by nearly 100 people working in the energy sector and engaged in cybersecurity-related work.

When asked what information they found most helpful, the majority of survey respondents selected “consistent cybersecurity issues and solutions across IT and OT,” indicating that “consistent cybersecurity issues and solutions across IT and OT.” I am glad that I was able to help those who feel that there are issues in implementing countermeasures.

 Chart 1. Question What was the most useful information for you from today's seminar? (N=28)
Chart 1. Question What was the most useful information for you from today’s seminar? (N=28)

Also, over 90% of respondents answered “Agree” when asked if they needed consistent cybersecurity across IT and OT. Among those who chose “Agree”, 39% answered that they have already started some kind of action, indicating the consistent importance of cybersecurity in IT and OT.

 Chart 2. Do you agree with Need Consistent Cybersecurity across IT and OT? (N=28)
Chart 2. Do you agree with Need Consistent Cybersecurity across IT and OT? (N=28)

Lastly, I would like to share the results of a question asked during webinar registration about what issues people in this industry think about OT security. Number one was siloed risk and threat visibility, and number two was legacy system support. The tie for 3rd place was due to a lack of preparation for attacks across different NWs and lack of staff personnel/skills. There is a strong sense of challenges in the visualization of risks and threats, other organizational efforts, and technical countermeasures.

 Chart 3. Please select all of the challenges you face in thinking about OT cybersecurity. (N=55 multiple choice)
Chart 3. Please select all of the challenges you face in thinking about OT cybersecurity. (N=55 multiple choice)


The above is a small excerpt from the webinar. We recommend watching the full webinar video below if you are interested in the power industry’s future cybersecurity strategy.

Click here to watch the On-demand Webinar

In addition, Trend Micro reports introduced in the webinar and other reference links related to the energy industry can be accessed below.

Tech Paper
ICS/OT Security for the Electric Utility
Critical Infrastructures Exposed and at Risk: Energy and Water Industries

Electric utilities need to know cross domain attack

Electricity/Energy Cybersecurity: Trends & Survey Response

Source :

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

Release Date October 05, 2023
Alert CodeAA23-278A

A plea for network defenders and software manufacturers to fix common problems.


The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders:

  • Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses.
  • Software manufacturers must reduce the prevalence of these misconfigurations—thus strengthening the security posture for customers—by incorporating secure-by-design and -default principles and tactics into their software development practices.[1]

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of malicious actors exploiting the identified misconfigurations.

  • Remove default credentials and harden configurations.
  • Disable unused services and implement access controls.
  • Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.[2]
  • Reduce, restrict, audit, and monitor administrative accounts and privileges.

NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including:

  • Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
  • Eliminating default passwords.
  • Providing high-quality audit logs to customers at no extra charge.
  • Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.[3]

Download the PDF version of this report: PDF, 660 KB


Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13, and the MITRE D3FEND™ cybersecurity countermeasures framework.[4],[5] See the Appendix: MITRE ATT&CK tactics and techniques section for tables summarizing the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques, and the Mitigations section for MITRE D3FEND countermeasures.

For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.[6],[7]


Over the years, the following NSA and CISA teams have assessed the security posture of many network enclaves across the Department of Defense (DoD); Federal Civilian Executive Branch (FCEB); state, local, tribal, and territorial (SLTT) governments; and the private sector:

  • Depending on the needs of the assessment, NSA Defensive Network Operations (DNO) teams feature capabilities from Red Team (adversary emulation), Blue Team (strategic vulnerability assessment), Hunt (targeted hunt), and/or Tailored Mitigations (defensive countermeasure development).
  • CISA Vulnerability Management (VM) teams have assessed the security posture of over 1,000 network enclaves. CISA VM teams include Risk and Vulnerability Assessment (RVA) and CISA Red Team Assessments (RTA).[8] The RVA team conducts remote and onsite assessment services, including penetration testing and configuration review. RTA emulates cyber threat actors in coordination with an organization to assess the organization’s cyber detection and response capabilities.
  • CISA Hunt and Incident Response teams conduct proactive and reactive engagements, respectively, on organization networks to identify and detect cyber threats to U.S. infrastructure.

During these assessments, NSA and CISA identified the 10 most common network misconfigurations, which are detailed below. These misconfigurations (non-prioritized) are systemic weaknesses across many networks.

Many of the assessments were of Microsoft® Windows® and Active Directory® environments. This advisory provides details about, and mitigations for, specific issues found during these assessments, and so mostly focuses on these products. However, it should be noted that many other environments contain similar misconfigurations. Network owners and operators should examine their networks for similar misconfigurations even when running other software not specifically mentioned below.

1. Default Configurations of Software and Applications

Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include:

  • Default credentials
  • Default service permissions and configurations settings
Default Credentials

Many software manufacturers release commercial off-the-shelf (COTS) network devices —which provide user access via applications or web portals—containing predefined default credentials for their built-in administrative accounts.[9] Malicious actors and assessment teams regularly abuse default credentials by:

  • Finding credentials with a simple web search [T1589.001] and using them [T1078.001] to gain authenticated access to a device.
  • Resetting built-in administrative accounts [T1098] via predictable forgotten passwords questions.
  • Leveraging default virtual private network (VPN) credentials for internal network access [T1133].
  • Leveraging publicly available setup information to identify built-in administrative credentials for web applications and gaining access to the application and its underlying database.
  • Leveraging default credentials on software deployment tools [T1072] for code execution and lateral movement.

In addition to devices that provide network access, printers, scanners, security cameras, conference room audiovisual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may have privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device and compromise the domain [T1078.002].

Default Service Permissions and Configuration Settings

Certain services may have overly permissive access controls or vulnerable configurations by default. Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them.

Assessment teams regularly find the following:

  • Insecure Active Directory Certificate Services
  • Insecure legacy protocols/services
  • Insecure Server Message Block (SMB) service
Insecure Active Directory Certificate Services

Active Directory Certificate Services (ADCS) is a feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of Active Directory (AD) environments. ADCS templates are used to build certificates for different types of servers and other entities on an organization’s network.

Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges. These certificates and domain escalation paths may grant actors unauthorized, persistent access to systems and critical data, the ability to impersonate legitimate entities, and the ability to bypass security measures.

Assessment teams have observed organizations with the following misconfigurations:

  • ADCS servers running with web-enrollment enabled. If web-enrollment is enabled, unauthenticated actors can coerce a server to authenticate to an actor-controlled computer, which can relay the authentication to the ADCS web-enrollment service and obtain a certificate [T1649] for the server’s account. These fraudulent, trusted certificates enable actors to use adversary-in-the-middle techniques [T1557] to masquerade as trusted entities on the network. The actors can also use the certificate for AD authentication to obtain a Kerberos Ticket Granting Ticket (TGT) [T1558.001], which they can use to compromise the server and usually the entire domain.
  • ADCS templates where low-privileged users have enrollment rights, and the enrollee supplies a subject alternative name. Misconfiguring various elements of ADCS templates can result in domain escalation by unauthorized users (e.g., granting low-privileged users certificate enrollment rights, allowing requesters to specify a subjectAltName in the certificate signing request [CSR], not requiring authorized signatures for CSRs, granting FullControl or WriteDacl permissions to users). Malicious actors can use a low-privileged user account to request a certificate with a particular Subject Alternative Name (SAN) and gain a certificate where the SAN matches the User Principal Name (UPN) of a privileged account.

Note: For more information on known escalation paths, including PetitPotam NTLM relay techniques, see: Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints and Certified Pre-Owned, Active Directory Certificate Services.[10],[11],[12]

Insecure legacy protocols/services

Many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning, and relay techniques [T1557.001] to obtain domain hashes, system access, and potential administrative system sessions. Malicious actors frequently exploit these protocols to compromise entire Windows’ environments.

Malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one. If the requested system requires identification/authentication, the target computer will send the user’s username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plain text password [T1110.002].

Insecure Server Message Block (SMB) service

The Server Message Block service is a Windows component primarily for file sharing. Its default configuration, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. If SMB servers do not enforce SMB signing, malicious actors can use machine-in-the-middle techniques, such as NTLM relay. Further, malicious actors can combine a lack of SMB signing with the name resolution poisoning issue (see above) to gain access to remote systems [T1021.002] without needing to capture and crack any hashes.

2. Improper Separation of User/Administrator Privilege

Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures.

Assessment teams have observed the following common account separation misconfigurations:

  • Excessive account privileges
  • Elevated service account permissions
  • Non-essential use of elevated accounts
Excessive Account Privileges

Account privileges are intended to control user access to host or application resources to limit access to sensitive information or enforce a least-privilege security model. When account privileges are overly permissive, users can see and/or do things they should not be able to, which becomes a security issue as it increases risk exposure and attack surface.

Expanding organizations can undergo numerous changes in account management, personnel, and access requirements. These changes commonly lead to privilege creep—the granting of excessive access and unnecessary account privileges. Through the analysis of topical and nested AD groups, a malicious actor can find a user account [T1078] that has been granted account privileges that exceed their need-to-know or least-privilege function. Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain.

Elevated Service Account Permissions

Applications often operate using user accounts to access resources. These user accounts, which are known as service accounts, often require elevated privileges. When a malicious actor compromises an application or service using a service account, they will have the same privileges and access as the service account.

Malicious actors can exploit elevated service permissions within a domain to gain unauthorized access and control over critical systems. Service accounts are enticing targets for malicious actors because such accounts are often granted elevated permissions within the domain due to the nature of the service, and because access to use the service can be requested by any valid domain user. Due to these factors, kerberoasting—a form of credential access achieved by cracking service account credentials—is a common technique used to gain control over service account targets [T1558.003].

Non-Essential Use of Elevated Accounts

IT personnel use domain administrator and other administrator accounts for system and network management due to their inherent elevated privileges. When an administrator account is logged into a compromised host, a malicious actor can steal and use the account’s credentials and an AD-generated authentication token [T1528] to move, using the elevated permissions, throughout the domain [T1550.001]. Using an elevated account for normal day-to-day, non-administrative tasks increases the account’s exposure and, therefore, its risk of compromise and its risk to the network.

Malicious actors prioritize obtaining valid domain credentials upon gaining access to a network. Authentication using valid domain credentials allows the execution of secondary enumeration techniques to gain visibility into the target domain and AD structure, including discovery of elevated accounts and where the elevated accounts are used [T1087].

Targeting elevated accounts (such as domain administrator or system administrators) performing day-to-day activities provides the most direct path to achieve domain escalation. Systems or applications accessed by the targeted elevated accounts significantly increase the attack surface available to adversaries, providing additional paths and escalation options.

After obtaining initial access via an account with administrative permissions, an assessment team compromised a domain in under a business day. The team first gained initial access to the system through phishing [T1566], by which they enticed the end user to download [T1204] and execute malicious payloads. The targeted end-user account had administrative permissions, enabling the team to quickly compromise the entire domain.

3. Insufficient Internal Network Monitoring

Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.

Assessment teams have exploited insufficient monitoring to gain access to assessed networks. For example:

  • An assessment team observed an organization with host-based monitoring, but no network monitoring. Host-based monitoring informs defensive teams about adverse activities on singular hosts and network monitoring informs about adverse activities traversing hosts [TA0008]. In this example, the organization could identify infected hosts but could not identify where the infection was coming from, and thus could not stop future lateral movement and infections.
  • An assessment team gained persistent deep access to a large organization with a mature cyber posture. The organization did not detect the assessment team’s lateral movement, persistence, and command and control (C2) activity, including when the team attempted noisy activities to trigger a security response. For more information on this activity, see CSA CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks.[13]

4. Lack of Network Segmentation

Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.

Lack of segmentation between IT and operational technology (OT) environments places OT environments at risk. For example, assessment teams have often gained access to OT networks—despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network—by finding special purpose, forgotten, or even accidental network connections [T1199].

5. Poor Patch Management

Vendors release patches and updates to address security vulnerabilities. Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes:

  • Lack of regular patching
  • Use of unsupported operating systems (OSs) and outdated firmware
Lack of Regular Patching

Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Due to their ease of discovery—via vulnerability scanning [T1595.002] and open source research [T1592]—and exploitation, these systems are immediate targets for adversaries. Allowing critical vulnerabilities to remain on production systems without applying their corresponding patches significantly increases the attack surface. Organizations should prioritize patching known exploited vulnerabilities in their environments.[2]

Assessment teams have observed threat actors exploiting many CVEs in public-facing applications [T1190], including:

  • CVE-2019-18935 in an unpatched instance of Telerik® UI for ASP.NET running on a Microsoft IIS server.[14]
  • CVE-2021-44228 (Log4Shell) in an unpatched VMware® Horizon server.[15]
  • CVE-2022-24682, CVE-2022-27924, and CVE-2022-27925 chained with CVE-2022-37042, or CVE-2022-30333 in an unpatched Zimbra® Collaboration Suite.[16]
Use of Unsupported OSs and Outdated Firmware

Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched. Malicious actors can exploit vulnerabilities in these systems to gain unauthorized access, compromise sensitive data, and disrupt operations [T1210].

Assessment teams frequently observe organizations using unsupported Windows operating systems without updates MS17-010 and MS08-67. These updates, released years ago, address critical remote code execution vulnerabilities.[17],[18]

6. Bypass of System Access Controls

A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH) [T1550.002]. By mimicking accounts without the clear-text password, an actor can expand and fortify their access without detection. Kerberoasting is also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network.

7. Weak or Misconfigured MFA Methods

Misconfigured Smart Cards or Tokens

Some networks (generally government or DoD networks) require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used—because the smart card or token is required instead—there is still a password hash for the account that can be used as an alternative credential for authentication. If the password hash never changes, once a malicious actor has an account’s password hash [T1111], the actor can use it indefinitely, via the PtH technique for as long as that account exists.

Lack of Phishing-Resistant MFA

Some forms of MFA are vulnerable to phishing, “push bombing” [T1621], exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or “SIM swap” techniques. These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems. (See CISA’s Fact Sheet Implementing Phishing-Resistant MFA for more information.)[3]

For example, assessment teams have used voice phishing to convince users to provide missing MFA information [T1598]. In one instance, an assessment team knew a user’s main credentials, but their login attempts were blocked by MFA requirements. The team then masqueraded as IT staff and convinced the user to provide the MFA code over the phone, allowing the team to complete their login attempt and gain access to the user’s email and other organizational resources.

8. Insufficient ACLs on Network Shares and Services

Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives.

Actors can use commands, open source tools, or custom malware to look for shared folders and drives [T1135].

  • In one compromise, a team observed actors use the net share command—which displays information about shared resources on the local computer—and the ntfsinfo command to search network shares on compromised computers. In the same compromise, the actors used a custom tool, CovalentStealer, which is designed to identify file shares on a system, categorize the files [T1083], and upload the files to a remote server [TA0010].[19],[20]
  • Ransomware actors have used the SoftPerfect® Network Scanner, netscan.exe—which can ping computers [T1018], scan ports [T1046], and discover shared folders—and SharpShares to enumerate accessible network shares in a domain.[21],[22]

Malicious actors can then collect and exfiltrate the data from the shared drives and folders. They can then use the data for a variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. Assessment teams routinely find sensitive information on network shares [T1039] that could facilitate follow-on activity or provide opportunities for extortion. Teams regularly find drives containing cleartext credentials [T1552] for service accounts, web applications, and even domain administrators.

Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network’s topology, service tickets, or vulnerability scan data. In addition, teams regularly identify sensitive data and PII on shared drives (e.g., scanned documents, social security numbers, and tax returns) that could be used for extortion or social engineering of the organization or individuals.

9. Poor Credential Hygiene

Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes:

  • Easily crackable passwords
  • Cleartext password disclosure
Easily Crackable Passwords

Easily crackable passwords are passwords that a malicious actor can guess within a short time using relatively inexpensive computing resources. The presence of easily crackable passwords on a network generally stems from a lack of password length (i.e., shorter than 15 characters) and randomness (i.e., is not unique or can be guessed). This is often due to lax requirements for passwords in organizational policies and user training. A policy that only requires short and simple passwords leaves user passwords susceptible to password cracking. Organizations should provide or allow employee use of password managers to enable the generation and easy use of secure, random passwords for each account.

Often, when a credential is obtained, it is a hash (one-way encryption) of the password and not the password itself. Although some hashes can be used directly with PtH techniques, many hashes need to be cracked to obtain usable credentials. The cracking process takes the captured hash of the user’s plaintext password and leverages dictionary wordlists and rulesets, often using a database of billions of previously compromised passwords, in an attempt to find the matching plaintext password [T1110.002].

One of the primary ways to crack passwords is with the open source tool, Hashcat, combined with password lists obtained from publicly released password breaches. Once a malicious actor has access to a plaintext password, they are usually limited only by the account’s permissions. In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far.

Assessment teams have cracked password hashes for NTLM users, Kerberos service account tickets, NetNTLMv2, and PFX stores [T1555], enabling the team to elevate privileges and move laterally within networks. In 12 hours, one team cracked over 80% of all users’ passwords in an Active Directory, resulting in hundreds of valid credentials.

Cleartext Password Disclosure

Storing passwords in cleartext is a serious security risk. A malicious actor with access to files containing cleartext passwords [T1552.001] could use these credentials to log into the affected applications or systems under the guise of a legitimate user. Accountability is lost in this situation as any system logs would record valid user accounts accessing applications or systems.

Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining cleartext passwords. Assessment teams frequently discover cleartext passwords, allowing them to quickly escalate the emulated intrusion from the compromise of a regular domain user account to that of a privileged account, such as a Domain or Enterprise Administrator. A common tool used for locating cleartext passwords is the open source tool, Snaffler.[23]

10. Unrestricted Code Execution

If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.

Malicious actors often execute code after gaining initial access to a system. For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network.

Assessment teams and malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) [T1059.005] to establish initial access, persistence, and lateral movement. In addition, actors often use scripting languages [T1059] to obscure their actions [T1027.010] and bypass allowlisting—where organizations restrict applications and other forms of code by default and only allow those that are known and trusted. Further, actors may load vulnerable drivers and then exploit the drivers’ known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device [T1068].


Network Defenders

NSA and CISA recommend network defenders implement the recommendations that follow to mitigate the issues identified in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) as well as with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks.

The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.[24]

Mitigate Default Configurations of Software and Applications
MisconfigurationRecommendations for Network Defenders
Default configurations of software and applicationsModify the default configuration of applications and appliances before deployment in a production environment [M1013],[D3-ACH]. Refer to hardening guidelines provided by the vendor and related cybersecurity guidance (e.g., DISA’s Security Technical Implementation Guides (STIGs) and configuration guides).[25],[26],[27]
Default configurations of software and applications: Default CredentialsChange or disable vendor-supplied default usernames and passwords of services, software, and equipment when installing or commissioning [CPG 2.A]. When resetting passwords, enforce the use of “strong” passwords (i.e., passwords that are more than 15 characters and random [CPG 2.B]) and follow hardening guidelines provided by the vendor, STIGsNSA, and/or NIST [M1027],[D3-SPP].[25],[26],[28],[29]
Default service permissions and configuration settings: Insecure Active Directory Certificate ServicesEnsure the secure configuration of ADCS implementations. Regularly update and patch the controlling infrastructure (e.g., for CVE-2021-36942), employ monitoring and auditing mechanisms, and implement strong access controls to protect the infrastructure.If not needed, disable web-enrollment in ADCS servers. See Microsoft: Uninstall-AdcsWebEnrollment (ADCSDeployment) for guidance.[30]If web enrollment is needed on ADCS servers:Enable Extended Protection for Authentication (EPA) for Client Authority Web Enrollment. This is done by choosing the “Required” option. For guidance, see Microsoft: KB5021989: Extended Protection for Authentication.[31]Enable “Require SSL” on the ADCS server.Disable NTLM on all ADCS servers. For guidance, see Microsoft: Network security Restrict NTLM in this domain – Windows Security | Microsoft Learn and Network security Restrict NTLM Incoming NTLM traffic – Windows Security.[32],[33]Disable SAN for UPN Mapping. For guidance see, Microsoft: How to disable the SAN for UPN mapping – Windows Server. Instead, smart card authentication can use the altSecurityIdentities attribute for explicit mapping of certificates to accounts more securely.[34]Review all permissions on the ADCS templates on applicable servers. Restrict enrollment rights to only those users or groups that require it. Disable the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag from templates to prevent users from supplying and editing sensitive security settings within these templates. Enforce manager approval for requested certificates. Remove FullControlWriteDacl, and Write property permissions from low-privileged groups, such as domain users, to certificate template objects.
Default service permissions and configuration settings: Insecure legacy protocols/servicesDetermine if LLMNR and NetBIOS are required for essential business operations.If not required, disable LLMNR and NetBIOS in local computer security settings or by group policy.
Default service permissions and configuration settings: Insecure SMB serviceRequire SMB signing for both SMB client and server on all systems.[25] This should prevent certain adversary-in-the-middle and pass-the-hash techniques. For more information on SMB signing, see Microsoft: Overview of Server Message Block Signing. [35] Note: Beginning in Microsoft Windows 11 Insider Preview Build 25381, Windows requires SMB signing for all communications.[36]
Mitigate Improper Separation of User/Administrator Privilege
MisconfigurationRecommendations for Network Defenders
Improper separation of user/administrator privilege:Excessive account privileges,Elevated service account permissions, andNon-essential use of elevated accountsImplement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform, and review logs of user actions to detect unauthorized use and abuse. Apply least privilege principles to user accounts and groups allowing only the performance of authorized actions.Audit user accounts and remove those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.Restrict use of privileged accounts to perform general tasks, such as accessing emails and browsing the Internet [CPG 2.E],[D3-UAP]. See NSA Cybersecurity Information Sheet (CSI) Defend Privileges and Accounts for more information.[37]Limit the number of users within the organization with an identity and access management (IAM) role that has administrator privileges. Strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies.Implement time-based access for privileged accounts. For example, the just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. In cloud environments, just-in-time elevation is also appropriate and may be implemented using per-session federated claims or privileged access management tools.Restrict domain users from being in the local administrator group on multiple systems.Run daemonized applications (services) with non-administrator accounts when possible.Only configure service accounts with the permissions necessary for the services they control to operate.Disable unused services and implement ACLs to protect services.
Mitigate Insufficient Internal Network Monitoring
MisconfigurationRecommendations for Network Defenders
Insufficient internal network monitoringEstablish a baseline of applications and services, and routinely audit their access and use, especially for administrative activity [D3-ANAA]. For instance, administrators should routinely audit the access lists and permissions for of all web applications and services [CPG 2.O],[M1047]. Look for suspicious accounts, investigate them, and remove accounts and credentials, as appropriate, such as accounts of former staff.[39]Establish a baseline that represents an organization’s normal traffic activity, network performance, host application activity, and user behavior; investigate any deviations from that baseline [D3-NTCD],[D3-CSPP],[D3-UBA].[40]Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them [M1047].Implement a security information and event management (SIEM) system to provide log aggregation, correlation, querying, visualization, and alerting from network endpoints, logging systems, endpoint and detection response (EDR) systems and intrusion detection systems (IDS) [CPG 2.T],[D3-NTA].
Mitigate Lack of Network Segmentation
MisconfigurationRecommendations for Network Defenders
Lack of network segmentationImplement next-generation firewalls to perform deep packet filtering, stateful inspection, and application-level packet inspection [D3-NTF]. Deny or drop improperly formatted traffic that is incongruent with application-specific traffic permitted on the network. This practice limits an actor’s ability to abuse allowed application protocols. The practice of allowlisting network applications does not rely on generic ports as filtering criteria, enhancing filtering fidelity. For more information on application-aware defenses, see NSA CSI Segment Networks and Deploy Application-Aware Defenses.[41]Engineer network segments to isolate critical systems, functions, and resources [CPG 2.F],[D3-NI]. Establish physical and logical segmentation controls, such as virtual local area network (VLAN) configurations and properly configured access control lists (ACLs) on infrastructure devices [M1030]. These devices should be baselined and audited to prevent access to potentially sensitive systems and information. Leverage properly configured Demilitarized Zones (DMZs) to reduce service exposure to the Internet.[42],[43],[44]Implement separate Virtual Private Cloud (VPC) instances to isolate essential cloud systems. Where possible, implement Virtual Machines (VM) and Network Function Virtualization (NFV) to enable micro-segmentation of networks in virtualized environments and cloud data centers. Employ secure VM firewall configurations in tandem with macro segmentation.
Mitigate Poor Patch Management
MisconfigurationRecommendations for Network Defenders
Poor patch management: Lack of regular patchingEnsure organizations implement and maintain an efficient patch management process that enforces the use of up-to-date, stable versions of OSs, browsers, and software [M1051],[D3-SU].[45]Update software regularly by employing patch management for externally exposed applications, internal enterprise endpoints, and servers. Prioritize patching known exploited vulnerabilities.[2]Automate the update process as much as possible and use vendor-provided updates. Consider using automated patch management tools and software update tools.Where patching is not possible due to limitations, segment networks to limit exposure of the vulnerable system or host.
Poor patch management: Use of unsupported OSs and outdated firmwareEvaluate the use of unsupported hardware and software and discontinue use as soon as possible. If discontinuing is not possible, implement additional network protections to mitigate the risk.[45]Patch the Basic Input/Output System (BIOS) and other firmware to prevent exploitation of known vulnerabilities.
Mitigate Bypass of System Access Controls
MisconfigurationRecommendations for Network Defenders
Bypass of system access controlsLimit credential overlap across systems to prevent credential compromise and reduce a malicious actor’s ability to move laterally between systems [M1026],[D3-CH]. Implement a method for monitoring non-standard logon events through host log monitoring [CPG 2.G].Implement an effective and routine patch management process. Mitigate PtH techniques by applying patch KB2871997 to Windows 7 and newer versions to limit default access of accounts in the local administrator group [M1051],[D3-SU].[46]Enable the PtH mitigations to apply User Account Control (UAC) restrictions to local accounts upon network logon [M1052],[D3-UAP].Deny domain users the ability to be in the local administrator group on multiple systems [M1018],[D3-UAP].Limit workstation-to-workstation communications. All workstation communications should occur through a server to prevent lateral movement [M1018],[D3-UAP].Use privileged accounts only on systems requiring those privileges [M1018],[D3-UAP]. Consider using dedicated Privileged Access Workstations for privileged accounts to better isolate and protect them.[37]
Mitigate Weak or Misconfigured MFA Methods
MisconfigurationRecommendations for Network Defenders
Weak or misconfigured MFA methods: Misconfigured smart cards or tokens In Windows environments:Disable the use of New Technology LAN Manager (NTLM) and other legacy authentication protocols that are susceptible to PtH due to their use of password hashes [M1032],[D3-MFA]. For guidance, see Microsoft: Network security Restrict NTLM in this domain – Windows Security | Microsoft Learn and Network security Restrict NTLM Incoming NTLM traffic – Windows Security.[32],[33]Use built-in functionality via Windows Hello for Business or Group Policy Objects (GPOs) to regularly re-randomize password hashes associated with smartcard-required accounts. Ensure that the hashes are changed at least as often as organizational policy requires passwords to be changed [M1027],[D3-CRO]. Prioritize upgrading any environments that cannot utilize this built-in functionality.As a longer-term effort, implement cloud-primary authentication solution using modern open standards. See CISA’s Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture for more information.[47] Note: this document is part of CISA’s Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies to secure their cloud business application environments and to protect federal information that is created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project’s guidance is applicable to all organizations.[48]
Weak or misconfigured MFA methods: Lack of phishing-resistant MFAEnforce phishing-resistant MFA universally for access to sensitive data and on as many other resources and services as possible [CPG 2.H].[3],[49]
Mitigate Insufficient ACLs on Network Shares and Services
MisconfigurationRecommendations for Network Defenders
Insufficient ACLs on network shares and servicesImplement secure configurations for all storage devices and network shares that grant access to authorized users only.Apply the principal of least privilege to important information resources to reduce risk of unauthorized data access and manipulation.Apply restrictive permissions to files and directories, and prevent adversaries from modifying ACLs [M1022],[D3-LFP].Set restrictive permissions on files and folders containing sensitive private keys to prevent unintended access [M1022],[D3-LFP].Enable the Windows Group Policy security setting, “Do Not Allow Anonymous Enumeration of Security Account Manager (SAM) Accounts and Shares,” to limit users who can enumerate network shares.
Mitigate Poor Credential Hygiene
MisconfigurationRecommendations for Network Defenders
Poor credential hygiene: easily crackable passwords Follow National Institute of Standards and Technologies (NIST) guidelines when creating password policies to enforce use of “strong” passwords that cannot be cracked [M1027],[D3-SPP].[29] Consider using password managers to generate and store passwords.Do not reuse local administrator account passwords across systems. Ensure that passwords are “strong” and unique [CPG 2.B],[M1027],[D3-SPP].Use “strong” passphrases for private keys to make cracking resource intensive. Do not store credentials within the registry in Windows systems. Establish an organizational policy that prohibits password storage in files.Ensure adequate password length (ideally 25+ characters) and complexity requirements for Windows service accounts and implement passwords with periodic expiration on these accounts [CPG 2.B],[M1027],[D3-SPP]. Use Managed Service Accounts, when possible, to manage service account passwords automatically.
Poor credential hygiene: cleartext password disclosure Implement a review process for files and systems to look for cleartext account credentials. When credentials are found, remove, change, or encrypt them [D3-FE]. Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, protected health information) or credentials are stored. Weigh the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is of significant concern, technical controls, policy, and user training may prevent storage of credentials in improper locations.Store hashed passwords using Committee on National Security Systems Policy (CNSSP)-15 and Commercial National Security Algorithm Suite (CNSA) approved algorithms.[50],[51]Consider using group Managed Service Accounts (gMSAs) or third-party software to implement secure password-storage applications.
Mitigate Unrestricted Code Execution
MisconfigurationRecommendations for Network Defenders
Unrestricted code executionEnable system settings that prevent the ability to run applications downloaded from untrusted sources.[52]Use application control tools that restrict program execution by default, also known as allowlisting [D3-EAL]. Ensure that the tools examine digital signatures and other key attributes, rather than just relying on filenames, especially since malware often attempts to masquerade as common Operating System (OS) utilities [M1038]. Explicitly allow certain .exe files to run, while blocking all others by default.Block or prevent the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment [D3-OSM].Constrain scripting languages to prevent malicious activities, audit script logs, and restrict scripting languages that are not used in the environment [D3-SEA]. See joint Cybersecurity Information Sheet: Keeping PowerShell: Security Measures to Use and Embrace.[53]Use read-only containers and minimal images, when possible, to prevent the running of commands.Regularly analyze border and host-level protections, including spam-filtering capabilities, to ensure their continued effectiveness in blocking the delivery and execution of malware [D3-MA]. Assess whether HTML Application (HTA) files are used for business purposes in your environment; if HTAs are not used, remap the default program for opening them from mshta.exe to notepad.exe.

Software Manufacturers

NSA and CISA recommend software manufacturers implement the recommendations in Table 11 to reduce the prevalence of misconfigurations identified in this advisory. These mitigations align with tactics provided in joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. NSA and CISA strongly encourage software manufacturers apply these recommendations to ensure their products are secure “out of the box” and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure.[1]

MisconfigurationRecommendations for Software Manufacturers
Default configurations of software and applicationsEmbed security controls into product architecture from the start of development and throughout the entire SDLC by following best practices in NIST’s Secure Software Development Framework (SSDF), SP 800-218.[54]Provide software with security features enabled “out of the box” and accompanied with “loosening” guides instead of hardening guides. “Loosening” guides should explain the business risk of decisions in plain, understandable language.
Default configurations of software and applications: Default credentialsEliminate default passwords: Do not provide software with default passwords that are universally shared. To eliminate default passwords, require administrators to set a “strong” password [CPG 2.B] during installation and configuration.
Default configurations of software and applications: Default service permissions and configuration settingsConsider the user experience consequences of security settings: Each new setting increases the cognitive burden on end users and should be assessed in conjunction with the business benefit it derives. Ideally, a setting should not exist; instead, the most secure setting should be integrated into the product by default. When configuration is necessary, the default option should be broadly secure against common threats.
Improper separation of user/administrator privilege:Excessive account privileges,Elevated service account permissions, andNon-essential use of elevated accountsDesign products so that the compromise of a single security control does not result in compromise of the entire system. For example, ensuring that user privileges are narrowly provisioned by default and ACLs are employed can reduce the impact of a compromised account. Also, software sandboxing techniques can quarantine a vulnerability to limit compromise of an entire application.Automatically generate reports for:Administrators of inactive accounts. Prompt administrators to set a maximum inactive time and automatically suspend accounts that exceed that threshold.Administrators of accounts with administrator privileges and suggest ways to reduce privilege sprawl.Automatically alert administrators of infrequently used services and provide recommendations for disabling them or implementing ACLs.
Insufficient internal network monitoring Provide high-quality audit logs to customers at no extra charge. Audit logs are crucial for detecting and escalating potential security incidents. They are also crucial during an investigation of a suspected or confirmed security incident. Consider best practices such as providing easy integration with a security information and event management (SIEM) system with application programming interface (API) access that uses coordinated universal time (UTC), standard time zone formatting, and robust documentation techniques.
Lack of network segmentationEnsure products are compatible with and tested in segmented network environments.
Poor patch management: Lack of regular patchingTake steps to eliminate entire classes of vulnerabilities by embedding security controls into product architecture from the start of development and throughout the SDLC by following best practices in NIST’s SSDFSP 800-218.[54] Pay special attention to:Following secure coding practices [SSDF PW 5.1]. Use memory-safe programming languages where possible, parametrized queries, and web template languages.Conducting code reviews [SSDF PW 7.2, RV 1.2] against peer coding standards, checking for backdoors, malicious content, and logic flaws.Testing code to identify vulnerabilities and verify compliance with security requirements [SSDF PW 8.2].Ensure that published CVEs include root cause or common weakness enumeration (CWE) to enable industry-wide analysis of software security design flaws.
Poor patch management: Use of unsupported operating OSs and outdated firmwareCommunicate the business risk of using unsupported OSs and firmware in plain, understandable language.
Bypass of system access controlsProvide sufficient detail in audit records to detect bypass of system controls and queries to monitor audit logs for traces of such suspicious activity (e.g., for when an essential step of an authentication or authorization flow is missing).
Weak or Misconfigured MFA Methods: Misconfigured Smart Cards or Tokens Fully support MFA for all users, making MFA the default rather than an opt-in feature. Utilize threat modeling for authentication assertions and alternate credentials to examine how they could be abused to bypass MFA requirements.
Weak or Misconfigured MFA Methods: Lack of phishing-resistant MFAMandate MFA, ideally phishing-resistant, for privileged users and make MFA a default rather than an opt-in feature.[3]
Insufficient ACL on network shares and servicesEnforce use of ACLs with default ACLs only allowing the minimum access needed, along with easy-to-use tools to regularly audit and adjust ACLs to the minimum access needed.
Poor credential hygiene: easily crackable passwords Allow administrators to configure a password policy consistent with NIST’s guidelines—do not require counterproductive restrictions such as enforcing character types or the periodic rotation of passwords.[29]Allow users to use password managers to effortlessly generate and use secure, random passwords within products.
Poor credential hygiene: cleartext password disclosureSalt and hash passwords using a secure hashing algorithm with high computational cost to make brute force cracking more difficult.
Unrestricted code executionSupport execution controls within operating systems and applications “out of the box” by default at no extra charge for all customers, to limit malicious actors’ ability to abuse functionality or launch unusual applications without administrator or informed user approval.


In addition to applying mitigations, NSA and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. NSA and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 12–Table 21).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.


The misconfigurations described above are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations above properly to protect the network, its sensitive information, and critical missions.


[1]   Joint Guide: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (2023),
[2]   CISA, Known Exploited Vulnerabilities Catalog,
[3]   CISA, Implementing Phishing-Resistant MFA,
[4]   MITRE, ATT&CK for Enterprise,
[5]   MITRE, D3FEND,
[6]   CISA, Best Practices for MITRE ATT&CK Mapping,
[7]   CISA, Decider Tool,
[8]   CISA, Cyber Assessment Fact Sheet,
[9]   Joint CSA: Weak Security Controls and Practices Routinely Exploited for Initial Access,
[10]  Microsoft KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS),
[11]  Raj Chandel, Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints,
[12]  SpecterOps – Will Schroeder, Certified Pre-Owned,
[13]  CISA, CSA: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks,
[14]  Joint CSA: Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers,
[15]  Joint CSA: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester,
[16]  Joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite,
[17]  Microsoft, How to verify that MS17-010 is installed,
[18]  Microsoft, Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644),
[19]  Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization,
[20]  CISA, Malware Analysis Report: 10365227.r1.v1,
[21]  Joint CSA: #StopRansomware: BianLian Ransomware Group,
[22]  CISA Analysis Report: FiveHands Ransomware,
[23]  Snaffler,
[24]  CISA, Cross-Sector Cybersecurity Performance Goals,
[25]  Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs),
[26]  NSA, Network Infrastructure Security Guide,
[27]  NSA, Actively Manage Systems and Configurations,
[28]  NSA, Cybersecurity Advisories & Guidance,
[29]  National Institute of Standards and Technologies (NIST), NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management,
[30]  Microsoft, Uninstall-AdcsWebEnrollment,
[31]  Microsoft, KB5021989: Extended Protection for Authentication,
[32]  Microsoft, Network security: Restrict NTLM: NTLM authentication in this domain,
[33]  Microsoft, Network security: Restrict NTLM: Incoming NTLM traffic,
[34]  Microsoft, How to disable the Subject Alternative Name for UPN mapping,
[35]  Microsoft, Overview of Server Message Block signing,
[36]  Microsoft, SMB signing required by default in Windows Insider,
[37]  NSA, Defend Privileges and Accounts,
[38]  NSA, Advancing Zero Trust Maturity Throughout the User Pillar,
[39]  NSA, Continuously Hunt for Network Intrusions,
[40]  Joint CSI: Detect and Prevent Web Shell Malware,
[41]  NSA, Segment Networks and Deploy Application-aware Defenses,
[42]  Joint CSA: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems,
[43]  NSA, Stop Malicious Cyber Activity Against Connected Operational Technology,
[44]  NSA, Performing Out-of-Band Network Management,
[45]  NSA, Update and Upgrade Software Immediately,
[46]  Microsoft, Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management,
[47]  CISA, Secure Cloud Business Applications Hybrid Identity Solutions Architecture,
[48]  CISA, Secure Cloud Business Applications (SCuBA) Project,
[49]  NSA, Transition to Multi-factor Authentication,
[50]  Committee on National Security Systems (CNSS), CNSS Policy 15,
[51]  NSA, NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems,
[52]  NSA, Enforce Signed Software Execution Policies,
[53]  Joint CSI: Keeping PowerShell: Security Measures to Use and Embrace,
[54]  NIST, NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities,

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.


Active Directory, Microsoft, and Windows are registered trademarks of Microsoft Corporation.
MITRE ATT&CK is registered trademark and MITRE D3FEND is a trademark of The MITRE Corporation.
SoftPerfect is a registered trademark of SoftPerfect Proprietary Limited Company.
Telerik is a registered trademark of Progress Software Corporation.
VMware is a registered trademark of VMWare, Inc.
Zimbra is a registered trademark of Synacor, Inc.


This document was developed in furtherance of the authoring cybersecurity organizations’ missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.


Cybersecurity Report Feedback:
General Cybersecurity Inquiries: 
Defense Industrial Base Inquiries and Cybersecurity Services:
Media Inquiries / Press Desk: 443-634-0721, 

To report suspicious activity contact CISA’s 24/7 Operations Center at or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Appendix: MITRE ATT&CK Tactics and Techniques

See Table 12–Table 21 for all referenced threat actor tactics and techniques in this advisory.

Technique TitleIDUse
Active Scanning: Vulnerability ScanningT1595.002Malicious actors scan victims for vulnerabilities that be exploited for initial access.
Gather Victim Host InformationT1592Malicious actors gather information on victim client configurations and/or vulnerabilities through vulnerabilities scans and searching the web.
Gather Victim Identity Information: CredentialsT1589.001Malicious actors find default credentials through searching the web.
Phishing for InformationT1598Malicious actors masquerade as IT staff and convince a target user to provide their MFA code over the phone to gain access to email and other organizational resources.
Technique TitleIDUse
External Remote ServicesT1133Malicious actors use default credentials for VPN access to internal networks.
Valid Accounts: Default AccountsT1078.001Malicious actors gain authenticated access to devices by finding default credentials through searching the web.Malicious actors use default credentials for VPN access to internal networks, and default administrative credentials to gain access to web applications and databases.
Exploit Public-Facing ApplicationT1190Malicious actors exploit CVEs in Telerik UI, VM Horizon, Zimbra Collaboration Suite, and other applications for initial access to victim organizations.
PhishingT1566Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads.
Trust RelationshipT1199Malicious actors gain access to OT networks despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections.
Technique TitleIDUse
Software Deployment ToolsT1072Malicious actors use default or captured credentials on software deployment tools to execute code and move laterally.
User ExecutionT1204Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads or to run code on their workstations.
Command and Scripting InterpreterT1059Malicious actors use scripting languages to obscure their actions and bypass allowlisting.
Command and Scripting Interpreter: Visual BasicT1059.005Malicious actors use macros for initial access, persistence, and lateral movement.
Technique TitleIDUse
Account ManipulationT1098Malicious actors reset built-in administrative accounts via predictable, forgotten password questions.
Technique TitleIDUse
Valid AccountsT1078Malicious actors analyze topical and nested Active Directory groups to find privileged accounts to target.
Valid Accounts: Domain AccountsT1078.002Malicious actors obtain loaded domain credentials from printers and scanners and use them to move laterally from the network device.
Exploitation for Privilege EscalationT1068Malicious actors load vulnerable drivers and then exploit their known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device.
Technique TitleIDUse
Obfuscated Files or Information: Command ObfuscationT1027.010Malicious actors often use scripting languages to obscure their actions.
Technique TitleIDUse
Adversary-in-the-MiddleT1557Malicious actors force a device to communicate through actor-controlled systems, so they can collect information or perform additional actions.
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB RelayT1557.001Malicious actors execute spoofing, poisoning, and relay techniques if Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Server Message Block (SMB) services are enabled in a network.
Brute Force: Password CrackingT1110.002Malicious actors capture user hashes and leverage dictionary wordlists and rulesets to extract cleartext passwords.
Credentials from Password StoresT1555Malicious actors gain access to and crack credentials from PFX stores, enabling elevation of privileges and lateral movement within networks.
Multi-Factor Authentication InterceptionT1111Malicious actors can obtain password hashes for accounts enabled for MFA with smart codes or tokens and use the hash via PtH techniques.
Multi-Factor Authentication Request GenerationT1621Malicious actors use “push bombing” against non-phishing resistant MFA to induce “MFA fatigue” in victims, gaining access to MFA authentication credentials or bypassing MFA, and accessing the MFA-protected system.
Steal Application Access TokenT1528Malicious actors can steal administrator account credentials and the authentication token generated by Active Directory when the account is logged into a compromised host.
Steal or Forge Authentication CertificatesT1649Unauthenticated malicious actors coerce an ADCS server to authenticate to an actor-controlled server, and then relay that authentication to the web certificate enrollment application to obtain a trusted illegitimate certificate.
Steal or Forge Kerberos Tickets: Golden TicketT1558.001Malicious actors who have obtained authentication certificates can use the certificate for Active Directory authentication to obtain a Kerberos TGT.
Steal or Forge Kerberos Tickets: KerberoastingT1558.003Malicious actors obtain and abuse valid Kerberos TGTs to elevate privileges and laterally move throughout an organization’s network.
Unsecured Credentials: Credentials in FilesT1552.001Malicious actors find cleartext credentials that organizations or individual users store in spreadsheets, configuration files, and other documents.
Technique TitleIDUse
Account DiscoveryT1087Malicious actors with valid domain credentials enumerate the AD to discover elevated accounts and where they are used.
File and Directory DiscoveryT1083Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer to discover and categorize files.Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining desired information, such as cleartext passwords.
Network Share DiscoveryT1135Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer, to look for shared folders and drives.
Technique TitleIDUse
Exploitation of Remote ServicesT1210Malicious actors can exploit OS and firmware vulnerabilities to gain unauthorized network access, compromise sensitive data, and disrupt operations.
Remote Services: SMB/Windows Admin SharesT1021.002If SMB signing is not enforced, malicious actors can use name resolution poisoning to access remote systems.
Use Alternate Authentication Material: Application Access TokenT1550.001Malicious actors with stolen administrator account credentials and AD authentication tokens can use them to operate with elevated permissions throughout the domain.
Use Alternate Authentication Material: Pass the HashT1550.002Malicious actors collect hashes in a network and authenticate as a user without having access to the user’s cleartext password.
Technique TitleIDUse
Data from Network Shared DriveT1039Malicious actors find sensitive information on network shares that could facilitate follow-on activity or provide opportunities for extortion.

Source :

The PQXDH Key Agreement Protocol

Revision 1, 2023-05-24 [PDF]

Ehren Kret, Rolfe Schmidt

Table of Contents

1. Introduction

This document describes the “PQXDH” (or “Post-Quantum Extended Diffie-Hellman”) key agreement protocol. PQXDH establishes a shared secret key between two parties who mutually authenticate each other based on public keys. PQXDH provides post-quantum forward secrecy and a form of cryptographic deniability but still relies on the hardness of the discrete log problem for mutual authentication in this revision of the protocol.

PQXDH is designed for asynchronous settings where one user (“Bob”) is offline but has published some information to a server. Another user (“Alice”) wants to use that information to send encrypted data to Bob, and also establish a shared secret key for future communication.

2. Preliminaries

2.1. PQXDH parameters

An application using PQXDH must decide on several parameters:

curveA Montgomery curve for which XEdDSA [1] is specified, at present this is one of curve25519 or curve448
hashA 256 or 512-bit hash function (e.g. SHA-256 or SHA-512)
infoAn ASCII string identifying the application with a minimum length of 8 bytes
pqkemA post-quantum key encapsulation mechanism (e.g. Crystals-Kyber-1024 [2])
EncodeECA function that encodes a curve public key into a byte sequence
DecodeECA function that decodes a byte sequence into a curve public key and is the inverse of EncodeEC
EncodeKEMA function that encodes a pqkem public key into a byte sequence
DecodeKEMA function that decodes a byte sequence into a pqkem public key and is the inverse of EncodeKEM

For example, an application could choose curve as curve25519, hash as SHA-512, info as “MyProtocol”, and pqkem as CRYSTALS-KYBER-1024.

The recommended implementation of EncodeEC consists of a single-byte constant representation of curve followed by little-endian encoding of the u-coordinate as specified in [3]. The single-byte representation of curve is defined by the implementer. Similarly the recommended implementation of DecodeEC reads the first byte to determine the parameter curve. If the first byte does not represent a recognized curve, the function fails. Otherwise it applies the little-endian decoding of the u-coordinate for curve as specified in [3].

The recommended implementation of EncodeKEM consists of a single-byte constant representation of pqkem followed by the encoding of PQKPK specified by pqkem. The single-byte representation of pqkem is defined by the implementer. Similarly the recommended implementation of DecodeKEM reads the first byte to determine the parameter pqkem. If the first byte does not represent a recognized key encapsulation mechanism, the function fails. Otherwise it applies the decoding specified by the selected key encapsulation mechanism.

2.2. Cryptographic notation

Throughout this document, all public keys have a corresponding private key, but to simplify descriptions we will identify key pairs by the public key and assume that the corresponding private key can be accessed by the key owner.

This document will use the following notation:

  • The concatenation of byte sequences X and Y is X || Y.
  • DH(PK1, PK2) represents a byte sequence which is the shared secret output from an Elliptic Curve Diffie-Hellman function involving the key pairs represented by public keys PK1 and PK2. The Elliptic Curve Diffie-Hellman function will be either the X25519 or X448 function from [3], depending on the curve parameter.
  • Sig(PK, M, Z) represents the byte sequence that is a curve XEdDSA signature on the byte sequence M which was created by signing M with PK’s corresponding private key and using 64 bytes of randomness Z. This signature verifies with public key PK. The signing and verification functions for XEdDSA are specified in [1].
  • KDF(KM) represents 32 bytes of output from the HKDF algorithm [4] using hash with inputs:
    • HKDF input key material = F || KM, where KM is an input byte sequence containing secret key material, and F is a byte sequence containing 32 0xFF bytes if curve is curve25519, and 57 0xFF bytes if curve is curve448. As in in XEdDSA [1]F ensures that the first bits of the HKDF input key material are never a valid encoding of a scalar or elliptic curve point.
    • HKDF salt = A zero-filled byte sequence with length equal to the hash output length, in bytes.
    • HKDF info = The concatenation of string representations of the 4 PQXDH parameters infocurvehash, and pqkem into a single string separated with ‘_’ such as “MyProtocol_CURVE25519_SHA-512_CRYSTALS-KYBER-1024”. The string representations of the PQXDH parameters are defined by the implementer.
  • (CT, SS) = PQKEM-ENC(PK) represents a tuple of the byte sequence that is the KEM ciphertext, CT, output by the algorithm pqkem together with the shared secret byte sequence SS encapsulated by the ciphertext using the public key PK.
  • PQKEM-DEC(PK, CT) represents the shared secret byte sequence SS decapsulated from a pqkem ciphertext using the private key counterpart of the public key PK used to encapsulate the ciphertext CT.

2.3. Roles

The PQXDH protocol involves three parties: AliceBob, and a server.

  • Alice wants to send Bob some initial data using encryption, and also establish a shared secret key which may be used for bidirectional communication.
  • Bob wants to allow parties like Alice to establish a shared key with him and send encrypted data. However, Bob might be offline when Alice attempts to do this. To enable this, Bob has a relationship with some server.
  • The server can store messages from Alice to Bob which Bob can later retrieve. The server also lets Bob publish some data which the server will provide to parties like Alice. The amount of trust placed in the server is discussed in Section 4.9.

In some systems the server role might be divided between multiple entities, but for simplicity we assume a single server that provides the above functions for Alice and Bob.

2.4. Elliptic Curve Keys

PQXDH uses the following elliptic curve public keys:

IKAAlice’s identity key
IKBBob’s identity key
EKAAlice’s ephemeral key
SPKBBob’s signed prekey
(OPKB1OPKB2, …)Bob’s set of one-time prekeys

The elliptic curve public keys used within a PQXDH protocol run must either all be in curve25519 form, or they must all be in curve448 form, depending on the curve parameter [3].

Each party has a long-term identity elliptic curve public key (IKA for Alice, IKB for Bob).

Bob also has a signed prekey SPKB, which he changes periodically and signs each time with IKB, and a set of one-time prekeys (OPKB1OPKB2, …), which are each used in a single PQXDH protocol run. (“Prekeys” are so named because they are essentially protocol messages which Bob publishes to the server prior to Alice beginning the protocol run.) These keys will be uploaded to the server as described in Section 3.2.

During each protocol run, Alice generates a new ephemeral key pair with public key EKA.

2.5. Post-Quantum Key Encapsulation Keys

PQXDH uses the following post-quantum key encapsulation public keys:

PQSPKBBob’s signed last-resort pqkem prekey
(PQOPKB1PQOPKB2, …)Bob’s set of signed one-time pqkem prekeys

The pqkem public keys used within a PQXDH protocol run must all use the same pqkem parameter.

Bob has a signed last-resort post-quantum prekey PQSPKB, which he changes periodically and signs each time with IKB, and a set of signed one-time prekeys (PQOPKB1PQOPKB2, …) which are also signed with IKB and each used in a single PQXDH protocol run. These keys will be uploaded to the server as described in Section 3.2. The name “last-resort” refers to the fact that the last-resort prekey is only used when one-time pqkem prekeys are not available. This can happen when the number of prekey bundles downloaded for Bob exceeds the number of one-time pqkem prekeys Bob has uploaded (see Section 3 for details about the role of the server).

3. The PQXDH protocol

3.1. Overview

PQXDH has three phases:

  1. Bob publishes his elliptic curve identity key, elliptic curve prekeys, and pqkem prekeys to a server.
  2. Alice fetches a “prekey bundle” from the server, and uses it to send an initial message to Bob.
  3. Bob receives and processes Alice’s initial message.

The following sections explain these phases.

3.2. Publishing keys

Bob generates a sequence of 64-byte random values ZSPK, ZPQSPK, Z1, Z2, … and publishes a set of keys to the server containing:

  • Bob’s curve identity key IKB
  • Bob’s signed curve prekey SPKB
  • Bob’s signature on the curve prekey Sig(IKB, EncodeEC(SPKB), ZSPK)
  • Bob’s signed last-resort pqkem prekey PQSPKB
  • Bob’s signature on the pqkem prekey Sig(IKB, EncodeKEM(PQSPKB), ZPQSPK)
  • A set of Bob’s one-time curve prekeys (OPKB1, OPKB2, OPKB3, …)
  • A set of Bob’s signed one-time pqkem prekeys (PQOPKB1, PQOPKB2, PQOPKB3, …)
  • The set of Bob’s signatures on the signed one-time pqkem prekeys (Sig(IKB, EncodeKEM(PQOPKB1), Z1), Sig(IKB, EncodeKEM(PQOPKB2), Z2), Sig(IKB, EncodeKEM(PQOPKB3), Z3), …)

Bob only needs to upload his identity key to the server once. However, Bob may upload new one-time prekeys at other times (e.g. when the server informs Bob that the server’s store of one-time prekeys is getting low).

For both the signed curve prekey and the signed last-resort pqkem prekey, Bob will upload a new prekey along with its signature using IKB at some interval (e.g. once a week or once a month). The new signed prekey and its signatures will replace the previous values.

After uploading a new pair of signed curve and signed last-resort pqkem prekeys, Bob may keep the private key corresponding to the previous pair around for some period of time to handle messages using it that may have been delayed in transit. Eventually, Bob should delete this private key for forward secrecy (one-time prekey private keys will be deleted as Bob receives messages using them; see Section 3.4).

3.3. Sending the initial message

To perform a PQXDH key agreement with Bob, Alice contacts the server and fetches a “prekey bundle” containing the following values:

  • Bob’s curve identity key IKB
  • Bob’s signed curve prekey SPKB
  • Bob’s signature on the curve prekey Sig(IKB, EncodeEC(SPKB), ZSPK)
  • One of either Bob’s signed one-time pqkem prekey PQOPKBn or Bob’s last-resort signed pqkem prekey PQSPKB if no signed one-time pqkem prekey remains. Call this key PQPKB.
  • Bob’s signature on the pqkem prekey Sig(IKB, EncodeKEM(PQPKB), ZPQPK)
  • (Optionally) Bob’s one-time curve prekey OPKBn

The server should provide one of Bob’s curve one-time prekeys if one exists and then delete it. If all of Bob’s curve one-time prekeys on the server have been deleted, the bundle will not contain a one-time curve prekey element.

The server should prefer to provide one of Bob’s pqkem one-time signed prekeys PQOPKBn if one exists and then delete it. If all of Bob’s pqkem one-time signed prekeys on the server have been deleted, the bundle will instead contain Bob’s pqkem last-resort signed prekey PQSPKB.

Alice verifies the signatures on the prekeys. If any signature check fails, Alice aborts the protocol. Otherwise, if all signature checks pass, Alice then generates an ephemeral curve key pair with public key EKA. Alice additionally generates a pqkem encapsulated shared secret:

               shared secret SS
               ciphertext CT

If the bundle does not contain a curve one-time prekey, she calculates:

    DH1 = DH(IKA, SPKB)
    DH2 = DH(EKA, IKB)
    DH3 = DH(EKA, SPKB)
    SK = KDF(DH1 || DH2 || DH3 || SS)

If the bundle does contain a curve one-time prekey, the calculation is modified to include an additional DH:

    DH4 = DH(EKA, OPKB)
    SK = KDF(DH1 || DH2 || DH3 || DH4 || SS)

After calculating SK, Alice deletes her ephemeral private key, the DH outputs, the shared secret SS, and the ciphertext CT.

Alice then calculates an “associated data” byte sequence AD that contains identity information for both parties:

    AD = EncodeEC(IKA) || EncodeEC(IKB)

Alice may optionally append additional information to AD, such as Alice and Bob’s usernames, certificates, or other identifying information.

Alice then sends Bob an initial message containing:

  • Alice’s identity key IKA
  • Alice’s ephemeral key EKA
  • The pqkem ciphertext CT encapsulating SS for PQPKB
  • Identifiers stating which of Bob’s prekeys Alice used
  • An initial ciphertext encrypted with some AEAD encryption scheme [5] using AD as associated data and using an encryption key which is either SK or the output from some cryptographic PRF keyed by SK.

The initial ciphertext is typically the first message in some post-PQXDH communication protocol. In other words, this ciphertext typically has two roles, serving as the first message within some post-PQXDH protocol, and as part of Alice’s PQXDH initial message.

The initial message must be encoded in an unambiguous format to avoid confusion of the message items by the recipient.

After sending this, Alice may continue using SK or keys derived from SK within the post-PQXDH protocol for communication with Bob, subject to the security considerations discussed in Section 4.

3.4. Receiving the initial message

Upon receiving Alice’s initial message, Bob retrieves Alice’s identity key and ephemeral key from the message. Bob also loads his identity private key and the private key(s) corresponding to the signed prekeys and one-time prekeys Alice used.

Using these keys, Bob calculates PQKEM-DEC(PQPKB, CT) as the shared secret SS and repeats the DH and KDF calculations from the previous section to derive SK, and then deletes the DH values and SS values.

Bob then constructs the AD byte sequence using IKA and IKB as described in the previous section. Finally, Bob attempts to decrypt the initial ciphertext using SK and AD. If the initial ciphertext fails to decrypt, then Bob aborts the protocol and deletes SK.

If the initial ciphertext decrypts successfully, the protocol is complete for Bob. For forward secrecy, Bob deletes the ciphertext and any one-time prekey private key that was used. Bob may then continue using SK or keys derived from SK within the post-PQXDH protocol for communication with Alice subject to the security considerations discussed in Section 4.

4. Security considerations

The security of the composition of X3DH [6] with the Double Ratchet [7] was formally studied in [8] and proven secure under the Gap Diffie-Hellman assumption (GDH)[9]. PQXDH composed with the Double Ratchet retains this security against an adversary without access to a quantum computer, but strengthens the security of the initial handshake to require the solution of both GDH and Module-LWE [10]. The remainder of this section discusses an incomplete list of further security considerations.

4.1. Authentication

Before or after a PQXDH key agreement, the parties may compare their identity public keys IKA and IKB through some authenticated channel. For example, they may compare public key fingerprints manually, or by scanning a QR code. Methods for doing this are outside the scope of this document.

Authentication in PQXDH is not quantum-secure. In the presence of an active quantum adversary, the parties receive no cryptographic guarantees as to who they are communicating with. Post-quantum secure deniable mutual authentication is an open research problem which we hope to address with a future revision of this protocol.

If authentication is not performed, the parties receive no cryptographic guarantee as to who they are communicating with.

4.2. Protocol replay

If Alice’s initial message doesn’t use a one-time prekey, it may be replayed to Bob and he will accept it. This could cause Bob to think Alice had sent him the same message (or messages) repeatedly.

To mitigate this, a post-PQXDH protocol may wish to quickly negotiate a new encryption key for Alice based on fresh random input from Bob. This is the typical behavior of Diffie-Hellman-based ratcheting protocols [7].

Bob could attempt other mitigations, such as maintaining a blacklist of observed messages, or replacing old signed prekeys more rapidly. Analyzing these mitigations is beyond the scope of this document.

4.3. Replay and key reuse

Another consequence of the replays discussed in the previous section is that a successfully replayed initial message would cause Bob to derive the same SK in different protocol runs.

For this reason, any post-PQXDH protocol that uses SK to derive encryption keys MUST take measures to prevent catastrophic key reuse. For example, Bob could use a DH-based ratcheting protocol to combine SK with a freshly generated DH output to get a randomized encryption key [7].

4.4. Deniability

Informally, cryptographic deniability means that a protocol neither gives its participants a publishable cryptographic proof of the contents of their communication nor proof of the fact that they communicated. PQXDH, like X3DH, aims to provide both Alice and Bob deniablilty that they communicated with each other in a context where a “judge” who may have access to one or more party’s secret keys is presented with a transcript allegedly created by communication between Alice and Bob.

We focus on offline deniability because if either party is collaborating with a third party during protocol execution, they will be able to provide proof of their communication to such a third party. This limitation on “online” deniability appears to be intrinsic to the asynchronous setting [11].

PQXDH has some forms of cryptographic deniability. Motivated by the goals of X3DH, Brendel et al. [12] introduce a notion of 1-out-of-2 deniability for semi-honest parties and a “big brother” judge with access to all parties’ secret keys. Since either Alice or Bob can create a fake transcript using only their own secret keys, PQXDH has this deniability property. Vatandas, et al. [13] prove that X3DH is deniable in a different sense subject to certain “Knowledge of Diffie-Hellman Assumptions”. PQXDH is deniable in this sense for Alice, subject to the same assumptions, and we conjecture that it is deniable for Bob subject to an additional Plaintext Awareness (PA) assumption for pqkem. We note that Kyber uses a variant of the Fujisaki-Okamoto transform with implicit rejection [14] and is therefore not PA as is. However, in PQXDH, an AEAD ciphertext encrypted with the session key is always sent along with the Kyber ciphertext. This should offer the same guarantees as PA. We encourage the community to investigate the precise deniability properties of PQXDH.

These assertions all pertain to deniability in the classical setting. As discussed in [15] we expect that for future revisions of this protocol (that provide post-quantum mutual authentication) assertions about deniability against semi-honest quantum advsersaries will hold. Deniability in the face of malicious quantum adversaries requires further research.

4.5. Signatures

It might be tempting to omit the prekey signature after observing that mutual authentication and forward secrecy are achieved by the DH calculations. However, this would allow a “weak forward secrecy” attack: A malicious server could provide Alice a prekey bundle with forged prekeys, and later compromise Bob’s IKB to calculate SK.

Alternatively, it might be tempting to replace the DH-based mutual authentication (i.e. DH1 and DH2) with signatures from the identity keys. However, this reduces deniability, increases the size of initial messages, and increases the damage done if ephemeral or prekey private keys are compromised, or if the signature scheme is broken.

4.6. Key compromise

Compromise of a party’s private keys has a disastrous effect on security, though the use of ephemeral keys and prekeys provides some mitigation.

Compromise of a party’s identity private key allows impersonation of that party to others. Compromise of a party’s prekey private keys may affect the security of older or newer SK values, depending on many considerations.

A full analysis of all possible compromise scenarios is outside the scope of this document, however a partial analysis of some plausible scenarios is below:

  • If either an elliptic curve one-time prekey (OPKB) or a post-quantum key encapsulation one-time prekey (PQOPKB) are used for a protocol run and deleted as specified, then a compromise of Bob’s identity key and prekey private keys at some future time will not compromise the older SK.
  • If one-time prekeys were not used for a protocol run, then a compromise of the private keys for IKBSPKB, and PQSPKB from that protocol run would compromise the SK that was calculated earlier. Frequent replacement of signed prekeys mitigates this, as does using a post-PQXDH ratcheting protocol which rapidly replaces SK with new keys to provide fresh forward secrecy [7].
  • Compromise of prekey private keys may enable attacks that extend into the future, such as passive calculation of SK values, and impersonation of arbitrary other parties to the compromised party (“key-compromise impersonation”). These attacks are possible until the compromised party replaces his compromised prekeys on the server (in the case of passive attack); or deletes his compromised signed prekey’s private key (in the case of key-compromise impersonation).

4.7. Passive quantum adversaries

PQXDH is designed to prevent “harvest now, decrypt later” attacks by adversaries with access to a quantum computer capable of computing discrete logarithms in curve.

  • If an attacker has recorded the public information and the message from Alice to Bob, even access to a quantum computer will not compromise SK.
  • If a post-quantum key encapsulation one-time prekey (PQOPKB) is used for a protocol run and deleted as specified then compromise after deletion and access to a quantum computer at some future time will not compromise the older SK.
  • If post-quantum one-time prekeys were not used for a protocol run, then access to a quantum computer and a compromise of the private key for PQSPKB from that protocol run would compromise the SK that was calculated earlier. Frequent replacement of signed prekeys mitigates this, as does using a post-PQXDH ratcheting protocol which rapidly replaces SK with new keys to provide fresh forward secrecy [7].

4.8. Active quantum adversaries

PQXDH is not designed to provide protection against active quantum attackers. An active attacker with access to a quantum computer capable of computing discrete logarithms in curve can compute DH(PK1, PK2) and Sig(PK, M, Z) for all elliptic curve keys PK1PK2, and PK. This allows an attacker to impersonate Alice by using the quantum computer to compute the secret key corresponding to PKA then continuing with the protocol. A malicious server with access to such a quantum computer could impersonate Bob by generating new key pairs PQSPK’B and PQOPK’B, computing the secret key corresponding to PKB, then using PKB to sign the newly generated post-quantum KEM keys and delivering these attacker-generated keys in place of Bob’s post-quantum KEM key when Alice requests a prekey bundle.

It is tempting to consider adding a post-quantum identity key that Bob could use to sign the post-quantum prekeys. This would prevent the malicious server attack described above and provide Alice a cryptographic guarantee that she is communicating with Bob, but it does not provide mutual authentication. Bob does not have any cryptographic guarantee about who he is communicating with. The post-quantum KEM and signature schemes being standardized by NIST [16] do not provide a mechanism for post-quantum deniable mutual authentication, although this can be achieved through the use of a post-quantum ring signature or designated verifier signature [12][15]. We urge the community to work toward standardization of these or other mechanisms that will allow deniable mutual authentication.

4.9. Server trust

A malicious server could cause communication between Alice and Bob to fail (e.g. by refusing to deliver messages).

If Alice and Bob authenticate each other as in Section 4.1, then the only additional attack available to the server is to refuse to hand out one-time prekeys, causing forward secrecy for SK to depend on the signed prekey’s lifetime (as analyzed in Section 4.6).

This reduction in initial forward secrecy could also happen if one party maliciously drains another party’s one-time prekeys, so the server should attempt to prevent this (e.g. with rate limits on fetching prekey bundles).

4.10. Identity binding

Authentication as in Section 4.1 does not necessarily prevent an “identity misbinding” or “unknown key share” attack.

This results when an attacker (“Charlie”) falsely presents Bob’s identity key fingerprint to Alice as his (Charlie’s) own, and then either forwards Alice’s initial message to Bob, or falsely presents Bob’s contact information as his own. The effect of this is that Alice thinks she is sending an initial message to Charlie when she is actually sending it to Bob.

To make this more difficult the parties can include more identifying information into AD, or hash more identifying information into the fingerprint, such as usernames, phone numbers, real names, or other identifying information. Charlie would be forced to lie about these additional values, which might be difficult.

However, there is no way to reliably prevent Charlie from lying about additional values, and including more identity information into the protocol often brings trade-offs in terms of privacy, flexibility, and user interface. A detailed analysis of these trade-offs is beyond the scope of this document.

4.11. Risks of weak randomness sources

In addition to concerns about the generation of the keys themselves, the security of the PQKEM shared secret relies on the random source available to Alice’s machine at the time of running the PQKEM-ENC operation. This leads to a situation similar to what we face with a Diffie-Hellman exchange. For both Diffie-Hellman and Kyber, if Alice has weak entropy then the resulting shared secret will have low entropy when conditioned on Bob’s public key. Thus both the classical and post-quantum security of SK depend on the strength of Alice’s random source.

Kyber hashes Bob’s public key with Alice’s random bits to generate the shared secret, making Bob’s key contributory, as it is with a Diffie-Hellman key exchange. This does not reduce the dependence on Alice’s entropy source, as described above, but it does limit Alice’s ability to control the post-quantum shared secret. Not all KEMs make Bob’s key contributory and this is a property to consider when selecting pqkem.

5. IPR

This document is hereby placed in the public domain.

6. Acknowledgements

The PQXDH protocol was developed by Ehren Kret and Rolfe Schmidt as an extension of the X3DH protocol [6] by Moxie Marlinspike and Trevor Perrin. Thanks to Trevor Perrin for discussions on the design of this protocol.

Thanks to Bas Westerbaan, Chris Peikert, Daniel Collins, Deirdre Connolly, John Schanck, Jon Millican, Jordan Rose, Karthik Bhargavan, Loïs Huguenin-Dumittan, Peter Schwabe, Rune Fiedler, Shuichi Katsumata, Sofía Celi, and Yo’av Rieck for helpful discussions and editorial feedback.

Thanks to the Kyber team [17] for their work on the Kyber key encapsulation mechanism.

7. References


T. Perrin, “The XEdDSA and VXEdDSA Signature Schemes,” 2016.


“Module-lattice-based key-encapsulation mechanism standard.”


A. Langley, M. Hamburg, and S. Turner, “Elliptic Curves for Security.” Internet Engineering Task Force; RFC 7748 (Informational); IETF, Jan-2016.


H. Krawczyk and P. Eronen, “HMAC-based Extract-and-Expand Key Derivation Function (HKDF).” Internet Engineering Task Force; RFC 5869 (Informational); IETF, May-2010.


P. Rogaway, “Authenticated-encryption with Associated-data,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002.


M. Marlinspike and T. Perrin, “The X3DH Key Agreement Protocol,” 2016.


T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” 2016.


K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, and D. Stebila, “A formal security analysis of the signal messaging protocol,” J. Cryptol., vol. 33, no. 4, 2020.


T. Okamoto and D. Pointcheval, “The gap-problems: A new class of problems for the security of cryptographic schemes,” in Proceedings of the 4th international workshop on practice and theory in public key cryptography: Public key cryptography, 2001.


A. Langlois and D. Stehlé, “Worst-case to average-case reductions for module lattices,” Des. Codes Cryptography, vol. 75, no. 3, Jun. 2015.


N. Unger and I. Goldberg, “Deniable Key Exchanges for Secure Messaging,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.


J. Brendel, R. Fiedler, F. Günther, C. Janson, and D. Stebila, “Post-quantum asynchronous deniable key exchange and the signal handshake,” in Public-key cryptography – PKC 2022 – 25th IACR international conference on practice and theory of public-key cryptography, virtual event, march 8-11, 2022, proceedings, part II, 2022, vol. 13178.


N. Vatandas, R. Gennaro, B. Ithurburn, and H. Krawczyk, “On the cryptographic deniability of the signal protocol,” in Applied cryptography and network security – 18th international conference, ACNS 2020, rome, italy, october 19-22, 2020, proceedings, part II, 2020, vol. 12147.


D. Hofheinz, K. Hövelmanns, and E. Kiltz, “A modular analysis of the fujisaki-okamoto transformation,” in Theory of cryptography – 15th international conference, TCC 2017, baltimore, MD, USA, november 12-15, 2017, proceedings, part I, 2017, vol. 10677.


K. Hashimoto, S. Katsumata, K. Kwiatkowski, and T. Prest, “An efficient and generic construction for signal’s handshake (X3DH): Post-quantum, state leakage secure, and deniable,” J. Cryptol., vol. 35, no. 3, 2022.


NIST, “Post-quantum cryptography.”


“Kyber key encapsulation mechanism.”

Source :

Top 5 Security Misconfigurations Causing Data Breaches in 2023

Edward Kost
updated May 15, 2023

Security misconfigurations are a common and significant cybersecurity issue that can leave businesses vulnerable to data breaches. According to the latest data breach investigation report by IBM and the Ponemon Institute, the average cost of a breach has peaked at US$4.35 million. Many data breaches are caused by avoidable errors like security misconfiguration. By following the tips in this article, you could identify and address a security error that could save you millions of dollars in damages.

Learn how UpGuard can help you detect data breach risks >

What is a Security Misconfiguration?

A security misconfiguration occurs when a system, application, or network device’s settings are not correctly configured, leaving it exposed to potential cyber threats. This could be due to default configurations left unchanged, unnecessary features enabled, or permissions set too broadly. Hackers often exploit these misconfigurations to gain unauthorized access to sensitive data, launch malware attacks, or carry out phishing attacks, among other malicious activities.

What Causes Security Misconfigurations?

Security misconfigurations can result from various factors, including human error, lack of awareness, and insufficient security measures. For instance, employees might configure systems without a thorough understanding of security best practices, security teams might overlook crucial security updates due to the growing complexity of cloud services and infrastructures.

Additionally, the rapid shift to remote work during the pandemic has increased the attack surface for cybercriminals, making it more challenging for security teams to manage and monitor potential vulnerabilities.

List of Common Types of Security Configurations Facilitating Data Breaches

Some common types of security misconfigurations include:

1. Default Settings

With the rise of cloud solutions such as Amazon Web Services (AWS) and Microsoft Azure, companies increasingly rely on these platforms to store and manage their data. However, using cloud services also introduces new security risks, such as the potential for misconfigured settings or unauthorized access.

A prominent example of insecure default software settings that could have facilitated a significant breach is the Microsoft Power Apps data leak incident of 2021. By default, Power Apps portal data feeds were set to be accessible to the public.

Unless developers specified for OData feeds to be set to private, virtually anyone could access the backend databases of applications built with Power Apps. UpGuard researchers located the exposure and notified Microsoft, who promptly addressed the leak. UpGuard’s detection helped Microsoft avoid a large-scale breach that could have potentially compromised 38 million records.

Read this whitepaper to learn how to prevent data breaches >

2. Unnecessary Features

Enabling features or services not required for a system’s operation can increase its attack surface, making it more vulnerable to threats. Some examples of unnecessary product features include remote administration tools, file-sharing services, and unused network ports. To mitigate data breach risks, organizations should conduct regular reviews of their systems and applications to identify and disable or remove features that are not necessary for their operations.

Additionally, organizations should practice the principle of least functionality, ensuring that systems are deployed with only the minimal set of features and services required for their specific use case.

3. Insecure Permissions

Overly permissive access controls can allow unauthorized users to access sensitive data or perform malicious actions. To address this issue, organizations should implement the principle of least privilege, granting users the minimum level of access necessary to perform their job functions. This can be achieved through proper role-based access control (RBAC) configurations and regular audits of user privileges. Additionally, organizations should ensure that sensitive data is appropriately encrypted both in transit and at rest, further reducing the risk of unauthorized access.

4. Outdated Software

Failing to apply security patches and updates can expose systems to known vulnerabilities. To protect against data breaches resulting from outdated software, organizations should have a robust patch management program in place. This includes regularly monitoring for available patches and updates, prioritizing their deployment based on the severity of the vulnerabilities being addressed, and verifying the successful installation of these patches.

Additionally, organizations should consider implementing automated patch management solutions and vulnerability scanning tools to streamline the patching process and minimize the risk of human error.

5. Insecure API Configurations

APIs that are not adequately secured can allow threat actors to access sensitive information or manipulate systems. API misconfigurations – like the one that led to T-Mobile’s 2023 data breach, are becoming more common. As more companies move their services to the cloud, securing these APIs and preventing the data leaks they facilitate is becoming a bigger challenge.

To mitigate the risks associated with insecure API configurations, organizations should implement strong authentication and authorization mechanisms, such as OAuth 2.0 or API keys, to ensure only authorized clients can access their APIs. Additionally, organizations should conduct regular security assessments and penetration testing to identify and remediate potential vulnerabilities in their API configurations.

Finally, adopting a secure software development lifecycle (SSDLC) and employing API security best practices, such as rate limiting and input validation, can help prevent data breaches stemming from insecure APIs.

Learn how UpGuard protects against third-party breaches >

How to Avoid Security Misconfigurations Impacting Your Data Breach Resilience

To protect against security misconfigurations, organizations should:

1. Implement a Comprehensive Security Policy

Implement a cybersecurity policy covering all system and application configuration aspects, including guidelines for setting permissions, enabling features, and updating software.

2. Implement a Cyber Threat Awareness Program

An essential security measure that should accompany the remediation of security misconfigurations is employee threat awareness training. Of those who recently suffered cloud security breaches, 55% of respondents identified human error as the primary cause.

With your employees equipped to correctly respond to common cybercrime tactics that preceded data breaches, such as social engineering attacks and social media phishing attacks, your business could avoid a security incident should threat actors find and exploit an overlooked security misconfiguration.

Phishing attacks involve tricking individuals into revealing sensitive information that could be used to compromise an account or facilitate a data breach. During these attacks, threat actors target account login credentials, credit card numbers, and even phone numbers to exploit Multi-Factor authentication.

Learn the common ways MFA can be exploited >

Phishing attacks are becoming increasingly sophisticated, with cybercriminals using automation and other tools to target large numbers of individuals. 

Here’s an example of a phishing campaign where a hacker has built a fake login page to steal a customer’s banking credentials. As you can see, the fake login page looks almost identical to the actual page, and an unsuspecting eye will not notice anything suspicious.

Real Commonwealth Bank Login Page
Real Commonwealth Bank Login Page.
Fake Commonwealth Bank Login Page
Fake Commonwealth Bank Login Page

Because this poor cybersecurity habit is common amongst the general population, phishing campaigns could involve fake login pages for social media websites, such as LinkedIn, popular websites like Amazon, and even SaaS products. Hackers implementing such tactics hope the same credentials are used for logging into banking websites.

Cyber threat awareness training is the best defense against phishing, the most common attack vector leading to data breaches and ransomware attacks.

Because small businesses often lack the resources and expertise of larger companies, they usually don’t have the budget for additional security programs like awareness training. This is why, according to a recent report, 61% of small and medium-sized businesses experienced at least one cyber attack in the past year, and 40% experienced eight or more attacks.

Luckily, with the help of ChatGPT, small businesses can implement an internal threat awareness program at a fraction of the cost. Industries at a heightened risk of suffering a data breach, such as healthcare, should especially prioritize awareness of the cyber threat landscape.

Learn how to implement an internal cyber threat awareness campaign >

3. Use Multi-Factor Authentication

MFA and strong access management control to limit unauthorized access to sensitive systems and data.

Previously compromised passwords are often used to hack into accounts. MFA adds additional authentication protocols to the login process, making it difficult to compromise an account, even if hackers get their hands on a stolen password

4. Use Strong Access Management Controls

Identity and Access Management (IAM) systems ensure users only have access to the data and applications they need to do their jobs and that permissions are revoked when an employee leaves the company or changes roles.

The 2023 Thales Dara Threat Report found that 28% of respondents found IAM to be the most effective data security control preventing personal data compromise.

5. Keep All Software Patched and Updated

Keep all environments up-to-date by promptly applying patches and updates. Consider patching a “golden image” and deploying it across your environment. Perform regular scans and audits to identify potential security misconfigurations and missing patches.

An attack surface monitoring solution, such as UpGuard, can detect vulnerable software versions that have been impacted by zero-days and other known security flaws.

6. Deploy Security Tools

Security tools, such as intrusion detection and prevention systems (IDPS) and security information and event management (SIEM) solutions, to monitor and respond to potential threats.

It’s essential also to implement tools to defend against tactics often used to complement data breach attempts, for example. DDoS attacks – a type of attack where a server is flooded with fake traffic to force it offline, allowing hackers to exploit security misconfigurations during the chaos of excessive downtime.

Another important security tool is a data leak detection solution for discovering compromised account credentials published on the dark web. These credentials, if exploited, allow hackers to compress the data breach lifecycle, making these events harder to detect and intercept.

Dara leaks compressing the data breach lifecycle.

Learn how to detect and prevent data leaks >

7. Implement a Zero-Trust Architecture

One of the main ways that companies can protect themselves from cloud-related security threats is by implementing a Zero Trust security architecture. This approach assumes all requests for access to resources are potentially malicious and, therefore, require additional verification before granting access.

Learn how to implement a Zero-Trust Architecture >

A Zero-Trust approach to security assumes that all users, devices, and networks are untrustworthy until proven otherwise.

8. Develop a Repeatable Hardening Process

Establish a process that can be easily replicated to ensure consistent, secure configurations across production, development, and QA environments. Use different passwords for each environment and automate the process for efficient deployment. Be sure to address IoT devices in the hardening process. 

These devices tend to be secured with their default factory passwords, making them highly vulnerable to DDoS attacks.

9. Implement a Secure Application Architecture

Design your application architecture to obfuscate general access to sensitive resources using the principle of network segmentation.

Learn more about network segmentation >

Cloud infrastructure has become a significant cybersecurity issue in the last decade. Barely a month goes by without a major security breach at a cloud service provider or a large corporation using cloud services.

10. Maintain a Structured Development Cycle

Facilitate security testing during development by adhering to a well-organized development process. Following cybersecurity best practices this early in the development process sets the foundation for a resilient security posture that will protect your data even as your company scales.

Implement a secure software development lifecycle (SSDLC) that incorporates security checkpoints at each stage of development, including requirements gathering, design, implementation, testing, and deployment. Additionally, train your development team in secure coding practices and encourage a culture of security awareness to help identify and remediate potential vulnerabilities before they make their way into production environments.

11. Review Custom Code

If using custom code, employ a static code security scanner before integrating it into the production environment. These scanners can automatically analyze code for potential vulnerabilities and compliance issues, reducing the risk of security misconfigurations.

Additionally, have security professionals conduct manual reviews and dynamic testing to identify issues that may not be detected by automated tools. This combination of automated and manual testing ensures that custom code is thoroughly vetted for security risks before deployment.

12. Utilize a Minimal Platform

Remove unused features, insecure frameworks, and unnecessary documentation, samples, or components from your platform. Adopt a “lean” approach to your software stack by only including components that are essential for your application’s functionality.

This reduces the attack surface and minimizes the chances of security misconfigurations. Furthermore, keep an inventory of all components and their associated security risks to better manage and mitigate potential vulnerabilities.

13. Review Cloud Storage Permissions

Regularly examine permissions for cloud storage, such as S3 buckets, and incorporate security configuration updates and reviews into your patch management process. This process should be a standard inclusion across all cloud security measures. Ensure that access controls are properly configured to follow the principle of least privilege, and encrypt sensitive data both in transit and at rest.

Implement monitoring and alerting mechanisms to detect unauthorized access or changes to your cloud storage configurations. By regularly reviewing and updating your cloud storage permissions, you can proactively identify and address potential security misconfigurations, thereby enhancing your organization’s data breach resilience.

How UpGuard Can Help

UpGuard’s IP monitoring feature monitors all IP addresses associated with your attack surface for security issues, misconfigurations, and vulnerabilities. UpGuard’s attack surface monitoring solution can also identify common misconfigurations and security issues shared across your organization and its subsidiaries, including the exposure of WordPress user names, vulnerable server versions, and a range of attack vectors facilitating first and third data breaches.

UpGuard's Risk Profile feature displays security vulnerabilities associated with end-of-life software.
UpGuard’s Risk Profile feature displays security vulnerabilities associated with end-of-life software.

To further expand its mitigation of data breach threat categories, UpGuard offersa data leak detection solution that scans ransomware blogs on the dark web for compromised credentials, and any leaked data could help hackers breach your network and sensitive resources.

UpGuard's ransomware blog detection feature.
UpGuard’s ransomware blog detection feature.

Source :

Cybersecurity and Social Responsibility: Ethical Considerations

Kyle Chin
updated Aug 21, 2023

Cybersecurity is necessary to protect data from criminals. However, the world of cybersecurity is not so simple. Therefore, a discussion of cybersecurity ethics needs to examine the morality of businesses collecting, processing, using, and storing data.

How cybersecurity professionals affect security measures is also worth exploring. Businesses and individuals should ask themselves whether the ends justify the means and to what extent they are willing to sacrifice data privacy for data protection.

This post underlines the ethical concerns and cybersecurity issues surrounding information security policies, procedures, systems, and teams and how they ought to contribute to the well-being of consumers.

What Are Ethics in Cybersecurity?

Ethics can be described as ideals and values that determine how people live and, increasingly, how businesses and their employees work.

While it is far from the technical specifications of networks and device configurations, it is an increasingly important part of business operations. It can be codified and included in an organization’s framework, determining acceptable behavior throughout the company in any scenario.

One of the main benefits of a strong ethical foundation for a business is that it will have a moral compass to help make ethical decisions in a rapidly changing business environment. The world is experiencing massive changes in information technology with advancements in artificial intelligence, machine learning algorithms, 5G, and data collection and processing.

The cyber threat landscape is also rapidly evolving, and businesses must make critical decisions about protecting themselves and their clients. With cybercrime on the rise and emerging threats driven by new technology such as AI, businesses need to elevate their cybersecurity. Doing so without sacrificing the customers or clients they set out to protect requires a strong ethical foundation and a written code of conduct.

The ACM Code of Ethics and Professional Conduct

In 1992, the Association for Computing Machinery (ACM) developed its Code of Ethics and Professional Conduct for computer systems workers. While it is not mandated, except for members of the ACM, it can be a useful starting point for Chief Information Security Officers (CISOs) and other stakeholders to think about and take a stance on ethical practices when tackling sensitive cybersecurity issues.

The Code of Ethics was revisited and revised in 2018. While the cloud stands to make more updates in the face of 5G, AI, and other advances in computing, it remains a valuable resource for anyone seeking to define ethical standards concerning computer systems and technology.

Having a clear set of ethical principles is helpful because it can clarify and speed up important decision-making in an increasingly complex, rapidly evolving cyber threat landscape.

The ACM Code of Ethics is divided into four categories:

  • General Ethical Principles
  • Professional Responsibilities
  • Professional Leadership Principles
  • Compliance with the Code

General Ethical Principles

The General Ethical Principles section makes the following assertions about the role of computing professionals. Computing professionals should:

  1. Use their skills to benefit society and people’s well-being, and note that everyone is a stakeholder in computing.
  2. Avoid negative and unjust consequences, noting that well-intended actions can result in harm that they should then mitigate.
  3. Fully disclose all pertinent computing issues and not misrepresent data while being transparent about their capabilities to perform necessary tasks.
  4. Demonstrate respect and tolerance for all people.
  5. Credit the creators of the resources they use.
  6. Respect privacy, using best cybersecurity practices, including data limitation.
  7. Honor confidentiality, including trade secrets, business strategies, and client data.

Professional Responsibilities

The Professional Responsibilities section also says that computing professionals must prioritize high-quality services, maintain competence and ethical practice, promote computing awareness, and perform their duties within authorized boundaries.

  1. Strive to achieve high quality in both the processes and products of professional work.
  2. Maintain high standards of professional competence, conduct, and ethical practice.
  3. Know and respect existing rules pertaining to professional work.
  4. Accept and provide an appropriate professional review.
  5. Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.
  6. Perform work only in areas of competence.
  7. Foster public awareness and understanding of computing, related technologies, and their consequences.
  8. Access computing and communication resources only when authorized or when compelled by the public good.
  9. Design and implement systems that are robustly and usably secure.

Professional Leadership Principles

Professional Leadership pertains to any position within an organization that has influence or managerial responsibilities over other members and has increased responsibilities to uphold certain values set by the organization.

  1. Ensure that the public good is the central concern during all professional computing work.
  2. Articulate, encourage acceptance of, and evaluate fulfillment of social responsibilities by the organization or group members.
  3. Manage personnel and resources to enhance the quality of working life.
  4. Articulate, apply, and support policies and processes that reflect the principles of the Code.
  5. Create opportunities for members of the organization or group to grow as professionals.
  6. Use care when modifying or retiring systems.
  7. Recognize and take special care of systems that become integrated into the infrastructure of society.

Compliance with the Code

Of course, compliance with the Code of Ethics is the only way to ensure cybersecurity professionals uphold certain ethical standards. Without enforcement of the Code of Ethics or similar ethical considerations, it is impossible to document and recognize adherence to ethics and social responsibility.

  1. Uphold, promote, and respect the principles of the Code.
  2. Treat violations of the Code as inconsistent with membership in the ACM.

Corporate Social Responsibility and Cybersecurity

To compete with other businesses and delivery the user experiences that consumers expect, modern businesses are obligated to collect and process increasing amounts of data. This particular genie is already out of the bottle, so the question is not really whether big data should exist but how businesses use and protect data.

Cybersecurity helps prevent and mitigate data breaches and attacks that threaten information security, so it is crucial for public safety and well-being, as well as helping to ensure the longevity of businesses. There is so much at stake that cybersecurity professionals should be willing to come under scrutiny by those in and outside the field.

Cyber ethics encapsulates common courtesy, trust, and legal considerations. Acting ethically should protect individuals, organizations, and the wider economy. So it’s vital for cyber professionals and the organizations that employ them. The following considerations will explore what makes effective cybersecurity and explain how poor cybersecurity is not only ineffective but also potentially unethical.

Information Security

Businesses have a moral obligation to protect their customers and business partners. They benefit from data that allows them to operate and can give them a competitive advantage, but they need to protect that information from hackers and accidental leaks.

Unfortunately, businesses that are hacked are often at fault. While nobody deserves to be hacked, a business’s moral obligations to consumers are such that they are expected to have adequate cybersecurity for their computer systems and respond promptly and decisively in the event of a cyber incident.

Equifax’s 2017 cyber attack is a prime example of a business that damaged its reputation due to inadequate cybersecurity and poor response to attacks. It was hacked around May 2017 but did not disclose the breach until September.

While Equifax’s president for Europe said that protecting consumer and client data was always its top priority, it failed to follow through with patching a software security vulnerability it knew about in March and failed to let affected customers know so that they could take steps to protect themselves from phishing, identity theft, and other kinds of fraud.

Equifax’s human and technological failures compromised 14.5 million sensitive data records, including addresses, birth dates, driver’s licenses, and social security numbers. It also puts the firm’s morality into question, as it processes sensitive information and purports to help customers with their financial security, but its ineffective cybersecurity procedures put those people at risk.


Ethically, businesses should be prepared to disclose the risks inherent to the business if they could substantially affect people, whether customers, business partners, or their supply chain.

Data breach reporting is a significant part of a business’s transparency. While reporting a breach highlights a business in crisis, failing to report promptly can lead to a more significant loss of trust, criticism from industry professionals, and sometimes, as in Equifax’s case, action from investigators.

Even if a business operates in an unregulated industry or a cyber attack does not cause business disruption or affect clients, reporting all data breaches is a worthwhile ethical consideration. The more businesses report cyber attacks, the more information there is for cybersecurity experts and industry professionals to share and learn from. This protects other businesses and their clients from emerging threats.

While revealing a vulnerability or data breach according to applicable regulations may not be necessary, there is a moral question as to whether this information should be shared regardless. Being transparent about discovering vulnerabilities can help all businesses protect their information systems and clients.

Cyber incidents are varied, and cybercriminals are continually researching new methods to apply and vulnerabilities to exploit. So how businesses respond to threats and potential threats needs to change on a case-by-case basis. However, they can base their decision-making on an explicit, underlying ethical framework that guides the business according to its values and corporate social responsibility.

While some businesses reject revealing data breaches “unnecessarily” for fear of losing trust or business, disclosing data breaches late can cause more damage and even harsh penalties. Handling a crisis professionally and ethically can even be good for a firm’s reputation, as in the case of Norsk Hydro’s handling of the fallout from its 2017 ransomware attack, which impressed industry professionals and cybersecurity experts.

Organizations and their cybersecurity teams can reap rewards from being proactive and enacting policies and procedures according to a defined, documented code of ethics.

Security vs. Privacy Protection

A prime ethical dilemma in cybersecurity concerns cybersecurity experts’ privileged access to sensitive information. In effect, they must understand how cybercriminals operate and be able theoretically to perform the same feats without crossing the line into the territory of black hat hackers.

Cybersecurity professionals set access privileges, monitor network activity, and can read people’s emails. They can scan machines and therefore can compromise and protect people’s personal lives.

Collecting data leads to ethical questions but so does protecting it. Ethically, everyone deserves dignity, which is tied in with privacy. But how do businesses achieve privacy when they collect customer data, and that data must be protected?

Social engineering and identity theft are among the biggest cyber risks to the public. This is partly because it can affect people beyond those whose data is stored. With stolen data, a cybercriminal can launch phishing attacks against the victim and their associates.

Keeping personally identifiable information (PII) secure, therefore, is paramount. However, that requires personnel to access and in some ways manipulate that data. Anyone working in cybersecurity is walking a tightrope of ethical issues every day. It’s helpful to acknowledge this so that grey areas can be defined and clients are reassured.


Excellent cybersecurity is not just about technical standards. Cybersecurity professionals need to demonstrate their moral standards when handling sensitive data. During daily duties, cybersecurity professionals will have access to confidential data and files. This could include sensitive data such as payroll details, private emails, and medical records.

Intellectual property theft is one of the most costly cybercrime, as stealing a business’s product designs and concepts can give opponents an unfair advantage while saving them the massive cost and time investment of product development. Nation-states may sponsor cyber espionage to achieve this advantage, risking destabilizing the affected nation’s market and economy. Intellectual property theft can be a serious risk to human life in a critical infrastructure industry, such as defense or healthcare.

It almost goes without saying that cybersecurity staff shouldn’t say anything to the public about the confidential data and intellectual property they see, nor should they store or transmit it in any way that is not aligned with the business’s goals to protect data. “Almost” because ethical debates often involve bringing things out of the shadows and into the light.

An implicit understanding may not be enough to ensure the confidentiality of sensitive data. It’s better to have documented policies and procedures regarding confidentiality and the organization’s attitude to how cybersecurity interacts with personal data.

On April 13, 2023, federal investigators arrested Jake Teixeira, an air national guardsman, concerning the unauthorized transmission of classified US intelligence documents. Teixeira’s role in the Massachusetts Air National Guard was as a Cyber Transport Systems Journeyman responsible for maintaining communication networks.

While there are some claims that he acted as a whistleblower, he shared the documents in a small private group on a social media platform, not seeming to have intended to share it with a wider audience.

Nonetheless, this massive data security breach calls into question cybersecurity professionals’ commitment to upholding the law when faced with tempting confidential information. Cybersecurity teams must be continuously committed and engaged to perform their duties honorably, within the law, and according to the expectations of their employers.

Although The Association for Computing Machinery (ACM) developed a Code of Ethics and Professional Conduct for computer systems workers, ethics in cybersecurity is not regulated. Ethics can’t be ensured by law enforcement.

Having said that, unethical behavior can lead to fines, loss of revenue, and loss of customers, so businesses and cybersecurity professionals will benefit from addressing ethics seriously.

While there’s no handy accreditation that cybersecurity staff can achieve to attest to their honesty, hiring organizations should look at a cybersecurity firm’s history and culture for evidence of its ethical stance on cybersecurity.


Cybersecurity professionals cannot have a lapse of concentration or a couple of days where they’re off their game and let things slide. Responsibility for others’ information security is a massive contractual and ethical responsibility. Almost no matter what the individual does, scrutiny will be on any assigned cybersecurity team or professional in the event of a cyber incident.

Cybersecurity professionals must maintain their competence level, respect sensitive information privacy, and uphold the well-being of those they serve. It requires honesty for these team members to evaluate their skills, abilities, and alertness and ensure that they take the appropriate action to stay on top of their game.

Ethical Hacking

Ethical hacking refers to sanctioned hacking by businesses onto their own systems to discover vulnerabilities and security gaps. Ethical hackers attempt to find vulnerabilities to exploit and break into information systems to fix those issues before cybercriminals find them.

But now imagine an ethical break-in, in which an ethical burglar break into people’s homes and then advises them on which locks they should have used and where to hide their laptops. Ethical hackers use illegal means to achieve positive results.

To protect data from hackers, particularly when they are using increasingly sophisticated methods and rapidly advancing technologies, cybersecurity professionals must use the same techniques. Cybersecurity programmers need to know how to commit crimes by black hat hackers, such as stealing credit card data. What stops them from doing this, however, is that ethical principles separate them.

Cyber professionals must be aware of computer ethics since what they do gives them access to privileged information. This is especially true for professionals working in critical infrastructure, including defense, healthcare, finance, and manufacturing, where the consequences of unethical actions regarding sensitive data could cause serious harm to individuals, organizations, and the economy.

Cybersecurity professionals and businesses that need them must understand cyber ethics and insist that a moral code is always evident in their attitude and behavior.


Before the dark web became known as a haven for hackers and cybercriminals to extort money, purchase malware, and prepare to commit multiple kinds of cybercrime, it existed in large part to protect whistleblowers.

Whistleblowing refers to someone reporting their organization’s wrongdoing, typically an employee. A whistleblower’s objection might be that the organization or someone in it is acting illegally, fraudulently, immorally, or without proper regard for safety or human rights. Furthermore, the issue should be in the public interest.

Public sector whistleblowers are protected by the First Amendment. Even so, whistleblowing might be considered a grey area when considering cyber ethics.

If a cybersecurity expert reveals confidential information to stop a harmful practice, the objective is good, but how they achieved this breaks the ethical confidentiality essential to that employee-employer relationship.

Edward Snowden famously blew the whistle on the National Security Agency’s unethical, invasive surveillance of innocent US citizens. While the former computer intelligence consultant and CIA systems administrator is a hero to many, his actions were criminal. The US Department of Justice charged him with stealing government property and violating the Espionage Act of 1917.

Jesselyn Radack, from the Government Accountability Project, argued that Snowden’s contract with the Government was less important than the social contract of a democracy.

Security vs. Functionality

While organizations have a responsibility to society to protect data, they need to balance this requirement with maintaining functionality. A technically workable cybersecurity solution is not necessarily the best if it prevents the organization from operating. This is a moral debate because organizations won’t always use the most secure cybersecurity practices or systems. Operating a modern business means navigating such trade-offs daily.

Cybersecurity experts have a responsibility to balance securing information and keeping organizations running. Some businesses need to be able to work quickly, such as in healthcare where the most robust security system could slow daily operations and risk human life. A holistic approach to information security is required based on thorough risk management.

Source :

Exploring the ePrivacy Directive

Leah Sadoian
updated Sep 15, 2023

There are a variety of cybersecurity regulations in Europe, including the ePrivacy Directive, which focuses on enhancing data protection, processing personal data, and privacy in the digital age. This Directive, recently updated with the ePrivacy regulation, continues the European Union’s ongoing efforts to create cohesive and comprehensive European data protection and cybersecurity standards across all member states.

Upgrade your organization’s cybersecurity standards with UpGuard Breachsight >

What is the ePrivacy Directive?

The Privacy and Electronic Communications Directive 2002/58/EC, or the ePrivacy Directive, is a European Union cybersecurity directive on data protection and privacy protection. The current ePrivacy Directive addresses the growing landscape of new digital technologies and electronic communications services. The Directive aims to harmonize national protection of fundamental rights within the EU, including privacy, confidentiality, and free data movement.

The ePrivacy Directive was enacted in 2002. It required each EU Member State to pass its national data protection and privacy laws, regulating essential issues like consent, spam marketing, cookies, and confidentiality.

Key Components of the ePrivacy Directive

Since the ePrivacy Directive focuses on the protection of online privacy in the electronic communications sector, the Directive’s key components include standards around how people communicate with each other electronically, aligning them with recent technological advancements.

Cookies and Consent Mechanisms

A significant component of the ePrivacy Directive is cookies, which are small data files websites use to track user behavior. Specifically, the Directive states that websites must obtain informed user consent before storing or retrieving any information on their electronic devices, giving the ePrivacy Directive the nickname “cookie law.”

Gaining this consent includes providing end-users with information about the purpose of the data storage and an opportunity to accept or opt-out. Many websites utilize a cookie banner to obtain cookie consent for website visitors. However, cookies essential for site functionality or for delivering a service requested by a user (like tracking the items in an online shopping cart) are exempt from this requirement. Note that the Directive applies to both first-party and third-party cookies.

Protection of Personal Data in Communications

Concerning data protection, the Directive states that providers of electronic communication services must ensure that their services are secure—which in turn secures any personal data that may be shared through those services. Standard electronic communication services include email and instant messaging.

These providers must also inform their users whenever a risk, such as a data breach or ransomware attack, leaves their personal data vulnerable to misuse.

Data Retention

Data retention refers to how companies retain your data, and the ePrivacy Directive includes standards for this practice.

Specifically, the Directive states that when providers of services no longer need your data, they must erase or anonymize it. There are specific situations in which data retention is allowed, such as billing services or issues of national security.

Otherwise, data may only be retained if a user consents to it, and they must also be informed why the data is being processed and the length of time it will be stored.

Unsolicited Marketing Communications

The ePrivacy Directive includes strict restrictions on the use of digital marketing communications. Unsolicited communications for direct marketing purposes are not allowed without the recipient’s consent. This includes email and text message marketing.

Typically, this is done through opt-in or opt-out systems determined by individual EU member states. However, the overall rule is that marketing communications cannot be sent without explicit consent from the user.

Location Data

The ePrivacy Directive sets instructions for using location data obtained through electronic communications. Specifically, location data must be processed with informed consent and should be anonymized when no longer needed.

This provision is very relevant for mobile service providers and location-based services. Like the marketing communications provision, an opt-in or opt-out mechanism allows users to provide explicit consent before location data is provided.

Communications Confidentiality

Companies that provide electronic communication services must implement appropriate security measures to safeguard users’ data. They must also notify users and relevant authorities in case of any security breaches involving personal data. Additionally, the Directive governs how traffic data, which includes information about communication between individuals, can be processed and stored.

Even though the primary goal of the ePrivacy Directive is to protect confidentiality, it does allow for the retention of metadata for billing, service quality, and other purposes. Member states may require data retention under specific conditions, often related to national security or criminal investigations.

Member State Laws

The ePrivacy Directive is a directive that requires every EU Member State to establish national laws to accomplish the Directive’s goals. There is some variation in the regulations across different countries due to this, unlike the GDPR, which is a regulation and applies directly throughout the EU.

How the ePrivacy Directive Affects the GDPR

The General Data Protection Regulation (GDPR) is a mandatory regulation in Europe that protects the personal data of its citizens. Since the GDPR and the ePrivacy directive both concern data privacy, they work in tandem across various components.

  • Scope: The ePrivacy Directive focuses explicitly on the electronic communications sector, and the GDPR extends data privacy laws to other industries that process personal data.
  • Consent: Both the ePrivacy Directive and the GDPR focus on user consent, but the GDPR also outlines principles of lawful processing, including contractual necessity, legitimate interests, and legal obligation.
  • Confidentiality vs. Data Protection: The ePrivacy Directive is primarily concerned with the privacy and security of electronic communications, and the GDPR includes broader concepts of data protection like data minimization, accountability, and individuals’ rights to access, rectify, and erase personal data.
  • Security Measures: The ePrivacy Directive requires providers of electronic communication services to implement security measures to protect user information. At the same time, the GDPR mandates robust security measures and includes the concept of “data protection by design and default.”
  • Data Breach Notifications: Both require notification of data breaches to users and regulatory authorities. The ePrivacy Directive only requires communication service providers to provide notification, but the GDPR extends that requirement to all data controllers and processors.

Who Must Comply with the ePrivacy Directive?

The ePrivacy Directive applies to entities providing electronic communication services in the EU, including but not limited to:

  • Telecommunication Companies: Traditional telecom providers offer fixed or mobile telephony services.
  • Internet Service Providers (ISPs): Entities providing internet connectivity services.
  • Over-the-top (OTT) Providers: Companies that offer online communication services, such as instant messaging apps and VoIP services like Skype or WhatsApp.
  • Website Owners: Any website that uses cookies or similar technologies to track user behavior must comply with the Directive.
  • Email and SMS Marketers: Businesses that send marketing messages via email or SMS must adhere to the rules set by the Directive.
  • Location-Based Services: Services that use location data also fall under the Directive’s jurisdiction.

Penalties for Noncompliance

Penalties for failing to comply with the ePrivacy Directive may differ across EU Member States, as each country is responsible for incorporating the Directive into national law. As a result, penalties can vary from monetary fines to legal actions, and the severity of the consequences will depend on the nature of the breach and the location of the incident. Below are some typical types of penalties that may be enforced:

  • Financial Fines: These can vary widely from state to state but are generally designed to be dissuasive. Some countries have a cap on fines, while others may calculate them as a percentage of the annual turnover of the offending company.
  • Legal Sanctions: In some instances, severe or repeat violations may result in legal action, including the possibility of criminal charges.
  • Reputational Damage: Beyond legal penalties, companies that violate ePrivacy laws often suffer significant reputational damage, which can result in loss of customer trust and revenue.
  • Cease and Desist Orders: Regulatory bodies may require the violating entity to stop the offending action immediately, often at the cost of temporarily or permanently turning off a service or feature.
  • Data Audits: In some cases, the regulatory bodies may require a thorough audit of data protection practices within the offending organization.
  • Notification Requirements: Failing to notify the authorities and individuals affected by a data breach, as stipulated by the Directive, can lead to additional penalties.

In 2022, Google and Meta were both found to be in violation of the ePrivacy Directive and faced steep fines for their non-compliance. France’s Commission Nationale Informatique & Libertés (CNIL) fined Google €150M and Facebook another €60M for not offering an option for users to reject non-essential cookies in line with the option to accept all tracking. This violates the ePrivacy Directive’s requirements around cookies and consent mechanisms.

The Future: Introducing the ePrivacy Regulation

Since 2002, the digital communications industry has evolved rapidly, which means the ePrivacy Directive needed drastic updating. In 2017, The European Commission proposed the ePrivacy Regulation, which aims to replace the existing ePrivacy Directive and better align it with the General Data Protection Regulation (GDPR) data protection laws.

The regulation is still under discussion amongst the EU Council because of the scope of the rules and the impact it would have on big tech companies, large telecom providers, and even areas of online advertising, media, and national security.

This new legislation is a regulation of the European Parliament and Council of the European Union. It specifies and complements the ePrivacy Directive on privacy-related topics such as the confidentiality of communications, consumer privacy controls through electronic consent and browsers, and cookies.

Key Differences

  • Legal Form and Scope: As a directive, member states must achieve specific goals but have the authority to decide how to do so, which can lead to differences in implementation across countries. The ePrivacy Regulation is a directly applicable law that becomes enforceable across the European Union, creating greater consistency.
  • Cookies and Trackers: The ePrivacy Regulation expands on the requirement for user consent before utilizing cookies and tracking technologies but simplifies the rules around this requirement. This can include allowing users to consent through browser extensions and specific exceptions for cookies that improve user experience.
  • Consent: The ePrivacy Regulation aligns the ePrivacy Directive’s requirements for user consent with the GDPR’s more stringent standards. This also simplifies consent mechanisms.
  • Electronic Marketing: The ePrivacy Regulation extends the ePrivacy Directive’s restriction on unsolicited communications for marketing purposes to cover new marketing methods and forms of electronic communication, like marketing through social media platforms.
  • Data Protection and Security: The ePrivacy Directive requires service providers to utilize security measures and report data breaches. The ePrivacy Regulation aligns those requirements with the GDPR’s broader data protection framework, which has stricter data breach notification timelines.
  • Penalties: Instead of allowing individual member states to determine penalties for noncompliance, the ePrivacy Regulation adopts a penalty framework similar to the GDPR, with fines based on a company’s global turnover, up to 4% or up to €20 million, whichever is higher. It also gives more power to Data Protection Authorities, aligning it with the GDPR.
  • International Impact: The ePrivacy Regulation’s alignment with the GDPR means data protection standards are not just primarily focused on EU member states but now affect any company that offers services or data transfers to EU residents (even if they are not located within the EU).

UpGuard Helps Your Organization Stay Compliant with Privacy Regulations

Enhance your organization’s data privacy standards with UpGuard. Whether you’re looking to stay compliant with the EU’s ePrivacy Regulation or the CCPA in the states, our all-in-one attack surface management platform, BreachSight, helps you understand the risks impacting your external security posture and know that your assets are constantly monitored and protected.

UpGuard BreachSight features include:

  • Security Ratings: Use our security ratings for a data-driven, objective, and dynamic measurement of your organization’s security posture. Our security ratings are generated by analyzing trusted commercial, open-source, and proprietary threat intelligence feeds and non-intrusive data collection methods.
  • Continuous Security Monitoring: Get real-time information about misconfigurations, understand your risk profile, and get started in minutes, not weeks, with our fully integrated solution and API. Because we use externally verifiable information, you won’t have to lift a finger to get started.
  • Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and permutations of your domains at risk of typosquatting.
  • Data Protection: UpGuard’s proprietary Data Leak Search Engine scans every corner of the Internet and identifies data that presents a risk. It monitors your Internet presence and doesn’t check every website where we can find cloud storage buckets and source code repos.
  • Workflows and Waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries. Use our real-time data to get information about risks, rely on our workflows to track progress, and know precisely when issues are fixed.
  • Security Profile: Eliminate security questionnaires and stop answering the same questions repeatedly. Create an UpGuard security profile and share it before being asked.
  • Reporting and Insights: The Reports Library makes accessing tailor-made reports for different stakeholders in one centralized location easier and faster. See all risks–across various domains, IPs, and categories–in the UpGuard platform or extract the data directly from the API.
  • Business Operation Management: Share access to your UpGuard account with other team members with confidence. Each user gets an individual account with fine-grained access control.
  • Third-Party Integrations: Integrate and extend the UpGuard platform with other tools with our easy-to-use API that can save hours of human time.

    Source :

What is ISO 31000? An Effective Risk Management Strategy

Edward Kost
updated Sep 14, 2023

ISO 31000 was specifically developed to help organizations effectively cope with unexpected events while managing risks. Besides mitigating operational risks, ISO 31000 supports increased resilience across all risk management categories, including the most complicated group to manage effectively – digital threats.

Whether you’re considering implementing ISO 31000 or you’re not very familiar with this framework, this post provides a comprehensive overview of the standard.

Learn how UpGuard simplifies Vendor Risk Management >

What is ISO 31000?

ISO 31000 is an international standard outlining a risk management structure supporting effective risk management strategies. The standard is divided into three sections:

  1. Principles
  2. Framework
  3. Process
The three components of ISO 31000 - Principles, Framework, Process


The objective of all of the principles of ISO 31000 is to simultaneously increase the value and protection aspects of a management system.

The 11 principles of ISO 31000 are as follows:

  • Risk management creates and protects value – Risk management should support objective achievement and performance improvements across various sectors, including human health and safety, cybersecurity, regulatory compliance, environmental protection, governance, and reputation.
  • Risk management is an integral part of all organizational processes – Risk management shouldn’t be separated from the main body of a management system. It should be integrated into an organization’s processes to create a risk-aware culture. Management teams should champion this cultural change.
  • Risk management is systematic, structured, and timely – Risk management should cover the complete scope of systemic risk. It shouldn’t be focused on a single business component prone to risks, like the sales cycle.
  • Risk management is tailored – A risk management program should be tailored to your objectives within the context of internal and external risk profiles.
  • Risk management is transparent and inclusive – All appropriate stakeholders and decision-makers should be involved in ensuring risk management remains relevant and updated.
  • Risk management is dynamic, iterative, and responsive to change – A risk management program shouldn’t be based on a rigid template. It should be dynamic, capable of conforming to changing internal and external threat landscapes.
  • Risk management is based on the best available information – Risk management processes shouldn’t be limited to historical data, stakeholders’ feedback, forecasts, and expert judgments. It’s essential to consider the limitation of data sources and the likely possibility of divergent opinions among experts.
  • Risk management is part of decision-making – Risk management should help leadership teams make intelligent risk mitigation decisions by understanding which risks should be prioritized to maximize impact.
  • Risk management takes human and cultural factors into account – All risk management activities should be assigned to individuals with the most relevant competencies. Appropriate tools should be available to these individuals to support their efforts as much as possible.
  • Risk management facilitates continual improvement of the organization – Strategies should be developed to ensure risk management efforts are continuously improving.
  • Risk management explicitly addresses uncertainty – Risk management should directly address uncertainty by understanding its nature and finding ways to mitigate it.


The framework component of the ISO 31000 standard outlines the structure of a risk management framework, but not in a prescriptive way. The objective is to help organizations integrate risk management into their overall management system based on their unique risk exposure context. Businesses should implement the framework through the lens of their risk management objectives, prioritizing the most relevant aspect of the proposed framework. This flexibility makes any management system capable of mapping to ISO 31000, making the standard industry agnostic.

ISO 31000 can be implemented by any industry to reduce enterprise risk, regardless of size or existing risk management process.

The driving factor for the framework aspect of ISO 31000 is the management team’s commitment to embedding a risk management culture across all organizational levels.

Leadership and commitment branching out into 5 points - integration, design, implementation, evaluation, and improvement.

The five framework pillars of ISO 31000 are as follows:

  • Integration – The risk management framework should be integrated into all business processes, a change that follows the management team’s push for a cultural shift towards greater risk awareness.
  • Design – The design of the final risk management framework must consider the organization’s unique risk exposure and risk appetite.
  • Implementation – An implementation strategy should consider potential roadblocks, resources, timeframes, key personnel, and mechanisms for tracking the framework’s efficacy following implementation.
  • Evaluation  The evaluation components broaden the focus on measuring framework efficacy. This process could involve appealing to various data sources, such as customer complaints, the number of unexpected risk-related events, etc.
  • Improvement – This is the final step of the popular management system design model, Plan Do, Check Act (PDCA). Improvements should be made based on the insights gathered in the evaluation phase. The objective of each improvement interaction is to reduce the number of surprises caused by the risk management framework.

The design of the risk framework should be based on business objectives and a risk management policy within an organization’s unique risk context (the contextualization of risks is a recurring theme in ISO 31000).

Risk management policy feeding program design which is part of a cycle consissting of - program design, implementation, monitoring, improvement.

The Framework stage sets the broad risk management context, which is then refined in the Process stage, setting the foundation for more meaningful insights gathered through risk assessments.


The process approach to ISO 31000 is represented graphically as follows:

Risk management process lifecycle.

Communication and Consultation

The first stage of this process approach is communication and consultation. The more cross-functional opinions that are heard, the more comprehensive your risk management efforts will be. This stage draws upon ISO 31000’s inclusivity and cultural factor principles.

Communications aren’t just limited to internal functions. External stakeholders should be involved in all decision-making processes. This will encourage stakeholder involvement in all stages of the risk management program’s development – which supports the primary objective of the Framework stage in ISO 31000:2018.

Scope, Context, and Criteria

Ideally, many of these mechanisms should already be established in your management system. The scope of all management activities is performed within the organization’s context, as defined in ISO 9001 Clause 4.1.

Contextual intelligence is a consideration of all internal and external issues impacting the achievement of business objectives. Contextualization can be achieved by gathering information from the following sources:

  • Risk assessment of internal and external risk factors
  • Internal audits
  • Organization policy statements
  • The use of a SWOT template (Strengths, Weaknesses, Opporitnies, Threats)
  • Strategy documents
  • Questionnaires (for internal and external process investigations)
  • Interviews (with stakeholders, senior management, cross-functional teams including finance, human resources, engineering, training, etc.).

Learn about UpGuard’s security questionnaires >

The criteria used to assess risk depends on the most appropriate initiative and objective methodology as outlined in the value creation principle of ISO 31000.

This could include

  • Strategic objectives
  • Operational objectives
  • Business objectives
  • Health and safety objectives
  • Cybersecurity objectives

Start by narrowing your focus to a single scope. Then, after the process has been proven to work, expand your scope into other regions.

Risk Assessment

After defining your scope, context, and criteria, the actual risk assessment process begins. There are three primary stages in the risk assessment lifecycle.

  • Risk Identification – Understanding the source of discovered risks and their classification (whether they originate from internal or external attack surfaces)
  • Risk Analysis – Understanding the impact of identified risks and potential risks and the efficacy of their associated security controls.
  • Risk Evaluation – A comparison of discovered risks against your risk register.
  • Deciding which risk should be addressed based on an acceptance criterion defined by your risk appetite.

Learn about UpGuard’s vendor risk assessment features >

Risk evaluation data will determine which actions need to take place. Any control adjustments or framework improvements will be relative to each unique scope, context, and criteria scenario.

Stakeholders should be involved in deciding how to best respond to risk evaluation insights.

Risk Treatment

The risk treatment stage is where you decide the best course of action. These decisions will depend on your risk appetite, which defines the threshold between the levels of risk that can be accepted and those that need to be addressed.

Different types of risk should be considered, including:

  • Strategic risks
  • Cybersecurity risks
  • Reputational risks
Security controls suppress cybersecurity inherent risks within acceptable risk appetite levels
Security controls suppress cybersecurity inherent risks within acceptable risk appetite levels

Your methodology for treating risks depends on the risk culture being developed by the management team. Some organizations have a very low-risk tolerance, while others (such as those in heavily regulatory industries like healthcare) have a very low tolerance to risk. These tolerance bands are decided during the calculation of your risk appeite. If your risk appetite has already been determined, revise it to ensure it’s clear enough to support the risk management standards of ISO 31000.

Learn how to calculate your risk appetite >

A risk matrix is helpful in the risk treatment phase as it indicates what risks should be prioritized in remediation efforts to minimize impact.

In the context of Vendor Risk Management, a risk matrix indicates which vendors pose the most significant risk to an organization’s security posture.

For a deep dive into Vendor Risk Management, read this post.

These insights, coupled with an ability to project the impact of selected 

remediation tasks, help response teams optimize their risk treatment efforts, supporting the continuous improvement objectives of ISO 3100

UpGuard’s vendor risk matrix.
Remediation impact projections on the UpGuard platform.

Another form of risk treatment is to outsource the responsibility to a third party. For example, third-party risk management, the process of managing security risks caused by third-party vendors, could be outsourced to a team of cybersecurity experts. Your organization will still be responsible for the outcome of detected risks but without the added burden of also having to manage them.

The benefit of reduced internal resources makes outsourcing third-party risk management a very economical choice for scaling businesses.

Watch this video to learn about UpGuard’s Third-Party Risk Management Service.

Monitoring and Review

Evaluating the effectiveness of your implemented risk framework will determine whether or not your ISO 31000 risk management program was a profitable investment. During each review and iteration process, be sure to keep the human and cultural factor principle front of mind – don’t forget the people impacted by each iteration. 

Your risk mitigation objectives shouldn’t be so ambitious that you must handcuff your employees. You need to strike the perfect balance between risk management, risk acceptance, and employee well-being.

Recording and Reporting

Finally, all risk management activities should be recorded. Not only will this support stakeholders with their ongoing risk-based strategic decisions, but it will also provide you with a reference for tracking your management systems maturity throughout the ISO 31000 implementation lifecycle.

Source :

A Comprehensive Guide on Cybersecurity for Business Travelers


Business travel has become an integral part of many professionals’ lives, enabling them to expand networks and explore new opportunities. However, it also exposes travelers to various cyber risks that can compromise sensitive data and business operations.

In this comprehensive guide, we will examine the world of cybersecurity for business travelers, providing valuable insights and practical tips to ensure data protection while on the go.

The Cyber Risks of Business Travel 

Traveling on business opens up both individuals and organizations to countless cyber risks, including vulnerabilities associated with public Wi-Fi connections, the risk of device theft, weak password security, compliance issues, insecure email traffic, and unsecured file-sharing platforms.

These risks can lead to unauthorized access, data breaches, and severe financial and reputational consequences if not properly addressed. Below we outline those risks in further detail so that you may avoid them:

Public Wi-Fi Connections

These networks, often found in hotels, airports, and coffee shops, are often unsecured and easily exploited by cyberhackers. Connecting to these networks puts sensitive data at risk of interception, allowing cybercriminals to steal login credentials, financial information, and other confidential data. It is essential for business travelers to exercise caution and avoid transmitting sensitive information or accessing critical accounts while connected to public Wi-Fi.

Device Theft

The loss or theft of laptops, smartphones, or tablets not only results in financial loss but also grants illicit access to valuable company information. Cybercriminals may exploit stolen devices to gain access to sensitive data, compromise corporate networks, or launch phishing attacks against colleagues and clients.

Implementing physical security measures such as using laptop locks and keeping devices within sight can help deter theft while encrypting data and enabling remote wiping capabilities can mitigate the risks associated with device loss or theft.

Password Security

Weak or reused passwords can provide easy access to unauthorized individuals. Implementing strong, unique passwords across all devices and accounts adds an extra layer of protection. Additionally, enabling two-factor authentication (2FA) enhances security by requiring an additional verification step.


It’s important to ensure that personal and business data remain compliant with relevant laws, such as the General Data Protection Regulation (GDPR). Implementing encryption protocols and secure file storage solutions helps maintain compliance and mitigate risks.

Insecure Email Traffic

Business travelers must be careful when using public or unsecured networks to send sensitive information via email. Implementing end-to-end encryption, using secure email providers, and avoiding opening suspicious attachments or clicking on unknown links are vital precautions to protect against email-based attacks.

File Sharing

File sharing can introduce serious security risks. It’s critical to utilize secure file-sharing platforms that encrypt data both in transit and at rest. It’s advisable to implement access controls and permissions to restrict file sharing to authorized individuals only. Also, regularly reviewing and updating file-sharing policies can also help prevent evolving cybersecurity threats.

Cybersecurity Tips for Business Travelers

As we mentioned above, cybercriminals are constantly targeting business travelers, seeking to exploit vulnerabilities in their devices and steal sensitive information. Therefore, it is imperative for business travelers to be well-equipped with effective cybersecurity tips and best practices to safeguard their valuable data and protect their digital assets while on the move.

Here are some simple yet effective things you can do to help keep the hackers at bay:

Lock Your Screens

This simple yet crucial step helps prevent unauthorized access to private or sensitive information. By enabling screen locks, such as passcodes, PINs, or biometric authentication (fingerprints or facial recognition), business travelers can create an additional layer of security that ensures that data remains protected even if their device falls into the wrong hands

Use Public Wi-Fi Sparingly

Public Wi-Fi networks found in hotels, airports, and coffee shops are infamous for their lack of security. When connecting to public Wi-Fi, business travelers expose their data to potential interception by hackers.

As such, it is highly advisable to use public Wi-Fi as sparingly as possible and avoid transmitting any sensitive information, such as login credentials, financial data, or confidential documents.

Instead, business travelers should consider using their mobile network or setting up a personal hotspot with a secure password, or utilizing a virtual private network (VPN) to encrypt internet traffic and protect private data from prying eyes.

Disable the Auto-Connect Feature

Most devices have a feature that automatically connects to available Wi-Fi networks. While this is extremely convenient, this feature can be a security risk. Disabling the auto-connect feature ensures that the device doesn’t automatically connect to untrusted or potentially malicious networks.

It also provides more control over network connections, allowing business travelers to evaluate the security of each network before connecting and minimizing the risk of unwittingly joining an insecure network.

Avoid Location-Sharing

Sharing locations through social media platforms or apps can compromise privacy and potentially put business travelers at risk. This is because cybercriminals can use location data to track movement, identify patterns, and exploit absence from certain locations.

By refraining from location-sharing, business travelers can maintain a higher level of privacy and reduce the chances of becoming a target for physical theft or cyber-attacks.

Use Anti-virus Protection and Run OS Updates

Installing reliable anti-virus software on devices is crucial for detecting and preventing malware infections. Anti-virus protection helps safeguard against various threats, including viruses, ransomware, and spyware.

Additionally, keeping the operating system (OS) up to date with the latest security patches and updates is essential. This is because operating system updates often include bug fixes, vulnerability patches, and security enhancements that protect against known exploits and vulnerabilities.

Update Your Passwords

Regularly updating passwords is an essential cybersecurity practice for business travelers. Strong, unique passwords provide an additional layer of protection against unauthorized access. It is recommended to use a combination of upper and lowercase letters, numbers, and special characters when creating passwords.

Travelers should avoid reusing passwords across different accounts or platforms, as this increases the risk of a single password compromise leading to multiple account breaches. Implementing a password manager can also help generate and securely store complex passwords for easy and secure access.

Disable Bluetooth

Bluetooth technology allows wireless connections between devices, but it also presents potential security risks. Cybercriminals know this and often exploit Bluetooth vulnerabilities to gain unauthorized access to business travelers’ devices or intercept sensitive data. Disabling Bluetooth when not in use mitigates these risks and reduces the likelihood of being targeted through Bluetooth-related attacks.

Turn Off NFC (Near-Field Communication) 

NFC enables contactless communication between devices. While NFC can be convenient for certain tasks, it also presents security risks, such as unauthorized access or data theft. Turning off NFC when not required helps prevent potential attacks and keeps business travelers’ devices and data secure.

Back up Information on the Cloud

Regularly backing up data on secure cloud storage services provides an additional layer of protection against data loss. In the event of device theft, damage, or loss, having all information securely stored in the cloud ensures that users can access and retrieve important files, documents, and data from any device with internet access.

Be Vigilant

Maintaining a vigilant mindset is crucial for business travelers. Staying alert for phishing attempts, suspicious links, and unfamiliar emails or messages is vital.

Hackers often exploit travel-related scenarios to trick individuals into revealing sensitive information or downloading malware.

By being cautious, double-checking before clicking on links or providing personal information, and staying informed about common phishing techniques, can significantly reduce the risk of falling victim to cyber-attacks.

By implementing the above cybersecurity tips, business travelers can enhance their digital security, reduce the risk of data breaches, and protect their sensitive information while on the go. 

Cybersecurity Tips for Businesses  

Organizations of all sizes must prioritize cybersecurity to protect their sensitive data, intellectual property, and customer information. Implementing effective cybersecurity measures is essential to safeguarding against cyber threats and minimizing the risk of data breaches. 

Here are some essential tips for businesses to enhance their cybersecurity posture:

Implement Public Wi-Fi Policies

Establish clear policies and guidelines for employees regarding the use of public Wi-Fi networks. This includes educating them about the risks associated with public Wi-Fi and providing instructions on how to connect securely or avoid using untrusted networks altogether.

Implement VPN Usage Policies

Administer the use of virtual private networks (VPNs) when accessing company resources remotely. Implement policies that require employees to connect to a business VPN to ensure encrypted and secure communication, especially when accessing sensitive data or using public networks.

Train Your Employees to Keep Their Devices Secure

Conduct regular training sessions to educate employees on best practices for device security. This includes creating strong passwords, enabling two-factor authentication (2FA), keeping software and applications updated, and avoiding suspicious websites and downloads.

Train Employees for a Response Plan

Develop and train employees on a comprehensive incident response plan. Ensure they understand the steps to take in the event of a cybersecurity incident, including who to notify, how to preserve evidence, and how to mitigate further damage.

Encourage Situational Awareness

Foster a culture of cybersecurity awareness among employees by promoting situational awareness. Encourage them to be vigilant and identify potential threats, such as phishing emails, suspicious activities, or social engineering attempts. Encourage reporting of any suspicious incidents promptly.

Protect Mobile Devices With Strong Passwords and 2FA

Emphasize the importance of strong passwords and enable two-factor authentication (2FA) on all company-owned mobile devices. This provides an additional layer of security and prevents unauthorized access to sensitive information.

Require Regular Software Updates

Make it a policy for employees to frequently update their software, applications, and operating systems. This ensures that devices have the latest security patches and protections against emerging threats.

Provide Traveling Employees With Charging Devices

Equip traveling employees with reliable charging devices to inhibit the use of public charging stations, which can be compromised to deliver malware or steal data.

Issue Travel-Only Laptops

Provide dedicated laptops specifically for business travel. These travel-only laptops should be hardened and secured with robust security measures, minimizing the risk of data exposure while on the move.

Update Devices After Traveling

After returning from travel, ensure that employees’ devices undergo thorough security checks and updates. This helps address any potential security vulnerabilities or malware that may have been acquired during travel.

Implement a Mobile Device Management Solution

Deploy a mobile device management (MDM) solution to enforce security policies, remotely manage and monitor devices, and protect sensitive data on mobile devices. MDM solutions provide centralized control and enhanced security for company-owned devices, especially for those used by traveling employees.

Unlock Advanced Security With Perimeter 81

Cybersecurity is of increasingly paramount importance for business travelers and organizations. The risks and threats faced while on the move require a proactive and comprehensive approach to protect sensitive information and mitigate potential breaches.

By implementing the cybersecurity tips outlined in this article, both business travelers and their organizations can significantly enhance their digital security posture, ensuring that sensitive information and digital assets are safeguarded, and enabling them to focus on their professional endeavors while minimizing the risks associated with their journeys.

Need a business VPN to use? We have the leading VPN and ZTNA technology suite to help you secure your business. Book a demo today!


What are some good cybersecurity practices when going on a business trip?

To ensure cybersecurity while on business trips, there are several essential practices to follow. First, it is crucial to use secure and trusted networks, avoiding public Wi-Fi whenever possible. Instead, connect to secure networks such as virtual private networks (VPNs) or mobile hotspots with strong encryption.

Additionally, enabling two-factor authentication (2FA) adds an extra layer of security by requiring an additional verification step, like a unique code sent to a mobile device, along with a password. Keeping devices and software updated is also vital, as regular updates help protect against known vulnerabilities.

Implementing strong password practices, being cautious of phishing attempts, securing physical devices, and regularly backing up important data are further measures that business travelers should adopt.

What is cybersecurity in tourism?

Cybersecurity in tourism refers to the protection of digital assets, data, and systems within the tourism industry. It involves employing measures to safeguard against cyber threats, data breaches, and unauthorized access to sensitive information.

In the tourism sector, cybersecurity is vital to ensure the integrity and confidentiality of customer data, financial transactions, and other sensitive information.

It encompasses practices such as securing online booking platforms, protecting customer payment information, educating employees about cyber threats, and maintaining robust data protection protocols to instill confidence and trust in travelers.

What type of businesses need cybersecurity?

All businesses, regardless of size or industry, need cybersecurity measures to protect their digital assets and sensitive information. While certain industries face higher risks, such as financial institutions, healthcare organizations, e-commerce companies, government agencies, and technology firms, it is crucial to recognize that cybersecurity is relevant to all businesses.

Cyber threats can impact any organization that utilizes digital technologies, stores customer data or relies on online systems for operations. Safeguarding digital assets and customer information should be a priority for businesses across industries.

Source :

How to Build Network Security for Your Business in 2023


Network security is paramount for businesses of all sizes. With the ever-evolving threat landscape and increasing cyber-attacks, it is crucial to implement robust network security measures to safeguard sensitive data, protect customer information, and ensure uninterrupted operations.

Read on to discover the concept of network security for businesses in 2023. We will also discuss various strategies, tools, and best practices to build secure network infrastructure.

What is Network Security for Businesses?

Network security for businesses refers to a set of measures and practices implemented to protect a company’s computer network from unauthorized access, data breaches, and other cyber threats.

It involves safeguarding the network infrastructure, including hardware, software, and data, by implementing layers of security controls.

Network security also aims to maintain the confidentiality, integrity, and availability of the network, ensuring that only authorized users can access resources and sensitive information while preventing malicious actors from compromising the system. 

The following points cover what you need to know about network security:

How Does Network Security Work? 

Network security operates on multiple layers and employs numerous technologies and protocols to safeguard the network infrastructure. 

For example:

  • Firewalls act as a barrier between an internal network and external networks, monitoring and controlling incoming and outgoing network traffic based on predefined security rules. They examine data packets, filter out potential threats, and prevent unauthorized access to the network. 
  • Virtual Private Networks (VPNs) establish secure, encrypted connections over public networks, such as the Internet, allowing remote users to access the company’s network resources securely. By encrypting data transmitted between the user and the network, business VPNs protect sensitive information from interception and unauthorized access. 
  • Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) tools monitor network traffic in real-time, identifying, and alerting administrators about potential security breaches, anomalies, or malicious activities. IDS identifies threats, while IPS actively blocks or mitigates attacks. 
  • Secure Web Gateways (SWGs) provide secure web browsing by filtering internet traffic, blocking malicious websites, preventing malware downloads, and enforcing acceptable use policies. They protect users from web-based threats and help maintain a secure browsing environment.
  • Zero Trust assumes that no user or device within or outside the network is inherently trustworthy. It enforces strict access controls, verifies identities, and continuously evaluates trustworthiness, even for users and devices inside the network perimeter. Zero Trust architecture reduces the attack surface and enhances overall network security. 

These are just a few examples of the mechanisms employed in network security. Businesses often implement a combination of technologies and strategies tailored to their specific needs and risk profiles.

The key is to establish multiple layers of security controls that work together to detect, prevent, and mitigate threats to the network infrastructure.

Benefits of Network Security For Businesses

Implementing robust network security measures, as outlined in the provided sources, offers several benefits to businesses as follows:

  • Protection of sensitive data: As mentioned above, network security measures, such as firewalls, VPNs, and encryption, play a vital role in safeguarding sensitive data. They help protect customer information, financial records, and proprietary data from unauthorized access, data breaches, and theft. By implementing these measures, businesses can ensure the confidentiality and integrity of their data, preserving customer trust and complying with data protection regulations.
  • Continuity of operations: Network security measures contribute to the smooth functioning of business operations. By detecting and mitigating potential risks and threats, businesses can prevent disruptions caused by malware, DDoS attacks, or unauthorized access attempts. This leads to improved productivity, reduced downtime, and minimized financial losses associated with network outages or data breaches. Network security solutions, such as SIEM systems and intrusion detection/prevention systems, enable businesses to proactively monitor and respond to security incidents, maintaining operational continuity 
  • Meeting regulatory requirements: compliance with industry-specific standards, such as HIPAA for healthcare or GDPR for data privacy, is crucial for avoiding penalties and maintaining the trust of customers and partners. Implementing robust network security measures, including vulnerability scanning and regular software updates, helps businesses adhere to these standards and protect sensitive information.

In summary, the implementation of strong network security measures, as recommended by the provided sources, ensures the protection of sensitive data, maintains operational continuity, and facilitates regulatory compliance for businesses. These benefits contribute to the overall security posture of the organization and help build trust with customers and partners.

Potential Dangers to Business Network Security

Business network security faces numerous potential dangers today. Cyber-attacks pose a significant threat, with attackers employing techniques such as phishing, malware, and ransomware to gain unauthorized access, compromise data, and disrupt operations.

Insider threats from internal employees or contractors can also jeopardize network security, ranging from accidental data breaches to intentional malicious activities. Weak passwords and authentication practices create vulnerabilities, allowing attackers to exploit credentials.

Additionally, the explosion of Bring Your Own Device (BYOD) policies and mobile devices introduces new risks, including device loss or theft. Cloud security is another concern, as misconfigurations or vulnerabilities in cloud platforms can lead to data breaches.

Understanding and addressing these potential dangers is vital for businesses to protect their assets, maintain operational continuity, and safeguard their reputation. Lastly, implementing robust cloud security measures such as encryption, access controls, and regular security assessments helps safeguard data and applications in the cloud.

By understanding and proactively addressing these potential dangers, businesses can fortify their network security defenses and mitigate risks effectively.

Some of the main threats to consider are:


Viruses are malicious software programs designed to replicate themselves and infect other files or systems. They can spread via email attachments, infected websites, or removable storage devices.

Once a virus infects a business network, it can cause major damage, including data corruption, system crashes, and unauthorized access.

Viruses often exploit software vulnerabilities or user actions, such as clicking on infected links or downloading malicious files.

To protect against viruses, businesses should deploy up-to-date antivirus software that can detect and remove known viruses. Regular software updates, employee training on safe browsing habits, and caution when opening email attachments or downloading files are essential preventive measures.


Spyware is software that secretly gathers information about a user’s activities, usually without their knowledge or consent. Spyware can monitor keystrokes, capture login credentials, track web browsing habits, and collect sensitive data.

It can be installed through malicious downloads, infected websites, and even bundled with legitimate software. Once installed, spyware operates in the background, compromising user privacy and potentially exposing sensitive business information.

Preventive measures against spyware include using reputable antivirus and anti-spyware software, regularly scanning systems for malware, and educating employees about safe online practices. Firewalls and web filters can also help block access to malicious websites known for distributing spyware.


Worms are self-replicating malware that spread through computer networks without requiring user intervention. They work by exploiting vulnerabilities in network protocols or software to gain unauthorized access and propagate rapidly.

Worms can consume network bandwidth, disrupt system performance, and deliver payloads such as additional malware or remote-control functionality. To defend against worms, businesses should regularly update operating systems and software to patch known vulnerabilities.

Network segmentation and strong access controls limit the spread of worms within the network. Intrusion detection and prevention systems (IDS/IPS) help detect and block worm-related activities, and firewalls can be configured to filter incoming and outgoing traffic to prevent worm propagation.


Adware is software that displays unwanted advertisements, often in the form of pop-ups, on a user’s device. Today, adware is commonly bundled with free software or downloaded unknowingly from malicious websites.

It can slow down system performance, consume network bandwidth, and compromise user privacy. In some cases, adware may even track user behavior and collect personal information for targeted advertising purposes.

Preventing adware requires implementing robust security measures such as using reputable antivirus software, exercising caution when downloading software from unfamiliar sources, and regularly scanning devices for malware.

Browser extensions or plugins that block or filter unwanted advertisements can also help mitigate the risks associated with adware.


Trojans (taken from the concept of Trojan horses) are deceptive programs that masquerade as legitimate software or files to fool users into executing them. Once activated, these Trojans can grant unauthorized access to attackers, enabling them to steal sensitive data, install additional malware, or control the infected system remotely.

Trojans are often spread through email attachments, malicious downloads, or compromised websites. To protect against Trojans, businesses need to implement strong email security measures, including spam filters and email authentication protocols.

Regularly updating software, using reputable antivirus software, and educating employees about safe browsing habits and email hygiene are crucial in preventing Trojan infections.


Ransomware is a type of malware that encrypts a user’s files or entire systems, rendering them inaccessible until a ransom is paid to the attacker. Ransomware attacks can have severe consequences, including financial loss, operational disruption, and reputational damage.

Attackers often exploit vulnerabilities in software or use social engineering techniques to trick users into downloading or executing the malware.

Preventing ransomware requires a multi-layered approach, including regular backups of critical data, implementing strong email security measures, keeping systems and software up to date, and educating employees about phishing techniques and safe computing practices.

Network segmentation and robust access controls help limit the spread of ransomware within the network, and security solutions such as advanced endpoint protection and behavior-based detection can aid in early detection and mitigation.

By understanding the potential dangers posed by viruses, spyware, worms, adware, Trojans, and ransomware, businesses can implement comprehensive security measures to mitigate these risks.

Regular software updates, employee training, strong access controls, and deploying reputable security solutions are essential in maintaining a secure network environment and protecting sensitive business data.

Types of Network Security Solutions

As you have already read, protecting your business network from cyber threats is of paramount importance. Various types of network security solutions have emerged to safeguard organizations’ sensitive data and critical systems. From access control to cloud network security, these solutions form the foundation of a robust network defense strategy.

Below, we explore the most commonly available network security solutions, each addressing specific vulnerabilities and providing unique protective measures.

Access Control

Access control is the foundation of network security, ensuring that only authorized individuals can access sensitive resources and information. By implementing user authentication mechanisms such as strong passwords, multi-factor authentication, and access privilege management, businesses can enforce strict control over network access and reduce the risk of unauthorized entry.

Application Security

Application security focuses on protecting software and web applications from vulnerabilities and exploitation. This involves implementing secure coding practices, regularly updating applications, and utilizing web application firewalls (WAFs) to detect and block potential threats. By securing applications, businesses can prevent breaches that exploit application weaknesses.

Anti-Virus and Anti-Malware

To combat the evolving landscape of malware and viruses, businesses should deploy robust anti-virus and anti-malware solutions. These software applications scan files, emails, and websites for malicious code and remove or quarantine any detected threats. Regular updates and real-time scanning help ensure protection against the latest malware strains.


Firewalls are the most common first line of defense for network security. They monitor and control both incoming and outgoing network traffic based on predefined security rules. They also establish a barrier between trusted internal networks and external networks, effectively blocking unauthorized access and potentially malicious connections.

Intrusion Prevention Systems (IPS)

IPS solutions detect and prevent unauthorized access attempts and network attacks in real time. By monitoring network traffic for known attack signatures or anomalous behavior, IPS systems can take immediate action to block and mitigate potential threats, enhancing network security.

Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments, creating barriers that limit unauthorized access and the lateral movement of threats. By implementing network segmentation, businesses can contain breaches, reduce the impact of successful attacks, and protect critical resources.

Mobile Security

Mobile security measures include implementing mobile device management (MDM) solutions, enforcing strong passwords, encrypting data, and deploying remote wipe capabilities to protect sensitive information if a device is lost or stolen.

VPN (Virtual Private Network)

VPN creates a secure, encrypted connection over a public network, enabling users to access the company’s network resources remotely. By utilizing a VPN, businesses can ensure that data transmitted between remote users and the network remains secure, protecting sensitive information from interception.

Web Security

Web security solutions protect businesses from web-based threats, such as malicious websites, phishing attempts, and drive-by downloads. These solutions include web filtering, content scanning, and URL categorization, effectively preventing employees from accessing dangerous websites and reducing the risk of infection.

Data Loss Prevention

Data loss prevention (DLP) solutions help businesses protect sensitive information from unauthorized access, accidental exposure, or intentional data theft. By implementing DLP measures, such as encryption, access controls, and content monitoring, organizations can identify, monitor, and prevent the unauthorized transmission or storage of sensitive data. This can help dramatically reduce the risk of data breaches and compliance violations.

Behavioral Analytics

Behavioral analytics utilizes machine learning (ML) and artificial intelligence (AI) algorithms to detect anomalous user behavior within a network. By establishing baselines of normal behavior, these solutions can identify deviations that may indicate insider threats or compromised accounts.

Behavioral analytics enhances network security by providing real-time threat detection and response capabilities.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is a security model that assumes no trust, even for users and devices within the network perimeter. It verifies each user and device, granting access only to authorized resources based on granular policies. ZTNA enhances network security by reducing the attack surface and providing secure access control, regardless of the user’s location or network connection.


Sandboxing involves isolating potentially malicious files, programs, or activities in a controlled environment to analyze their behavior without risking harm to the network. By executing files within a sandbox, businesses can detect and mitigate threats such as zero-day exploits, malware, and ransomware before they can cause damage.

Hyperscale Network Security

Hypersecale network security refers to security measures designed to protect highly scalable and distributed network architectures, such as those found in cloud environments. It involves implementing security measures that can scale dynamically to accommodate the ever-changing demands of large-scale networks, ensuring robust protection against cyber threats.

Cloud Network Security

Cloud network security involves implementing security controls and solutions specifically designed for cloud environments. It includes measures such as encryption, access controls, data loss prevention, and security monitoring to safeguard data and applications hosted in the cloud.

Email Security

Email remains a common entry point for cyber-attacks. Email security solutions include spam filters, anti-phishing measures, attachment scanning, and encryption. By implementing robust email security measures, businesses can prevent malicious emails from reaching users’ inboxes and protect against email-based threats such as phishing and malware.

In conclusion: by considering and implementing a comprehensive range of network security solutions, businesses can significantly enhance their defenses against modern cyber threats. However, it is essential to tailor these solutions to your organization’s specific needs and regularly update and test them to ensure their effectiveness in safeguarding your network, data, and sensitive assets.

With a proactive and layered approach to network security, businesses can mitigate risks and maintain a secure digital environment.

How to Build Your Network Security

Building a strong network security infrastructure is crucial in order to establish comprehensive security measures that address potential vulnerabilities and safeguard against cyber threats.  

Here are 12 best practices for how to go about it:

Monitor Traffic

  • Implement network monitoring tools to gain visibility into network traffic.
  • Analyze and identify abnormal and/or suspicious activities indicative of potential security breaches.
  • Monitor both inbound and outbound traffic to detect and respond to threats promptly.

Run Network Audits Regularly

  • Conduct regular network audits to assess the overall security posture of your network.
  • Identify and address any vulnerabilities, misconfigurations, or outdated security protocols.
  • Review access controls, firewall rules, and network segmentation to ensure they align with your security requirements.

Stay Informed on New Threats

  • Stay updated with the latest security trends, vulnerabilities, and attack techniques.
  • Subscribe to security bulletins, follow reputable security blogs, and participate in industry forums to stay informed.
  • Regularly assess your network security measures against emerging threats and adapt your defenses accordingly.

Build and Update Your Firewall and Antivirus

  • Deploy a robust firewall solution to monitor and control network traffic based on predefined security policies.
  • Regularly update firewall rules to incorporate new security requirements and address emerging threats.
  • Utilize reputable anti-virus software and keep it up to date to protect against malware, viruses, and other malicious software.

Use MFA (Multi-Factor Authentication)

  • Implement multi-factor authentication to add an extra layer of security to user login processes.
  • Require users to provide additional verification factors, such as a unique code or biometric information, along with their credentials.
  • MFA significantly reduces the risk of unauthorized access even if passwords are compromised.

Implement Single Sign-On (SSO)

  • Deploy a single sign-on solution to streamline user authentication across multiple applications and services.
  • SSO reduces the number of passwords users need to remember, simplifies access management, and enhances security by enforcing strong authentication practices.

Train Employees Regularly

  • Provide regular security awareness training to employees to educate them about common security threats and best practices.
  • Train employees on identifying phishing emails, handling sensitive information, and practicing secure browsing habits.
  • Encourage employees to report any security incidents or suspicious activities promptly.

Create Secure Passwords

  • Educate employees about the importance of strong passwords and enforce password policies.
  • Encourage the use of complex passwords with a mix of uppercase and lowercase letters, numbers, and special characters.
  • Implement password management tools to securely store and manage passwords.

Disable File Sharing Outside of File Servers

  • Restrict file sharing to designated file servers or secure collaboration platforms.
  • Disable or restrict file-sharing features on endpoints to prevent unauthorized access or accidental exposure of sensitive data.

Backup Your Data

  • Regularly back up your critical data to a secure, offsite location.
  • Implement automated backup solutions to ensure data availability in the event of a system failure, natural disaster, or cyber-attack.
  • Test data restoration processes periodically to ensure the integrity and reliability of backups.

Update Router Firmware

  • Keep your router’s firmware up to date to address security vulnerabilities and take advantage of the latest security features.
  • Enable automatic firmware updates or establish a regular schedule to ensure timely updates.

Create Data Recovery Plans

  • Develop comprehensive data recovery plans to outline procedures for restoring data and resuming operations after a security incident or system failure.
  • Test and refine these plans regularly to ensure they are effective

Make Your Business a Fortress Against Cyber Threats

Businesses today absolutely must prioritize network security. By implementing a multi-layered approach, embracing emerging technologies, educating employees, and maintaining regular security practices, organizations can build a strong fortress against cyber threats.

This ongoing commitment to network security not only protects sensitive data and ensures operational continuity but also fosters trust with customers and partners. Need a hand? Book a demo today!


How is network security used in business? 

Network security involves implementing a range of security measures, such as firewalls, intrusion detection systems, encryption, access controls, and user authentication, to safeguard networks from unauthorized access, data breaches, malware, and other cyber threats. Network security also plays a vital role in regulatory compliance and maintaining the trust of customers and partners.

How do I secure my business network?

Securing a business network involves implementing a combination of technical and organizational measures. Here are some essential steps to secure your business network:

– Use strong network security solutions, such as firewalls, antivirus software, and intrusion detection systems.
– Implement strong access controls, including strong passwords, multi-factor authentication (MFA), and role-based access controls.
– Regularly update software and firmware to patch vulnerabilities and address security flaws.
– Train employees on security best practices, such as identifying phishing emails, practicing safe browsing habits, and protecting sensitive data.
– Segment your network to isolate critical systems and limit the impact of a potential breach.
– Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
– Conduct regular network assessments and audits to identify vulnerabilities and address them promptly.
– Develop an incident response plan to effectively respond to and mitigate security incidents.
– Regularly back up critical data and test data restoration procedures to ensure data availability and quick recovery in case of a breach or system failure.
– Stay informed about the latest security threats and trends and adapt your security measures accordingly.

What are the 5 types of network security?

The five types of network security are:

1. Perimeter Security: This includes measures such as firewalls, intrusion detection systems, and virtual private networks (VPNs) to protect the network’s perimeter from unauthorized access and external threats.

2. Endpoint Security: Endpoint security focuses on securing individual devices connected to the network, such as laptops, smartphones, and IoT devices. It involves implementing antivirus software, patch management, and encryption to protect endpoints from malware and unauthorized access.

3. Network Access Control (NAC): NAC ensures that only authorized devices and users can connect to the network. It verifies the identity and security posture of devices before granting network access, enforcing security policies, and minimizing the risk of unauthorized or compromised devices accessing the network.

4. Data Security: Data security involves protecting sensitive information from unauthorized access, alteration, or theft. It includes encryption, access controls, data loss prevention (DLP), and backup and recovery strategies to safeguard critical data.

5. Security Monitoring and Incident Response: This type of security focuses on detecting and responding to security incidents. It includes security monitoring tools, intrusion detection and prevention systems (IDPS), security information and event management (SIEM), and incident response plans to identify, mitigate, and recover from security breaches.

What are the 3 elements of network security?

The three elements of network security are commonly referred to as the CIA triad, which stands for:

1. Confidentiality: Confidentiality ensures that sensitive data is protected from unauthorized access and disclosure. Encryption, access controls, and secure transmission protocols are used to maintain the confidentiality of information.

2. Integrity: Integrity ensures that data remains unaltered and trustworthy throughout its lifecycle. Data integrity measures, such as digital signatures, checksums, and access controls, prevent unauthorized modifications or tampering of data.

3. Availability: Availability ensures that network resources and services are accessible and operational when needed. Network security measures, such as redundancy, load balancing, and disaster recovery plans, are implemented to minimize downtime and ensure continuous availability.

Source :