Microsoft IIS servers hacked by Blue Mockingbird to mine Monero

This month news broke about a hacker group, namely Blue Mockingbird, exploiting a critical vulnerability in Microsoft IIS servers to plant Monero (XMR) cryptocurrency miners on compromised machines.

Source: Microsoft IIS servers hacked by Blue Mockingbird to mine Monero

Leave a Comment

It’s not every day the NSA publicly warns of attacks by Kremlin hackers – so take this critical Exim flaw seriously

GRU crew actively exploit hole – but you it patched months ago, right?

Source: It’s not every day the NSA publicly warns of attacks by Kremlin hackers – so take this critical Exim flaw seriously



Russian hackers stole NSA data


Inside Russia’s Hacker Underworld


HBO What to Do About Cyberattacks








Get a Cyber Aware Cheat Sheet now!

Leave a Comment

ISO 27k reading list

ISO 27k books reading list

 

Many ISO 27001 practitioners attend ISO 27001 Lead Implementer courses or buy a ISO 27001 TOOLKIT to gain practical knowledge and skills to develop an information security management system (ISMS). Some go even further by securing a budget to call in an experienced ISO 27001 consultant to guide them through the process and help them with the more complex aspects of the project. But most information security professionals start the journey by simply reading a lot on the subject and doing initial preparation on their own – a method that is not only cost effective, but also gives them a good foundation to understand what is needed for successful ISO 27001 delivery.

Below is a list of books that can help ISO 27001 practitioners prepare for ISO 27001 implementation.

 

Implementing the ISO 27001:2013 ISMS Standard

 

ISO-27001

Authored by an internationally recognized expert in the field, this expanded, timely second edition addresses all the critical information security management issues needed to help businesses protect their valuable assets. Professionals learn how to manage business risks, governance and compliance. This updated resource provides a clear guide to ISO/IEC 27000 security standards and their implementation, focusing on the recent ISO/IEC 27001.
Moreover, readers are presented with practical and logical information on standard accreditation and certification. From information security management system (ISMS) business context, operations, and risk, to leadership and support, this invaluable book is your one-stop resource on the ISO/IEC 27000 series of standards.

Implementing the ISO/IEC 27001:2013 ISMS Standard 2nd Edition

 

ISO 27001 controls – A guide to implementing and auditing

 

Ideal for information security managers, auditors, consultants and organisations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001.

The ISO 27001 controls – A guide to implementing and auditing 

 

 ISO/IEC 27001 Master: Auditors & Implementers’ Guide

 

ISO/IEC 27001 Master is book written to meet the combined needs of Internal and External Auditors as well as Lead Implementers who simultaneously need the knowledge and skills of implementing the ISMS as well as the skill to perform the audits. Written in simple and straightforward English, the book can be used by beginners as well as advanced learners. Besides being a practitioner’s guide, candidates and students preparing for their ISO 27001 Certification Examinations can also make use the book which provides a step-by-step guide towards implementing the requirements of the ISO 27001 Standard.

The ISO/IEC 27001 Master: Auditors & Implementers

 

Secure & Simple – A Small-Business Guide to Implementing ISO 27001 On Your Own

 

In Secure & Simple Dejan Kosutic, an author and experienced information security consultant, is giving away all his practical know-how on successful ISO 27001 implementation. Whether you’re new or experienced in the field, this book gives you everything you will ever need to implement ISO 27001 on your own.

Dejan provides examples of implementing the standard in small and medium-sized organizations (i.e. companies with up to 500 employees). It is written primarily for beginners in the field and for people with moderate knowledge of ISO 27001. Even if you do have experience with the standard, but feel that there are gaps in your knowledge, you’ll find this book very helpful.

Secure & Simple is the definitive guide for implementing and maintaining the most popular information security standard in the world. The author leads you, step-by-step, from an introduction to ISO 27001 to the moment your company passes the certification audit.

Secure & Simple – A Small-Business Guide to Implementing ISO 27001 On Your Own


ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses

This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard.

An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an ‘information security management system’ must be set up.
ISO 27001 Handbook: Implementing and auditing


ISO IEC 27001 Lead Implementer A Complete Guide – 2020 Edition

 

Are breaches of any criminal or civil law and statutory, regulatory or contractual obligations and of any security requirements avoided? Ensuring the integration of the ISMS requirements into its business processes? What is the certification process for ISO 27001? Do you have documented statements of the ISMS policy and objectives? Are there any outdated operating systems running on any machines in the current environment?

Defining, designing, creating, and implementing a process to solve a challenge or meet an objective is the most valuable role… In EVERY group, company, organization and department.

Unless you are talking a one-time, single-use project, there should be a process. Whether that process is managed and implemented by humans, AI, or a combination of the two, it needs to be designed by someone with a complex enough perspective to ask the right questions. Someone capable of asking the right questions and step back and say, ‘What are we really trying to accomplish here? And is there a different way to look at it?’

This Self-Assessment empowers people to do just that – whether their title is entrepreneur, manager, consultant, (Vice-)President, CxO etc… – they are the people who rule the future. They are the person who asks the right questions to make ISO IEC 27001 Lead Implementer investments work better.

This ISO IEC 27001 Lead Implementer All-Inclusive Self-Assessment enables You to be that person.

All the tools you need to an in-depth ISO IEC 27001 Lead Implementer Self-Assessment. Featuring 910 new and updated case-based questions, organized into seven core areas of process design, this Self-Assessment will help you identify areas in which ISO IEC 27001 Lead Implementer improvements can be made.

In using the questions you will be better able to:

– diagnose ISO IEC 27001 Lead Implementer projects, initiatives, organizations, businesses and processes using accepted diagnostic standards and practices

– implement evidence-based best practice strategies aligned with overall goals

– integrate recent advances in ISO IEC 27001 Lead Implementer and process design strategies into practice according to best practice guidelines

Using a Self-Assessment tool known as the ISO IEC 27001 Lead Implementer Scorecard, you will develop a clear picture of which ISO IEC 27001 Lead Implementer areas need attention.

Your purchase includes access details to the ISO IEC 27001 Lead Implementer self-assessment dashboard download which gives you your dynamically prioritized projects-ready tool and shows your organization exactly what to do next. You will receive the following contents with New and Updated specific criteria:

– The latest quick edition of the book in PDF

– The latest complete edition of the book in PDF, which criteria correspond to the criteria in…

– The Self-Assessment Excel Dashboard

– Example pre-filled Self-Assessment Excel Dashboard to get familiar with results generation

– In-depth and specific ISO IEC 27001 Lead Implementer Checklists

– Project management checklists and templates to assist with implementation

INCLUDES LIFETIME SELF ASSESSMENT UPDATES

Every self assessment comes with Lifetime Updates and Lifetime Free Updated Books. Lifetime Updates is an industry-first feature which allows you to receive verified self assessment updates, ensuring you always have the most accurate information at your fingertips.

Leave a Comment

Russian cyberspies use Gmail to control updated ComRAT malware

ESET security researchers have discovered a new version of the ComRAT backdoor controlled using the Gmail web interface and used by the state-backed Russian hacker group Turla for harvesting and stealing in attacks against governmental institutions.

Source: Russian cyberspies use Gmail to control updated ComRAT malware



US, UK, and Holland fighting back against Russia’s cyber attacks


Russia cyber attacks: “a new stage in an espionage war, going beyond traditional espionage”







Download a CyberAware cheat sheet

Leave a Comment

Hacker extorts online shops, sells databases if ransom not paid

More than two dozen SQL databases stolen from online shops in various countries are being offered for sale on a public website. In total, the seller provides over 1.5 million rows of records but the damage is likely much larger.

Source: Hacker extorts online shops, sells databases if ransom not paid

More than two dozen SQL databases stolen from online shops in various countries are being offered for sale on a public website. In total, the seller provides over 1.5 million rows of records but the amount of stolen data is much larger.

The attacker is hacking into insecure servers that are reachable over the public web, copies the databases, and leaves a note asking for a ransom in return of the stolen data.

Money made

Victims have 10 days to pay BTC 0.06 ($525 at current price) a wallet provided in the ransom note, else the hacker makes the database public or uses it as they please.

Hacked! What to do with an extortion email


Bitcoin Email Blackmail Ransom Scam





Download a CyberAware cheat sheet

Leave a Comment

FREE Open Source Tools

FREE Open Source Tools – via SANS Institute

Free open source tools

Download a pdf

Open source intelligence (OSINT)

Cybersecurity Tools | Popular Tools for Cybersecurity Threats


Download a CyberAware cheat sheet

Leave a Comment

Security executives succeeding in the chaotic coronavirus world

What a crazy world we live in – employees working from home, “dirty” personal devices being used to access corporate data, furloughed employees still maintaining corporate IT assets and access – all while the quantity and variety of cyberattacks and fraud is drastically increasing. Corporate security executives have never had a harder set of challenges to deal with.

Source: Security executives succeeding in the chaotic coronavirus world

 

What is your greatest security concern right now?

The collective response to this question is that security executives are most worried about the increase in phishing campaigns and fraud, especially with distracted employees who aren’t as diligent with security hygiene while working from home. As one executive stated, “My greatest concern right now is social engineering resulting from cyberattacks on people wherever they are. High stress means reduced cognitive functions, so attackers may find it easier to do social engineering, which opens the door to everything else.”

Other major concerns include mitigating the impact of an increased attack surface and the need to enhance remote access controls to make certain organizational security levels are met despite a large majority of employees working remotely. For example, one executive further explained that she was most focused on mitigating the impact of this increased attack surface, particularly enhancing remote access controls such that the organization would be secure even if 100% of the employees were now remote. Enhancements to firewall, NAC, DLP and other solutions were required. Vendor risk also was a much greater concern for this executive, with third parties potentially now more vulnerable.

Virtual CISO and Security Advisory – Download a #vCISO template!

 

Virtual CISO and CISO – Checkout a vCISO/CISO latest titles

 

10 Tenets of CISO Success

Leave a Comment

Consider a Virtual CISO to Meet Your Current Cybersecurity Challenges | GRF CPAs & Advisors

By: Melissa Musser, CPA, CITP, CISA, Risk & Advisory Services Principal, and Darren Hulem, IT and Risk Analyst The COVID-19 crisis, with a new reliance on working from home and an overburdened healthcare system, has opened a new door for cybercriminals. New tactics include malicious emails claiming the recipient was exposed COVID-19, to attacks on…Read more ›

Source: Consider a Virtual CISO to Meet Your Current Cybersecurity Challenges | GRF CPAs & Advisors

Small- to medium-sized nonprofits and associations are particularly at risk, and many are now employing an outsourced Chief Information Security Officer (CISO), also known as a Virtual CISO (vCISO), as part of their cybersecurity best practices.

vCISO model not only offers flexibility over time as the organization changes, providers are also able to deliver a wide range of specialized expertise depending on the client’s needs.

The vCISO offers a number of advantages to small- and medium-sized organizations and should be part of every nonprofit’s or association’s risk management practices.

Virtual CISO and Security Advisory – Download a #vCISO template!

Three Keys to CISO Success

Leave a Comment

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Welp, at least that’s better than industry averages, says code-hosting biz

Source: To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials.

The GitLab Red Team – security personnel playing the role of an attacker – obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google’s GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab’s IT department.

“Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain ‘gitlab.company’,” explained security manager Steve Manzuik in a GitLab post.

“While an attacker would be able to easily capture both the username and password entered into the fake site, the Red Team determined that only capturing email addresses or login names was necessary for this exercise.”

Fifty emails went out and 17 (34 per cent) clicked on the link in the messages that led to the simulated phishing website. Of those, 10 (59 per cent of those who clicked through or 20 per cent of the total test group) went on to enter credentials. And just 6 of the 50 message recipients (12 per cent) reported the phishing attempt to GitLab security personnel.

Download a CyberAware Cheat Sheet

Leave a Comment

Santander, one of the biggest European banks, was leaking sensitive data on their website

Santander Consumer Bank, the Belgian branch of the bank, had a misconfiguration in its blog domain that was allowing its files to be indexed.

Source: Santander, one of the biggest European banks, was leaking sensitive data on their website

A Santander Consumer spokesperson said:

“The incident highlighted relates specifically to the Santander Consumer Bank Belgium blog only. The blog contains only public information and articles, and therefore no customer data or critical information from the blog  has been compromised. Our security team has already fixed the issue to ensure the blog is secure.”

What exactly is wrong with the Santander website?

When we visited the Santander blog on its Belgian domain, we noticed that the www endpoint of the blog subdomain had a misconfiguration that allowed all of its files to be indexed by search engines

Included in these indexed files was an important info.json file that seemed to contain its Cloudfront API keys.

Download a CyberAware Cheat Sheet

 

Leave a Comment

CISO Recruitment: What Are the Hot Skills?

CISO/vCISO Recruitment

What are enterprises seeking in their next CISO – a technologist, a business leader or both? Joyce Brocaglia of Alta Associates shares insights on the key qualities

What kinds of CISOs are being replaced? Brocaglia says that an inability to scale and a tactical rather than strategic orientation toward their role are two reasons companies are looking to replace the leaders of their security teams—or place them underneath a more senior cybersecurity executive. They are looking for professionals with broad leadership skills rather than a “one-trick pony.”

Today’s organizations want the CISO to be intimately involved as a strategic partner in digital transformation initiatives being undertaken. This means that their technical expertise must be broader than just cybersecurity, and they must have an understanding of how technology impacts the business—for the better and for the worse. And candidates must be able to explain the company’s security posture to the board and C-suite in language they understand—and make recommendations that reflect an understanding of strategic risk management.

CISOs who came up through the cybersecurity ranks are sometimes at a disadvantage as the CISO role becomes more prominent—and critical to the business. Professionals in this position will do well to broaden their leadership skills and credentials, sooner rather than later.

Source: CISO Recruitment: What Are the Hot Skills?



Interview with Joyce Brocaglia, CEO, Alta Associates



The Benefits of a vCISO




Want know more about vCISO as a Service…






Subscribe to DISC InfoSec blog by Email

Leave a Comment

10 Steps to Cyber Security

10 Steps to Cyber Security

10 Steps to Cyber Security pdf


Free Download Cybersecurity For Dummies Cheat Sheet

10 steps to improve your online security and stop hackers

10 Steps To Becoming An Elite Cyber Security Pro Hacker

Full Ethical Hacking Course – Network Penetration Testing for Beginners


Subscribe to DISC InfoSec blog by Email

Leave a Comment

Cyber Security Planning Guide

Cyber Security Planning Guide

Open a PDF file The best practice guide for an effective infoSec function.



Guide to Developing a Cybersecurity Strategy & Roadmap







Subscribe to DISC InfoSec blog by Email

Leave a Comment

Blue Team Cheat Sheets

 

Blue Team Cheat Sheets

Open a PDF file The best practice guide for an effective infoSec function.

Cyber Security Fundamentals: What is a Blue team?

 



Subscribe to DISC InfoSec blog by Email

Leave a Comment

CyberSecurity for Dummies

CyberSecurity for Dummies

Open a PDF file The best practice guide for an effective infoSec function.

 
Introduction to Cybersecurity


What You Should Learn Before Cybersecurity




Subscribe to DISC InfoSec blog by Email

Leave a Comment

Preparing a Secure Evolution to 5G

5G CYBERSECURITY

Preparing a Secure Evolution to 5G

5G CYBERSECURITY




Tech Talk: 5G Security


Security of 5G networks: EU Member States complete national risk assessments


Bye bye privacy with 5G





Subscribe to DISC InfoSec blog by Email

Leave a Comment

Q3 2019 Top-Clicked Phishing Email Subjects from KnowBe4 [INFOGRAPHIC]

Q3 2019 Top-Clicked Phishing Email Subjects from KnowBe4. Users continue to fall for LinkedIn, Facebook, and security-minded messages. See the full report!

Source: Q3 2019 Top-Clicked Phishing Email Subjects from KnowBe4 [INFOGRAPHIC]

This is what happens when you reply to spam email | James Veitch


How to Spot a Phishing Email I Fortune



Anatomy of Scam Emails – How To Recognise A Phishing Scam Message





Subscribe to DISC InfoSec blog by Email

Leave a Comment

ISO 31000 and ISO 22301 available now for free to read

Because of the COVID-19 crisis, ISO enabled free access to ISO 22301, ISO 22395, ISO 22320, ISO 22316, and ISO 31000 standards – find the links here.

Source: ISO 31000 and ISO 22301 available now for free to read

ISO standards:

 

Subscribe to DISC InfoSec blog by Email

Leave a Comment

Comprehensive open source free tools list

SANS Faculty has a comprehensive open source free tools available to support your information security career, training and research.

SANS Free tool list


to download pdf for open source free tools list



Open Source Tools For Working Remotely From Home: pfsense, OpenVPN, Syncthing, and Nextcloud





Subscribe to DISC InfoSec blog by Email

Leave a Comment

Coronavirus Business Continuity Management Bundle

#Coronavirus Business Continuity Management (#BCM) Bundle

Ensure your organisation can survive in the face of disaster; learn how to create and implement an effective business continuity plan.

#Coronavirus Business Continuity Management (#BCM) Bundle

Webinar: Business Continuity Management: Impact Analysis and Risk Assessment

Subscribe to DISC InfoSec blog by Email

Leave a Comment