Wednesday, June 30, 2021

Low-code development

  •  A low-code development platform (LCDP) provides a development environment used to create application software through a graphical user interface instead of traditional hand-coded computer programming. A low-coded platform may produce entirely operational applications, or require additional coding for specific situations. Low-code development platforms reduce the amount of traditional hand coding, enabling accelerated delivery of business applications

https://en.wikipedia.org/wiki/Low-code_development_platform

Sunday, June 27, 2021

Operational Technology (OT)

  •  In short, IT deals with information, while OT deals with machines.

The former manages the flow of digital information (read: data), while the latter manages the operation of physical processes and the machinery used to carry them out.

shorthand to represent this distinction is the office (IT) vs. the factory floor (OT).


Understanding OT


Compared with IT, OT is unique in that related hardware and software is usually (historically) designed to do specific things: control heat, monitor mechanical performance, trigger emergency shutoffs, etc. Typically, this is done through industrial control systems (ICS) and supervisory control and data acquisition (SCADA).


If employees have seen fit to change the temperature on a factory floor, raise or lower humidity levels, or shut off machinery for a given reason, OT has provided a quick, clear way of making that happen — a physical switch, a steel lever, or a big red button. Conversely, IT systems have been able to perform key operations without constant human intervention — provided those workflows are within programmed functions.


https://www.coolfiresolutions.com/blog/difference-between-it-ot/








  • The New Age of Operational Technology


Traditionally, OT was an ‘air-gapped’ environment, meaning that it was not connected to external networks or digital technologies.

since the rise of the fourth industrial revolution, also known as "Industry 4.0". Companies taking part in this change have begun implementing new digital solutions in their networks looking to stay ahead of their competition. These solutions aim to increase automation, add “smart” devices, make data more efficient and available, and interconnect networks for convenience.


As part of the interconnection, and in order to make OT components more accessible while being able to collect and analyze data about them, IT and OT networks are also becoming interconnected

This movement is referred to as IT-OT Convergence.

While connecting operational with information technology opens a great door to new opportunities, it also introduces a vast landscape of cybersecurity threats to what was once an air-gapped network.


IT vs OT - Four Core Differences


1. Enterprise vs Industry

OT includes completely different components that can be found primarily in industrial environments. These components are often screenless (machinery, PLCs), they communicate over industrial protocols that are never seen on IT networks (e.g., Modbus, Ethernet/IP, Profinet), they lack security tools (firewalls, antivirus), and they are even programmed differently than “normal” computers.


2. IT Prioritizes Confidentiality, OT Focuses on Safety

In OT, the safety and availability of equipment and processes dominate.For example, a ransomware attack that blocks access to operations can lead to a few days of inactivity where each day may be worth millions of dollars.


3. IT Incidents are More Frequent, OT Incidents are More Destructive

IT has more touchpoints with the internet. These gateways pose higher security risks because each one can potentially be a hack waiting to happen.


OT has a lower number of gateways, making it comparatively safer. However, the potential magnitude of compromised physical equipment tends to be greater than that of a data breach. Even slight OT cyber-incidents can lead to huge financial losses and have damaging ramifications that can affect the general population, such as water contamination and power outages


4. Security Patching - Every Week vs Every Ten Years

IT components advance so fast and have relatively short life spans, that a network can look completely different only several years apart. In fact, IT security updates are so frequent that many IT vendors have a designated "update day of the week" or "Patch Tuesday".


patching OT components requires complete shutdowns that halts production, vendors running OT networks rarely patch their components, if at all.Since OT components are rarely updated, they may have many more public vulnerabilities when compared to IT computers. This means that the probability of a successful exploit on an OT system is exponentially higher than on an IT system.



https://www.otorio.com/blog/it-security-vs-ot-security-the-operational-technology-cybersecurity-guide-for-industry-professionals/







Tuesday, June 22, 2021

cyber security standards

  •  ISO/IEC 27001 is an international standard on how to manage information security.

https://en.wikipedia.org/wiki/ISO/IEC_27001


ISO/IEC 27001

Information security management

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family.

https://www.iso.org/isoiec-27001-information-security.html



  • IEC 62304

The international standard IEC 62304 – medical device software – software life cycle processes[1] is a standard which specifies life cycle requirements for the development of medical software and software within medical devices.

https://en.wikipedia.org/wiki/IEC_62304



  • What is UL 2900?

UL 2900 is a series of standards published by UL (formerly Underwriters Laboratories), a global safety consulting and certification company. The standards present general software cyber security requirements for network-connectable products (UL 2900-1), as well as requirements specifically for medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3).

https://www.synopsys.com/glossary/what-is-ul-2900.html




Thursday, June 3, 2021

Bring Your Own Key (BYOK)

  •  What is Bring Your Own Key (BYOK)?


While cloud computing offers many advantages, a major disadvantage has been security, because data physically resides with the cloud service provider (CSP) and out of the direct control of the owner of the data. 

For enterprises that elect to use encryption to protect their data, securing their encryption keys is of paramount importance.

Bring Your Own Key (BYOK) is an encryption key management system that allows enterprises to encrypt their data and retain control and management of their encryption keys.

However, some BYOK plans upload the encryption keys to the CSP infrastructure. In these cases, the enterprise has once again forfeited control of its keys.

A best-practice solution to this "Bring Your Own Key" problem is for the enterprise to generate strong keys in a tamper-resistant hardware security module (HSM) and control the secure export of its keys to the cloud, thereby strengthening its key management practices.


https://cpl.thalesgroup.com/faq/key-secrets-management/what-bring-your-own-key-byok






Wednesday, June 2, 2021

Office 365 Security

  •  Office 365 Security overview


In Office 365 security, there are three main security services (or products) tied to your subscription type:


    Exchange Online Protection (EOP)

    Microsoft Defender for Office 365 Plan 1 (Defender for Office P1)

    Microsoft Defender for Office 365 Plan 2 (Defender for Office P2)


EOP

Prevents broad, volume-based, known attacks


Microsoft Defender for Office 365 P1

Protects email and collaboration from zero-day malware, phish, and business email compromise.


Microsoft Defender for Office 365 P2

Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).



https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/overview?view=o365-worldwide


  • Exchange Online Protection overview

Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.

EOP is also available by itself to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes.

How EOP works

When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP.

Then the message is inspected for malware. If malware is found in the message or the attachment(s) the message is routed to an admin only quarantine store

The message continues through policy filtering, where it's evaluated against any mail flow rules (also known as transport rules) that you've created. For example, a rule can send a notification to a manager when a message arrives from a specific sender.

The message passes through content filtering (anti-spam and anti-spoofing) where harmful messages are identified as spam, high confidence spam, phishing, high confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in anti-phishing policies). You can configure the action to take on the message based on the filtering verdict (quarantine, move to the Junk Email folder, etc.).

A message that successfully passes all of these protection layers is delivered to the recipients.

EOP datacenters

In Europe, the Middle East, and Africa (EMEA), all Exchange Online mailboxes are located in EMEA datacenters, and all messages are routed through EMEA datacenters for EOP filtering.

EOP features

EOP uses several URL block lists that help detect known malicious links within messages.
EOP uses a vast list of domains that are known to send spam.
EOP uses multiple anti-malware engines help to automatically protect our customers at all times.
EOP inspects the active payload in the message body and all message attachments for malware.

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/exchange-online-protection-overview?view=o365-worldwide


  • Configure connection filtering

If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, you use connection filtering in EOP (specifically, the default connection filter policy) to identify good or bad source email servers by their IP addresses.

The IP Allow List, safe list, and the IP Block List are one part of your overall strategy to allow or block email in your organization.

What do you need to know before you begin?

You open the Security & Compliance Center at https://protection.office.com/. To go directly to the Anti-spam settings page, use https://protection.office.com/antispam.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

You need to be assigned permissions in Exchange Online before you can do the procedures in this article:

    To modify the default connection filter policy, you need to be a member of the Organization Management or Security Administrator role groups.
    For read-only access to the default connection filter policy, you need to be a member of the Global Reader or Security Reader role groups.



https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-connection-filter-policy?view=o365-worldwide

  • Anti-spam protection in EOP

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.

Anti-spam technologies in EOP

The anti-spam settings in EOP are made of the following technologies:

    Connection filtering: Identifies good and bad email source servers early in the inbound email connection via the IP Allow List, IP Block List, and the safe list (a dynamic but non-editable list of trusted senders maintained by Microsoft). You configure these settings in the connection filter policy.

Spam filtering (content filtering): EOP uses the spam filtering verdicts Spam, High confidence spam, Bulk email, Phishing email and High confidence phishing email to classify messages. You can configure the actions to take based on these verdicts, and you can configure the end-user notification options for messages that were quarantined instead of delivered. 

Manage errors in spam filtering

It's possible that good messages can be identified as spam (also known as false positives), or that spam can be delivered to the Inbox.

Here are some best practices that apply to either scenario:

Always submit misclassified messages to Microsoft.

Examine the anti-spam message headers: These values will tell you why a message was marked as spam, or why it skipped spam filtering.
Point your MX record to Microsoft 365: In order for EOP to provide the best protection, we always recommend that you have email delivered to Microsoft 365 first.
If the MX record points to some other location (for example, a third-party anti-spam solution or appliance), it's difficult for EOP to provide accurate spam filtering. In this scenario, you need to configure Enhanced Filtering for connectors (also known as skip listing).

Use email authentication: If you own an email domain, you can use DNS to help insure that messages from senders in that domain are legitimate. To help prevent spam and unwanted spoofing in EOP, use all of the following email authentication methods:
SPF: Sender Policy Framework verifies the source IP address of the message against the owner of the sending domain. 
DKIM: DomainKeys Identified Mail adds a digital signature to the message header of messages sent from your domain
DMARC: Domain-based Message Authentication, Reporting, and Conformance helps destination email systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners. 

Verify your bulk email settings: The bulk complaint level (BCL) threshold that you configure in anti-spam policies determines whether bulk email (also known as gray mail) is marked as spam. The PowerShell-only setting MarkAsSpamBulkMail that's on by default also contributes to the results.

Prevent the delivery of spam to the Inbox

Verify your organization settings: Watch out for settings that allow messages to skip spam filtering (for example, if you add your own domain to the allowed domains list in anti-spam policies)

Verify the junk email rule is enabled in the user's mailbox: It's enabled by default, but if it's disabled, messages marked as junk can't be moved into the Junk Email folder

Use the available blocked sender lists:

Unsubscribe from bulk email If the message was something that the user signed up for (newsletters, product announcements, etc.) and contains an unsubscribe link from a reputable source, consider asking them to simply unsubscribe.

Standalone EOP: create mail flow rules in on-premises Exchange for EOP spam filtering verdicts: In EOP environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange to translate the EOP spam filtering verdict so the junk email rule can move the message to the Junk Email folder. 

Prevent good email from being identified as spam

Here are some steps that you can take to help prevent false positives:

    Verify the user's Outlook Junk Email Filter settings:
Verify the Outlook Junk Email Filter is disabled: When the Outlook Junk Email Filter is set to the default value No automatic filtering, Outlook doesn't attempt to classify massages as spam. When it's set to Low or High, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder, so you could get false positives. Note that Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook in November, 2016. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time.
Verify the Outlook 'Safe Lists Only' setting is disabled: When this setting is enabled, only messages from senders in the user's Safe Senders list or Safe Recipients list are delivered to the Inbox; email from everyone else is automatically moved to the Junk Email folder.
Use the available safe sender lists
Verify users are within the sending and receiving limits
Standalone EOP: use directory synchronization: If you use standalone EOP to help protect your on-premises Exchange organization, you should sync user settings with the service by using directory synchronization.

Anti-spam legislation

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection?view=o365-worldwide

  • Anti-malware protection in EOP

Some of the major categories of malware are:

    Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect.

    Spyware that that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect and remove the malware payload that's associated with the ransomware.

EOP offers multi-layered malware protection that's designed to catch all known malware traveling into or out of your organization. The following options help provide anti-malware protection:

Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. 

Real-time threat response: During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. 

Fast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released

In EOP, messages that are found to contain malware in any attachments are quarantined, and can only be released from quarantine by an admin.

Anti-malware policies

Anti-malware policies control the settings and notification options for malware detections. 

Recipient notifications: By default, a message recipient isn't told that a message intended for them was quarantined due to malware. But, you can enable recipient notifications in the form of delivering the original message with all attachments removed and replaced by a single file named Malware Alert Text.txt 
You can replace the default text in the Malware Alert Text.txt file with your own custom text.

Common attachments filter: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these type of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs.

Zero-hour auto purge (ZAP) for malware: ZAP for malware quarantines messages that are found to contain malware after they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on

Sender notifications: By default, a message sender isn't told that their message was quarantined due to malware. But, you can enabled notification messages for senders based on whether the sender is internal or external.

Recipient filters: For custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    The recipient is
    The recipient domain is
    The recipient is a member of

Recipient filters: For custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    The recipient is
    The recipient domain is
    The recipient is a member of

Priority: If you create multiple custom anti-malware policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied.


Anti-malware policies in the Microsoft 365 security center vs PowerShell

The basic elements of an anti-malware policy are:

    The malware filter policy: Specifies the recipient notification, sender and admin notification, ZAP, and the common attachments filter settings.
    The malware filter rule: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.

The difference between these two elements isn't obvious when you manage anti-malware polices in the security center:

    When you create an anti-malware policy, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.
    When you modify an anti-malware policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the common attachments filter) modify the associated malware filter policy.
    When you remove an anti-malware policy, the malware filter rule and the associated malware filter policy are removed.

In Exchange Online PowerShell or standalone EOP PowerShell, the difference between malware filter policies and malware filter rules is apparent.
You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilt7erRule cmdlets.

In PowerShell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the malware filter policy and the malware filter rule separately.
When you remove a malware filter policy from PowerShell, the corresponding malware filter rule isn't automatically removed

Default anti-malware policy

Every organization has a built-in anti-malware policy named Default that has these properties:


    The policy is applied to all recipients in the organization, even though there's no malware filter rule (recipient filters) associated with the policy.
    The policy has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom anti-malware policies that 
you create always have a higher priority than the policy named Default.
    
The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.


https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-worldwide

  • Configure anti-phishing policies in EOP

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, there's a default anti-phishing policy that contains a limited number of anti-spoofing features that are enabled by default

Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies

Organizations with Exchange Online mailboxes can configure anti-phishing policies in the Security & Compliance Center or in Exchange Online PowerShell.

The basic elements of an anti-phishing policy are:

    The anti-phish policy: Specifies the phishing protections to enable or disable, and the actions to apply options.
    The anti-phish rule: Specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy
The difference between these two elements isn't obvious when you manage anti-phishing policies in the Security & Compliance Center:


    When you create an anti-phishing policy, you're actually creating an anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
    When you modify an anti-phishing policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the anti-phish rule. All other settings modify the associated anti-phish policy.
    When you remove an anti-phishing policy, the anti-phish rule and the associated anti-phish policy are removed.

In Exchange Online PowerShell, you manage the policy and the rule separately. 

Every organization has a built-in anti-phishing policy named Office365 AntiPhish Default that has these properties:

    The policy is applied to all recipients in the organization, even though there's no anti-phish rule (recipient filters) associated with the policy.
    The policy has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom policies that you create always have a higher priority.
    The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.



https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop?view=o365-worldwide

  • Recommended settings for EOP and Microsoft Defender for Office 365 security

Applies to

    Exchange Online Protection
    Microsoft Defender for Office 365 plan 1 and plan 2
    Microsoft 365 Defender


Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. 

Anti-spam, anti-malware, and anti-phishing protection in EOP

EOP anti-spam policy settings
EOP outbound spam policy settings
EOP anti-malware policy settings
EOP default anti-phishing policy settings

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide