Tag Archives: cyber security

Mitigating the Greatest Software Development Security Risk: Human Fallibility

Most application security failures are the result of people. Even so, technology professionals understand that they should rotate access credentials and keys. Programmers know that SQL injection is bad, just as network engineers understand that exposing SSH or RDP to the internet is dangerous. You probably know that you should not email financial information to the individual claiming to have millions of dollars of your frozen assets, even though that individual asserts that they mean you no ill will.

As fascinating as famed vulnerabilities like Heartbleed, Meltdown, and KRACK are, most security breaches do not occur because of an arcane exploit that demands cryptographic expertise to understand. In truth, all three of the flaws mentioned are resolved by installing a patch. If the resolutions are so simple, why do so many organizations still fall victim to these attacks? Many simply forgot to click the “update” button.

The traditional cybersecurity approach to preventing mistakes from compromising a system was a combination of:

  1. Policies
  2. Controls
  3. More people and bureaucracy (oversight)

This approach has deficiencies, because each of the enumerated points has a ready rebuttal. Firstly, most people do not read policies, even when instructed or required to do so. Secondly, controls can be effective, but many are enforced manually by the same fallible people. Lastly, introducing layers of bureaucracy and staff to enforce controls and policy can achieve greater security all-around, but it significantly slows the pace of innovation and product delivery. Even with this traditional approach, security vulnerabilities still slip through. It doesn’t take long to think of an enterprise, government, or other organization with multiple layers of security staff and approvals that has made front-page news for a massive security breach.

How can we stop humans (ourselves) from introducing security vulnerabilities?

DevOps (Development Operations) has infused application development with an “automate first” imperative to accelerate the software development lifecycle (SDLC), delivering products faster and more consistently. DevOps achieves this, in part, by collaborating with IT infrastructure teams to extend automation and idempotence into those teams through concepts and technologies such as infrastructure-as-code. In short, DevOps encompasses people, process, and technology. However, it has traditionally left behind security people, security process, and security technology. DevSecOps (Development Security Operations) extends the CI/CD approach to its next logical domain: security.

DevSecOps offers a veritable cornucopia of benefits, a great number of which can be incorporated directly into a CI/CD pipeline. It seeks to make application security less a matter of reactive manual verification and testing after the fact, shifting it into CI/CD pipelines so that security is at the forefront of the SDLC from its very origin.

Here are just a few examples of how security technology can mitigate our own inherent failings:

  • Static application security testing (SAST) tools analyze source code to identify mistakes that introduce vulnerabilities into the application. They are generally run prior to deployment, which allows vulnerabilities to be detected earlier in the SDLC.
  • Open source code analysis checks that the packages and libraries listed in a manifest (package manager file), or otherwise incorporated into an application, are up to date and that the versions in use contain no known vulnerabilities. This analysis also occurs prior to deployment. Some tools will additionally check the licensing status of these packages to ensure that the code can be used in enterprise systems without breaching its license, reducing legal exposure.
  • Dynamic scanning tools are run post-deployment, particularly in UAT environments, to verify that the deployed application has no vulnerabilities. They can also verify that infrastructure is set up and configured securely, checking everything from SSL/TLS configuration and port and protocol exposure to asset patch compliance. Additionally, these tools can scan for and enforce compliance with frameworks such as SOC 2, NIST, PCI, and HIPAA.
  • Configuration management tools and patch managers automate, schedule, and administer the application of infrastructure patches. Configuration management tools also prevent the all-too-common configuration mistakes made during manual environment setup.
  • Automated compliance tools enforce that the state of an environment is maintained and tracked, so that configuration drift does not become a security risk.
  • Threat modeling tools analyze an application and identify the components that present risk.
  • Intrusion prevention systems (IPS) automatically detect suspicious traffic flows at OSI (Open Systems Interconnection) layers 3 and 4 and take action to block the threat automatically.
  • Last but not least, alerting, monitoring, and log aggregation tools are a pivotal part of securing applications and CI/CD pipelines. Moreover, this data can now be combed by machine learning tools designed for intelligent, real-time threat analysis and detection.
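As an added illustration of the open source code analysis step in the list above (example code written for this page, not Paymerang's or any vendor's tool), the following gate parses a pinned requirements manifest and compares each version against an advisory list. The manifest text, the advisory identifiers, and the "first fixed version" values are constructed placeholders; a real pipeline stage would pull advisories from a vulnerability database and fail the build on any hit.

```python
# Added example: a minimal dependency vulnerability gate for a CI/CD pipeline.
# Manifest contents and advisory data below are constructed for this example.
from typing import Dict, List, Tuple

# Constructed manifest (stand-in for a requirements.txt checked into the repo).
MANIFEST = """\
requests==2.19.0
flask==2.3.2
# comment lines and blanks are ignored
pyyaml==5.3
"""

# Constructed advisories: package -> [(placeholder advisory id, first fixed version)].
# A pinned version lower than "fixed" is treated as affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "requests": [("ADV-EXAMPLE-0001", "2.20.0")],
    "pyyaml": [("ADV-EXAMPLE-0002", "5.4")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.19.0' -> (2, 19, 0) so versions compare numerically, not as strings.
    Assumes plain dotted numeric versions (no pre-release suffixes)."""
    return tuple(int(part) for part in v.strip().split("."))

def parse_manifest(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} for every 'name==version' line."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or "==" not in line:          # skip blanks / unpinned lines
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins

def find_vulnerable(pins: Dict[str, str], advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned, advisory id, fixed version) for each affected pin."""
    findings = []
    for name, pinned in pins.items():
        for adv_id, fixed in advisories.get(name, []):
            if parse_version(pinned) < parse_version(fixed):
                findings.append((name, pinned, adv_id, fixed))
    return findings

def pipeline_gate(manifest: str = MANIFEST, advisories=ADVISORIES) -> int:
    """Exit-code style result for a CI stage: 0 = clean, 1 = block the deployment."""
    findings = find_vulnerable(parse_manifest(manifest), advisories)
    for name, pinned, adv_id, fixed in findings:
        print(f"BLOCK {name}=={pinned}: {adv_id}, upgrade to >= {fixed}")
    return 1 if findings else 0
```

The numeric comparison matters: a string comparison would rank "2.9.0" above "2.10.0" and silently pass an outdated pin.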

DevSecOps is not just security technology. It is people, process, and technology. Technology can mitigate human fallibility—but people and process are still required to achieve the greatest level of security to deliver products in the SDLC faster, consistently, and securely.

How to Build a Threat Hunter Mentality

One Hundred and Ninety-Seven. That’s the average number of days an advanced persistent threat, known as an APT, can dwell without being detected inside a network, according to the 2018 Cost of a Data Breach Study conducted by the Ponemon Institute. That is a six-month period in which a very quiet threat, using sophisticated tactics, is actively exploring the network and most likely offloading sensitive data before it’s noticed, not even counting the days, weeks, or months then needed to respond and recover from its foothold.

Data breaches can cause devastating financial losses and affect an organization’s reputation for years. From lost business to regulatory fines and remediation costs, data breaches have far-reaching consequences. According to the 2019 Cost of a Data Breach Report conducted by the Ponemon Institute and sponsored by IBM Security, the average total cost of a data breach is $3.92 million USD.

Dealing with a threat this untenable requires identifying the infrequent signaling events of an active APT across the network, combined with continuous network investigation by cyber defenders. This approach pairs monitoring automation with vigilant human cyber defenders. The monitoring watches across the network for the known tactics and techniques employed by these threats. Complementing that monitoring, cyber defenders continuously explore the network landscape to identify blind spots in the monitoring and places where a threat could try to hide.

The mission is detection, containment, and eradication of these stealthy threats so they cannot acquire sensitive data. Successfully executing this two-pronged approach starts with understanding the intricacies of how threats operate to achieve their goals.

With the main goal of persisting undetected in the network for as long as it can and stealing the targeted sensitive data, the threat relies on supporting tactics: running malicious code, gaining higher-privilege permissions, avoiding detection, compromising user credentials, discovering all assets in the network, compromising multiple assets through lateral movement, gathering the data it wants, and remotely controlling the assets it has compromised.

Knowing the details of these tactics helps determine what to include in the monitoring rulesets, such as watching for certain processes to run, certain event codes to be written to log files, creation of encrypted zip or archive files, atypical data flow movement, and unusual communications across the network.

The vigilant cyber defender side of this approach requires relevant information, including both internal log data and external cyber intelligence, along with tools used to track down threats and analyze suspicious events, including:
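To make the ruleset idea above concrete, here is an added example (written for this page, not Paymerang's code) that encodes four of the signals just listed as rules and runs them over a handful of constructed log lines, then ranks hosts by how many distinct rules they trip. The key=value log format, field names, the watched process list, the event code, and the egress threshold are all assumptions chosen for the example; a real deployment would take these from its own log sources and baselines.

```python
# Added example: a small monitoring ruleset run over constructed log lines.
# Log format, field names, watched lists and threshold are assumptions for this example.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines in a "key=value" style (values may contain spaces and backslashes).
LOGS = """\
host=ws-17 event=process_start image=C:\\Windows\\System32\\whoami.exe user=jdoe
host=ws-17 event=security code=4672 user=jdoe
host=ws-17 event=file_create path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\q.7z encrypted=true
host=ws-17 event=netflow dst=203.0.113.9:443 bytes_out=734003200
host=ws-22 event=process_start image=C:\\Program Files\\App\\app.exe user=asmith
host=ws-22 event=netflow dst=198.51.100.5:443 bytes_out=120000
"""

WATCHED_PROCESSES = {"whoami.exe", "net.exe", "nltest.exe"}  # discovery tooling of interest
WATCHED_CODES = {"4672"}                 # Windows: special privileges assigned to new logon
EGRESS_THRESHOLD = 100 * 1024 * 1024     # bytes out per flow considered atypical here

def fields(line: str) -> Dict[str, str]:
    """Parse 'key=value key=value ...' into a dict; a value runs until the next ' key='."""
    return dict(re.findall(r"(\w+)=(.+?)(?=\s\w+=|$)", line))

def evaluate(line: str) -> List[str]:
    """Return the names of every rule this single line trips."""
    f, hits = fields(line), []
    image = f.get("image", "").rsplit("\\", 1)[-1].lower()   # basename of the process image
    if f.get("event") == "process_start" and image in WATCHED_PROCESSES:
        hits.append("watched_process")
    if f.get("event") == "security" and f.get("code") in WATCHED_CODES:
        hits.append("watched_event_code")
    if (f.get("event") == "file_create" and f.get("encrypted") == "true"
            and f.get("path", "").lower().endswith((".zip", ".7z", ".rar"))):
        hits.append("encrypted_archive")
    if f.get("event") == "netflow" and int(f.get("bytes_out", "0")) > EGRESS_THRESHOLD:
        hits.append("atypical_egress")
    return hits

def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Group rule hits per host, most distinct rules first, so stacked weak signals surface."""
    per_host: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        for rule in evaluate(line):
            per_host[fields(line)["host"]].add(rule)
    return sorted(((h, sorted(r)) for h, r in per_host.items()), key=lambda x: -len(x[1]))
```

No single rule here is conclusive on its own; the value is in the per-host aggregation, which is what turns four quiet events on ws-17 into something a hunter investigates.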

Security Logs

These are generated by the multiple defense-in-depth protection and detection technologies, such as firewalls, network intrusion detection, network data flow, insider threat detection, data loss prevention, and endpoint security tools.

Security Information and Event Management (SIEM) System

A SIEM turns log data from across the network, supplemented by external cyber intelligence feeds, into meaningful information. Cyber defenders can take additional discovery actions based on the findings and correlations it identifies to reveal hidden threats.

Advanced Analytics & Entity Linking

Advanced analytics software uses patterns instead of pre-defined rules to find security anomalies in the environment, while entity linking software maps relationships between entities and provides interactive visualizations that highlight hidden connections.

With this paired monitoring and cyber defender approach in place, an organization can begin to find advanced threats in its network, strengthen its defenses, and identify and mitigate these threats before they even appear in the network.

To learn more about protecting your organization from growing threats, check out our presentation on Crushing Payment Fraud Risk.

Paymerang is proud to partner with VASS, VASBO, and former Virginia Governor Terry McAuliffe to address cyber security with Virginia School Superintendents and Business Officers 

From its inception, Paymerang has helped our clients fight fraud and protect their organization’s treasury.

That’s why we are proud to partner with the Virginia Association of State Superintendents (VASS), the Virginia Association of School Business Officers (VASBO), and former Virginia Governor Terry McAuliffe to help Virginia’s public schools learn how they can protect their data and our taxpayer dollars from cybercrime.

The Governor and Paymerang CEO Nasser Chanda held a spirited session, with over 200 school superintendents and business officers, where they discussed some of the resources available to localities and school divisions. This includes partnering with the Fusion Center to do a cyber risk analysis, which can often be done free of charge and with minimal staff time.

On day two of the conference we held a Q&A session with thirty VASS and VASBO members, who heard from the current Governor’s administration, Paymerang’s own Director of Cybersecurity Jeff Gainer, and the Virginia State Police. The panel provided Superintendents and School Business Officers with the opportunity to learn about the threat cybercrime presents to their IT and financial infrastructure, and to ask questions of the foremost experts dealing with this threat every day.

One key takeaway from our discussion is that fighting cybercrime is not just one person’s job in an organization. It is important that organizations have a culture of information sharing and threat alertness.