The Golden Age of Automated Penetration Testing is Here

Mar 29, 2024 | The Hacker News | Pen Testing / Regulatory Compliance

Network penetration testing plays a vital role in detecting vulnerabilities that can be exploited. The current method of performing pen testing is pricey, leading many companies to undertake it only when necessary, usually once a year for their compliance requirements. This manual approach often misses opportunities to find and fix security issues early on, leaving businesses vulnerable to expensive cyberattacks and potential breaches. However, new technologies using automation and AI have revolutionized the process, making regular network pentesting easy and affordable. We’re now in the golden era of pentesting, where every company can assess the security of their networks without breaking the bank.

Automating pen testing is a game-changer

Automation in cybersecurity is becoming a big deal and it’s only going to get bigger. Nowadays, we need automation to help deal with the fact that there just aren’t enough cybersecurity pros to go around. Businesses can’t keep up with all their security needs just using people, even if they get some help from outside services or contractors. According to the United States National Institute of Standards and Technology (NIST), by 2025, a lack of available cybersecurity workers combined with simple negligence will cause more than half of major cybersecurity problems.

Getting into security automation and AI is a game-changer for companies wanting to beef up their cyber defenses without having to hire a bunch of extra people. Especially when money is tight, automating security is a smart move because it’s cheaper, faster, and just as good as the old-school way of doing things manually. Automated pentesting delivers unparalleled security benefits at a fraction of the price of manual pen testing. Companies can now opt for regular, on-point and wallet-friendly automated pen tests, empowering them to find weak spots and mitigate risk proactively.

8 Benefits of Automated Network Pentesting

Network penetration testing is important for keeping a company’s network security resilient and ready for anything hackers might throw at it. Here’s a quick rundown of eight benefits that an organization gets from assessing their networks regularly with pentesting.

  1. Finding and Fixing Weak Spots: Regular pen tests help IT professionals spot problems in your networks and devices before the bad guys do. This means you can patch things up or work around them, making it harder for hackers to sneak in or steal data.
  2. Catching What Other Tools Miss: Pen tests mimic real hacker attacks, finding security holes that vulnerability scans might overlook. This includes checking all of the factors that could lead to an intrusion like making sure your user permissions are tight and your security policies work in real life.
  3. Spotting Where Operations Can Improve: It’s not just about the tech. Pen testing can also show IT professionals where a company’s security processes, staff awareness, or response times might be lacking. Fixing these areas makes an organization’s overall security stronger and more resilient.
  4. Avoiding Downtime and Money Loss: Catching vulnerabilities early helps organizations avoid damaging cyberattacks and dodge breaches that could cost a company a fortune in money and time offline. Think about avoiding legal headaches, fines, and the costs of cleaning up a mess, not to mention keeping your good reputation and customer trust. According to a 2023 survey by Kaseya, more than half of the IT professionals polled said that their company lost over $50,000 to cybersecurity incidents.
  5. Staying on the Right Side of Regulators: Data protection regulations have proliferated on the regional and national levels. Plus, insurers can require regular security check-ups to issue and maintain cyber insurance policies. Those rules often include pen tests.
  6. Getting Inside a Hacker’s Mind: Pen tests give you the lowdown on how attackers think and what tricks they use, giving IT professionals the edge they need to beef up their company’s defenses and get everyone on the team in a security-first mindset.
  7. Putting Your Incident Plan to the Test: You can use pen tests to see if your plan for dealing with attacks works when push comes to shove. It’s all about being ready to spot, handle, and bounce back from security problems. Having a tested incident response plan can save 35% of the cost of an incident.
  8. Making Your Customers Feel Secure: Showing that you’re serious about security by doing regular pen tests can make your customers trust you more. People like knowing their data is in safe hands.

Don’t fall for the trap of only pentesting for compliance

Just doing network pen testing once per year to check a box isn’t enough these days. Cyber threats move and evolve lightning-fast today. A reactive approach leaves a lot of holes in a company’s defense that bad actors could slip through. Waiting too long between pen tests means a company might not catch easily fixed issues until after hackers have already taken advantage, which can lead to an expensive cybersecurity nightmare.

Just doing the bare minimum to meet compliance standards isn’t enough to stand up to the new, sophisticated cyberattacks that cybercriminals are launching at a record pace. The advent of widely available AI hasn’t just revolutionized cybersecurity. It has also revolutionized cybercrime. Companies need to be ready for the deluge of novel cyber threats that are headed their way. Pen testing helps IT professionals find the cracks that bad actors could slip through before there’s trouble.

Why should I pen test regularly?

Now is the perfect time for companies to get serious about regular network pen testing, thanks to automation. Here’s why every company should start using automated network pentesting immediately:

  • It saves money – Automated network pen testing is much cheaper than the old-school manual way. A company used to need to hire expensive skilled people or outsource the task, a scenario that was both slow and pricey. Not anymore. With automation, IT professionals can run pen tests frequently and, most importantly, on a dime.
  • You can scan more often – The digital world changes fast, with new weak spots popping up all the time. Automation lets you run pen tests a lot more often, keeping a constant watch for trouble. Automated tools like vPenTest from Vonahi Security can assess your systems and networks much more quickly than a person can, with no burden on the IT team.
  • Better quality and consistency – Automated pen testing hits the mark every time, running the same checks consistently without human mistakes. These tools are super accurate, spotting problems precisely and giving IT pros the lowdown on how to fix them. This not only bumps up the quality of a company’s security checks but also helps the IT team keep track of how things are improving over time.

Automate network pentesting with vPenTest

For any company wanting to up their cybersecurity game, using automated solutions like vPenTest from Vonahi Security is a no-brainer. vPenTest is a comprehensive, on-demand network penetration testing solution designed for IT teams. With the power of automation and the latest methodologies, vPenTest enhances your security posture by making pen testing faster, more accurate, and cost-effective. vPenTest helps get you more bang for your buck. With vPenTest, your network assessments cover more ground, enabling you to uncover and remediate your exploitable vulnerabilities before they become a real problem. Say goodbye to manual processes and hello to the golden age of automation with vPenTest. Learn more about vPenTest today!

About Vonahi Security

Vonahi Security, a Kaseya Company, is a pioneer in building the future of offensive cybersecurity consulting services through automation. vPenTest from Vonahi is a SaaS platform that fully replicates manual internal and external network penetration testing, making it easy and affordable for organizations to continuously evaluate cybersecurity risks in real-time. vPenTest is used by managed service providers, managed security service providers, and internal IT teams. Vonahi Security is headquartered in Atlanta, GA.

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024

In today’s digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the SaaS supply chain snowball quickly. That’s why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity.

Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorten, and iterative assessments over time must increase.

How Nudge Security can help

To address the need for a new, more flexible model, Nudge Security has created security profiles for over 97,000 SaaS apps, giving customers (and trial users) access to robust, actionable security context and AI-powered risk insights. Each security profile includes an app description, key vendor details, security certifications, breach histories, data locality, security program links, supported authentication methods, and SaaS supply chain details. Using the information in these profiles, you can:

  • Accelerate vendor security reviews with “one stop shopping” for key details
  • Share a list of approved applications with employees
  • Speed up vendor evaluations for new technology purchases
  • Get alerted when your SaaS providers or those in your digital supply chain experience breaches

Let’s take a look at how Nudge Security helps you with each step of vendor risk management.

1. View security profiles for all SaaS apps used by anyone in your organization

Nudge Security discovers all SaaS accounts ever created by anyone in your organization within minutes of starting a free trial, and requires only a single point of integration: read-only API access to your Microsoft 365 or Google Workspace email provider. No endpoint agents, network proxies, browser plugins, app integrations, or other complicated deployment steps required. Learn more about how it works here.

For each of the apps used in your organization, Nudge Security provides a vendor security profile that includes many of the details required to conduct a vendor security review. Details include the app category and description, corporate headquarters, legal terms, data hosting details, and more. You can also view information about the vendor’s security program, breach history, compliance certifications, and links related to the vendor’s public support for security engagement.

2. Provide employees with a directory of approved applications

After you’ve reviewed an app, you can assign a status like “Approved”, “Acceptable”, or “Unacceptable” to indicate if usage should be permitted. For any apps that are deemed “Unacceptable”, automated nudges can be triggered in response to new accounts to redirect the user towards a similar, approved app or ask for context on why they need to use that particular app.

Additionally, Nudge Security makes it easy to create and share an app directory with employees, so everyone in the org can view a comprehensive list of approved applications that meet appropriate security and compliance standards. Employees can peruse the list by category and submit access requests that are routed directly to each application’s technical owner, whether or not that person sits within central IT. This removes the need for IT to be the “event forwarder” between users and app owners, while still retaining visibility and centralized governance.

3. Speed up vendor evaluations for new technology purchases

For apps your organization isn’t already using, Nudge Security still gives you access to vendor security profiles to help you evaluate apps more quickly. You can search for any app and your search results will indicate if it’s currently used in your organization or not.

From there, you can access the same vendor security profile details described above and update the app status to indicate if it is “Approved”, “Acceptable”, or “Unacceptable”. Any apps deemed “Approved” can be automatically added to your app directory, and you can choose whether to also include apps with an “Acceptable” status in your app directory.

4. Dig into the SaaS supply chain for each application.

Nudge Security provides critical capabilities to help you manage SaaS security, including SaaS supply chain visibility. This information is available within each SaaS security profile—and you can even click through each supply chain app to see its associated security profile.

Understanding an app’s SaaS supply chain can help you assess and manage data security risks and ensure compliance with regulatory standards.

5. Get alerted to breaches affecting your SaaS providers

When an app in use at your organization experiences a data breach, it can put your own organization’s security at risk. Nudge Security alerts you when apps your employees are using experience a data breach—or the apps in their supply chains.

Within each security profile, you can see an overview of the app’s breach history or a green thumbs up if there are no known breaches.

When an app you use, or one in your digital supply chain, is impacted by a breach, you will receive a notification so you can take appropriate action to assess and mitigate any potential impact.

Accelerate vendor risk assessments with Nudge Security

With Nudge Security’s patented method of SaaS discovery, an unrivaled database of vendor security profiles, and automated workflows, you can effectively manage third-party risk while strengthening your organization’s SaaS security posture.

Data Leakage Prevention in the Age of Cloud Computing: A New Approach

Mar 11, 2024 | The Hacker News | Cybersecurity / Browser Security

As the shift of IT infrastructure to cloud-based solutions celebrates its 10-year anniversary, it becomes clear that traditional on-premises approaches to data security are becoming obsolete. Rather than protecting the endpoint, DLP solutions need to refocus their efforts to where corporate data resides – in the browser.

A new guide by LayerX titled “On-Prem is Dead. Have You Adjusted Your Web DLP Plan?” (download here) dives into this transition, detailing its root cause, possible solution paths forward and actionable implementation examples. After reading the guide, security and IT professionals will be equipped with the relevant information they need to update and upgrade their DLP solutions.

Guide highlights include:

Why DLP

The guide commences with an explanation of the role of the DLP. DLPs protect data from unwanted exposure by classification, determining its sensitivity level, and enforcing protective action. This is supposed to allow organizations to detect and prevent data breaches and other malicious activities and meet compliance regulations.

What Has Changed for DLP and Corporate Data

However, DLPs were designed with on-prem environments in mind. In these scenarios, data that leaves the environment is usually attached to an email or a hardware device. Therefore, DLPs were traditionally placed on the gateway between the corporate network and the public Internet. The rise of SaaS apps and website use requires an approach that addresses corporate data in its new location: online.

3 Data Protection Paths Forward

To address this gap, there are three ways security and IT teams can operate.

1. No Change – Using DLP solutions as they are while limiting data uploads to insecure online locations. As explained, this solution is partially effective.

2. CASB DLP – Inspecting files within SaaS apps and enforcing policies between apps and between devices and apps. This solution is effective for some sanctioned apps, but not for all or for unsanctioned ones.

3. Browser DLP – Monitoring data activity at the transaction point. This solution enforces policies across all vectors – devices, apps and the browser.

Since the browser is the interface between the device and websites and SaaS apps, it is the optimal location for placing the DLP. An enterprise browser extension can operate as a browser DLP, thanks to its ability to deeply monitor user activities and the web page execution. It can also enforce actions like alerting and blocking dangerous user actions.

Example Browser DLP Policies

Here are some examples of DLP policies that are designed to address where data resides in cloud environments:

  • Alerting about confidential files being attached to email web apps.
  • Blocking confidential file uploads to personal Google Drives.
  • Blocking confidential file downloads to unmanaged devices.

This guide is an essential read for any organization dealing with data that is online. You can read it here.

A New Age of Hacktivism

Feb 22, 2024

In the past 2 years, we have observed a significant surge in hacktivism activity due to ongoing wars and geopolitical conflicts in various regions. Since the war against Ukraine began, we have witnessed a notable mobilization of non-state and state-backed actors alike, forming new groups or joining existing hacker collectives.

We understand hacktivism as a form of computer hacking that is done to further the goals of political or social activism [1]. While activism describes a normal, non-disruptive use of the Internet in order to support a specific cause (online petitions, fundraising, coordinating activities), hacktivism includes operations that use hacking techniques with the intent to disrupt but not to cause serious harm (e.g., data theft, website defacements, redirects, Denial-of-Service attacks). Cyber operations that involve a willingness or intent to cause harm to physical property, severe economic damage or loss of life would be referred to as cyberterrorism [2, 3]. The lines between conducting cyber operations under the term of hacktivism and engaging in hostilities and causing severe damage and harm are becoming more and more blurry. With ongoing wars and conflicts, cyberspace has become messier than ever. We see a new leveling of the physical and cyber battlefields, resulting in a very thin line between physical (war) and cyber (hacktivism) [4]. As Dr Vasileios Karagiannopoulos and Professor Athina Karatzogianni put it:

“Contemporary events show us that hacktivism has become mainstream and is now an inevitable dimension of political conflicts, even those that end up in kinetic clashes between states, testing the virtual limits of symbolic, sensationalist hacks, vigilantism, cyber espionage, and even cyber warfare.” [5]

We began tracking some of the most active hacktivist groups in 2023. One factor that has increased transparency of ongoing hacktivism activity is visibility. We are now able to follow and subscribe to hacktivists’ communication channels.

Telegram is a widely used messaging service misused by hacktivists [6]. While Telegram has attempted to counter malicious activities on its platform, it faces a challenge that many digital service providers face: the ability of abusers to return with a new user name, new channel name, or new account and continue as usual. Last September, Telegram banned the main channel of a hacktivist group called Anonymous Sudan, most likely based on their use of bots, not because of their engagement in various forms of cyber aggression. The group replied to this action with the following:

[Image: the group's reply on Telegram]

Another channel was created, and their activities continued. And so did many other operations under the disguise of hacktivism.

Hacktivists target private and Government organizations alike, and we have seen that hacktivist groups can take down even the biggest national or international websites. Some hacktivist groups have developed strong DDoS capabilities, while others are rather noisy about their capabilities and impact, applying a language and narrative that is disproportional to their actual action (and impact).

In both cases, the result is Fear, Uncertainty, and Doubt (FUD) – the escalation of anxiety, distrust, and disharmony – in an already tense and complex geopolitical context. Such FUD is emblematic of a continuous evolution towards ‘cognitive’ attacks, which seek to shape perception through technical activity. The impact has less to do with the disruptive effect of the attack or the value of the data or systems that may be affected (e.g., stolen, leaked, or destroyed) but with the impact that the attacks have on societal perception, discourse, and policy.

Hacktivist activity in 2023

During the first three quarters of 2023, most of the hacktivism activity we observed (n=4016) originated from the war against Ukraine, and Europe was the geographical region most impacted. Proclaimed attacks against “the West” were a common narrative among pro-Russian hacktivist groups. We therefore focused on monitoring some of the very active pro-Russian hacktivist groups.

Countries that were impacted the most by pro-Russian hacktivist attacks were Ukraine, Poland and Sweden. The highest level of hacktivism activity we have seen was in February 2023. This corresponds with the emergence of the hacktivist group Anonymous Sudan at the end of January 2023, which heavily targeted countries in the Nordics but later moved on to other regions in the world.

The focus on Ukraine is simply understood as the use of hacktivism as a tool in the war with Russia. The second most impacted country was Poland, which could be explained by Poland’s geographical closeness to the war. Sweden has been the third most impacted country since the beginning of 2022. However, Sweden only emerged in our data between January and March 2023, when the hacktivist group Anonymous Sudan heavily attacked Sweden and Denmark.

How politically consistent are these groups?

Two pro-Russian hacktivist groups that impacted the private and public sectors alike in 2023 were NoName057(16) and Anonymous Sudan. Anonymous Sudan is a very inconsistent threat actor. Our observations show that they have attacked victims all around the world, shifting their purported motivations and reasonings frequently. Despite the apparent identity crisis, the group has proven to be capable, not only technically, but also at making noise and seeking attention. But while they have made a name for themselves with their volume of activity in 2023, their claims often exceed the real impact of their attacks [7]. In the end, they are dependent on media attention and thrive on the attention of the wider public. The other hacktivist group we have been observing during 2023 is NoName057(16). NoName057(16) might be more politically consistent than Anonymous Sudan has proven to be.

Security Navigator 2024 is Here

The newly released Security Navigator 2024 offers critical insights into current digital threats, documenting 129,395 incidents and 25,076 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

What’s Inside?

  • 📈 In-Depth Analysis: Explore trends, attack patterns, and predictions. Learn from case studies in CyberSOC and Pentesting.
  • 🔮 Future-Ready: Equip yourself with our security predictions and research summary.
  • 👁 Real-Time Data: From Dark Net surveillance to industry-specific statistics.

Stay one step ahead in cybersecurity. Your essential guide awaits!

NoName057(16) has been active since the war against Ukraine began and has been targeting countries that are members of the North Atlantic Treaty Organization (NATO) and countries that are considered to oppose Russian interests. By monitoring the publicly available Telegram messages on the English-speaking channel of NoName057(16) Eng, we deduce that the group specifically and directly impacts countries that are providing aid to Ukraine in the ongoing war.

Political hacktivism as a ‘proportionate’ response

Using an external dataset that has collected official announcements of countries committing to support Ukraine, we can correlate NoName057(16)’s attacks against the specific countries providing the promised support.

For this purpose, we use the Ukraine support tracker database that has been created and is regularly updated by the Kiel Institute for the World Economy [8]. The institute began tracking government-to-government (bilateral) commitments to Ukraine on January 24, 2022, by at least 40 different governments and continues to do so at the time of writing.

The Ukraine support tracker shows that the United States has provided the most aid to Ukraine. In fact, they have committed (though not yet completely delivered) more support to Ukraine than all EU countries combined.

[Figure: aid committed to Ukraine by country, from the Ukraine support tracker]

Notably, besides the documented aid provided by the respective countries listed, a paper published [9] alongside the Ukraine aid tracker database points out that the overall support given to Ukraine could be bigger when compared to support given in other wars in history.

As the paper states:

“The results show that governments in Europe did announce very large emergency funds in response to the war and energy price spike, but the bulk of the announced support was pledged to support their own households and firms rather than to support Ukraine. In total, the domestic energy support package commitments announced by EU countries amount to €570 billion, compared to €55 billion in total EU commitments to Ukraine.”

This is particularly interesting considering the perception, created by news outlets, of a high level of aid provided. The activities of NoName057(16) appear to track media trends and can seem disproportionate when this aid is put into a historical context.

So how does NoName057(16)’s victimology look in comparison to the level of support provided by governments as tracked by the Ukraine aid tracker project?

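[Figure: NoName057(16) victim countries compared with the level of support recorded by the Ukraine support tracker]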

As can be seen above, victimology is very diverse in terms of which country is impacted. In total, since they became active, NoName057(16) has impacted 38 different countries. The top 5 countries impacted in 2023 (Q1 – Q3) were Poland, Lithuania, Czech Republic, Italy and Spain. Ukraine is only at position #6 in NoName057(16)’s list of victims, which is interesting given the fact that Ukraine is the target country in the physical war.

Let’s explore whether we can find a reasonable explanation for NoName057(16)’s choice of victim countries in the Ukraine support tracker database. For this, we conducted an experiment that looks at the countries that are noted by the Ukraine support tracker. We rank those countries by how much support (in terms of billions of USD) countries have promised to aid Ukraine (as visualized earlier). We then overlay this with the NoName057(16) country victim list, adding a ranking to reflect who has been attacked the most. Using the ranking of countries in each list, we calculate the distance between the two rankings.

In our experiment, a distance of “0” could be considered to signal a politically “proportionate” response by NoName057(16), indicating that the country’s ranking as a victim corresponds with its ranking in terms of the level of support offered. We increase the radius to consider countries with distances between -4 and 4 as the “proportionate” victims.

A negative distance tells us that those countries have made promises to support Ukraine but have not experienced correspondingly high numbers of attacks by NoName057(16). These countries are thus underrepresented in the NoName057(16) victim data. A positive distance suggests the opposite: These countries have been attacked many times by NoName057(16), but have not committed equivalently significant support to Ukraine. These countries are thus overrepresented in the NoName057(16) victim data.

If we look at examples of this logic at both extremes, we can identify the countries that appear “under-attacked”, those that appear “over-attacked” with respect to the level of support they have promised Ukraine, and those where the level of attack could be viewed as politically “proportionate” from the hacktivist perspective.

[Figure: countries that appear under-attacked, over-attacked and “proportionate”]
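The ranking experiment described above, as an added Python example that is not the authors' own code: it ranks countries by pledged aid and by claimed attacks, takes the distance as aid rank minus victim rank, and treats -4 to 4 as “proportionate”. The country names and all figures are constructed, and two choices are assumptions the article does not state: tied values share a rank, and a country missing from one list counts as zero there.

```python
from typing import Dict, List, NamedTuple

# The article treats distances from -4 to 4 as "proportionate".
PROPORTIONATE_RADIUS = 4

# Constructed sample data for illustration only. These are NOT values from the
# Ukraine support tracker or from any NoName057(16) victim list.
SAMPLE_AID_BN_USD: Dict[str, float] = {
    "Country A": 70.0, "Country B": 20.0, "Country C": 15.0, "Country D": 10.0,
    "Country E": 8.0, "Country F": 5.0, "Country G": 3.0, "Country H": 2.0,
    "Country I": 1.0, "Country J": 0.5, "Country K": 0.0,
    # "Country L" pledged nothing and is absent from this list.
}
SAMPLE_ATTACK_COUNTS: Dict[str, int] = {
    "Country A": 5, "Country B": 60, "Country C": 50, "Country E": 40,
    "Country F": 1, "Country G": 10, "Country H": 90, "Country I": 80,
    "Country J": 70, "Country L": 30,
    # "Country D" and "Country K" were never attacked and are absent.
}


class Row(NamedTuple):
    country: str
    aid_rank: int
    victim_rank: int
    distance: int      # aid_rank - victim_rank
    label: str         # under-attacked / proportionate / over-attacked
    involved: bool     # pledged any aid
    attacked: bool     # appears in the victim data


def competition_ranks(scores: Dict[str, float]) -> Dict[str, int]:
    """Rank 1 = highest score. Ties share the best rank (1, 2, 2, 4).

    Tie handling is an assumption; the article does not specify it.
    """
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    ranks: Dict[str, int] = {}
    prev_score, prev_rank = None, 0
    for position, (country, score) in enumerate(ordered, start=1):
        if score != prev_score:
            prev_score, prev_rank = score, position
        ranks[country] = prev_rank
    return ranks


def rank_distances(aid: Dict[str, float], attacks: Dict[str, int],
                   radius: int = PROPORTIONATE_RADIUS) -> List[Row]:
    """Compare the aid ranking with the victim ranking for every country."""
    countries = sorted(set(aid) | set(attacks))
    # Assumption: a country missing from a list scores zero in that list,
    # so all such countries tie at the bottom of that ranking.
    aid_full = {c: float(aid.get(c, 0.0)) for c in countries}
    atk_full = {c: float(attacks.get(c, 0)) for c in countries}
    aid_rank = competition_ranks(aid_full)
    victim_rank = competition_ranks(atk_full)

    rows = []
    for c in countries:
        distance = aid_rank[c] - victim_rank[c]
        if distance < -radius:
            label = "under-attacked"   # high aid rank, low victim rank
        elif distance > radius:
            label = "over-attacked"    # high victim rank, low aid rank
        else:
            label = "proportionate"
        rows.append(Row(c, aid_rank[c], victim_rank[c], distance, label,
                        aid_full[c] > 0, atk_full[c] > 0))
    return sorted(rows, key=lambda r: (r.distance, r.country))


if __name__ == "__main__":
    print(f"{'country':<10} {'aid':>3} {'victim':>6} {'dist':>5}  label")
    for r in rank_distances(SAMPLE_AID_BN_USD, SAMPLE_ATTACK_COUNTS):
        note = ""
        if not r.attacked:
            note = " (never attacked)"
        elif not r.involved:
            note = " (no aid pledged)"
        print(f"{r.country:<10} {r.aid_rank:>3} {r.victim_rank:>6} "
              f"{r.distance:>5}  {r.label}{note}")
```

The `involved` and `attacked` flags matter because a distance near zero also covers countries that neither pledged aid nor were attacked, which the rank distance alone cannot tell apart from heavily involved, heavily attacked ones.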

But there are other groups of countries that emerge from this insight:

  1. Under-attacked and involved: Some countries have indeed committed to supporting Ukraine but were never impacted by attacks from NoName057(16). Those countries include South Korea, Ireland, Slovenia, Turkey, Taiwan, and Hungary.
  2. Over-attacked: Some countries appear to have suffered a disproportionate level of attack relative to the amount of support they have offered. The countries include Lithuania, Estonia, Latvia, Italy, Czech Republic, Spain, and Bulgaria.
     * Iceland and New Zealand also technically fall into this group, but their victim counts and promised support levels are so low that their position in our analysis is exaggerated.
  3. Proportionate and involved: Sweden, France, Germany, Finland, Slovakia, Canada, Denmark and Switzerland have all been heavily impacted by attacks, but the relative volume of attacks correlates logically with the relatively high level of aid provided to Ukraine. These countries could be thought of as the major ‘front’ in NoName’s hacktivist war.
     * The impact on Greece, Croatia and Luxembourg is also technically ‘logical’ in that it corresponds with the level of aid provided, but it should be noted that the levels of impact and the levels of aid are both substantially lower than the other countries in this group.
  4. Proportionate but uninvolved: Some countries have not been impacted by attacks at all, and have not pledged to support Ukraine. These include Cyprus, Malta, China, and India. The impact on this group is politically “logical”, but essentially irrelevant.
  5. Under-attacked but heavily involved: The countries in this group include the United States, Japan, Norway, Netherlands, Portugal, Austria, the United Kingdom, Romania, Belgium and Australia. These countries have indeed been impacted by attacks, but the relative level of attacks they experience is low relative to the level of aid they have offered. The level of focus by NoName on this group is therefore also politically “disproportionate”, with the United States standing far beyond others in this group from this perspective. The same analysis, but using a percentage of GDP as the measure of aid given (rather than pure USD), would place Norway as the stand-out in this group.

We observe that most of the over-attacked countries are geographically relatively close to the war, which could be the main reason for their apparent “unfair treatment.” This aligns with the findings of the paper published with the Ukraine support tracker, in which the authors highlight that Eastern European countries stand out in terms of the help provided as a percentage of their GDP, especially when factoring in the costs of hosting war refugees [10]. Thus, geographical proximity and the appearance of “hands-on” support could explain why some countries are impacted more than seems “proportionate.” The exceptions here appear to be Spain and Italy, both of which suffer relatively high levels of attack despite relatively low levels of promised support but are not in close geographical proximity to the conflict.

Our qualitative observation of respective Telegram channels suggests that NoName057(16) has mostly been attacking Spain due to the military support and military training offered, along with the sanctions they’ve imposed.

Italy seems to be the victim of similar reasoning to Spain, in which they are apparently attacked due to military aid provided. There seems to be a misconception by NoName057(16) that Italy and Spain are large donors to Ukraine. As the Ukraine Support Tracker authors state: “In international comparison, it is puzzling why some rich Western European countries, like France, Italy, or Spain, provide so little bilateral support.” [11]

This is another excerpt of our analysis. An analysis of the threat potential of Cyber Warfare and its main actors (as well as a ton of other interesting research topics like an analysis of the data obtained from our extensive vulnerability management operations and Cyber Extortion statistics) can be found in the Security Navigator. Just fill in the form and get your download. It’s worth it!

Researcher notes – Data Source

Intel471: We thank Intel471 for their specialist contribution of data on overall activity & country distribution of pro-Russian hacktivist groups.

Telegram scraper: OCD capabilities

According to the Ukraine Support Tracker:

  • “We considered 2242 formal announcements of support between Dec 2021 and July 2023.
  • Data included commitments from 41 donors, including G7 and EU member countries, plus Australia, New Zealand, Norway, South Korea, Switzerland, Turkey, India, China and Taiwan. Additionally, aid from EU institutions is traced, such as European Union institutions, meaning the EU Commission and EU Council, but also via the European Peace Facility (EPF) and the European Investment Bank (EIB).
  • The type of aid is classified into three types: military, humanitarian, and financial.
  • We removed entries that were not an official announcement but where support was mentioned by government officials (e.g., Minister of Foreign and European Affairs) during conferences, summits, etc. We limited our analysis to official announcements that then caused a direct response by specific hacktivist groups. The official website of the Ukrainian Government describes additional financial aid, so that data was also considered but with a later time stamp. Support for NATO is not included in this dataset, which hacktivists also reacted on.

References:

  1. https://www.techtarget.com/searchsecurity/definition/hacktivism
  2. Denning, Dorothy. (2000). Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy. Networks and Netwars: The Future of Terror, Crime, and Militancy. 248.
  3. Samuel, Alexandra Whitney (2004), Hacktivism and the Future of Political Participation, Harvard University.
  4. https://www.securityinfowatch.com/cybersecurity/article/53056804/did-the-russiaukraine-war-start-a-hacktivist-revolution
  5. https://engelsbergideas.com/essays/hacktivisms-cold-war-turns-hot/
  6. https://www.bleepingcomputer.com/news/security/hacktivists-cybercriminals-switch-to-telegram-after-russian-invasion/
  7. https://cip.gov.ua/services/cm/api/attachment/download?id=60068
  8. https://www.ifw-kiel.de/topics/war-against-ukraine/ukraine-support-tracker/
  9. https://www.ifw-kiel.de/topics/war-against-ukraine/ukraine-support-tracker/
  10. https://www.ifw-kiel.de/publications/the-ukraine-support-tracker-which-countries-help-ukraine-and-how-20852/
  11. https://www.ifw-kiel.de/publications/the-ukraine-support-tracker-which-countries-help-ukraine-and-how-20852/

Note: This informative piece has been expertly crafted and contributed by Diana Selck-Paulsson, Lead Security Researcher at Orange Cyberdefense.

This article is a contributed piece from one of our valued partners.


