What is a blockchain security implications

Table of Contents

What is Blockchain Security?

What Are the Types of Blockchain?

Blockchain Security Challenges

6 Blockchain Security Examples

Blockchain 2035: The Digital DNA of Internet 3.0

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

API Security Checklist

Specification-based-security-analysis-of-api

Hacking APIs: Breaking Web Application Programming Interfaces

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

New WiFi Flaw Let Attackers Hijack Network Traffic

A fundamental security issue in the design of the IEEE 802.11 WiFi protocol standard, according to a technical study written by Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef of imec-DistriNet, KU Leuven, allows attackers to deceive access points into exposing network frames in plaintext.

When the receiver is in sleep mode, for example, Wi-Fi devices routinely queue frames at different tiers of the network stack before sending.

WiFi frames are data packages comprising a header, data payload, and trailer containing data like the MAC addresses of the source and destination and control and management information.

By keeping track of the busy/idle states of the receiving points, these frames are broadcast in a regulated manner to prevent collisions and maximize data exchange performance.

According to the researchers, queued/buffered frames are not sufficiently protected from attackers, who can control data transmission, client spoofing, frame redirection, and capturing.

Adversary Can Abuse the Power-Save Mechanisms

The initial version of the 802.11 standards already included power-saving features that let clients go into a sleep or doze mode to use less power. All frames intended for a client station are queued when it goes into sleep mode because it sends a frame to the access point with a header that includes the power-saving flag.

Nevertheless, the standard does not specify how to manage the security of these queued frames and does not impose any time restrictions on how long the frames may remain in this state.

The access point dequeues the buffered frames, adds encryption, and transmits them to the target after the client station has awakened.

Attack Diagram

In this case, a hacker might impersonate a network device’s MAC address and transmit power-saving frames to access points, making them queue up frames for the intended target. To obtain the frame stack, the attacker then sends a wake-up frame.

Typically, the WiFi network’s group-addressed encryption key or a pairwise encryption key, specific to each device and used to encrypt frames sent between two devices, are used to encrypt the transmitted frames.

By providing authentication and association frames to the access point, the attacker can force it to transmit the frames in plaintext or encrypt them using a key provided by the attacker, changing the security context of the frames.

“As a result of the attack, anyone within the communication range of the vulnerable access point can intercept the leaked frames in plaintext or encrypted using the group-addressed encryption key, depending on the respective implementation of the stack (i.e., user-space daemon, kernel, driver, firmware).”, explain the researchers.

Network Device Models That Are Known To Be Vulnerable:

“An adversary can use their Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” researchers warn.

“This can, for instance, be abused to send malicious JavaScript code to the victim in plaintext HTTP connections with as goal to exploit vulnerabilities in the client’s browser.”

The researchers warn that these attacks may be exploited to inject malicious content, such as JavaScript, into TCP packets.

Cisco is the first firm to recognize the significance of the WiFi protocol weakness, acknowledging that the attacks described in the paper may be effective against Cisco wireless access point products and Cisco Meraki products.

“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.” – Cisco.

The company advises implementing mitigating strategies such as employing software like Cisco Identity Services Engine (ISE), which can impose network access restrictions by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.

“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” Cisco.

Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions 

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

HACKING WPA1, WPA2, AND WPA3 USING 802.11 WI-FI STANDARD VULNERABILITY

An adversary may circumvent encryption for some communications by exploiting a flaw in the widespread 802.11 protocol, which enables them to do so. The university researchers that made the discovery claim that the flaw enables an adversary to “trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key.”

Due to the fact that it is a flaw in the Wi-Fi protocol, it impacts more than one implementation. A ground-breaking academic paper with the provocative title “Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmission Queues” was made available to the public on March 27, 2023. This document revealed flaws in the 802.11 Wi-Fi standard. Because of these vulnerabilities, an attacker could be able to impersonate a targeted wireless client and reroute frames that are already in the transmit queues of an access point to a device that the attacker controls. In this post, we will analyze the workings of this opportunistic attack and investigate the many preventative measures that may be taken to protect your network from this danger.

The attack, which has been given the name “MacStealer,” is directed against Wi-Fi networks that include hostile insiders and takes advantage of client isolation bypasses (CVE-2022-47522). Even if clients are unable to communicate with one another, it is able to intercept communication at the MAC layer. Wi-Fi networks that use client isolation, Dynamic ARP inspection (DAI), and other mechanisms meant to prevent clients from attacking one another are susceptible to this issue.

The first company to recognize the flaw was Cisco, which said that the attacks described in the research article might be effective against Cisco Wireless Access Point devices and Cisco Meraki products with wireless capabilities. Cisco was the first firm to admit the issue.

The client authentication and packet routing processes in Wi-Fi networks function independently of one another, which is the root cause of the security hole known as CVE-2022-47522. The usage of passwords, users, 802.1X IDs, and/or certificates is required for authentication, although MAC addresses are what determine how packets are routed. This inconsistency may be exploited by a malicious insider who disconnects a victim from the network and then reconnects to it using the victim’s MAC address and the attacker’s credentials. As a consequence of this, any packets that are still on their way to the victim, such as data from a website, will instead be received by the attacker.

The following are the three basic stages of this attack:

The attacker will wait for the victim to connect to a susceptible Access Point (AP), at which point the attacker will submit a request to an internet server. For example, the attacker may send an HTTP request to a website that only displays plaintext.
Steal the Identifying Information of the Victim: The perpetrator of the attack removes the victim’s network connection before the AP has a chance to process the server’s response. After that, the attacker creates a fake version of the victim’s MAC address and logs in to the network using their own credentials.
Intercept the Response: At this step, the access point (AP) pairs the attacker’s encryption keys with the victim’s MAC address. This gives the attacker the ability to intercept any pending traffic that is destined for the victim.
It is essential to keep in mind that the communication that is being intercepted may be secured by higher-layer encryption, such as that provided by TLS and HTTPS. Therefore, regardless of whether or not a higher-layer encryption is being used, the IP address that a victim is talking with may still be discovered by this approach. This, in turn, exposes the websites that a victim is viewing, which, on its own, might be considered sensitive information.

All Corporate WPA1, WPA2, and WPA3 networks are vulnerable to the attack in exactly the same way. This is due to the fact that the attack does not take use of any cryptographic features of Wi-Fi; rather, it takes advantage of the way in which a network decides to which client packets should be transmitted, sometimes known as routing.

To summarize, the attack described in the “Framing Frames” study is a worrying vulnerability that presents the possibility of adversaries being able to intercept and perhaps read sensitive information that is being carried across Wi-Fi networks. It is essential for businesses to take all of the required steps, such as implementing strong security measures and using mitigations that have been advised, in order to guarantee the safety and security of their networks.

Using 802.1X authentication and RADIUS extensions are two methods that may be utilized to stop MAC address theft. Safeguarding the MAC address of the gateway, putting in place Managed Frame Protection (802.11w), and making use of virtual local area networks (VLANs) are all viable mitigations. The use of policy enforcement techniques using a system such as Cisco Identity Services Engine (ISE), which may limit network access by utilizing Cisco TrustSec or Software Defined Access (SDA) technologies, is something that Cisco advises its customers to do. It is also recommended by Cisco to implement transport layer security in order to encrypt data while it is in transit if it is practicable to do so. This would prevent an attacker from using the data they have collected.

Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions 

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

What is Malware and how to prevent it

How to recognize and remove malware

What is Malware and how to prevent it

Malware comes in many forms: the unwanted programs can surface as pathogens, spies, or remote controls in computers. Whether it’s a virus, spyware, or a Trojan horse, this harmful software should be kept well away from your computer. What are the different types of malware? We show you how to protect yourself from them and what steps to take if your computer or webspace are affected.

  1. What exactly is malware and what are the different types?
  2. Who is affected by malware and how do you recognize an attack?
  3. Preventative measures against malware
  4. Use internet applications wisely
  5. How to remove spyware, Trojans, viruses, etc.
  6. Malware on websites
  7. Never underestimate the dangers of malicious software

Source:

https://www.ionos.com/digitalguide/server/security/how-to-recognize-and-remove-malware/

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

HACKING PHONES REMOTELY WITHOUT TOUCHING VIA NEW INAUDIBLE ULTRASOUND ATTACK

The Near-Ultrasound Invisible Trojan, or NUIT, was developed by a team of researchers from the University of Texas at San Antonio and the University of Colorado Colorado Springs as a technique to secretly convey harmful orders to voice assistants on smartphones and smart speakers.

If you watch videos on YouTube on your smart TV, then that television must have a speaker, right? According to Guinevere Chen, associate professor and co-author of the NUIT article, “the sound of NUIT harmful orders will [be] inaudible, and it may attack your mobile phone as well as connect with your Google Assistant or Alexa devices.” “That may also happen in Zooms during meetings. During the meeting, if someone were to unmute themselves, they would be able to implant the attack signal that would allow them to hack your phone, which was placed next to your computer.

The attack works by playing sounds close to but not exactly at ultrasonic frequencies, so they may still be replayed by off-the-shelf hardware, using a speaker, either the one already built into the target device or anything nearby. If the first malicious instruction is to mute the device’s answers, then subsequent actions, such as opening a door or disabling an alarm system, may be initiated without warning if the first command was to silence the device in the first place.

“This is not only a problem with software or malicious software. It is an attack against hardware that makes use of the internet. According to Chen, the non-linearity of the microphone design is the flaw that has to be fixed by the manufacturer in order to eliminate the vulnerability. “Among the 17 smart gadgets we evaluated, [only] Apple Siri devices need the user’s voice to be hijacked, while other voice assistant devices may be triggered by using any voice or a robot voice,” the study’s authors write.

Using headphones is Chen’s recommendation for anybody worried about the NUIT attack, despite the fact that a genuine defense against NUIT would involve the usage of customized hardware. She indicates that the risk of being attacked by NUIT is reduced if you do not utilize the speaker to emit sound. “When using earphones, there is a limit to the amount of sound that can be sent to the microphone since the volume of the sound coming from the earphones is too low. In the event that the microphone is unable to pick up the subversive inaudible order, the underlying voice assistant won’t be able to be maliciously triggered by NUIT.


InfoSec Threats
 | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

Hackers Exploited Critical Microsoft Outlook Vulnerability To Gain Exchange Server Access

In response to a recent vulnerability identified in Outlook, Microsoft recently published a proper guide for its customers to help them discover the associated IoCs.

That Outlook vulnerability in question has been tracked as “CVE-2023-23397” with a CVSS score of 9.8 and marked as Critical.

As a result of this flaw, NTLM hashes can be stolen, and without any user interaction, they can be reused to execute a relay attack.

The threat actors use specially crafted malicious emails to exploit the vulnerability and manipulate the victim’s connection. As a result, this allows them to get control of an untrusted location.

The attacker can authenticate as the victim with the Net-NTLMv2 hash leaked to the untrusted network.

Microsoft patched the flaw

In the Patch Tuesday updates for March 2023, Microsoft fixed the vulnerability in order to prevent the possibility of any further attacks.

The problem is that this approach was taken after it was weaponized by Russian threat actors and used as a weapon against the following sectors in Europe:

  • Government
  • Transportation
  • Energy
  • Military

It was reported in April 2022 that Microsoft’s incident response team had found evidence that the shortcoming could be exploited.

Attack chain & threat hunting Guidance

It has been identified that a Net-NTLMv2 Relay attack allowed a threat actor to gain unauthorized entry to an Exchange Server in one attack chain.

By exploiting this vulnerability, the attacker could modify mailbox folder permissions and maintain persistent access, posing a significant security risk.

The adversary used the compromised email account in the compromised environment to extend their access. It has been discovered that this is done by sending additional malicious messages through the same organization to other members.

CVE-2023-23397 can lead to credential compromise in organizations if they do not implement a comprehensive threat-hunting strategy. 

As a first step, running the Exchange scanning script provided by Microsoft is important to detect any malicious activity. However, it’s imperative to note that for all scenarios, this script is not capable of providing any visibility into messages that are malicious in nature.

Multiple mailboxes can be opened at the same time by Outlook users. Messages received through one of the other services will still trigger the vulnerability if a user configured Outlook to open mailboxes from multiple services. The scanned mailboxes do not contain that message.

If a user wishes to move a message to a local file, they can do so. Finding evidence of a prior compromise in Archived messages may be possible in some cases.

You can no longer access your Exchange messages if they have been deleted from Exchange. It is recommended that incident responders review the security telemetry collected from all available channels in order to confirm the presence of IP addresses and URIs obtained from the PidLidReminderFileParameter values. 

There are a number of data sources that can be used to gather data, including:-

  • Firewall logs
  • Proxy logs
  • Azure Active Directory sign-in logs for users of Exchange Online
  • IIS Logs for Exchange Server
  • VPN logs
  • RDP Gateway logs
  • Endpoint telemetry from endpoint detection and response (EDR)
  • Forensic endpoint data

Recommendations

Here below we have mentioned all the recommendations:-

  • To mitigate the issue, make sure to update Microsoft Outlook immediately.
  • Ensure that defense-in-depth mitigations are active in organizations leveraging Microsoft Exchange Server on-premises.
  • The script should be used to remove either the messages or just the properties if suspicious or malicious reminder values are observed.
  • In the event that a targeted or compromised user receives suspicious reminders or initiates incident response activities, they should be instructed to reset their passwords.
  • To mitigate the impact of possible Net-NTLMv2 Relay attacks, it is recommended that you use multifactor authentication.
  • On Exchange, you should disable unnecessary services that you don’t need.
  • Block all IP addresses except those on an allowlist from requesting connections on ports 135 and 445.
  • If your environment has NTLM enabled, you should disable it.

Source:

https://gbhackers.com/microsoft-outlook-vulnerability/amp/

Leave a Comment

TLS Essentials 12: TLS 1.2 Wireshark analysis

This lesson on TLS – Transport Layer Security – analyzes a TLS 1.2 connection with Wireshark.

🔷🔷 About 🔷🔷

TLS 1.2 Wireshark analysis

Wireshark 101: Essential Skills for Network Analysis

midBit Technologies, LLC SharkTap Gigabit Network Sniffer

SharkTap Gigabit Network Sniffer


InfoSec Threats
 | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

Hackers Exploited Critical Microsoft Outlook Vulnerability To Gain Exchange Server Access

In response to a recent vulnerability identified in Outlook, Microsoft recently published a proper guide for its customers to help them discover the associated IoCs.

That Outlook vulnerability in question has been tracked as “CVE-2023-23397” with a CVSS score of 9.8 and marked as Critical.

As a result of this flaw, NTLM hashes can be stolen, and without any user interaction, they can be reused to execute a relay attack.

The threat actors use specially crafted malicious emails to exploit the vulnerability and manipulate the victim’s connection. As a result, this allows them to get control of an untrusted location.

The attacker can authenticate as the victim with the Net-NTLMv2 hash leaked to the untrusted network

Microsoft patched the flaw

In the Patch Tuesday updates for March 2023, Microsoft fixed the vulnerability in order to prevent the possibility of any further attacks.

The problem is that this approach was taken after it was weaponized by Russian threat actors and used as a weapon against the following sectors in Europe:

  • Government
  • Transportation
  • Energy
  • Military

It was reported in April 2022 that Microsoft’s incident response team had found evidence that the shortcoming could be exploited.

Attack chain & threat hunting Guidance

It has been identified that a Net-NTLMv2 Relay attack allowed a threat actor to gain unauthorized entry to an Exchange Server in one attack chain.

By exploiting this vulnerability, the attacker could modify mailbox folder permissions and maintain persistent access, posing a significant security risk.

The adversary used the compromised email account in the compromised environment to extend their access. It has been discovered that this is done by sending additional malicious messages through the same organization to other members.

CVE-2023-23397 can lead to credential compromise in organizations if they do not implement a comprehensive threat-hunting strategy. 

As a first step, running the Exchange scanning script provided by Microsoft is important to detect any malicious activity. However, it’s imperative to note that for all scenarios, this script is not capable of providing any visibility into messages that are malicious in nature.

Multiple mailboxes can be opened at the same time by Outlook users. Messages received through one of the other services will still trigger the vulnerability if a user configured Outlook to open mailboxes from multiple services. The scanned mailboxes do not contain that message.

If a user wishes to move a message to a local file, they can do so. Finding evidence of a prior compromise in Archived messages may be possible in some cases.

You can no longer access your Exchange messages if they have been deleted from Exchange. It is recommended that incident responders review the security telemetry collected from all available channels in order to confirm the presence of IP addresses and URIs obtained from the PidLidReminderFileParameter values. 

There are a number of data sources that can be used to gather data, including:-

  • Firewall logs
  • Proxy logs
  • Azure Active Directory sign-in logs for users of Exchange Online
  • IIS Logs for Exchange Server
  • VPN logs
  • RDP Gateway logs
  • Endpoint telemetry from endpoint detection and response (EDR)
  • Forensic endpoint data

Recommendations

Here below we have mentioned all the recommendations:-

  • To mitigate the issue, make sure to update Microsoft Outlook immediately.
  • Ensure that defense-in-depth mitigations are active in organizations leveraging Microsoft Exchange Server on-premises.
  • The script should be used to remove either the messages or just the properties if suspicious or malicious reminder values are observed.
  • In the event that a targeted or compromised user receives suspicious reminders or initiates incident response activities, they should be instructed to reset their passwords.
  • To mitigate the impact of possible Net-NTLMv2 Relay attacks, it is recommended that you use multifactor authentication.
  • On Exchange, you should disable unnecessary services that you don’t need.
  • Block all IP addresses except those on an allowlist from requesting connections on ports 135 and 445.
  • If your environment has NTLM enabled, you should disable it.

Leave a Comment

9 addictions you must break to become your better self

9-additictions-you-must-break-to-become-your-better-self-

Master Your Emotions: A Practical Guide to Overcome Negativity and Better Manage Your Feelings 

Leave a Comment

Pwn2Own Vancouver 2023 awarded $1,035,000 and a Tesla for 27 0-days

On the third day of the Pwn2Own Vancouver 2023 hacking contest, the organization awarded $185,000 for 10 zero-day exploits.

Pwn2Own Vancouver 2023 is ended, contestants disclosed 27 unique zero-days and the organization awarded a total of $1,035,000 and a Tesla Model 3. The team Synacktiv (@Synacktiv) (Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar, and Thomas Imbert) won the competition, they earned 53 points, $530,000, and a Tesla Model 3.

On the third day, contestants were awarded $185,000 after demonstrating 5 zero-day exploits targeting the Ubuntu Desktop, Windows 11, and the VMware Workstation software.

Pwn2Own Vancouver 2023

The day began with the hack of Ubuntu Desktop by Kyle Zeng from ASU SEFCOM, he used a double-free bug and earned $30,000 and 3 Master of Pwn points.

Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) used a UAF against Microsoft Windows 11. They earn $30,000 and 3 Master of Pwn points.

The researchers Mingi Cho of Theori used a UAF against Ubuntu Desktop, the team earned $30,000 and 3 Master of Pwn points.

The STAR Labs (@starlabs_sg) team used an uninitialized variable and UAF to hack the VMWare Workstation virtualization software. They earned $80,000 and 8 Master of Pwn points. The STAR Labs team also attempted to demonstrate an exploit against Microsoft Teams, but failed to do it within the time allotted.

Bien Pham (@bienpnn) from Qrious Security successfully targeted Ubuntu Desktop, but used a known exploit, for this reason, the attempt was classified as “Collision”. The team earned $15,000 and 1.5 Master of Pwn points.

“That’s a wrap for Pwn2Own Vancouver! Contestants disclosed 27 unique zero-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, Synacktiv (@Synacktiv), for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3.” reads the wrap for the hacking competition that was published by The Zero Day Initiative.

Leave a Comment

Top ways attackers are targeting your endpoints

Over the last several years, endpoints have played a crucial role in cyberattacks. While there are several steps organizations can take to help mitigate endpoint threats – such as knowing what devices are on a network (both on-premises and off-site), quarantining new or returning devices, scanning for threats and vulnerabilities, immediately applying critical patches, etc. – there is still much to be done to ensure endpoint security.

To achieve that, it’s important to understand some of the primary attack vectors hackers use against endpoints.

Phishing/spear-phishing

Phishing, especially spear-phishing, is an effective way for gaining access to endpoints to harvest user credentials.

It is not itself an exploit, but a method that threat actors use to deliver a payload – whether it’s a link to a fake Microsoft 365 web portal (for credential harvesting), or a macro-enabled word document with a malware payload that executes on opening.

Because of this nuance, it’s critical that security analysts implement not only email filtering (a crude defense, at best) but endpoint tools that would block the deployment of malware payloads delivered by email: antivirus (AV) and antimalware (AM). Implementing AV/AM products creates a safety net, blocking malware execution if a phishing email successfully bypasses corporate email filters.

We recently saw how threat actors deployed phishing to infect user endpoints at a massive scale with the IceXLoader malware. The malware is bundled into an innocent-looking ZIP file delivered as an email attachment. Once opened, the malware extracts itself to a hidden file directory on the C drive of an endpoint, providing a beachhead for the attacker to perform additional attacks to further breach the corporate network.

OS vulnerability exploitation

Vulnerabilities are made possible by bugs, which are errors in source code that cause a program to function unexpectedly, in a way that can be exploited by attackers. By themselves, bugs are not malicious, but they are gateways for threat actors to infiltrate organizations. These allow threat actors to access systems without needing to perform credential harvesting attacks and may open systems to further exploitation. Once they are within a system, they can introduce malware and tools to further access assets and credentials.

For attackers, vulnerability exploitation is a process of escalation, whether through privileges on a device or by pivoting from one endpoint to other assets. Every endpoint hardened against exploitation of vulnerabilities is a stumbling block for a threat actor trying to propagate malware in a corporate IT environment.

There are routine tasks and maintenance tools that allow organizations to prevent these vulnerabilities getting exploited by attackers. Patch management tools can scan devices, install patches (fixes), and provide reports on the success or failure of these actions. In addition, organizations can leverage configuration management tools to maintain OS configuration files in the desired secure state.

Software vulnerability exploitation

Software vulnerabilities exist in products (software) installed within an OS environment. For example, Google Chrome gets frequent patches from Google, primarily because it is a massive target for exploitation.

As with OS vulnerabilities, the best defense against exploits are the frequently released third-party patches/updates, the implementation of which can be facilitated by endpoint management tools.

Additionally, enforcing acceptable use policies can help reduce the opportunities for end users to engage in behaviors that could put their endpoints and company assets at risk.

And beyond security information and event management (SIEM) and antivirus tools, organizations can drastically decrease the impact caused by a successfully executed ransomware attack by:

  • Implementing data loss prevention (DLP) solutions
  • Creating off-site backups
  • Taking advantage of data storage solutions in the cloud

Conclusion

The changing cyberattack landscape requires IT and security departments to be nimble and evolve in tandem with threats. The fixes of yesterday may not work today – while the threats could be the same, their tactics are likely different. When working to mitigate network threats, do not forget the increasingly vital role endpoints play.

hole

Endpoint security Complete Self-Assessment Guide

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

Hacking contest Pwn2Own: Ubuntu, Tesla, macOs and Windows 11 cracked

It is the third day of the PWN2OWN VANCOUVER 2023 hacking contest. So far, security researchers managed to crack the operating systems Ubuntu, macOS and Windows 11, and other products, including Tesla cars and Adobe Reader.

Security researchers who managed to hack their targets win price money and the hacked devices, even if it is a Tesla.

Six of the eight hacks on day one were successful, a seventh was also successful, but it used an exploit that was known previously. Only one attempt failed to hack the target in time.

Here is the day one overview:

  • AbdulAziz Hariri of Haboob SA used a 6-bug logic chain exploiting multiple failed patches against Adobe Reader to escape the application’s sandbox and bypass a banned API list.
  • STAR Labs hacked Microsoft SharePoint successfully, using a 2-bug chain attack.
  • Bien Pham from Qrious Security exploited Oracle VirtualBox successfully using an OOB Read and a stacked-based buffer overflow.
  • Synacktiv successfully hacked a Tesla Model 3. They executed a TOCTOU (Time-of-Check-to-Time-of-Use) attack against Tesla – Gateway.
  • Marcin Wi?zowski managed to elevate privileges on Microsoft’s Windows 11 operating system using an improper input validation bug.
  • Synacktiv was able to escalate privileges on Apple macOS using a TOCTOU bug.
  • STAR Labs used an already known exploit to successfully hack Ubuntu Desktop.
  • last_minute_pwnie fafiled to get an Ubuntu exploit working.

A total price money of $375,000 was awarded to the successful researchers and teams. The Tesla Model 3 changed owner as well.

On day two, security researchers managed to hack Oracle VirtualBox, Microsoft Teams, another Tesla, and Ubuntu Desktop.

Here is the day two overview:

  • Thomas Imbert  and Thomas Bouzerar  from Synacktiv used a 3-bug chain against Oracle VirtualBox with a Host EoP.
  • Team Viettel hacked Microsoft Teams successfully using a 2-bug chain.
  • David Berard and Vincent Dehors from Synacktiv managed to get an exploit working that gave them unconfined root access in a Tesla. They used heap overflow and an OOB write for that.
  • dungdm of Team Viettel exploited Oracle VirtualBox using an uninitialized variable and a UAF bug.
  • Tanguy Dubroca from Synacktiv managed to escalate privilege on Ubuntu Desktop using an incorrect pointer scaling.

The researchers received $475,000 in price money on the second day.

Attacks against Ubuntu Desktop, Microsoft Teams, Microsoft Windows 11, and VMWare Workstation are planned for the third and final day of the hacking competition.

Additional information about the successful hacks and exploits have not been released to the public.  Companies whose products have been exploited will create security patches to protect their devices and applications from potential attacks targeting the bugs.

Expect security updates for all hacked products in the coming days and weeks.

https://allinfosecnews.com/item/hacking-contest-pwn2own-ubuntu-tesla-macos-and-windows-11-cracked-2023-03-24/

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

APACHE TOMCAT VULNERABILITY LEAKS APPLICATION SESSION COOKIE TO ATTACKERS

One of the most popular and widely used web servers for Java is Apache Tomcat. It is small, simple to install, and highly pleasant for constructing Java web applications. It can also be used to create applications that are a bit more sophisticated than the conventional JSP application online since it can include JSF implementations like MyFaces, Primefaces, RichFaces, and others (standard library, defined in J2EE for the development of dynamic web applications using Java).

All of this is very beneficial, and in fact, many web application developers use it on their computers in order to be able to develop quickly and to be able to focus on what really interests them: ensuring that the logic of their Java pages and classes works as it should. All of this is very beneficial. It really is that straightforward… a software developer typically does not worry about the safety of the Tomcat server that he has installed on the computer that his employer has provided for him. In fact, the concept of security is so foreign to him that it does not even enter his mind very often. “pure Java” HTTP web server environments are made available by the Apache Tomcat server, which incorporates the technologies of Jakarta Servlet, Jakarta Expression Language, and WebSocket. These technologies allow Java code to be executed in these environments. Because of this, it is a frequently chosen option among developers who want to use Java to build online apps.

Up to and including versions 8.5.85/9.0.71/10.1.5/11.0.0-M2 of Apache Tomcat have been determined to have a vulnerability that has been rated as problematic (Application Server Software). An unidentified feature of the component known as RemoteIpFilter Handler is broken as a result of this bug. The manipulation using an unknown input results in a vulnerability involving the unsecured transmission of credentials. The user name and password are not adequately protected when they are being sent from the client to the server via the login pages, which are not using suitable security measures.

Session cookies generated by Apache Tomcat versions 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute when used in conjunction with requests received from a reverse proxy over HTTP and which had the X-Forwarded-Proto header set to https. Because of this, the user agent could send the session cookie through an unsecured connection. Hence, this might be dangerous.

The vulnerability was disclosed on March 22nd, 2023. The advisory is now available for download at lists.apache.org, where it is also shared. Since March 21st, 2023, this vulnerability has been assigned the identifier CVE-2023-28708. There is neither a technical description nor an exploit that is readily accessible to the public. The attack method has been given the designation of T1557 by the MITRE ATT&CK project.

This vulnerability may be remedied by upgrading to version 8.5.86, 9.0.72, 10.1.6, or 11.0.0-M3 respectively.

Leave a Comment

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.

ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.

Understanding Attack Surface Management

Here are some key terms in ASM:

  • Attack vectors are vulnerabilities or methods threat actors use to gain unauthorized access to a network. These vulnerabilities include vectors such as malware, viruses, email attachments, pop-ups, text messages and social engineering. 
  • An attack surface is the sum of attack vectors that threat actors can potentially use in a cyberattack. In any organization, all internet-connected hardware, software and cloud assets add to the attack surface. 
  • Shadow IT is any software, hardware or computing resource being used on a company’s network without the consent or knowledge of the IT department. Quite often, shadow IT uses open-source software that is easy to exploit. 
  • Attackers use sophisticated computer programs and programming techniques to target vulnerabilities in your attack surface, like shadow IT and weak passwords. These cyber criminals launch attacks to steal sensitive data, like account login credentials and personally identifiable information (PII)

Read the Threat Index

Why is Attack Surface Management Important?

Security teams can use ASM practices and tools to prevent risks in the following ways:

  • Reduce blind spots to get a holistic view of your IT infrastructure and understand which cloud or on-premise assets are exposed to attackers.
  • Eliminate shadow IT to remove unknown open-source software (OSS) or unpatched legacy programs.
  • Minimize human error by building a security-conscious culture where people are more aware of emerging cyber threats. 
  • Prioritize your risk. You can get familiar with attack patterns and techniques that threat actors use.

How Attack Surface Management Works

There are four core processes in attack surface management: 

  1. Asset discovery is the process of automatically and continuously scanning for entry points that threat actors could attack. Assets include computers, IoT devices, databases, shadow IT and third-party SaaS apps. During this step, security teams use the following standards:
    • CVE (Common Vulnerabilities and Exposures): A list of known computer security threats that helps teams track, identify and manage potential risks.
    • CWE (Common Weakness Enumeration): A collection of standardized names and descriptions for common software weaknesses.
  2. Classification and prioritization is the process of assigning a risk score based on the probability of attackers targeting each asset. CVEs refer to actual vulnerabilities, while CWEs focus on the underlying weaknesses that may cause those vulnerabilities. After analysis, teams can categorize the risks and establish a plan of action with milestones to fix the issues.
  3. Remediation is the process of resolving vulnerabilities. You could fix issues with operating system patches, debugging application code or stronger data encryption. The team may also set new security standards and eliminate rogue assets from third-party vendors.
  4. Monitoring is the ongoing process of detecting new vulnerabilities and remediating attack vectors in real-time. The attack surface changes continuously, especially when new assets are deployed (or existing assets are deployed in new ways).  

You can learn more about the four core processes and how attack surface management works on the IBM blog. 

How to Get a Job in Attack Surface Management

Anyone who works in attack surface management must ensure the security team has the most complete picture of the organization’s attack vectors — so they can identify and combat threats that present a risk to the organization.

Hiring companies look for people with a background and qualifications in information systems or security support. The minimum expectations typically include the following:

  • Strong technical security skills
  • Strong analytical and problem-solving skills
  • Working knowledge of cyber threats, defenses and techniques
  • Working knowledge of operating systems and networking technologies
  • Proficiency in scripting languages, like Perl, Python or Shell Scripting
  • Experience with attack surface management and offensive security identity technologies.

What’s Next in Attack Surface Management?

Cyber Asset Attack Surface Management (CAASM) is an emerging technology that presents a unified view of cyber assets. This powerful technology helps cybersecurity teams understand all the systems and discover security gaps in their environment.

There is no one-size-fits-all ASM tool — security teams must consider their company’s situation and find a solution that fits their needs. 

Some key criteria include the following:

  • Easy-to-use dashboards
  • Extensive reporting features to offer actionable insights
  • Comprehensive automated discovery of digital assets (including unknown assets, like shadow IT)
  • Options for asset tagging and custom addition of new assets
  • Continuous operation with little to no user interaction
  • Collaboration options for security teams and other departments.

With a good ASM solution, your security team can get a real cyber criminal’s perspective into your attack surface. You can find, prioritize and solve security issues quickly and continuously. Ultimately, a diligent attack surface management strategy helps protect your company, employees and customers. 

Side view of young businessman using laptop in office. Male professional sitting at conference table working on laptop computer.

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

TOP WAYS TO LEARN MORE ABOUT CYBERSECURITY

Are you interested in how to better protect yourself from cyber-attacks? We know cybersecurity can be overwhelming and appear incredibly complicated, but it doesn’t have to be that way. In this blog post, we will review some of the key ways you can get a deeper dive into learning more about cybersecurity so you have all the resources and tools necessary for protecting yourself and your data. With these tips in hand, we guarantee you will soon become a pro at safeguarding your important information!

GET A DEGREE IN CYBERSECURITY

For those looking to further their knowledge and job prospects in the field of cybersecurity, obtaining a degree online is one of the best ways to do so. With an online masters degree in cybersecurity, you can learn from the comfort of your own home yet receive top-quality education from professional educators. You will also have access to online tools and resources that can help you in understanding various concepts related to cybersecurity. Further, since online learning has become more accepted in recent years, online degrees are widely respected by employers, making them a great way to stand out from other job candidates and gain recognition for your abilities.

TAKE COURSES AT A LOCAL COLLEGE OR UNIVERSITY, OR THROUGH AN ONLINE PLATFORM

Besides getting a degree, taking courses can help you become certified or increase your skill set in this fast-growing field. With many universities and colleges offering various types of cybersecurity classes, there’s always an opportunity to learn something new about digital security. Besides providing certificates at the end of each course, it also gives you hands-on experience which is necessary for any job in this sector. For those who cannot attend college full-time, taking an online course is also an option; there are plenty of websites and e-learning platforms offering face-to-face tutorials as well as self-paced learning that suit your schedule and budget.

Cyber Security Training Courses

Professional Certificates, Bachelors & Masters Program

READ INDUSTRY BLOGS AND ARTICLES ON CYBERSECURITY TOPICS

Keeping up to date on the latest cybersecurity news and trends is key to staying as safe as possible online. One of the best ways to stay informed is to read industry blogs and articles specifically devoted to security topics. These resources are widely available and typically written by experts with in-depth, up-to-date knowledge on their respective topic areas. Familiarizing yourself with these, even if you only skim articles here and there, can instill a strong base of knowledge and help arm you against cyber threats both now and in the coming years.

Blog.DeuraInfosec.com

ATTEND WEBINARS AND VIRTUAL CONFERENCES ABOUT CYBERSECURITY

Another fantastic way to become more knowledgeable about cybersecurity is by attending webinars and virtual conferences. These events present a great opportunity to stay up-to-date with the ever-evolving cybersecurity industry, as well as learn best practices for cybersecurity prevention. Moreover, through these presentations and interactive discussions, you can gain insider insights from renowned experts and create connections that could open the door to new career opportunities. Attending webinars or virtual conferences about cybersecurity is an excellent way for individuals who are looking to make a career change in the field or gain additional knowledge in their field of expertise to stay ahead of the curve.

7 free online cybersecurity courses you can take right now

REACH OUT TO PROFESSIONALS IN THE FIELD FOR ADVICE OR MENTORSHIP

If you are looking to get more information about cybersecurity, one highly recommended solution is to reach out to professionals already in the field. Connecting with people who have experience in the area of cyber security can be extremely beneficial. Not only will they be able to provide insight into the day-to-day operations of a cyber security role and which industry trends are making waves now, but they may also be willing to mentor you or provide advice on how best to further your own career path. Taking advantage of related opportunities such as these can help ensure that your career objectives stay aligned with the ever-changing world of cybersecurity.

Programming, software development, ISO27k and AWS online courses

FOLLOW INDUSTRY NEWS AND TRENDS TO STAY INFORMED ON THE LATEST DEVELOPMENTS

Finally, staying on top of industry news and trends is an excellent way to keep up-to-date with the latest developments in cybersecurity. By subscribing to newsletters or following accounts dedicated to the sector, you can stay ahead of any new technologies or security threats. Additionally, attending webinars, conferences, and other events can help you interact directly with experts on topics ranging from IT governance to network security. Doing so will let you find out firsthand how new developments in cybersecurity are impacting the field, allowing you to adjust your approach as needed.

All in all, staying informed on the latest developments and trends within the cybersecurity industry is key for anyone hoping to make a career out of it. By reading blogs, attending webinars and virtual conferences, reaching out to professionals in the field for advice or mentorship, and following news related to this sector you can stay ahead of any new technologies or security threats. With these tips at hand, there’s no reason why you can’t become an expert in cyber security yourself!

https://www.facebook.com/DISCInfoSec

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

NBA Cyber Incident – Fans’ Personal Information Exposed

As a result of a recent data breach, the NBA notified all its fans about the fact that a significant amount of personal information was compromised.

While using the information gathered, phishing attacks can be conducted by the threat actors on the individuals who have been affected. A third-party newsletter service was said to be holding the personal information exposed in the leak.

In addition to managing five professional sports leagues, the NBA also manages a media organization. And here below, we have listed those five sports leagues:-

  • NBA
  • WNBA
  • Basketball Africa League
  • NBA G League
  • NBA 2K League

In over 215 countries and territories worldwide, with over 50 languages spoken, NBA programming and games are broadcast worldwide.

NBA Cyber Incident

A number of fans have been notified of the cyber security incident through an email sent out with the tag “Notice of Cybersecurity Incident.”

According to the NBA, neither its systems nor the credentials of the fans affected by the incident were compromised. But, some theft of the personal information belonged to some fans.

Further, the association reported that the names and email addresses were accessed and copied by an unauthorized third party. But, in this instance, sensitive information, such as usernames and passwords, was not exposed.

Apart from this, a third-party provider and an external cybersecurity service are being engaged by the NBA to assist in the investigation of the issue to know the extent of the impact and resolve the issue as soon as possible.

NBA warned fans of phishing attacks

NBA warned that phishing attacks and various scams could be targeted at the affected individuals due to the sensitive nature of the data involved, reported Bleeping Computer.

It was strongly recommended to the affected fans that they remain vigilant when they open any suspicious emails that they receive. In the notification emails, the NBA informs fans that it will never send them an email asking for any of this information:-

  • Other account information
  • Usernames
  • Passwords

It is also recommended for fans who have been impacted verify the authenticity of any emails they receive by ensuring that the sender’s email address ends with “@nba.com.” 

Check that the embedded links point to a trustworthy website, and don’t open email attachments that they haven’t been expecting to receive.

NBA Cyber Incident

NBA warns fans over data breach, personal details copied

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

Most security pros turn to unauthorized AI tools at work

The research demonstrates that embracing automation in cybersecurity leads to significant business benefits, such as addressing talent gaps and effectively combating cyber threats. According to the survey, organizations will continue investing in cybersecurity automation in 2023, even amid economic turbulence.

“As organizations look for long-term solutions to keep pace with increasingly complex cyberattacks, they need technologies that will automate time-consuming, repetitive tasks so security teams have the bandwidth to focus on the threats that matter most,” said Marc van Zadelhoff, CEO, Devo. “This report confirms what we’re already hearing from Devo customers: adopting automation in the SOC results in happier analysts, boosted business results, and more secure organizations.”

Security pros are using AI tools without authorization

According to the study, security pros suspect their organization would stop them from using unauthorized AI tools, but that’s not stopping them.

  • 96% of security pros admit to someone at their organization using AI tools not provided by their company – including 80% who cop to using such tools themselves.
  • 97% of security pros believe their organizations are able to identify their use of unauthorized AI tools, and more than 3 in 4 (78%) suspect their organization would put a stop to it if discovered.

Adoption of automation in the SOC

Organizations fail to adopt automation effectively, forcing security pros to use rogue AI tools to keep up with workloads.

  • 96% of security professionals are not fully satisfied with their organization’s use of automation in the SOC.
  • Reasons for dissatisfaction with SOC automation varied from technological concerns such as the limited scalability and flexibility of the available solutions (42%) to financial ones such as the high costs associated with implementation and maintenance (39%). But for many, concerns go back to people: 34% cite a lack of internal expertise and resources to manage the solution as a reason they are not satisfied.
  • Respondents indicated that they would opt for unauthorized tools due to the better user interface (47%), more specialized capabilities (46%), and allow for more efficient work (44%).

Investing in cybersecurity automation

Security teams will prioritize investments in cybersecurity automation in 2023 to solve organizational challenges, despite economic turbulence and widespread organizational cost-cutting.

  • 80% of security professionals predict an increase in cybersecurity automation investments in the coming year, including 55% who predict an increase of more than 5%.
  • 100% of security professionals reported positive business impacts as a result of using automation in cybersecurity, citing increased efficiency (70%) and financial gains (65%) as primary benefits.

Automation fills widening talent gaps

Adopting automation in the SOC helps organizations combat security staffing shortages in a variety of ways.

  • 100% of respondents agreed that automation would be helpful to fill staffing gaps in their team.
  • Incident analysis (54%), landscape analysis of applications and data sources (54%), and threat detection and response (53%) were the most common ways respondents said automation could make up for staffing shortages.

AI

A Guide to Combining AI Tools Like Chat GPT, Quillbot, and Midjourney for Crafting Killer Fiction and Nonfiction (Artificial Intelligence Uses & Applications)

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

Researcher create polymorphic Blackmamba malware with ChatGPT

The ChatGPT-powered Blackmamba malware works as a keylogger, with the ability to send stolen credentials through Microsoft Teams.

The malware can target Windows, macOS and Linux devices.

HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a new type of ChatGPT-powered malware named Blackmamba, which can bypass Endpoint Detection and Response (EDR) filters.

black mamba snake coiled up

This should not come as a surprise, as in January of this year, cybersecurity researchers at CyberArk also reported on how ChatGPT could be used to develop polymorphic malware. During their investigation, the researchers were able to create the polymorphic malware by bypassing the content filters in ChatGPT, using an authoritative tone.

As per the HYAS Institute’s report (PDF), the malware can gather sensitive data such as usernames, debit/credit card numbers, passwords, and other confidential data entered by a user into their device.

ChatGPT Powered Blackmamba Malware Can Bypass EDR Filters

Once it captures the data, Blackmamba employs MS Teams webhook to transfer it to the attacker’s Teams channel, where it is “analyzed, sold on the dark web, or used for other nefarious purposes,” according to the report.

Jeff used MS Teams because it enabled him to gain access to an organization’s internal sources. Since it is connected to many other vital tools like Slack, identifying valuable targets may be more manageable.

Jeff created a polymorphic keylogger, powered by the AI-based ChatGPT, that can modify the malware randomly by examining the user’s input, leveraging the chatbot’s language capabilities.

The researcher was able to produce the keylogger in Python 3 and create a unique Python script by running the python exec() function every time the chatbot was summoned. This means that whenever ChatGPT/text-DaVinci-003 is invoked, it writes a unique Python script for the keylogger.

This made the malware polymorphic and undetectable by EDRs. Attackers can use ChatGPT to modify the code to make it more elusive. They can even develop programs that malware/ransomware developers can use to launch attacks.

ChatGPT Powered Blackmamba Malware Can Bypass EDR Filters
Researcher’s discussion with ChatGPT

Jeff made the malware shareable and portable by employing auto-py-to-exe, a free, open-source utility. This can convert Python code into .exe files that can operate on various devices, such as macOS, Windows, and Linux systems. Additionally, the malware can be shared within the targeted environment through social engineering or email.

It is clear that as ChatGPT’s machine learning capabilities advance, such threats will continue to emerge and may become more sophisticated and challenging to detect over time. Automated security controls are not infallible, so organizations must remain proactive in developing and implementing their cybersecurity strategies to protect against such threats.

What is Polymorphic malware?

Polymorphic malware is a type of malicious software that changes its code and appearance every time it replicates or infects a new system. This makes it difficult to detect and analyze by traditional signature-based antivirus software because the malware appears different each time it infects a system, even though it performs the same malicious functions.

Polymorphic malware typically achieves its goal by using various obfuscation techniques such as encryption, code modification, and different compression methods. The malware can also mutate in real time by generating new code and unique signatures to evade detection by security software.

The use of polymorphic malware has become more common in recent years as cybercriminals seek new and innovative ways to bypass traditional security measures. The ability to morph and change its code makes it difficult for security researchers to develop effective security measures to prevent attacks, making it a significant threat to organizations and individuals alike.

Chat GPT: Is the Future Already Here?

AI-Powered ‘BlackMamba’ Keylogging Attack Evades Modern EDR Security

BlackMamba GPT POC Malware In Action

Professional Certificates, Bachelors & Masters Program

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Leave a Comment

How CISOs Can Work With the CFO to Get the Best Security Budget

CISOs can and should push back when they’re presented with budget costs that affect the business. Here’s how.

The CISO challenge of budgeting – Intelligent CISO

Today’s enterprise security executives face situations that could really hurt the company’s bottom line. Security teams are trying to modernize security operations in an increasingly porous network environment with ever more sophisticated threats. There are also economic pressures from layoffs, budget cuts, and restructuring.

Even worse, CFOs have heard from CISOs the doom-and-gloom predictions of the potential fiscal disaster of data breaches so often that it’s no longer resonating with them.

The doomer scenario is not hypothetical — global compliance requirements and privacy regulations drive the cost of a breach even higher than just the technical costs. However, CFOs and other C-level executives have heard these warnings so often now that it’s just background information that doesn’t drive their decision making.

Is there a more effective way to help the CFO understand why security needs to be far better funded? Yes: Present the CFO with a shared-risk scenario.

Setting Protection Priorities

Allan Alford, who was a CISO in various industries including technology, communications, and business services before morphing into a CISO consultant, says CISOs should use a different approach to describe cybersecurity issues to the CFO. They should begin by asking the CFO to identify the six most important strategic elements of the business — possibly including the supply chain, manufacturing operations, sensitive future product plans, etc. — then detail their plans for protecting each of those critical areas, Alford says.

The CISO can present the situation to the CFO in the following manner: “Thanks for sharing those priorities. Now, you are saying we need to cut the security budget by 37%. Given the state of the economy in our sectors, that is completely understandable. To make the cuts possible, can you tell me which of these six areas I should stop protecting? We will also need to bring in the line-of-business executive so that you can explain how these changes will impact that area.”

Historically, CISOs, CSOs, CROs, and other security-adjacent executives have been good soldiers, accepting the CFO-ordered cuts and deciding where changes have to be made, Alford says. This conflicts with the CISO’s job: to protect the company — including all intellectual property and all assets.

If the CFO decides to cut back security funding, they need to work with the COO, the CEO, the board, and other senior executives to decide which operations they can afford to not protect. It should not be left to the CISO to make those calls or defend the choices.

In fairness, the decision is rarely black-and-white. But if the CISO positions the budget decisions in this manner, the CFO will see the actual business impact the reductions would have. When the CFO is forced to decide where the cuts will happen and to choose which top-priority division is left undefended, the conversation shifts, Alford says. The CISO can say to the CFO, “We’ll jointly figure out what risks are tolerable, but make no mistake: A 37% cut will put various units at extreme risk. Can the business afford that deep a cut in our defenses?”

The CISO can present cost-effective alternatives to reduce security defenses, rather than eliminating them entirely. Now there is the possibility of negotiating a smaller budget cut. Maybe that 37% cut becomes a 23% cut.

Negotiating as a Group

The conversation shouldn’t begin and end with the CFO, says Daniel Wallance, an associate partner with McKinsey. It should involve the board’s risk committee, the CEO, the COO, and other colleagues who have a role in security spending, such as the CIO and the CRO.

“There is also spend coming from risk management [and] compliance on top of IT. I would engage those functions, as they have shared [security] responsibility and they may actually have dedicated resources,” Wallance says. “I need this to not be a one-on-one conversation. I want to make it a group.”

These conversations with other security executives should happen before and after the CFO meeting, but not during.

The CISO needs to meet with the other security players before meeting with the CFO to learn what overlaps and redundancies currently exist. The CISO also needs to know how much budget flexibility those other executives are willing to offer. That will be crucial information to have while working with the CFO. After meeting with the CFO, the CISO can go back to the other executives and see what they can negotiate as a group.

The actual CISO-CFO meeting should be just the two executives, to avoid making the CFO feel ganged up on. The discussion should be as friendly as possible to allow for reasonable compromises.

Involving the board’s risk committee is critical, as it is ultimately the board’s role — working with the CEO — to dictate the company’s risk tolerance. If the CFO’s requested budget reductions conflict with that risk tolerance, the board needs to know about it.

“The CISO should be meeting with the risk committee regularly,” Wallance says. “The business may not understand the implications of the budget cut. The CFO is not the only person at issue here.”

Adapting to Market Conditions

Larger trends in the economy also affect CISO budgetary needs.

There is a realistic existential threat to cyber insurance, the net that CFOs have relied on for more than 20 years. Lloyds of London said that it would stop covering the losses from state actor attacks, which is problematic given how difficult it is to prove an attack’s origin and who funded it. Insurance giant Zurich warned it might abandon cyber insurance entirely. And an Ohio Supreme Court decision raised the prospect of other cyber insurance limitations. Those changes could sharply increase the pressure on the CFO to better fund security, given that the enterprise will now be on the hook for the full amount of damages.

A complicating factor is the much-ballyhooed cybersecurity talent shortage. Whether the gap is as big as some say, it’s true that the cost of talent today is higher than what most budgets allow. So, yes, you will have difficulty finding qualified people, but increase the salary enough and, poof — no more talent shortage.

Richard Haag, the VP for compliance services at consulting firm Intersec Worldwide Inc., maintained that the difficulty in acquiring sufficiently experienced talent is a powerful argument in those CFO discussions.

“[I]n security, labor is about the only thing that can possibly be cut. You can’t just swap out firewalls. These agreements are locked in,” Haag says. “You need to say ‘I can barely protect your top strategic areas now. With the cuts you want, I simply won’t be able to defend your top targets and certainly not your not-so-top targets. I need more people, certainly not fewer people.'”

Alford also suggests the CISO point out how they negotiate lower vendor costs. Document it and share it with the CFO to demonstrate that the budget is being spent wisely.

“Demonstrate your efficiencies by driving vendor discounts as low as you can get them to go. CFOs want to know the money is being well spent, and ‘we got a heck of a deal’ does that well,” Alford says.

Finally, the CISO can also make the case for better security delivering more revenue. Does higher security investment make prospective customers more comfortable? Is lack of security making some existing customers leave? For example, if a financial institution chooses to reimburse customers in all fraud situations — rather than what most FIs do, which is to only reimburse in some situations — it could boast that its customers are better protected against fraud, prompting customers to leave competitors. That move would justify higher cybersecurity spend because of the greater acceptance of fraud costs.

“If you can shorten that sales cycle and prove that security gained more sales, it can be highly persuasive to CFOs: ‘Today, three customers walked away, but tomorrow none will,'” Alford says.

https://www.darkreading.com/edge-articles/how-cisos-can-work-with-the-cfo-to-get-the-best-security-budget

The Business-Minded CISO: How to Organize, Evangelize, and Operate an Enterprise-wide IT Risk Management Program

Leave a Comment