
    Kaspersky Password Manager caught out making easily bruteforced passwords

    If you are in the business of generating passwords, it would probably be a good idea to use an additional source of entropy beyond the current time, but for a long time, that is all Kaspersky Password Manager (KPM) used. In a blog post capping off an almost two-year saga, Ledger Donjon head of security research Jean-Baptiste Bédrune showed that KPM was doing just that.

    “Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. However, such method lowers the strength of the generated passwords against dedicated tools,” Bédrune wrote.

    One of the techniques used by KPM was to make letters that are not often used appear more frequently, which Bédrune said was probably an attempt to trick password cracking tools. “Their password cracking method relies on the fact that there are probably more ‘e’ and ‘a’ in a password created by a human than ‘x’ or ‘j’, or that the bigrams ‘th’ and ‘he’ will appear much more often than ‘qx’ or ‘zr’,” he said. “Passwords generated by KPM will be, on average, far in the list of candidate passwords tested by these tools. If an attacker tries to crack a list of passwords generated by KPM, he will probably wait quite a long time until the first one is found. This is quite clever.”

    The flip side was that if an attacker could deduce that KPM was used, the bias in the password generator started to work against it.

    “If an attacker knows a person uses KPM, he will be able to break his password much more easily than a fully random password. Our recommendation is, however, to generate random passwords long enough to be too strong to be broken by a tool.”

    The big mistake made by KPM, though, was using the current system time in seconds as the seed for a Mersenne Twister pseudorandom number generator. “It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second,” Bédrune said. Because the program shows an animation that takes longer than a second when a password is created, Bédrune said this could be why the issue was not discovered.

    “The consequences are obviously bad: every password could be bruteforced,” he said. “For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes.” Bédrune added that, because sites often show account creation time, KPM users would be vulnerable to a bruteforce attack of around 100 possible passwords.

    However, due to some bad coding leading to an out-of-bounds read on an array, Ledger Donjon found an additional smidgen of entropy. “Although the algorithm is wrong, it actually makes the passwords more difficult to bruteforce in some cases,” the post said.

    KPM versions prior to 9.0.2 Patch F on Windows, 9.2.14.872 on Android, or 9.2.14.31 on iOS were affected, with Kaspersky replacing the Mersenne Twister with the BCryptGenRandom function in its Windows version, the research team said. Kaspersky was informed of the vulnerability in June 2019 and released the fixed version in October that same year. In October 2020, users were notified that some passwords would need to be regenerated, with Kaspersky publishing its security advisory on 27 April 2021.

    “All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough,” the security company said.

    In late 2015, Kaspersky said one in seven people were using just one password. “A strong password that differs for each account is an important basic element of protecting your digital identity,” David Emm, principal security researcher at Kaspersky Lab, said at the time, in a delicious piece of irony.
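    As an added illustration (this is not code from the ZDNet story, from Ledger Donjon's post, or from Kaspersky), the following Python shows the mechanism described above with a constructed charset and length. Python's random.Random is an MT19937 Mersenne Twister, the same PRNG family the story describes: seeded with a wall-clock second, it is fully reproducible, so every password it can emit inside a known creation window is one of at most window-many candidates. A generator that draws each symbol from the operating system's CSPRNG (the secrets module) has the full nominal space. The charset, password length, timestamps and function names are assumptions made for this example and are not KPM's actual algorithm.

```python
"""Time-seeded Mersenne Twister versus a CSPRNG-backed password generator.

Added example; the charset, length and timestamps are constructed and the code is
not KPM's implementation. random.Random is MT19937, the PRNG family discussed in the story.
"""
import math
import random
import secrets
import string

CHARSET = string.ascii_letters + string.digits  # constructed 62-symbol alphabet


def time_seeded_password(timestamp_seconds: int, length: int = 12, charset: str = CHARSET) -> str:
    """The flawed pattern: seed MT19937 with the creation time in seconds.

    Two instances run in the same second get the same seed and therefore the
    same password, which is the determinism Bédrune describes.
    """
    rng = random.Random(timestamp_seconds)
    return "".join(rng.choice(charset) for _ in range(length))


def secure_password(length: int = 12, charset: str = CHARSET) -> str:
    """The corrected pattern: every symbol comes from the OS CSPRNG."""
    return "".join(secrets.choice(charset) for _ in range(length))


def candidate_space(window_seconds: int, length: int, charset: str = CHARSET) -> dict:
    """Compare what a time-seeded generator can emit inside a known window of
    creation times against the nominal space of a random password of the same shape."""
    nominal = len(charset) ** length
    return {
        "time_seeded_candidates": window_seconds,          # one candidate per second
        "nominal_candidates": nominal,                      # len(charset) ** length
        "time_seeded_bits": math.log2(window_seconds),
        "nominal_bits": length * math.log2(len(charset)),
    }


def distinct_passwords_in_window(start_ts: int, window_seconds: int, length: int = 12) -> int:
    """Count the distinct outputs the weak generator can produce over a window.
    With a 100-second window this is (at most) 100, whatever the password length."""
    outputs = {time_seeded_password(start_ts + s, length) for s in range(window_seconds)}
    return len(outputs)


if __name__ == "__main__":
    ts = 1_600_000_000  # constructed creation timestamp
    print("same second, same password:", time_seeded_password(ts) == time_seeded_password(ts))
    print("distinct outputs over a 100 s window:", distinct_passwords_in_window(ts, 100))
    print("space for 2010-2021 seeds vs 12 random chars:", candidate_space(315619200, 12))
    print("CSPRNG password:", secure_password())
```

    Running candidate_space(315619200, 12) with the story's seconds-between-2010-and-2021 figure gives roughly 28 bits of seed space against roughly 71 bits for 12 characters drawn uniformly from a 62-symbol charset, which is the gap the research describes; the defensive fix is the one Kaspersky shipped, replacing the time seed with an OS-provided random source, here secrets rather than BCryptGenRandom.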


    China reportedly warns local tech companies of increased cybersecurity oversight

    China has reportedly warned local companies that it will tighten oversight of data security and overseas listings, days after revealing that Didi has been subject to a government cybersecurity review. The State Council on Tuesday issued a statement indicating that it would crack down on the corporate sector across a range of areas, spanning from anti-trust to cybersecurity to fintech, Bloomberg said in a report. As part of the statement, China reportedly said rules for local companies listing overseas would be revised and publicly traded firms would be held accountable for keeping their data secure. China also reportedly said it would step up its regulatory oversight of companies trading in offshore markets.

    China’s lawmakers have already commenced their crackdown, having passed new data security laws last month to strengthen the government’s control over digital information. The newly passed laws provide a broad framework for future rules on internet services, such as how certain types of data must be stored and handled locally.

    The warning comes days after Didi was removed from app stores in China for breaching regulations relating to the collection and use of personal data, which occurred shortly after the company made its debut on the New York Stock Exchange. Beyond Didi, other Chinese tech giants like Alibaba and Tencent have come under government scrutiny in recent months, with Alibaba being hit with a record 18.2 billion yuan fine. 33 other mobile apps have also been called out by Beijing for collecting more user data than deemed necessary when offering services.

    With government oversight intensifying in China, tech companies including Apple, Facebook, Google, and Twitter have jointly warned that they could stop offering their services in Hong Kong if the government goes ahead with plans to amend privacy and doxxing laws. The laws, if amended, would put the staff of companies at risk of being imprisoned while making digital platforms vulnerable to criminal investigations for doxxing posts made by the platforms’ users. The laws in question were proposed by Hong Kong’s Constitutional and Mainland Affairs Bureau in May, which said doxxing needed to be addressed because it was prevalent against government members seeking to introduce the extradition amendment Bill that led to the 2019 Hong Kong protests.

    On the same day as China’s warning of increased tech oversight, Ministry of Foreign Affairs Deputy Director Zhao Lijian reportedly told local media that China would “not allow any country to reap benefits from doing business with China while groundlessly accusing and smearing China”. While not mentioning Australia by name, Zhao said a “certain country” has been acting as a “cat’s paw for others” and that there are consequences associated with that, when asked about Australia’s loss of market share in China’s agricultural market.


    Kaseya ransomware attack: Everything you need to know

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers.

    According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach, but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be. Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.” At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices.

    As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its assessment of the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist.

    “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix has been developed and would first be deployed to SaaS environments once testing and validation checks are complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

    Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a July 6 webinar discussing the technical aspects of the attack that the threat actors responsible were “crazy efficient.” “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” The vendor has also provided an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”. “This fake update is then deployed across the estate, including on MSP client customers’ systems, as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”

    With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says. According to the firm, zero-day vulnerabilities were exploited by the attackers for an authentication bypass and for code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”.

    Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure pact. “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”

    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while a small number of Kaseya clients may have been directly infected, as those clients are MSPs, SMB customers further down the chain relying on their services could be impacted in turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.

    “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised previous estimates to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.” Now, on July 6, the estimate is around 50 direct customers and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.”

    In a press release dated July 6, Kaseya insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.”

    Kaseya CEO Fred Voccola said of the attack that, “for the very small number of people who have been breached, it totally sucks.”

    “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

    Today’s ransomware operators may be part of a Ransomware-as-a-Service (RaaS) scheme, in which they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim also has their information stolen during a ransomware raid. If they refuse to pay up, they may then face the prospect of their data being sold or published online. Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

    Who is responsible?

    Charlie Osborne | ZDNet

    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.” In an update over the weekend, the operators claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and therefore able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency.

    REvil has previously been linked to ransomware attacks against companies including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

    The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key, and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged):

    “Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

    Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

    Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

    What are the reactions so far?

    At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA). The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts wherever possible.

    Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.” The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised. On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

    “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

    Are there any recovery plans?

    As of July 4, Kaseya said it had moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:

    • Communication of our phased recovery plan, with SaaS first followed by on-premises customers.
    • Kaseya will be publishing a summary of the attack and what we have done to mitigate it.
    • Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
    • There will be new security measures implemented, including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities.
    • We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.
    • Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems.

    By late evening on July 5, Kaseya said a patch had been developed and that it intended to bring back VSA with “staged functionality” to hasten the process. The company explained that the first release will prevent access to functionality used by a very small fraction of its user base, including:

    • Classic Ticketing
    • Classic Remote Control (not LiveConnect)
    • User Portal

    Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, now set for July 6 between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premise patch, expected to land in 24 hours or less from the time SaaS servers come back online. “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says.

    Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

    What can customers do?

    Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other designed for endpoint scanning. The self-assessment scripts should be used in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note.

    However, the scripts are only for potential exploit risk detection and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

    Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and Yara rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems. Kaseya has also warned that “customers who experienced ransomware and receive a communication from the attackers should not click on any links — they may be weaponized.”


    Best enterprise identity access management software

    By default, user identities are distributed among cloud applications, virtual environments, networks and web portals. With no central identity and access management (IAM) strategy, businesses of all sizes lose precious security and productivity.

    IAM software platforms make it faster and easier for employees to securely access the data and applications they require to execute their duties. These packages assure an enterprise that only authorized employees are accessing the correct information. For example, while a human resources staffer needs access to an employee’s personal information, the marketing team doesn’t need the same files. IAM tools provide effective role-based access to keep an organization’s resources safe and out of the hands of intruders.

    These tools generally perform two functions. First, they confirm that the user, device, or application is who they say they are by cross-referencing the credentials they provide against what the system has on file. Then, once those credentials are confirmed, the software provides only the necessary level of access, instead of giving the individual access to everything within a network.

    Here are ZDNet’s top picks of the leading providers of identity access management software in 2021.
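    The two functions described above, authentication against credentials on file and then role-based authorization that grants only what the role needs, in a minimal deny-by-default form. This is an added example written for this page; it is not code from ZDNet or from any vendor in the list below. The user directory, roles, resources and function names are constructed for illustration, using the HR-versus-marketing split the text gives.

```python
"""Minimal IAM core: authenticate, then authorize by role with deny-by-default.

Added example; users, roles and resources below are constructed, not any product's data.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the directory never stores a plaintext credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_record(password: str, role: str) -> dict:
    """What 'the system has on file': a per-user salt, the derived hash, and a role."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed role model: HR may touch personnel files, marketing may not (as in the text).
ROLE_PERMISSIONS = {
    "hr": {("personnel_file", "read"), ("personnel_file", "write")},
    "marketing": {("campaign_assets", "read"), ("campaign_assets", "write")},
}

# Constructed directory with constructed passphrases.
USERS = {
    "alice": make_user_record("correct horse battery staple", "hr"),
    "bob": make_user_record("constructed marketing passphrase", "marketing"),
}

_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str, users: dict = USERS) -> Optional[dict]:
    """Function one: confirm the presented credential matches the stored record.

    Unknown users still pay the PBKDF2 cost so a timing difference does not reveal
    which usernames exist; comparison is constant-time via hmac.compare_digest.
    """
    rec = users.get(username)
    if rec is None:
        _hash_password(password, _DUMMY_SALT)
        return None
    if hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return rec
    return None


def authorize(rec: dict, resource: str, action: str) -> bool:
    """Function two: grant only what the role lists. Unknown role or unlisted
    (resource, action) pair falls through to False, i.e. deny by default."""
    return (resource, action) in ROLE_PERMISSIONS.get(rec["role"], set())


def access(username: str, password: str, resource: str, action: str,
           users: dict = USERS, audit: Optional[list] = None) -> bool:
    """Authenticate, then authorize; append a structured audit line either way."""
    rec = authenticate(username, password, users)
    allowed = rec is not None and authorize(rec, resource, action)
    if audit is not None:
        audit.append(f"user={username} resource={resource} action={action} "
                     f"authenticated={rec is not None} allowed={allowed}")
    return allowed


if __name__ == "__main__":
    log: list = []
    print(access("alice", "correct horse battery staple", "personnel_file", "read", audit=log))
    print(access("bob", "constructed marketing passphrase", "personnel_file", "read", audit=log))
    print(access("alice", "wrong password", "personnel_file", "read", audit=log))
    print("\n".join(log))
```

    The audit list stands in for the activity logging several of the products below advertise: a denied request for a resource outside a role's scope is exactly the event a SecOps team wants surfaced, so the log records the decision and whether authentication itself succeeded, not only the grants.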

    Okta

    Okta, in May 2021, completed the acquisition of Auth0 for $6.5 billion, picking up a boatload of new intellectual property to go with a new set of customers. Gartner recognized Okta as a leader in its Magic Quadrant for Access Management 2020 for the fourth year in a row. Gartner analysts described Okta as “one of the most mature and advanced AM tools in the market to meet both internal and external user access management use cases’ needs.”

    Okta enables organizations to secure and manage their extended enterprise, whether on-premises or in a private, public or hybrid cloud. With more than 6,000 pre-built integrations to applications and infrastructure providers, Okta claims that its customers can securely adopt the technologies they need to fulfil their missions. Okta provides SSO (single sign-on), MFA (multi-factor authentication) and a universal directory, which gives a SecOps team a single place to manage all user identities. The platform offers several different factors for its MFA, meaning users are not limited to phone or email authentication. Okta also provides zero trust access management for infrastructure, enabling more control over user permissions. It also automatically secures APIs on the backend.

    Pros:
    • Intuitive to deploy and integrate other applications as use cases require.
    • The SSO process keeps employees from having to remember multiple passwords.
    • Extensive feature menu.

    Cons:
    • Pricing might be steep for small businesses.
    • It can be hard to find login information that’s no longer active.

    Auth0

    Auth0, founded in 2013 and acquired by Okta in May 2021 for $6.5 billion, is a respected alternative for developers who want to create a secure login experience for their own applications. It is a next-gen identity management platform for web, mobile, IoT, and internal applications.

    The software assigns permissions automatically based on a user’s role, affording less chance of error than manual assignments. It also can provide access tokens to give users temporary access they might need. The versatile Auth0 platform handles API authorization to ensure that users only connect to safe applications. The platform offers monthly pricing.

    Pros:
    • Provides templates in several programming languages.
    • The unusual freemium option can be deployed for up to 7,000 users.

    Cons:
    • Customization options are few and far between.
    • Few tools for corporate governance.

    Ping Identity

    Ping Identity, founded in 2002 and one of the most well-established identity management companies in the business, was designed for hybrid IT environments. It works cleanly across public, private and hybrid clouds and with on-premises networks and applications. The platform combines multi-factor authentication with single sign-on options to provide an intuitive and secure sign-on experience for each user. It also includes an analytics engine to help SecOps teams detect (and predict) anomalies in user behavior that could signal that a phony identity has compromised the system.

    Thanks to its vast feature set, Ping Identity also can help enforce business rules for authorization and authentication through customizable policy tracking.

    Pros:
    • One of the most innovative companies in this space, with new features always in the pipeline.
    • Highly attentive and responsive support team.
    • Easy to implement, with good interoperability with other applications.

    Cons:
    • Quality comes at a cost: one of the more expensive platforms in the market.

    Microsoft Azure Identity Management

    Any product with Microsoft in the name is automatically going to get attention from potential buyers. Microsoft Azure Identity Management, considered a service of Active Directory, offers several different identity management products for on-premises, public, private and hybrid clouds.

    Azure’s Identity Management enables an enterprise to automatically classify and label data to make it easier to assign access rights based on user roles. It also lets users track suspicious activity on shared data and applications, so admins know exactly who is accessing each file and when they’re doing it.

    Pros:
    • Thanks to a familiar MS interface, this is relatively easy to deploy and use.
    • Secures data and applications and limits access in only a few steps.
    • Provides reliable remote access for identity management.

    Cons:
    • Application updates often can be slow to implement.
    • Sometimes requires expert maintenance and management from Microsoft, which could be cost-prohibitive for small businesses.

    OneLogin

    OneLogin brings to the security table a cloud IAM platform that keeps simplicity for users upfront as its most important feature. OneLogin features integration templates for more than 6,000 different applications to help admins keep users safe across an entire network. The platform is designed to work with various versions of cloud and on-premises applications.

    The HR department controls the user identities, allowing a company to easily adjust them as the employee lifecycle changes or ends. Users even have the option to implement certificate-based trust for remote employees, meaning they’ll never have to enter a password.

    Pros:
    • Known for its strong customer support services.
    • Analysts praise its intuitive usability and granular access control.

    Cons:
    • The Chrome plugin has been problematic.
    • Event logs occasionally miss important actions.

    CyberArk Workforce Identity

    CyberArk, the oldest company on the list (founded 1999), has been both a pioneer and innovator in the identity management field. The company also has earned respect in the investment community, having raised more than a half-billion dollars during the past several years, according to Crunchbase.CyberArk Workforce Identity offers both MFA and SSO to help employees log into applications easily and securely; it automates onboarding/offboarding processes to lighten the load on HR and IT teams. The company, formerly known as Idaptive, features a frictionless sign-on process that helps prevent shadow IT from flourishing among employees looking for quicker ways to log into the resources they need. The multi-factor process is supported by analytics functionality, making it faster to spot anomalies that could lead to security breaches.PROSUsers can extend the protection to endpoints to ensure that only approved devices are connecting to a network.Features integrations for more than 150 applications.Known for its responsive and highly professional user support.CONSCustom reporting doesn’t always accept SQL inputs as designed.The user interface can make navigation difficult.


    ForgeRock

    ForgeRock's Identity Platform is backwards-compatible, meaning that it supports most legacy enterprise systems. It automates several identity lifecycle processes, including creating new identities when employees are hired, changing access as they are promoted and removing permissions when employees leave. It is compatible with on-premises, cloud and hybrid environments. ForgeRock is designed to support large numbers of identities, making it well suited to enterprise companies. For cloud deployments, ForgeRock provides three individual environments (development, testing and production) for the cost of a single license; users don't have to pay extra to license additional tenancies. ForgeRock also provides the necessary DevOps tools for developers. Pricing is handled per identity registered.

    Pros:
    • Supports legacy systems while still offering modern solutions.
    • Simple integration path for Java-based applications.
    • Has the ability to add customized components into modules.

    Cons:
    • The user interface can sometimes be difficult to navigate.


    JumpCloud

    JumpCloud is a relatively new entrant (founded in 2012) among the leaders of this segment, and it positions itself as one of the most versatile platforms on this list. It prides itself on its secure single sign-on (SSO) access. The platform works with both on-premises and cloud applications, and it is equally at home with Windows, macOS and Linux operating systems and infrastructure. JumpCloud also provides reporting and analytics that log user activity, allowing a SecOps team to review access attempts that might show an identity has been compromised. It even offers remote management for security admins.

    Pros:
    • Free platform for up to 10 users and 10 devices.
    • Easy to install and add users.
    • Wide breadth of features.

    Cons:
    • Enterprise pricing is per user.
    • Reporting requires use of the API.


    Oracle Identity Management

    Oracle Identity Management brings a well-known name and a track record with U.S. government and military use cases, along with access control for both on-premises and cloud applications. The platform is highly scalable. Oracle enables organizations to set their own rules and policies for access, so they retain control over their data and applications. It also offers SSO for any integrated application from any type of device, including mobile phones and tablets. One of the platform's key features is its real-time fraud prevention process to protect against compromised credentials and keep business resources secure.

    Pros:
    • Capable of handling large volumes of data traffic.
    • Reliable user provisioning.

    Cons:
    • Requires customization to access many features; professional services can be expensive.
    • Can represent a steep learning curve for staff members.


    IBM

    IBM Security Verify is an identity-as-a-service (IDaaS) platform that includes the SSO, MFA and identity analytics features that are quickly becoming standard. It offers AI-powered authentication and adaptive-access decisions to prevent shadow IT practices among employees and keep identities from becoming compromised. There are options for passwordless authentication, which is likely to become the next standard feature in IAM systems. IBM also provides user lifecycle management and compliance features that make it easy for HR departments to create new identities as they hire employees and remove identities when employees leave.

    Pros:
    • Centralizes and automates profile management and authentication.
    • Known for its feature-rich platform.

    Cons:
    • A tricky and difficult learning curve, according to some users.
    • Licensing and pricing structure can be complicated to put in place.


    What are the most important advantages of using an automated IAM package?

    IAM software platforms make it faster and easier for employees to securely access the data and applications they need to do their jobs, while giving the enterprise assurance that only authorized employees are reaching the right information.

    How does artificial intelligence add functionality to an IAM system?

    Through constant monitoring, AI-powered authentication and adaptive-access functions help prevent shadow IT practices among employees and keep identities from becoming compromised. They do the grunt work that humans don't do well; they also keep track of an employee's history in the system so that a log-in attempt that departs from it can be flagged. Real-time fraud prevention using AI protects against compromised credentials and keeps business resources secure.

    Does a good IAM platform sort and secure data besides handle identity management?

    Yes. A good identity management package enables an enterprise to automatically classify and label data, which makes it easier to assign access rights based on user roles. It also lets admins track suspicious activity on shared data and applications, so they know exactly who is accessing each file and when.



    Website of Mongolian certificate authority served backdoored client installer

    A Mongolian certification authority (CA) official website was harboring malware and facilitated downloads of a backdoored client to users.

    Researchers from Avast named MonPass as the compromised CA, which was potentially breached up to eight times, as eight different web shells and backdoors were present on the CA's server. During an analysis conducted between March and April, Avast found indicators of compromise in the form of those web shells and backdoors, and determined that the version of the MonPass client available for download from February 8, 2021, until March 3, 2021, was malicious.

    Avast says that the installer contained Cobalt Strike binaries. Cobalt Strike is a legitimate threat emulation tool for penetration testers that threat actors also abuse for purposes including malware deployment, data exfiltration, and network activity obfuscation.

    The malicious installer, an unsigned PE file, first pulled the legitimate installer from the MonPass domain and executed it on the user's machine to avoid arousing suspicion. In the background, however, it also downloaded an image file and used steganography to unpack and decrypt hidden code containing a Cobalt Strike beacon, which was then installed on the victim's machine.

    Avast says that additional variants of the malicious package have since been found on VirusTotal.

    When it comes to attribution, the researchers say, "we're not able to make attribution of these attacks with an appropriate level of confidence."

    "However, it's clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia," Avast added.

    MonPass was notified of the researchers' findings on April 22 through MN CERT/CC. By June 29, MonPass confirmed the issue had been resolved, leading to Avast's public disclosure.

    Anyone who downloaded the MonPass client software between February 8 and March 3 should remove the client and its associated backdoor. The latest version available is v.1.21.1.

    MonPass told ZDNet that impacted clients were informed of the security issue, and the company "remotely scanned their computers to ensure that there was no threat."

    "These attacks do not affect our public key infrastructure system, our system is completely secure, and it is operating normally behind multiple layers of protection," the company says.
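    The one detail above that a user or admin can check before running a downloaded installer is that the malicious package was an unsigned PE file. The following is an added example, not code from Avast or MonPass: it parses the PE headers directly to tell whether an Authenticode signature block is attached, and computes the SHA-256 for comparison against a vendor's published hash or a VirusTotal lookup. The two PE images it inspects are constructed inline; nothing is downloaded.

```python
"""Check whether a downloaded Windows installer carries an Authenticode signature.

Added example, not code from Avast or MonPass. The PE headers are parsed by
hand so the check runs offline; both sample images are constructed inline.
A present signature block only means a signature is attached: the chain and
timestamp still have to be validated (signtool verify /pa, or
Get-AuthenticodeSignature on Windows) before the installer is trusted.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot for WIN_CERTIFICATE
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def has_authenticode_block(pe: bytes) -> bool:
    """True if the PE's security data directory points at a non-empty certificate table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, opt + count_off)[0]
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return False
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, entry)
    return offset != 0 and size != 0 and offset + size <= len(pe)


def sha256_hex(pe: bytes) -> str:
    """Hash to compare against the vendor's published value or to look up on VirusTotal."""
    return hashlib.sha256(pe).hexdigest()


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (test data only, not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt_size = 240                                              # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * 0x200)
    if not signed:
        return bytes(image)
    # WIN_CERTIFICATE header (dwLength, wRevision=0x0200, wCertificateType=PKCS#7)
    # followed by a placeholder where the PKCS#7 SignedData blob would sit.
    cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\x30\x82" + b"\0" * 14
    entry = 0x40 + 4 + 20 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", image, entry, len(image), len(cert))
    return bytes(image) + cert


def triage(pe: bytes) -> dict:
    """Summary a responder would record for a suspect installer."""
    return {"sha256": sha256_hex(pe), "signature_block": has_authenticode_block(pe)}


if __name__ == "__main__":
    for label, sample in (("signed", build_sample_pe(True)), ("unsigned", build_sample_pe(False))):
        print(label, triage(sample))
```

    A missing security directory is a hard stop for an installer that the vendor normally ships signed. A present one is only the first gate: the certificate chain, the signer's identity and the timestamp still need checking with the platform's own verifier, since a signature block can be attached by anyone holding any code-signing certificate.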


    Kaseya ransomware attack: 1,500 companies affected, company confirms

    Enterprise tech firm Kaseya has confirmed that around 1,500 businesses were impacted by an attack on its remote device management software, which was used to spread ransomware. It appears that the attackers carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya's VSA software against multiple managed service providers (MSPs) and, through them, their customers.

    "To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised," Kaseya said in an update on the attack.

    The attackers exploited a previously unknown flaw in Kaseya's VSA software, which is used by MSPs and their customers. VSA is remote monitoring and management software, used to manage endpoints such as PCs, servers and cash registers, as well as to manage patching and security vulnerabilities.

    On Sunday, the REvil ransomware group, which claimed the attack, asked for $70 million in exchange for a universal decryption tool that would supposedly unlock every victim of the Kaseya campaign. Some victims, such as Swedish supermarket chain Coop, remained closed for business on Monday due to the attack. The company is currently working to replace its affected checkout systems at multiple stores, it said in a statement on Monday.

    Kaseya noted that it had not received reports of VSA customers that had been compromised since Saturday. It says that no other Kaseya products were compromised.

    While Kaseya's software-as-a-service (SaaS) line of VSA was not affected, its servers were taken down during the incident response and remain offline today. Kaseya has developed a patch for customers running VSA on their own servers. The patch should be available within 24 hours after its SaaS servers are brought back online, which it estimates will happen today, July 6, between 2 PM and 5 PM EDT, Kaseya said in an update.


    Kaseya worked with the FBI and CISA on Monday evening to discuss system and network hardening tasks prior to restoring services for its SaaS and on-premises customers. "A set of requirements will be posted prior to service restart to give our customers time to put these counter measures in place in anticipation of a return to service on July 6th," it noted.

    It has also released a new, free compromise detection tool that customers can use to check networks and computers. The new version searches for indicators of compromise, data encryption, and the REvil ransom note. "We recommend that you re-run this procedure to better determine if the system was compromised by REvil," Kaseya said. Kaseya is still urging customers to keep VSA servers offline until it's safe to proceed with restoration efforts.
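    Kaseya's tool looks for indicators of compromise, evidence of data encryption and the ransom note. The following added example (not Kaseya's tool, and not REvil-specific) shows the shape of the last two checks: a sweep that flags files matching a note-name pattern and files whose contents have the near-uniform byte distribution of ciphertext, while skipping formats that are legitimately high-entropy. The note pattern and the sample directory are constructed placeholders; a real scanner carries the note names, extensions and hashes published for the family.

```python
"""Sweep a directory tree for two ransomware indicators: a ransom note and
files whose contents look encrypted.

Added example, not Kaseya's detection tool. The note-name pattern and the
sample files are constructed placeholders; a production scanner would carry
the exact note names, extensions and hashes published for the family.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Hypothetical pattern; replace with the note filename published for the family.
NOTE_PATTERN = re.compile(r"readme.*\.txt$", re.IGNORECASE)
ENTROPY_THRESHOLD = 7.5          # bits per byte; ciphertext sits close to 8.0
SAMPLE_BYTES = 4096              # judge on the first 4 KiB to keep the sweep cheap
# Legitimately high-entropy formats that would otherwise be false positives.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """High entropy in a file that is not a known compressed format."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < 256 or head.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan(root: str) -> dict:
    """Return ransom notes and suspected encrypted files found under root."""
    notes, encrypted = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NOTE_PATTERN.search(name):
                notes.append(path)
            elif looks_encrypted(path):
                encrypted.append(path)
    return {"ransom_notes": sorted(notes), "encrypted_files": sorted(encrypted)}


def build_sample_tree() -> str:
    """Constructed fixture: a plaintext file, a random blob standing in for
    ciphertext, a PNG-like file (legitimate high entropy) and a ransom note."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("meeting agenda\n" * 200)
    with open(os.path.join(root, "quarterly.xlsx.locked"), "wb") as fh:
        fh.write(os.urandom(8192))
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + os.urandom(4096))
    with open(os.path.join(root, "readme-restore.txt"), "w") as fh:
        fh.write("your files are encrypted\n")
    return root


if __name__ == "__main__":
    for kind, hits in scan(build_sample_tree()).items():
        print(kind, [os.path.basename(p) for p in hits])
```

    Entropy alone is a noisy signal, which is why the magic-number skip list matters: archives, images and PDFs look just like ciphertext to this test. In practice the entropy check is a tie-breaker for files with a recently changed extension, and the note and the family's published hashes are the high-confidence indicators.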


    Windows 11 upgrades: Why security is going to be the key driver

    Microsoft unveiled Windows 11 last week and has now shared the first few features and UI changes with testers in the Windows Insider program. The feature update is due out in the fall, but despite the new look, could it be security rather than design that is going to drive businesses to upgrade? 

    Dave Weston, director of enterprise and operating system security at Microsoft, says he's confident the added security of Windows 11 will drive faster uptake. Weston points out that, according to tech analyst Gartner, security was the number one driver for enterprises upgrading to Windows 10 from Windows 7. Since then, thanks to a range of high-profile hacking incidents and the rise of ransomware, security is even higher on the agenda.

    "I expect the adoption to go even faster than the Windows 7 to 10 period because of the security advantages," he says.

    He says the two most important things enterprises can do to improve security are to get rid of passwords and to move to a zero-trust framework: a network security design that assumes breaches, and acknowledges that managed and unmanaged devices flow between homes and workplaces fluidly as a result of the new work practices brought by the COVID-19 pandemic.

    Microsoft has been talking up passwordless authentication for years now as an early backer of the FIDO2 standard. Key Microsoft technologies in this space include Windows Hello biometrics for signing in to Azure Active Directory (Azure AD), the Microsoft Authenticator app, and FIDO2 security keys such as Google's Titan keys.

    "So with Windows 11, out of the box, you can actually create a Microsoft account that never has a password that uses your face or biometrics in lieu of a password," Weston says.

    Beyond this, Windows 11 tightens up operating system security because more of these security features for the enterprise are turned on by default. "We got deep in the engine, tweaked things, tuned things, got things fast enough and compatible enough that they're just there. It's not the features that are there – it's the features that are turned on by default," he says. This means virtualization-based security (VBS), Trusted Platform Module (TPM) hardware-based security, and BitLocker are on by default for Windows 11 machines.

    "This is really the most secure release – not in the sense of new features – but that users used to have to be educated on or needed more effort to enable and protect themselves. It's just there now," he says.

    "As more websites on the internet start to support FIDO2 and the passwordless standards, we think we're well on our way to a world where you're just not going to enter passwords," says Weston.

    He adds that Microsoft bolstered the security of biometrics in Windows 11 by isolating biometric data in its own shielded virtual machine. This helps stop attackers stealing biometric data for future attacks on systems that rely on biometric authentication. "That means if malware or a hacker got on your machine, it couldn't tamper with your biometric data, which is a much stronger security guarantee for biometrics," explains Weston.

    Security in hardware is also a key evolution.


    The TPM is a chip that is either a discrete component on the PC's motherboard or implemented in firmware inside the CPU, with the aim of protecting encryption keys, user credentials, and other sensitive data behind a hardware barrier. All certified Windows 11 systems must have a TPM 2.0.

    Another example is Pluton, a Microsoft-designed security processor that Intel, AMD and Qualcomm build into their CPUs, with Microsoft maintaining its firmware. Pluton-equipped computers aren't available just yet, but Windows 11 is ready to use it. Because Pluton is embedded in the CPU package rather than being a separate chip, end users can get its firmware updates through Microsoft's usual Patch Tuesday releases from Windows Update.

    "We write the software for this chip, so the root of trust is a combination of mostly hardware and a small amount of software to make it run. The nice thing about Pluton is that Microsoft writes the code and keeps it up to date, so it comes through Windows Update and users don't have to do anything," he says. "Today when you have a security issue, users have to go out of their normal flow and track it down on the web and run an executable, and they often don't do that, which leaves these systems vulnerable."

    Every Windows 11 device will have a hardware identity and a TPM, which means the cloud can uniquely identify it and organizations can determine whether a device that connects to their cloud meets acceptable security guarantees. "In addition, we have conditional access agents built in to the operating system that leverages hardware. Which means that before a device can connect to sensitive data – which is what ransomware wants to encrypt – companies can easily define a security policy with all the protections you would need to stop ransomware: antivirus, control that patches up to date, and so we're making that much easier to enforce on Windows 11."

    The catch is that you'll need new hardware with the latest CPUs from these chipmakers to take advantage of Windows 11's default security features: the question is whether CIOs and consumers alike will take security seriously enough to make the upgrade.


    Japan to bolster national cybersecurity defence with 800 new hires: Report

    Japan's Ministry of Defense has announced plans to bolster its cybersecurity unit by bringing on additional personnel to help defend against increasingly sophisticated attacks. The ministry is looking to bring on 800 more staff by the end of March 2022, according to a report by Nikkei, which would take the Japanese government's cybersecurity defence unit from about 660 personnel to nearly 1,500. Part of the hiring will come from the private sector.

    The cybersecurity unit is currently responsible for protecting shared systems used by Japan's Self-Defense Forces (SDF). A new unit, however, will be stood up in 2022 to oversee cyber defence for the entire SDF and consolidate the units of each branch, Nikkei said in the report.

    The plans to beef up the country's cybersecurity defence follow a cyber attack in May in which data from various government entities was reportedly stolen by hackers who gained access to Fujitsu's ProjectWEB platform. The impacted government entities included the Ministry of Land, Infrastructure, Transport, and Tourism; the Cabinet Secretariat; and Narita Airport, Japan's public broadcaster NHK said in a report.

    In the same month, the Japanese government also reportedly announced it would introduce new regulations across 44 sectors to further strengthen its national cyber defence, partly in response to the Colonial Pipeline hack in the United States. The government plans to amend the various laws governing each sector by passing an all-encompassing motion and a new law requiring each sector to be conscious of national security risks, Nikkei said in a report.

    The sectors that are expected to see the legislative changes include telecommunications, electricity, finance, railroads, government services, and healthcare, among others. Specifically, these sectors will reportedly be required to look into issues stemming from the use of foreign equipment or services, including cloud data storage and connections to servers located overseas.