7 realities that expose network security: breaking false security


Security professionals can have a false sense of security. To better protect the enterprise, we examine seven areas where that false sense arises and where changes are needed.

Migrating to the cloud; "shifting security left" (moving security to the earliest stages of the development process); buying the latest XDR and deception tools. The technology and network security industries have always been driven by marketing hype, but do these moves really make companies more secure, or do they just add more complexity?

With attacks ranging from SolarWinds to the Microsoft Exchange vulnerabilities, and major hacking events constantly in the news, how can security professionals sleep well? They may feel they are doing the right things, but do they just have a false sense of security?

Salt Security technical evangelist Michael Isbitski said that security professionals should pay more attention to application programming interface (API) security, because APIs underpin many of these technologies. From hosting applications in the cloud to relying on gateways and traditional patch management tools, old-fashioned security methods give too little attention to API security, and the reality is that APIs are easily compromised by attackers.

Given that the risks are so large, companies need to be honest about their own practices and tools rather than overconfident. Organizations should look for ways to update their tools and processes to meet the challenges of new network threats.

We have summarized seven recommendations to help security professionals weigh emerging concepts and the security concepts, technologies and processes that need attention.

1. Is the cloud application you build really safe?

As organizations keep moving their business to the cloud, they invest heavily in security tools redesigned for the cloud, most commonly cloud workload protection and container security tools. Such tools can identify known vulnerable dependencies, detect misconfigurations, segment workloads, and prevent drift from an established security baseline. However, unpatched vulnerabilities and misconfigurations in Kubernetes and other platforms have consistently been an attacker's entry point, allowing them to bypass access controls, run malicious code on compromised clusters, and deploy cryptocurrency miners.

Unfortunately, these new cloud security tools still cannot solve most application-layer security issues. They mainly address network and infrastructure security, and the application layer remains exposed. So the public cloud may be secure, but that does not mean what you build inside it is secure.

2. Enterprises can "shift left", but must still "shift right"

The "shift left" concept encourages development teams to integrate security processes and tools into the software development life cycle (SDLC) and to spread security expertise. Shift left is closely related to DevSecOps practice, whose goal is to integrate and automate security in the design, build and deploy phases. This approach has paid off for many companies: they can iterate more quickly, verify that security is properly built in from the beginning, and reduce the cost of fixing vulnerabilities late in the SDLC.

However, organizations cannot shift everything left at the cost of sacrificing runtime protection. Developers will never write perfect code, large code bases cannot be fully scanned within a release window, and scanners are designed to find known vulnerabilities or weaknesses that follow clear patterns.

Organizations must be clear that "shift left" does not mean only left. On the positive side, shifting left lets development teams discover and fix many security vulnerabilities more quickly.

Today, new attacks and zero-day vulnerabilities keep appearing, so applications still have to be protected in production. Companies should not sacrifice runtime security in order to shift left. Most have realized that both need to be taken into account.

3. WAFs and gateways cannot fully protect APIs

Application programming interfaces (APIs) let machines communicate with each other easily. Today, API-driven application development has become the new de facto standard. By integrating third-party services, developers do not have to build every function from scratch, which speeds up new products and services.

In recent years, API usage has grown explosively. According to Akamai, API traffic now accounts for more than 83% of all Internet traffic.

Although APIs support the interactive digital experiences that users have grown accustomed to and are the basis of companies' digital transformation, they also provide malicious hackers with a variety of ways to access company data, and have become the root cause of many security issues.

In early May this year, Pen Test Partners security researcher Jan Masters found that he could request private data from Peloton's official API without authentication, and that users' local devices and cloud servers were equally unprotected. The data included users' age, gender, city, weight and workout statistics, and even sensitive details such as birthdays from the personal data settings page.

In addition to Peloton, companies that have suffered API-related security incidents include Equifax, Instagram, Facebook, Amazon and PayPal.

A major reason is that too many companies assume that web application firewalls (WAFs) and API gateways protect their APIs. In fact, because of inherent design limitations, these technologies cannot block most types of API attacks, and they also give companies a false sense of security about their APIs and API-driven applications.

Every company's APIs are unique, and real attacks against APIs usually do not follow the defined patterns of known vulnerabilities. Addressing these risks requires security that, regardless of the techniques an attacker uses, continuously learns API behavior and stops attackers as early as possible.
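The Peloton case above is a missing authentication and object-level authorization check, the kind of application-layer defect a WAF or gateway does not see. The following is an added example, not code from Peloton or from this article: a minimal profile endpoint with the weak handler next to its hardened form. The token scheme, user records and function names are all constructed for illustration.

```python
"""Authenticate the caller, then check that the caller may read the specific
object requested. All users, secrets and tokens below are constructed sample
data for this example; the token format is a demo, not a real session system."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed server-side secret and user records (hypothetical).
SERVER_SECRET = b"constructed-demo-secret"
USERS = {
    "u100": {"age": 34, "city": "Leeds", "weight_kg": 72, "private": True},
    "u200": {"age": 29, "city": "Austin", "weight_kg": 64, "private": True},
}


def _mac(user_id: str) -> str:
    return hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str) -> str:
    """Issue a bearer token of the form '<user_id>.<hmac>' (demo only)."""
    return f"{user_id}.{_mac(user_id)}"


def authenticate(auth_header: Optional[str]) -> Optional[str]:
    """Return the verified user id, or None when no valid token is presented."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    user_id, _, mac = auth_header[len("Bearer "):].partition(".")
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if user_id in USERS and hmac.compare_digest(mac, _mac(user_id)):
        return user_id
    return None


def get_profile_unprotected(target_id: str) -> Tuple[int, dict]:
    """Weak handler: returns any user's profile with no authentication at all."""
    profile = USERS.get(target_id)
    return (200, profile) if profile else (404, {})


def get_profile(auth_header: Optional[str], target_id: str) -> Tuple[int, dict]:
    """Hardened handler: authenticate first, then enforce object-level access."""
    caller = authenticate(auth_header)
    if caller is None:
        return 401, {"error": "authentication required"}
    profile = USERS.get(target_id)
    if profile is None:
        return 404, {}
    # Object-level authorization: a private profile is readable only by its owner.
    if profile["private"] and caller != target_id:
        return 403, {"error": "forbidden"}
    return 200, profile
```

The unprotected handler answers 200 to anyone for any user id; the hardened one returns 401 without a valid token and 403 when the authenticated caller asks for someone else's private profile.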

4. Traditional patch and vulnerability management tools cannot protect APIs

Although patch and vulnerability management can help security teams address risks in off-the-shelf software and components, an application and API security strategy needs much more than this.

To avoid falling victim to the 99% of vulnerabilities that are already known, companies have put large resources into patch and vulnerability management. Known vulnerabilities are usually tracked as Common Vulnerabilities and Exposures (CVE), a useful classification for cataloguing clearly defined vulnerabilities in published software or hardware. However, this method cannot capture the many potential vulnerabilities that companies introduce themselves when building or integrating applications and APIs.

An attacker sometimes exploits a well-known vulnerability in software, as in the recent Exchange Server attacks. More commonly, however, attackers look for weaknesses unique to the target's own APIs or API integrations, because code that a company created or integrated itself cannot be fixed with a vendor "patch".

Common Weakness Enumeration (CWE) IDs are a classification better suited to describing defects in self-developed applications and APIs. If a company develops code or integrates other code, its security staff should be familiar with CWE and the OWASP Top 10. These classifications are more relevant and better suited to self-built applications or APIs than CVE IDs, which apply to software purchased from elsewhere.

According to its official description, CWE helps developers and security practitioners to:

- describe and discuss software and hardware weaknesses in a common language;
- check for weaknesses in software and hardware products;
- evaluate tool coverage of these weaknesses;
- use a common baseline for weakness identification, mitigation and prevention efforts;
- prevent software and hardware vulnerabilities before deployment.

5. Basic awareness training is not enough, especially for engineers

Security awareness training around ransomware, phishing and social engineering has received much attention, because these are attackers' primary means of attack.

However, enterprises make overly optimistic assumptions that this level of awareness will actually change employee behavior. Too many use a one-off approach: one or two training sessions a year delivered through a third party, a check that employees have completed them, and then the material is forgotten until the next cycle.

This is clearly not enough, and may even be a complete waste of time. A "point-in-time" focus is much better: it can change employee behavior and get them working with a more security-conscious mindset.

In addition, many companies lag badly in application security training and awareness. With releases to ship, developers and engineers rarely have time for training. Even when they do, they focus on the technology stacks that interest them, and security is often left aside.

Currently, most companies still face a shortage of security skills, especially in "full stack" engineering. This leaves non-security staff with little guidance when creating or updating applications. Agile methodology and DevOps practice have compressed development and delivery timelines, leaving no room for security training and awareness activities such as security design reviews or threat modeling.

Lack of time has always been a challenge, but shifting security left in the development life cycle is imperative; security cannot simply be forgotten, so why not address it from the organizational perspective?

Building security in before a security incident or vulnerability is more cost-effective than remediation after a disaster. But this requires investing in developers' training and study, and it must be done. Awareness training is not a one-time matter.

6. Just buying new tools does not guarantee security

Organizations often feel that as long as they buy the latest hot security tool, they will be secure, but that is not the case.

Employee turnover often leaves the tools an enterprise has purchased poorly managed or even misconfigured by administrators. The security team needs to ask itself: are we running the latest version? Are we making full use of the new product's functions? Does the update process cover the existing rules?

People always feel that "money solves everything" and that buying enough will solve security problems. Unfortunately, in many cases the people who originally installed the products have left. This is why a product sometimes contains 1,000 rules that the current administrator dares not revise, for fear of breaking something very important.

Beyond the technical side, companies also need employees with soft skills: the ability to follow procedures, read documentation, and communicate issues to management.

In addition, many people believe that all these new products are certainly fully integrated. This is one of the drivers of extended detection and response (XDR), since XDR is essentially a pre-integrated solution covering endpoint, network and cloud threat detection and response.

But whatever is said, security problems remain problems. This is also a reason for the sustained growth of managed security services, and even some top vendors now offer more and more managed services. They realize that no matter how integrated and effective their product platform is, more and more CISOs want to outsource as much of the technology as possible, and this trend is likely to grow steadily over time.

7. Enterprises that launch Internet-connected products do not always pay attention to security

A company's core business may be manufacturing automobiles, consumer electronics or household appliances, and it may not always be aware of the need to invest more time and money in developing and managing the security of these products and their integrated mobile applications.

This is the result of an ongoing evolution. Companies that are not in the software business now develop their own applications and APIs to support their core services. However, they do not always recognize that the APIs and applications behind many Internet of Things products must also be properly protected.

Today, with the spread of 5G in the United States and many developed countries, the proliferation of all types of IoT devices will not just be a possibility but standard practice. Many such devices not only lack built-in security features, but security was never considered during their development at all.

It can be said that if better protection is not provided for 5G IoT, large-scale IoT botnets may return, especially as botnet-driven cryptocurrency mining becomes more and more profitable for hackers. In the next decade, the Internet of Things may become one of the major issues in network security.
