A surge of ransomware attacks is currently impacting organizations across Kenya. These sophisticated attacks are employing what I call a dual extortion model, where they are not only encrypting critical data but also exfiltrating sensitive information before encryption, significantly amplifying the risk and potential damage. Threat actors are primarily exploiting vulnerable servers and outdated firewall systems to gain initial access to organizational networks. They leverage some of the tools that already exist in every system that has not been updated, especially when it comes to Windows (LOTL attacks). These cybercriminals are also leveraging AI tools to compromise your networks and systems. I will encourage organizations to look into the basics as usual, as I have a feeling this is just the beginning. Several organizations are already in the zone of attacks and I believe a lot more are on the way.

1. Patch Management - Just patch the systems that you do not even use, or decommission them.
2. Network Segmentation - Segregate as much as possible to reduce your attack surface area.
3. Backup Verification - If you do back up (which you should), make sure you test restorations and put them somewhere that attackers do not go for them as well. This particular ransomware is going for backups first and deleting them after downloading them on their side. Implement the 3-2-1 backup rule (3 copies, 2 different media, 1 offsite).
4. Access Control - Even though you have MFA, review and revoke unnecessary administrative privileges, but monitor for suspicious login attempts.
Detection & Response - Your EDRs can be bypassed too, so do not rely on them alone.
5. Pentest & Continuous Vulnerability Management - Doing a one-time pentest is fine, but you need to also make sure you continuously check for frequent vulnerabilities. The number of organizations in Kenya that still leave insecure systems online is alarming.
6. Threat Intelligence - Separate signal from noise so as to focus on real threats to reduce incidents and downtimes. Better yet, conduct tabletop exercises with your team. We can train you on them at www.cyberguardafrica.com

Adopt Cyber RESILIENCE and not Cyber SECURITY. cc Cyber Guard Africa AfricaHackon Startinev
Tips for Securing Networks Against Malware
Summary
Securing networks against malware involves using a mix of practical steps to block harmful software and prevent cybercriminals from accessing sensitive data. Malware refers to software designed to disrupt, damage, or gain unauthorized access to computer systems, and protecting your network means actively reducing weak spots where attackers could get in.
- Update routinely: Install patches and system updates regularly, including for devices and apps you no longer use, to close gaps that malware could exploit.
- Restrict access: Set up multi-factor authentication and limit user privileges so that only trusted individuals have access to important systems and data.
- Divide your network: Organize your network into smaller segments to contain threats and make it easier to identify and isolate suspicious activity.
-
Cyber Security - Ransomware Recovery Strategy for Azure / Cloud

Ransomware persists as a top threat for organizations, with attackers initially compromising systems through the exploitation of vulnerabilities or phishing. Subsequently, they gather sensitive data, exfiltrate it from your network, and then encrypt the data. Once an organization is impacted, the attacker demands ransom, placing organizations at the crossroads of two risks:
a. How to recover encrypted systems and data without affecting business operations.
b. How to prevent the attacker from exposing sensitive data to the public.
All organizations are susceptible to these attacks, increasing the likelihood of becoming the next victim. However, these can be prevented: strong internal processes can serve as a robust defense, preventing these attacks and facilitating a smooth recovery if ever impacted.

Understanding the chain of events leading to a successful ransomware attack is crucial:
1. The attacker must compromise one of your systems for an initial foothold, often through a missing patch or phishing.
2. With the initial foothold, the attacker searches and collects sensitive data on your systems/storage.
3. The attacker exfiltrates the collected data from your network.
4. After exfiltration, they encrypt the data on your system/storage.
Note: These stages typically take days to weeks, providing an opportunity for mitigation with effective security monitoring.

Implementing a Cloud Workload Protection Strategy:
1. Ensure robust patch and vulnerability management for your workloads to prevent the initial foothold.
2. Configure all cloud workloads with Defender for Cloud and Defender for Endpoints (EDR): these tools block malware during the initial foothold. Prevent encryption of protected folder paths defined in the Defender profile.
3. Securely configure all storage accounts: use Private Link to block public access; if public access is necessary, restrict it to trusted IPs. Configure storage accounts with Delete Protect to retain deleted data for the next 15 days.
4. Restrict internet access from production systems: configure network firewalls/content filters to permit internet access only to known trusted URLs.
5. Backup strategies:
- Ensure production VMs and storage accounts are configured with daily/weekly backups.
- Configure backups with immutable settings to safeguard them even if admin accounts are compromised.

In the worst-case scenario, if your system is compromised:
1. Restore VMs and storage accounts, as your cloud backups remain secure.
2. Data exfiltration is already prevented by content filters and storage account restrictions (points 3 & 4 above).
-
New Ransomware Tactic: Qilin Targets Chrome Credentials 🚨

The Qilin ransomware group is escalating its attacks with a dangerous new strategy: stealing credentials directly from Google Chrome. This shift in tactics marks a concerning development in the ransomware landscape, and here’s what you need to know:

➜ Key Insights:
→ Credential Harvesting:
↳ Qilin deploys a custom stealer to collect account credentials stored in Google Chrome browsers.
↳ This tactic was observed by the Sophos X-Ops team during incident response engagements, highlighting an alarming change in ransomware operations.
→ Sophisticated Attack Execution:
↳ The attack began with Qilin gaining network access using compromised VPN credentials without multi-factor authentication (MFA).
↳ After an 18-day dormancy period, the attackers moved laterally, deploying PowerShell scripts to harvest credentials and ultimately encrypt data across the compromised network.
→ Widespread Impact:
↳ The Group Policy Objects (GPOs) were applied to all machines in the domain, allowing Qilin to potentially steal credentials from every device connected to the network.
↳ This extensive credential theft can lead to follow-up attacks, widespread breaches, and long-lasting threats.
→ Measures to Protect Your Organization:
↳ Implement Multi-Factor Authentication (MFA): Add an extra layer of security to your accounts to defend against credential theft, even if initial login credentials are compromised.
↳ Regularly Update and Patch Systems: Ensure that all systems, especially browsers like Chrome, are up-to-date to close vulnerabilities that could be exploited by ransomware groups.
↳ Conduct Regular Security Audits: Assess your network security to identify potential vulnerabilities, ensuring robust defenses are in place against advanced threats.
↳ Adopt the Principle of Least Privilege: Restrict user access to only what is necessary to minimize the potential damage from a breach.
↳ Network Segmentation: Divide your network into smaller segments to limit the spread of an attack, making it easier to isolate and contain threats.

P.S. Is your organization equipped to defend against the evolving tactics of ransomware groups like Qilin? ♻️ Share this post to raise awareness and 🔔 follow Brent Gallo - CISSP for more updates on cybersecurity.

#CyberSecurity #Ransomware #ITSecurity #CredentialTheft #DataProtection #NetworkSecurity #MFA #Resilience #CyberThreats
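The post above describes a stealer, pushed by GPO and PowerShell, reading saved passwords out of Chrome on every machine in the domain. The detection below is an added example and is not from the post or from Sophos: it assumes file-access telemetry (EDR or Sysmon-style) already normalized into dicts with `host`, `image`, `target` and `time` keys, and flags any process other than the browser itself opening Chrome's `Login Data` SQLite file, then counts how many hosts were hit, since a sudden multi-host spike is what a GPO-driven rollout looks like. The events, hostnames and paths are constructed.

```python
"""Flag non-browser processes that open Chrome's saved-password store.

Added example, not code from the original post. Assumes file-access events
normalized into dicts with 'time', 'host', 'image' (process path) and
'target' (file path) keys; all sample data below is constructed.
"""
import ntpath
import re
from collections import Counter

# Chrome keeps saved logins in a SQLite file named "Login Data" inside each
# profile directory under "User Data". Case-insensitive to cope with Windows paths.
LOGIN_DATA_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(Default|Profile \d+)\\Login Data(?: For Account)?$",
    re.IGNORECASE,
)

# Only the browser should read that file; extend with a vetted backup agent if needed.
ALLOWED_IMAGES = {"chrome.exe"}

SAMPLE_EVENTS = [  # constructed telemetry
    {"time": "2024-08-01T09:00:01Z", "host": "WS01",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "2024-08-01T09:05:10Z", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "2024-08-01T09:05:12Z", "host": "WS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"},
    {"time": "2024-08-01T09:06:00Z", "host": "WS03",
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\carol\Documents\notes.txt"},
]


def is_login_data_path(path):
    """True when the path is a Chrome profile's Login Data store."""
    return LOGIN_DATA_RE.search(path) is not None


def flag_credential_store_access(events, allowed=ALLOWED_IMAGES):
    """Return events where a process outside the allow-list opened a Login Data file."""
    hits = []
    for ev in events:
        if not is_login_data_path(ev["target"]):
            continue
        image_name = ntpath.basename(ev["image"]).lower()
        if image_name not in allowed:
            hits.append(ev)
    return hits


def hosts_affected(hits):
    """Count flagged events per host; many hosts in a short window suggests GPO-driven harvesting."""
    return Counter(ev["host"] for ev in hits)


if __name__ == "__main__":
    flagged = flag_credential_store_access(SAMPLE_EVENTS)
    for ev in flagged:
        print(f"ALERT {ev['time']} {ev['host']}: "
              f"{ntpath.basename(ev['image'])} read {ev['target']}")
    print("hosts affected:", dict(hosts_affected(flagged)))
```

On the constructed sample this flags the two PowerShell reads (WS01 and WS02) and leaves Chrome's own access and the unrelated notepad event alone. In a real deployment the allow-list should stay short and be reviewed with the same care as the GPO change log, since the post's attack chain ran entirely on built-in tooling.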
-
Dear IT Auditors, Database Audit and Network Security Review

Databases are often the final target in a cyberattack. Attackers may bypass applications, exploit weak networks, or abuse misconfigurations to reach valuable data. That’s why auditing database network security is critical for protecting both data integrity and availability.

📌 Understand the Network Architecture
Begin by mapping the connections between the database and applications, users, and other systems. Databases should be located in a protected network zone, often behind firewalls and segregated from public-facing services. If the database is directly reachable from the internet, that’s a red flag.

📌 Review Firewall and Segmentation Rules
Check inbound and outbound firewall rules for database servers. Access should be limited to approved application servers and specific IP ranges. Verify that administrative ports (like 1433 for SQL or 1521 for Oracle) are restricted. Network segmentation helps contain potential breaches.

📌 Database Ports and Protocols
Ensure only necessary ports and protocols are open. Unused or legacy ports should be disabled. Protocols should use secure versions, for instance, encrypted SQL connections over TLS. Open ports are open invitations to attackers.

📌 Network Access Control Lists (ACLs)
Audit the ACLs to confirm that only authorized network entities can communicate with the database. ACLs should be reviewed regularly and tied to user and system identities. Stale or overly broad ACLs often lead to unauthorized access.

📌 Intrusion Detection and Monitoring
Verify that network traffic to and from the database is monitored. Tools like IDS/IPS or database activity monitoring (DAM) solutions should detect suspicious queries, brute-force attempts, or large data extractions. Alerts should feed into a central SIEM for continuous visibility.

📌 Remote and VPN Access
If administrators access databases remotely, confirm that VPN and MFA controls are enforced. Remote connections without secure tunneling or strong authentication can expose the environment to external threats.

📌 Patching and Hardening
Review whether database servers follow secure hardening guidelines. Confirm that network services, OS updates, and security patches are up to date. Many breaches exploit known vulnerabilities left unpatched.

📌 Audit Evidence
Collect network diagrams, firewall rule sets, access control lists, SIEM alerts, and vulnerability scan results. These provide assurance that database network security is not only designed well but also actively maintained.

Network security is the shield that protects the organization’s data core. When auditors review network controls around databases, they’re not just checking compliance; they’re verifying that attackers have no easy path to critical information.

#DatabaseSecurity #NetworkSecurity #CyberSecurityAudit #ITAudit #DataProtection #FirewallManagement #RiskManagement #GRC #InformationSecurity #InternalAudit #CyberVerge #CyberYard
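The firewall and ACL review steps in the post above (access limited to approved application servers and specific IP ranges, administrative ports such as 1433 and 1521 restricted) lend themselves to a mechanical first pass over an exported rule set. The script below is an added example, not something from the post or its author: it takes constructed allow/deny rules in a simple dict shape, and flags every allow rule that reaches a database listener port from any address, from a source network that is not on the approved list, or from an approved source with all ports open. As a generalization beyond the two ports the post names, the default MySQL and PostgreSQL ports are included in the watch list; the approved networks are assumed values for the example.

```python
"""Audit firewall rules that reach database servers for overly broad access.

Added example, not from the original post. Rule records, approved source
networks and port list are constructed/assumed; a real review would export
the rule set from the firewall into the same shape and feed it in.
"""
import ipaddress

# Listener/admin ports named in the post (1433 SQL Server, 1521 Oracle) plus,
# as a generalization, the MySQL and PostgreSQL defaults.
DB_PORTS = {1433, 1521, 3306, 5432}

# Networks allowed to talk to the database tier (constructed for the example).
APPROVED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),  # application servers
    ipaddress.ip_network("10.99.1.0/28"),  # DBA jump hosts
]

SAMPLE_RULES = [  # constructed rule export; dst_port is an int or "any"
    {"id": "R1", "action": "allow", "src": "10.20.0.0/24", "dst_port": 1433},
    {"id": "R2", "action": "allow", "src": "0.0.0.0/0", "dst_port": 1521},
    {"id": "R3", "action": "allow", "src": "10.0.0.0/8", "dst_port": 1433},
    {"id": "R4", "action": "allow", "src": "192.168.5.0/24", "dst_port": 5432},
    {"id": "R5", "action": "allow", "src": "10.99.1.0/28", "dst_port": "any"},
    {"id": "R6", "action": "deny", "src": "0.0.0.0/0", "dst_port": "any"},
]


def rule_touches_db(rule):
    """True when the rule can reach a database listener port."""
    port = rule["dst_port"]
    return port == "any" or int(port) in DB_PORTS


def audit_db_rules(rules, approved=APPROVED_SOURCES):
    """Return (rule_id, reason) findings for allow rules that expose DB ports."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or not rule_touches_db(rule):
            continue
        src = ipaddress.ip_network(rule["src"], strict=False)
        if src.prefixlen == 0:
            findings.append((rule["id"], "database port reachable from any address"))
        elif not any(src.subnet_of(net) for net in approved):
            # A broader prefix than the approved one (e.g. 10.0.0.0/8) is not a subnet of it.
            findings.append((rule["id"], f"source {src} is not an approved database client network"))
        elif rule["dst_port"] == "any":
            findings.append((rule["id"], "approved source but all ports allowed; scope to the listener port"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_db_rules(SAMPLE_RULES):
        print(f"{rule_id}: {reason}")
```

The `subnet_of` check is deliberately strict: a source such as 10.0.0.0/8 that merely contains the approved /24 is reported, because "a large internal range can reach the database" is exactly the stale, overly broad ACL the post warns about. Deny rules are skipped since they narrow rather than widen exposure.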
-
It is easy to chase flashy trends like AI deepfakes, headline breaches, or new zero days. But true security begins with basics. Discipline, not hype, protects your company. For example, every appliance exposed to the internet represents an entry point to your environment. VPN gateways and firewalls need constant patching. Skip one update and attackers gain entry. Missing even a single patch creates serious vulnerability. Core security hygiene demands getting fundamentals correct. Implement SSO and non-phishable MFA. Reduce access privileges to what’s strictly necessary. Apply intelligent segmentation within your network. Move toward a zero trust model that assumes breach and verifies every request. Strong security depends on foundational details rather than flashy distractions. The basics determine whether your data, customers, and reputation remain safe. https://lnkd.in/g5XyRez3
-
A ransomware defense checklist is essential for organizations to proactively safeguard against and mitigate the risks of ransomware attacks. Key measures include:
1. Regular Backups: Ensure frequent and secure backups of critical data. Store backups offline or in a separate network to prevent them from being encrypted during an attack.
2. Software Updates and Patching: Keep all systems, software, and devices up to date with the latest security patches to close vulnerabilities that ransomware may exploit.
3. Endpoint Protection: Implement strong endpoint security solutions, such as antivirus software, firewalls, and anti-malware tools, to detect and block ransomware before it can execute.
4. Network Segmentation: Divide the network into smaller segments to limit the spread of ransomware and prevent it from affecting the entire organization.
5. Email Filtering and User Awareness: Deploy email filtering systems to block malicious attachments and links. Conduct regular training to educate employees on phishing, suspicious emails, and safe online behavior.
6. Access Control and Least Privilege: Enforce strict access controls based on the principle of least privilege, ensuring that users and applications have only the permissions they need to reduce the impact of an attack.
7. Multi-Factor Authentication (MFA): Use MFA to secure access to critical systems and reduce the risk of unauthorized access from compromised credentials.
8. Incident Response Plan: Develop and regularly test an incident response plan specifically for ransomware attacks, ensuring that teams are prepared to contain, investigate, and recover from an attack quickly.
By implementing this checklist, businesses can significantly reduce the likelihood of a successful ransomware attack and ensure they are prepared to respond effectively if one occurs. Stay connected to Aashay Gupta, CISM, GCP for content related to Cybersecurity.
#LinkedIn #Cybersecurity #Cloudsecurity #AWS #GoogleCloud #Trends #informationprotection #Cyberthreats #CEH #ethicalhacker #hacking #cloudsecurity #productmanagement #cybersecurity #appsec #devsecops
-
Your home and office devices can be used in cyberattacks. Here’s what to do.

The US government disrupted a Chinese hacking operation that utilized compromised small office and home office network equipment, including routers, firewalls, and VPN hardware, to route their traffic. But employing the simple cyber hygiene we will discuss below can keep your home, your business and/or your company safe.

How Hackers Invaded: Hackers exploited vulnerabilities in outdated devices, especially those nearing "end-of-life" status and no longer receiving security updates. They then used known weaknesses to gain control and reroute their malicious traffic through these devices, making it harder to detect their real targets.

Why They Do It: These compromised devices act as "stepping stones," hiding the hackers' tracks and making it harder to pinpoint their true intentions. It's similar to the 2016 attack on internet provider Dyn, when hackers launched a massive internet outage affecting websites such as Amazon, PayPal, Walgreens, Visa, CNN, Fox News, Wall Street Journal, and the New York Times. At that time, hackers took control of routers, cameras, printers, and other devices by using the default password coming out of the factory.

🛡 Simple Steps to Secure Your Home and Office:
➡️ Update, Update, Update: Regularly update your router, firewall, VPN, and all connected devices with the latest security patches. Most devices offer automatic updates - enable them!
➡️ Ditch the old tech: If your router or other devices are nearing end-of-life, invest in newer, secure models.
➡️ Password Power: Set strong, unique passwords for all your devices and enable two-factor authentication wherever possible. Hackers love easy prey; make them work for it!
➡️ Firewall Fortitude: Enable your firewall and anti-virus and configure both to detect and block suspicious activity. Think of it as a security guard for your digital life.

For Companies: While the above advice works for both individuals and companies, companies should assume they will be hacked and be prepared. The preparation must include at least:
♦︎ Off-network backup
♦︎ Incident response action plan
♦︎ Disaster recovery plan

What are you doing to keep your home equipment and your company secure?

#cyberdefence #cybersecurity #levelUpYourLi
_______________
➡️ I am Talila Millman, a fractional CTO, a management advisor, a keynote speaker, and an executive coach. I help CEOs and their C-suite grow profit and scale through an optimal product portfolio and an operating system for Product Management and Engineering excellence. 📘 My book The TRIUMPH Framework: 7 Steps to Leading Organizational Transformation will be published in Spring 2024. You can preorder a signed copy on my website. Image credit: Bing AI powered by DALL-E3
-
It took me 5 years and preventing 25+ incidents to learn these 27 security engineering tips. You can learn them in the next 60 seconds:
1. Enforce MFA everywhere, especially for CI/CD, admin panels, and cloud consoles.
2. Use short-lived access tokens with automated rotation to limit blast radius.
3. Implement SAST in PR pipelines to catch vulnerabilities before merging.
4. Add DAST scans on staging environments to detect runtime vulnerabilities.
5. Use secret scanners to prevent credential leaks in repos (TruffleHog, Gitleaks).
6. Enforce least-privilege IAM roles with time-bound elevation workflows.
7. Use container image signing (Sigstore/Cosign) to verify supply chain integrity.
8. Pin dependencies and enable automated patching for third-party libraries.
9. Enforce network segmentation; don't let every service talk to everything.
10. Use Infrastructure-as-Code scanners (Checkov, tfsec) before provisioning infra.
11. Enable audit logging across cloud accounts and stream to a central SIEM.
12. Harden Kubernetes by disabling privileged pods and enforcing PodSecurity.
13. Use eBPF-based runtime monitoring to detect suspicious container behavior.
14. Add WAF in front of public APIs to block OWASP Top 10 patterns.
15. Use API gateways with strict schema validation to prevent injection attacks.
16. Enforce HTTPS everywhere with HSTS and TLS 1.2+.
17. Run vulnerability scans on container registries before deployment.
18. Add anomaly detection on login patterns to catch credential-stuffing early.
19. Use blue-green or canary deployment to contain bad releases safely.
20. Implement rate limiting + IP throttling on all public endpoints.
21. Encrypt data at rest with KMS and enforce key rotation policies.
22. Use service-to-service authentication with mTLS inside clusters.
23. Build threat models for every new large architectural change.
24. Set up incident playbooks and run quarterly tabletop exercises.
25. Use message queues for asynchronous tasks to prevent API overload.
26. Enforce zero-trust: verify identity, device, and context on every request.
27. Monitor everything, logs, metrics, traces, and alert on deviation, not noise.

P.S: Follow saed for more & subscribe to the newsletter: https://lnkd.in/eD7hgbnk
I am now on Instagram: instagram.com/saedctl say hello
-
Ever heard of the NIST Cybersecurity Framework? It’s basically six fancy words that tell you how to stop your company from becoming the next headline. Let’s break it down like you’re explaining it to your manager who still thinks “the cloud” is affected by the weather:

[ GOVERN ]
Set policies, roles, and responsibilities. Basically: write things down, assign blame in advance, and act shocked when nobody follows the process. If your governance plan is a dusty PDF named “security_policy_final_FINAL_v3_revised2,” it’s time to panic.

[ IDENTIFY ]
Know what you have. Assets, data, users, systems, that mystery NAS labeled “DO NOT TOUCH.” Because if you don’t know what you own, how will you know what got hacked? And if you don’t know what you’re protecting, you’re not doing cybersecurity…you’re doing cyber-guessing. (Yes, that dusty server in the janitor’s closet counts.)

[ PROTECT ]
Implement controls. Put some guards up. Not actual guards; things like MFA, encryption, and people who know what a firewall is, not just a “Do not click suspicious links” banner in Comic Sans. Taping the admin password under the keyboard is not protection. And if your idea of protection is “we have antivirus,” I have bad news and worse news.

[ DETECT ]
Catch the bad stuff. See something, say something. Or better yet, get a system that notices when your coffee machine starts scanning the network. Preferably before it emails your entire customer database to someone named “Vladimir_007.” If your team’s detection strategy is “check logs when something breaks,” congrats … you’ve already been breached. And no, your SIEM can’t detect threats if no one checks it.

[ RESPOND ]
Don’t scream. Have a plan. Preferably something better than “call that one guy who fixed it last time.” And don’t Google “what to do in a ransomware attack” at 2am. Also: stop forming a “crisis committee” during the actual crisis.

[ RECOVER ]
Restore things. Fix the mess. From backups. Not from that dusty USB you found in a drawer labeled “important maybe.” Lie to yourself and say, “This won’t happen again.” Bonus points if your backups actually work and aren’t stored on the same drive that got encrypted. Also, please test recovery before the incident, not during your public apology livestream.

In short: Know what you have, protect it, watch it, fix it fast, and get back to work. Because “hope” is not a strategy and “we’ll deal with it when it happens” is not a plan. And no, making an Excel sheet called “Threats” does not mean you’re managing risk.

Bonus: Zero Trust doesn’t mean we don’t trust you; it means we actively don’t trust you, your device, your network, your cat, or the coffee machine.

#Cybersecurity #NISTFramework #Infosec #Ransomware #SOC #Incidents #SecurityAwareness #IncidentResponse
-
Federal authorities are warning users of Gmail, Outlook, and other popular email services about dangerous ransomware linked to a group of developers who have breached hundreds of victims' data, including people in the medical, education, legal, insurance, tech, and manufacturing fields. The ransomware variant, called "Medusa," was first identified in June 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and FBI announced on March 12.

To mitigate Medusa ransomware, the FBI and CISA are recommending that people:
- Develop a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. For example, hard drives, storage devices and the cloud.
- Require all accounts to have password logins. Employees of companies should use long passwords, which should be frequently changed.
- Require multifactor authentication for all services, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Make sure all operating systems, software, and firmware are up to date.
- Segment networks to prevent the spread of ransomware.
- Identify, detect, and investigate odd activity and potential passage of the indicated ransomware with a network monitoring tool.
- Require VPNs or Jump Hosts for remote access.
- Monitor for unauthorized scanning and access attempts.
- Filter network traffic by stopping unknown or untrusted origins from accessing remote services on internal systems.
- Disable unused ports.
- Keep offline backups of data and regularly maintain backup and restoration.
- Make sure all backup data is encrypted and inflexible.