Jul 18 2024

Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

Category: Cyber Threats,Email Securitydisc7 @ 10:36 am

https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-ramp-up-use-of-encoded-urls-to-bypass-secure-email

Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.

Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.

The SEG Versus SEG Threat

The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.

“We do not have access to the internals of SEGs, so I can’t say for certain,” Gannon says. “But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate.”

In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender’s SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.

In these situations, problems can arise if the recipient’s secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient’s SEG scans the URL, but only sees the sending email gateway’s domain and not the final destination.

“Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination,” Cofense wrote in its report this week. “As a result, when an email already has SEG-encoded URLs, the recipient’s SEG often allows the email through without properly checking the embedded URLs.”

A Substantial Increase

Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular. Cofense said.

According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.

Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. “Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with,” he says. “For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/.”

Gannon says one reason why threat actors likely aren’t using the tactic on a much broader scale is because it involves additional work. “The biggest thing it comes down to is effort,” he says. If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to.”

Protecting against the tactic can be relatively difficult, as most SEGs don’t have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. “A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG.”

SOURCE: CHIM VIA SHUTTERSTOCK

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Encoded URLs


Jul 16 2024

Understanding Compliance With the NIST AI Risk Management Framework

Category: NIST Privacy,Risk Assessmentdisc7 @ 10:06 am

Incorporating artificial intelligence (AI) seems like a logical step for businesses looking to maximize efficiency and productivity. But the adverse effects of AI use, such as data security risk and misinformation, could bring more harm than good.

According to the World Economic Forum’s Global Risks Report 2024, AI-generated misinformation and disinformation are among the top global risks businesses face today.

To address the security risks posed by the increasing use of AI technologies in business processes, the National Institute of Standards and Technology (NIST) released the Artificial Intelligence Risk Management Framework (AI RMF 1.0) in January 2023. 

Adhering to this framework not only puts your organization in strong position to avoid the dangers of AI-based exploits, it also adds an impressive type of compliance to your portfolio, instilling confidence in external stakeholders. Moreover, while NIST AI RMF is more of a guideline than a regulation, today there are several AI laws in the process of being enacted, so adhering to NIST’s framework helps CISOs to future-proof their AI compliance postures.

Let’s examine the four key pillars of the framework – govern, map, measure and manage – and see how you can incorporate them to better protect your organization from AI-related risks.

1.Establish AI Governance Structures

In the context of NIST AI RMF, governance is the process of establishing processes, procedures, and standards that guide responsible AI development, deployment, and use. Its main goal is to connect the technical aspect of AI system design and development with organizational goals, values, and principles.

Strong governance starts from the top, and NIST recommends establishing accountability structures with the appropriate teams responsible for AI risk management, under the framework’s “Govern” function. These teams will be responsible for putting in place structures, systems and processes, with the end goal of establishing a strong culture of responsible AI use throughout the organization.

Using automated tools is a great way to streamline the often tedious process of policy creation and governance. “We view it as our responsibility to help organizations maximize the benefits of AI while effectively mitigating the risks and ensuring compliance with best practices and good governance,” said Arik Solomon, CEO of Cypago, a SaaS platform that automates governance, risk management, and compliance (GRC) processes in line with the latest frameworks.

“These latest features ensure that Cypago supports the newest AI and cyber governance frameworks, enabling GRC and cybersecurity teams to automate GRC with the most up-to-date requirements.”

Rather than existing as a stand-alone component, governance should be incorporated into every other NIST AI RMF function, particularly those associated with assessment and compliance. This will foster a strong organizational risk culture and improve internal processes and standards.

2.Map And Categorize AI Systems

The framework’s “Map” function supports governance efforts while also providing a foundation for measuring and managing risk. It’s here that the risks associated with an AI system are put into context, which will ultimately determine the appropriateness or need for the given AI solution.

As Opice Blum data privacy expert Henrique Fabretti Moraes explained, “Mapping the tools in use – or those intended for use – is crucial for understanding and fine-tuning acceptable use policies and potential mitigation measures to decrease the risks involved in their utilization.” 

But how do you actually put this mapping process into practice?

NIST recommends the following approach:

  • Clearly establish why you need or want to implement the AI system. What are the expectations? What are the prospective settings where the system will be deployed? You should also determine the organizational risk tolerance for operating the system.
  • Map all of the risks and benefits associated with using the system. Here is where you should also determine your risk tolerance, not only with monetary costs but also those stemming from AI errors or malfunctions.
  • Analyze the likelihood and magnitude of the impact the AI system will have on the organization, including employees, customers, and society as a whole.

3.Measure AI Performance and Risk

The “Measure” function utilizes qualitative and quantitative techniques to analyze and monitor the AI-related risks identified in the “Map” function.

AI systems should be tested before deployment and frequently thereafter. But measuring risk with AI systems can be tricky. The technology is fairly new, so there are no standardized metrics yet. This might change in the near future, as developing these metrics is a high priority for many consulting firms. For example, Ernst & Young (EY) is developing an AI Confidence Index

“Our confidence index is founded on five criteria – privacy and security, bias and fairness, reliability, transparency and explainability, and the last is accountability,” noted Kapish Vanvaria, EY Americas Risk Market Leader. The other axis includes regulations and ethics. 

“Then you can have a heat map of the different processes you’re looking at and the functions in which they’re deployed,” he says. “And you can go through each one and apply a weighted scoring method to it.”

In the NIST framework’s priorities, there are three main components of an AI system that must be measured: trustworthiness, social impact, and how humans interact with the system. The measuring process will likely consist of extensive software testing, performance assessments and benchmarks, along with reporting and documentation of results.

4.Adopt Risk Management Strategies

The “Manage” function puts everything together by allocating the necessary resources to regularly attend to uncovered risks during the previous stages. The means to do so are typically determined with governance efforts, and can be in the form of human intervention, automated tools for real-time detection and response, or other strategies.

To manage AI risks effectively, it’s crucial to maintain ongoing visibility across all organizational tools, applications, and models. AI should not be handled as a separate entity but integrated seamlessly into a comprehensive risk management framework.

Ayesha Gulley, an AI policy expert from Holistic AI, urges businesses to adopt risk management strategies early, taking into account five factors: robustness, bias, privacy, exploitability and efficacy. Holistic’s software platform includes modules for AI auditing and risk posture reporting.

“While AI risk management can be started at any point in the project development,” she said, “implementing a risk management framework sooner than later can help enterprises increase trust and scale with confidence.”

Evolve With AI

The NIST AI Framework is not designed to restrict the efficient use of AI technology. On the contrary, it aims to encourage adoption and innovation by providing clear guidelines and best practices for developing and using AI securely and responsibly.

Implementing the framework will not only help you reach compliance standards but also make your organization much more capable of maximizing the benefits of AI technologies without compromising on risk.

AI-RMF A Practical Guide for NIST AI Risk Management Framework

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: NIST AI Risk Management Framework


Jul 10 2024

Attackers Already Exploiting Flaws in Microsoft’s July Security Update

Category: Cyber Attack,Security vulnerabilitiesdisc7 @ 10:12 am

Microsoft has given administrators plenty of work to do with July’s security update that contains patches for a brutal 139 unique CVEs, including two that attackers are actively exploiting and one that’s publicly known but remains unexploited for the moment.

The July update contains fixes for more vulnerabilities than the previous two monthly releases combined and addresses issues that left unmitigated could enable remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities. The update included patches for four non-Microsoft CVEs, one of which is a publicly known Intel microprocessor vulnerability.

Lack of Details Heighten Urgency to Fix Zero-Days

One of the zero-day vulnerabilities (CVE-2024-38080) affects Microsoft’s Windows Hyper-V virtualization technology and allows an authenticated attacker to execute code with system-level privileges on affected systems. Though Microsoft has assessed the vulnerability as being easy to exploit and requiring no special privileges or user interaction to exploit, the company has given it only a moderate — or important — severity rating of 6.8 on the 10-point CVSS scale.

As is typical, Microsoft provided scant information on the flaw in its release notes. But the fact that attackers are already actively exploiting the flaw is reason enough to patch now, said Kev Breen, senior director threat research at Immersive Labs, in an emailed comment. “Threat hunters would benefit from additional details, so that they can determine if they have already been compromised by this vulnerability,” he said.

The other zero-day bug, tracked as CVE-2024-38112, affects the Windows MSHTML Platform (aka Trident browser engine) and has a similarly moderate CVSS severity rating of 7.0. Microsoft described the bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link.

That description left some wondering about the actual nature of the threat it represented. “This bug is listed as ‘spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), wrote in a blog post. “Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”

Rob Reeves, principal cybersecurity engineer at Immersive Labs, viewed the vulnerability as likely enabling remote code execution but potentially complex to exploit, based on Microsoft’s sparse description. “Exploitation also likely requires the use of an ‘attack chain’ of exploits or programmatic changes on the target host,” he said in prepared comments. “But without further information from Microsoft or the original reporter … it is difficult to give specific guidance.”

Other High-Priority Bugs

The two bugs that were publicly known prior to Microsoft’s July update — and hence are also technically zero-day flaws — are CVE-2024-35264, a remote code execution vulnerability in .Net and Visual Studio, and CVE-2024-37985, which actually is a third-party (Intel) CVE that Microsoft has integrated into its release.

In all, Microsoft rated just four of the flaws in its enormous update as being of critical severity. Three are of them, each with a near maximum severity rating of 9.8 on 10, affect the Windows Remote Desktop Licensing Service component that manages client access licenses (CALs) for remote desktop services. The vulnerabilities, identified as CVE-2024-38076CVE-2024-38077, and CVE-2024-38089, all enable remote code execution and should be on the top of the list of bugs to prioritize this month. “Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server,” Child said in his post.

Microsoft wants organizations to disable the Remote Desktop Licensing Service if they are not using it. The company also recommends organizations immediately install the patches for the three vulnerabilities even if they plan to disable the service.

One eyebrow-raising aspect in this month’s Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server — some 39, or more than a quarter of the 139 disclosed vulnerabilities. “Thankfully, none of them are critical based on their CVSS scores and they’re all listed as ‘Exploitation Less Likely,'” saysTyler Reguly, associate director of security R&D at Fortra. “Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch,” he noted.

As has been the trend in recent months, there were 20 elevation of privilege (EoP) bugs in this month’s update, slightly outnumbering remote code execution vulnerabilities (18). Though Microsoft and other software vendors often tend to rate EoP bugs overall as being less severe than remote code execution vulnerabilities, security researchers have advocated that security teams pay equal attention to both. That’s because privilege escalation bugs often allow attackers to take complete admin control of affected systems and wreak the same kind of havoc as they would by running arbitrary code on it remotely.

https://www.darkreading.com/application-security/attackers-already-exploiting-flaws-in-microsofts-july-security-update

SOURCE: ANUCHA CHEECHANG VIA SHUTTERSTOCK

Zero Day: Novice No More: Expose Software Vulnerabilities And Eliminate Bugs

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Microsoft's Security Update


Jul 09 2024

How nation-state cyber attacks disrupt public services and undermine citizen trust

Category: APT,Cyber Attackdisc7 @ 11:25 am

In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure.

Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses.

How do nation-state attacks affect the public sector and services provided to citizens?

All attacks, nation-state or not, have the potential to impact public sector services and the citizens who rely on them.

Just recently on June 3, 2024, Synnovis, a provider to the UK National Health Service (NHS), suffered a cyber attack preventing the processing of blood test results and impacting thousands of patient appointments and surgeries. In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities.

In the United States, many private sector organizations that provide public or critical infrastructure services have been significantly affected by cyberattacks. In 2021, JBS Foods, the largest US meat processor, was breached, forcing it to cease operations at 13 of its meat processing plants, impacting the US meat supply. One month prior, Colonial Pipeline was hit with a ransomware cyberattack, causing a run on gas in the eastern seaboard and requiring a presidential executive order to allow gas transport via semi-trucks.

A cyber attack in the Ukraine in 2015 brought down power for 230,000 customers, and such attacks have continued to disrupt the Ukrainian power grid since then.

In the US, we have seen the same nation-states employ less aggressive but potentially more disruptive strategies of espionage and misinformation in an effort to undermine the public’s trust in the electoral system.

While these are just a few notable examples, the impact ranges from delays and inconveniences to more significant repercussions like reduced capacity of healthcare services and other critical infrastructure. What’s harder to calculate is the degradation of trust when the public sector is compromised due to a cyber attack.

What are the most common vulnerabilities within government IT systems that cyber attackers exploit?

Many of the attack techniques that we see nation-states use are picked up by more common cyber criminals shortly after. While nation-states do have advanced capabilities and visibility that are hard or impossible for cyber criminals to replicate, the general strategy for attackers is to target vulnerable perimeter devices such as VPNs or firewalls as an entry point to the network. Next they focus on obtaining privileged credentials while leveraging legitimate software to masquerade as normal activity while they scout the environments for valuable data or large repositories to disrupt.

It’s important to note that the commonly exploited vulnerabilities in government IT systems are not distinctly different from the vulnerabilities exploited more broadly. Government IT systems are often extremely diverse and thus, subject to a variety of exploits. CISA actively maintains a Known Exploited Vulnerabilities (KEV) Catalog. These are vulnerabilities known to be exploited in the wild and pose an increased risk of exploitation for government organizations using any of the technologies cataloged.

How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?

AI has been in use for more than a decade in state-of-the-art security technologies, primarily to detect novel and constantly evolving attacks. Detecting the sheer volume of attacks today, as well as finding the singular “needle in a haystack” cannot be done by classic technologies, but is possible with sophisticated AI techniques. As a baseline, governments should evaluate their security technology to understand how effective AI and machine learning are at detecting the latest threats.

The more advanced capabilities can analyze the infrastructure to determine typical behavior and usage patterns and auto-configure security settings and policies, providing adaptive security that is even more efficient at detecting anomalous activities.

The latest generative AI technologies are also helping drive efficiency in the Security Operations Center (SOC). GenAI can help SOC analysts more quickly and fully understand attacks, and provide guidance to analysts using natural language. This is especially important as we face continued challenges staffing security professionals.

Are there any specific regulatory frameworks or policies that must be implemented or improved?

Currently, there are numerous policies and regulations, both domestically and internationally, which are inconsistent and vary in their requirements. These administrative requirements take significant resources which could otherwise be used to strengthen a company’s cybersecurity program. Therefore, it is imperative that existing and forthcoming cybersecurity regulations be harmonized and policies be considered comprehensively.

The recent summary from the Office of the National Cyber Director (ONCD) on the 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI) shows that the U.S. Government understands this problem. The report finds that the “lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.” The ONCD is working with other federal agencies as well as the private sector to address these issues by seeking to “simplify oversight and regulatory responsibilities of cyber regulators” and “substantially reduce the administrative burden and cost on regulated entities.”

This is a much-needed exercise and it’s encouraging to see steps being taken to ensure that cybersecurity regulations are comprehensive, effective, and efficient.

What role should the private sector play in supporting government cybersecurity efforts?

The private sector has threat intelligence that the government often doesn’t have. This makes the bidirectional sharing of information between the private and public sectors essential in combating bad actors. Partnerships between leading cybersecurity research groups and vendors like the Cyber Threat Alliance (CTA), as well as public and private sector partnerships like the Joint Cyber Defense Collaborative (JCDC), help the cybersecurity community at large bring its combined intelligence to bear to help defend our global digital ecosystem.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: nation-state cyber attacks


Jul 08 2024

Apple Geolocation API Exposes Wi-Fi Access Points Worldwide

Category: Access Control,API security,Wi-Fi Securitydisc7 @ 1:09 pm

https://www.darkreading.com/endpoint-security/apple-geolocation-api-exposes-wi-fi-access-points-worldwide

Beyond the devices that use them, Wi-Fi hubs themselves can leak interesting data, thanks to some quirks in Apple’s geolocation system.

SOURCE: FRANTIC VIA ALAMY STOCK PHOTO

Apple’s Wi-Fi Positioning System (WPS) can be used to map and track Wi-Fi access points (APs) around the globe. But in a presentation at Black Hat 2024, University of Maryland researcher Erik Rye will demonstrate how he mapped hundreds of millions of APs in a matter of days, without even needing an Apple device or any kind of permissions along the way.

How Apple Exposes Global APs

Have you ever wondered how your phone knows where it is in the world?

The Global Positioning System (GPS) is one tool it uses, of course, but it’s not a perfect one. It becomes less effective when the device loses a clear line to the sky, and it consumes a good deal of power, which isn’t ideal for such a persistent task. 

That’s where the Wi-Fi Positioning System comes in. WPS works a bit like GPS, if you substitute the satellites with Wi-Fi access points (APs).

For details:

https://www.darkreading.com/endpoint-security/apple-geolocation-api-exposes-wi-fi-access-points-worldwide

API Security for White Hat Hackers: https://amzn.to/45UJmsg

Wireless Security Architecture: https://amzn.to/4cCpNYb

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Apple Geolocation


Jul 03 2024

10 Clear Signs Your Business Needs a Cybersecurity Consultant—And What to Expect

Category: cyber security,Selling cyber securitydisc7 @ 8:37 am
https://www.linkedin.com/pulse/10-clear-signs-your-business-needs-cybersecurity-what-svyac/

You Can’t Keep Up with Emerging Threats or Technologies

Business Impact: Staying ahead of emerging threats and technologies is essential for protecting your business from cyberattacks. Falling behind can leave your business vulnerable to breaches, resulting in data loss, financial damage, and reputational harm. A cybersecurity consultant can help you stay current and implement the latest defenses, ensuring your business remains secure and competitive.

Expectation: CEOs should expect cybersecurity consultants to provide continuous education and training programs for their staff, ensuring the team stays updated with the latest cybersecurity trends and technologies. This empowers employees to recognize and respond to threats more effectively and reinforces a culture of security within the organization.

You Need an Impartial Security Assessment

Business Impact: Internal disagreements about security protocols can lead to inefficiencies and increased risk. An impartial assessment from a cybersecurity consultant can provide clarity, help to align your team and ensure that security measures are effective and unbiased. This can lead to a more cohesive security strategy and a more robust overall security posture.

Expectation: CEOs should expect cybersecurity consultants to conduct regular third-party security audits. These audits maintain an unbiased perspective on the company’s cybersecurity posture, uncover hidden vulnerabilities, and ensure that security measures evolve with the changing threat landscape.

You’re Lacking Innovation in Your Security Strategies

Business Impact: Innovation in security strategies is vital to staying ahead of cyber threats. A consultant brings fresh perspectives and innovative solutions that can enhance your existing security measures, leading to improved efficiency and effectiveness. This can result in cost savings, better resource allocation, and a more robust defense against cyber threats.

Expectation: CEOs should expect consultants to help establish a dedicated innovation team within the security department. This team should explore and integrate new technologies and methodologies, collaborating with the consultants to bring cutting-edge solutions to the organization.

You’re Unable to Meet Your Security Goals

Business Impact: Failing to meet security goals can expose your business to risks and hinder growth. A consultant can help identify the root causes of these challenges and provide actionable insights to achieve your objectives. Meeting security goals can enhance your business’s credibility, reduce the risk of breaches, and support overall business growth.

Expectation: CEOs should expect cybersecurity consultants to implement a structured framework like the NIST Cybersecurity Framework. This framework guides the security strategy and goal-setting processes, helping to identify gaps, set realistic goals, and track progress effectively.

Your Business Isn’t Growing, and You Don’t Know Why

Business Impact: Stagnant growth can indicate underlying security issues that are not immediately apparent. A cybersecurity consultant can conduct a thorough analysis to uncover hidden problems and provide solutions. Addressing these issues can remove barriers to growth, improve operational efficiency, and enhance your business’s financial performance.

Expectation: CEOs should expect cybersecurity consultants to perform a comprehensive security health check during the business strategy review. This health check identifies unseen security issues that may be hindering growth, and addressing them can streamline operations and enhance overall performance.

You’re Stalling on Implementing New Security Measures

Business Impact: Delaying important security initiatives can leave your business vulnerable and impede progress. A consultant can provide the expertise and resources needed to implement new security measures promptly. This can improve your security posture, reduce risk, and enable you to confidently take advantage of new business opportunities.

Expectation: CEOs should expect cybersecurity consultants to develop a clear, phased implementation plan for new security measures, prioritizing critical vulnerabilities first. This plan should include milestones and timelines to ensure steady progress and accountability.

You’re Working Outside Your Expertise

Business Impact: Focusing on areas outside your expertise can lead to suboptimal decisions and wasted resources. By hiring a cybersecurity consultant, you can ensure that specialized tasks are handled by experts, allowing you to focus on your strengths. This can lead to better decision-making, increased efficiency, and a higher quality of security measures.

Expectation: CEOs should expect cybersecurity consultants to establish a strategic partnership to handle specialized tasks. This ensures reliance on expert advice and services, allowing the CEO to focus on core business activities and leading to better overall outcomes.

You Lack In-House Security Expertise

Business Impact: A lack of in-house cybersecurity expertise can leave your business vulnerable to attacks and regulatory non-compliance. A consultant can fill this gap, providing the necessary skills and knowledge to protect your business. This can enhance your security posture, ensure compliance with industry regulations, and reduce the risk of costly breaches.

Expectation: CEOs should expect cybersecurity consultants to help implement an MSSP to supplement in-house capabilities. An MSSP provides continuous monitoring, threat detection, and response services, ensuring robust security even with limited internal resources.

You Have Tunnel Vision Regarding Security Issues

Business Impact: Working too closely on security problems can limit your perspective and lead to missed solutions. A consultant brings fresh eyes and can identify issues and solutions you might overlook. This can lead to more effective problem-solving, reduced risk, and improved overall security.

Expectation: CEOs should expect cybersecurity consultants to host regular brainstorming sessions with cross-functional teams. These sessions encourage diverse insights into security challenges, helping to uncover innovative solutions and prevent oversight.

You’re Working on a Time-Sensitive Security Project

Business Impact: Urgent security projects require expertise and efficiency to ensure success. A consultant can provide support to meet tight deadlines and achieve project goals.

Expectation: CEOs should expect cybersecurity consultants to utilize project management tools and methodologies like Agile to manage time-sensitive security projects efficiently. These tools streamline workflows, enhance collaboration, and meet critical deadlines without compromising quality.

FAQ’s

How do you verify the credentials and experience of a cybersecurity consultant?

To verify a cybersecurity consultant’s credentials and experience, you can:

  1. Check Certifications: Look for reputable certifications like CISSP, CISM, CEH, or others recognized in the industry.
  2. Review Past Projects: Ask for case studies or examples of past work that demonstrate their ability to handle challenges similar to yours.
  3. Seek References: Contact previous clients to get feedback on their experiences with the consultant.
  4. Interview Thoroughly: Conduct in-depth interviews to assess their knowledge, approach, and how they keep up with industry changes.
  5. Assess Continuous Learning: Inquire about their commitment to ongoing education and professional development.

What are the typical costs associated with hiring a cybersecurity consultant?

The cost can vary widely based on factors such as the scope of work, the consultant’s experience, and the duration of the engagement. Typical costs might include:

  1. Hourly Rates: Ranging from $150 to $500+ per hour.
  2. Project-Based Fees: Project fees can range from a few thousand dollars to hundreds of thousands, depending on the complexity.
  3. Retainer Agreements: Monthly retainers can range from $5,000 to $20,000 or more for ongoing support.
  4. Discussing and agreeing on the fee structure upfront is essential to ensure it aligns with your budget and expectations.

What are the common red flags when interviewing potential cybersecurity consultants?

Some red flags to watch out for include:

  1. Lack of Specific Experience: They must provide detailed examples of past projects or relevant experience.
  2. Overemphasis on Certifications: While important, certifications alone don’t guarantee practical expertise.
  3. Poor Communication Skills: Inability to clearly explain complex concepts or their approach to your specific issues.
  4. Vague proposals lack details about how they will address your needs or what deliverables you can expect.
  5. Unrealistic Promises: Guarantees of absolute security or immediate fixes are often unrealistic and should be scrutinized.

Can you provide examples of successful cybersecurity consultant engagements?

Examples of successful engagements include:

  1. Incident Response: A consultant helped a mid-sized company recover from a ransomware attack by quickly identifying the breach, containing the threat, and restoring data from backups, minimizing downtime and data loss.
  2. Security Program Development: A consultant worked with a healthcare provider to develop a comprehensive security program, achieving regulatory compliance and significantly reducing the risk of data breaches.
  3. Vulnerability Assessment: For a financial services firm, a consultant conducted a thorough vulnerability assessment, identifying and addressing critical security gaps that previously went unnoticed, enhancing overall security posture.

.

How do cybersecurity consultants stay updated on the latest threats and technologies?

Cybersecurity consultants stay current by:

  1. Continuous Education: Regularly attend training sessions and webinars and obtain advanced certifications.
  2. Professional Networks: Being active in professional organizations like (ISC)², ISACA, and others, which offer resources and networking opportunities.
  3. Industry Conferences: Participating in conferences such as Black Hat, DEF CON, and RSA Conference to learn about the latest trends and technologies.
  4. Research and Publications: I read industry publications and research papers and participated in cybersecurity forums and discussions.

Hands-On Experience: Engaging in ongoing practical work and simulations to apply new techniques and tools in real-world scenarios.

  1. This commitment to continuous learning ensures they can provide up-to-date and effective security solutions.

In what situations would a vCISO or CISOaaS service be appropriate?

CyberSecurity Consultants Playbook

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Cybersecurity Consultant


Jul 01 2024

New Hacker Group Attacking Systems With 10 Malware At Same Time

Category: Malwaredisc7 @ 8:03 am

A malware campaign of huge magnitude, and perhaps run by just one group, is using artificially nested files for distribution named ‘WEXTRACT.EXE            .MUI’.

More than 50,000 files worldwide featuring this method are delivered by different stealers and loaders such as Redline, RisePro, and Amadey.

Several samples are associated with an Eastern European cybercriminal-linked Autonomous System.

Cybersecurity researchers at OutPost24 recently detected that a new hacker group has been attacking the system with 1o malware at the same time.

10 Malware At Same Time

The “WEXTRACT.EXE            .MUI” malware distribution system is one that makes use of nested cabinet files to distribute a number of malware samples such as stealers and loaders.

This method’s complex execution sequence drops and runs malware in reverse order, which may result in bypassing security measures.

The technique could cause multiple infections as the loaders may download more malware.

From February 2023 through the start of 2024, a massive malware distribution campaign nested multiple malware families, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.

The campaign developed over time, incorporating obfuscation tools and different distribution methods.

An examination of over two thousand one hundred examples showed some malware combinations in which victims might be infected by several stealers and loaders simultaneously.

This suggests that there was a single actor behind the infrastructure and tactics for this campaign.

Distribution steps of one sample of WEXTRACT (Source – OutPost24)

It is likely that the campaign to distribute malware called “Unfurling Hemlock” buys distribution services from other actors.

Its earliest phases were in email attachments and downloads from hacked or hoax websites.

The infrastructure, mostly based on AS 203727, uses both exclusive and shared IPs for distributing WEXTRACT and other malware.

This indicates one actor or entity that is responsible for the campaign but delegates some of its distribution aspects to others.

The malware campaign uses different C2 URLs and IP addresses, some of which are specific to the WEXTRACT-related malware and others that are common to other campaigns.

The diversity in infrastructure supports the insight that this actor could be supplying samples from other campaigns, possibly encouraged by financial interest.

While the upload locations may not indicate the actual infection sites, the infection sources cut across several countries.

Here below we have mentioned the countries:-

Origin of the samples (Source – OutPost24)

Unlike the usual trend, this huge malware attack mainly targets Western institutions, including Russia.

This operation launched different types of malware simultaneously to increase the possibilities of infection and diversify potential paybacks.

Though not highly developed, this “cluster bomb” method may be adopted by threat actors in the future.

Researchers recommended using the latest anti-malware tools, performing analysis of packed files, and user alertness to be cautious about suspicious downloads and emails.

Evasive Malware: Understanding Deceptive and Self-Defending Threats

CrowdStrike Falcon Go | Premier Antivirus Protection for Small Businesses 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Cluster bomb


Jun 30 2024

Fake IT support sites push malicious PowerShell scripts as Windows fixes

Category: Malware,PowerShell Securitydisc7 @ 9:51 am

Fake IT support sites promote malicious PowerShell “fixes” for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.

First discovered by eSentire’s Threat Response Unit (TRU), the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator.

In particular, the threat actors are creating fake videos promoting a fix for the 0x80070643 error that millions of Windows users have been dealing with since January.

“There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643),” reads the Windows Update error.

0x80070643 in Windows Update
Source: BleepingComputer

It turns out that Windows Update is displaying an incorrect error message, as it was supposed to display a CBS_E_INSUFFICIENT_DISK_SPACE error on systems with a Windows Recovery Environment (WinRE) partition that’s too small for the update to install.

Microsoft explained that the new security update requires that the WinRE partition have 250 megabytes of free space, and if it doesn’t, you must manually expand the partition yourself.

However, expanding the WinRE partition is complicated, if not impossible, for those whose WinRE is not the last partition on the drive.

Due to this, many are unable to install the security update and are left with the 0x80070643 error message every time they use Windows Update.

These errors have caused many frustrated Windows users to seek a solution online, allowing threat actors to capitalize on their search for a fix.

Fake IT sites promote PowerShell fixes

According to eSentire, threat actors are creating numerous fake IT support sites that are specifically designed to help users with common Windows errors, heavily focusing on the 0x80070643 error.

“In June 2024, eSentire’s Threat Response Unit (TRU) observed an intriguing case involving a Vidar Stealer infection initiated through a fake IT support website (Figure 1),” explains the eSentire report.

“The infection began when the victim performed a web search for solutions to a Windows Update Error code.”

The researchers found two fake IT support sites promoted on YouTube named pchelprwizzards[.]com and pchelprwizardsguide[.]com. While writing this article, BleepingComputer found additional sites at pchelprwizardpro[.]com, pchelperwizard[.]com, and fixedguides[.]com.

Like the other videos eSentire found for the PCHelperWizard typo sites, BleepingComputer also found YouTube videos for the FixedGuides site, also promoting fixes for the 0x80070643 errors.

These sites all offer fixes that either require you to copy and run a PowerShell script or import the contents of a Windows Registry file.

Regardless of which “solution” is used, a PowerShell script will be executed that downloads malware on the device.

eSentire’s report outlines how the PCHelperWizard sites (not to be confused with the legitimate course site) will walk users through copying a PowerShell script into the Windows Clipboard and execute it in a PowerShell prompt.

Malicious PowerShell script disguised as a Windows error fix
Source: BleepingComputer

This PowerShell script contains a Base64 encoded script that will connect to a remote server to download another PowerShell script, which installs the Vidar information-stealing malware on the device.

When the script is finished, it will display a message that the fix was successful and to restart the computer, which will also launch the malware.

The FixedGuides site does it a bit differently, using an obfuscated Windows Registry file to hide autostarts that launch a malicious PowerShell script.

However, when I extracted the strings from the above file, you can see that it contains a valid Registry file that adds a Windows autostart (RunOnce) entry that runs a PowerShell script. This script ultimately downloads and installs information-stealing malware on the computer.

Using either fake fix will result in the information-stealing malware launching after Windows is restarted. Once started, the malware will extract saved credentials, credit cards, cookies, and browsing history from your browser.

Vidar can also steal cryptocurrency wallets, text files, and Authy 2FA authenticator databases, as well as take screenshots of your desktop.

This data is compiled into an archive called a “log,” which is then uploaded to the attacker’s servers. The stolen data is then used to fuel other attacks, such as ransomware attacks, or sold to other threat actors on dark web marketplaces.

However, the infected user is now left with a nightmare, having all their accounts compromised and potentially suffering financial fraud.

While Windows errors can be annoying, it is crucial to download software and fixes only from trusted websites, not from random videos and websites with little or no reputation.

Your credentials have become a valuable commodity and threat actors are coming up with sneaky and creative methods to steal them, so unfortunately, everyone needs to stay vigilant against unusual attack methods.

As for the 0x80070643 errors, if you are unable to resize the WinRE partition, your best bet is to use Microsoft’s Show or Hide Tool to hide the KB5034441 update so that Windows Update no longer offers it on your system and not search on the Internet for a magic fix.

https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-malicious-powershell-scripts-as-windows-fixes/

CrowdStrike Falcon Go | Premier Antivirus Protection for Small Businesses

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Fake IT support sites


Jun 28 2024

Your Phone’s 5G Connection Is Vulnerable to Bypass, DoS Attacks

Category: DDoS,Security vulnerabilities,Smart Phonedisc7 @ 9:33 am

https://www.darkreading.com/mobile-security/your-phone-s-5g-connection-is-exposed-to-bypass-dos-attacks

SOURCE: PETER GALLEGHAN VIA ALAMY STOCK PHOTO

Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.

It’s a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.

Step 1: Set Up a Fake Base Station

When a device first attempts to connect with a mobile network base station, the two undergo an authentication and key agreement (AKA). The device sends a registration request, and the station replies with requests for authentication and security checks.

Though the station vets the phone, the phone does not initially vet the station. Its legitimacy is essentially accepted as a given.

“Base stations advertise their presence in a particular area by broadcasting ‘sib1’ messages every 20 milliseconds, or 40 milliseconds, and none of those broadcast messages have authentication, or any kind of security mechanisms,” explains Penn State assistant professor Syed Rafiul Hussain. “They’re just plaintext messages. So there’s no way that a phone or a device can check whether it’s coming from a fake tower.”

Setting up a fake tower isn’t as tall a task as it might seem. You just need to mimic a real one using a software-defined radio (SDR). As Kai Tu, another Penn State research assistant points out, “People can purchase them online — they’re easy to get. Then you can get some open source software (OSS) to run on it, and this kind of setup can be used as a fake base station.” Expensive SDRs might cost tens of thousands of dollars, but cheap ones that get the job done are available for only a few hundred.

It might seem counterintuitive that a small contraption could seduce your phone away from an established commercial tower. But a targeted attack with a nearby SDR could provide even greater 5G signal strength than a tower servicing thousands of other people at the same time. “By their nature, devices try to connect to the best possible cell towers — that is, the ones providing the highest signal strength,” Hussain says.

Step 2: Exploit a Vulnerability

Like any security process, AKA can be exploited. In the 5G modem integrated in one popular brand of mobile processor, for example, the researchers found a mishandled security header that an attacker could use to bypass the AKA process entirely.

This processor in question is used in the majority of devices manufactured by two of the world’s biggest smartphone companies. Dark Reading has agreed to keep its name confidential.

After having attracted a targeted device, an attacker could use this AKA bypass to return a maliciously crafted “registration accept” message and initiate a connection. At this point the attacker becomes the victim’s Internet service provider, capable of seeing everything they do on the Web in unencrypted form. They can also engage the victim by, for example, sending a spear phishing SMS message, or redirecting them to malicious sites.

Though AKA bypass was the most severe, the researchers discovered other vulnerabilities that would allow them to determine a device’s location, and perform denial of service (DoS).

How to Secure 5G

The Penn State researchers have reported all the vulnerabilities they discovered to their respective mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, “If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?”

It’s unlikely that such an overhaul will happen any time soon, as 5G systems were knowingly built to transmit messages in plaintext for specific reasons.

“It’s a matter of incentives. Messages are sent in milliseconds, so if you incorporate some kind of cryptographic mechanism, it will increase the computational overhead for the cell tower and for the user device. Computational overhead is also associated with time, so performance-wise it will be a bit slower,” Hussain explains.

Perhaps the performance incentives outweigh security ones. But whether it be via a fake cell tower, Stingray device, or any other means, “They all exploit this feature — the lack of authentication of the initial broadcast messages from the cell towers.”

“This is the root of all evil,” Hussain adds.

Mastering 5G Network Design, Implementation, and Operations: A comprehensive guide to understanding, designing, deploying, and managing 5G networks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: 5G Connection


Jun 27 2024

HACKING MICROSOFT MMC: DISCOVER THE GRIMRESOURCE EXPLOIT

Category: Hackingdisc7 @ 7:04 am

Elastic Security Labs has uncovered a novel technique, GrimResource, that leverages specially crafted Microsoft Management Console (MMC) files for initial access and evasion, posing a significant threat to cybersecurity.

In response to Microsoft’s decision to disable Office macros by default for internet-sourced documents, attackers have been forced to adapt, exploring new infection vectors like JavaScript, MSI files, LNK objects, and ISOs. These traditional methods are now heavily scrutinized by defenders, pushing well-resourced attackers to innovate further. A recent example includes North Korean actors using a novel command execution technique within MMC files.

Elastic researchers have identified GrimResource, a new infection technique that exploits MSC files, allowing attackers to execute arbitrary code in the context of mmc.exe when a user opens a specially crafted MSC file. The first sample leveraging GrimResource was uploaded to VirusTotal on June 6th.

Key Takeaways

  • GrimResource enables attackers to execute arbitrary code in Microsoft Management Console with minimal security warnings, making it ideal for initial access and evasion.
  • Elastic Security Labs provides analysis and detection guidance to help the community defend against this technique.

Detailed Analysis

INITIAL DISCOVERY

The GrimResource method was identified after a sample was uploaded to VirusTotal on June 6th, 2024. This sample demonstrated a novel way to achieve code execution by exploiting the MSC file format, commonly used in administrative tools within Windows.

TECHNICAL BREAKDOWN

Exploitation of apds.dll Vulnerability

The core of the GrimResource technique exploits an old cross-site scripting (XSS) flaw in the apds.dll library. By crafting an MSC file that includes a reference to this vulnerable library in the StringTable section, attackers can execute arbitrary JavaScript in the context of mmc.exe. This approach leverages the following steps:

  1. StringTable Manipulation: The MSC file is modified to include a reference to apds.dll.
  2. JavaScript Execution: The XSS flaw in apds.dll allows JavaScript execution within MMC, enabling further payload delivery.

Combination with DotNetToJScript

To execute arbitrary code, attackers combine the XSS exploit with the DotNetToJScript technique:

  1. Obfuscation Techniques: The initial sample uses the transformNode method for obfuscation, a technique also seen in recent macro-based attacks. This helps evade ActiveX security warnings.
  2. Embedded VBScript: The obfuscated script within the MSC file sets environment variables with the target payload.
  3. DotNetToJScript Execution: The script then uses DotNetToJScript to run an embedded .NET loader, named PASTALOADER, which retrieves the payload from the environment variables and executes it.

PASTALOADER Execution

PASTALOADER is designed to execute the payload in a stealthy manner:

  1. Payload Injection: PASTALOADER injects the payload into a new instance of dllhost.exe, a legitimate system process, to avoid detection.
  2. Stealth Techniques: The injection uses DirtyCLR, function unhooking, and indirect syscalls to minimize detection chances.
https://www.securitynewspaper.com/2023/09/29/send-phishing-emails-with-content-font-size-0px-can-to-hack-into-microsoft-outlook-365-accounts/embed/#?secret=RSwxVMwOix#?secret=Nug7FeGVNf

Final Payload: Cobalt Strike

In the identified sample, the final payload is the Cobalt Strike Beacon, a widely used post-exploitation tool. The injection into dllhost.exe is done carefully to avoid triggering security mechanisms.

DETECTION METHODS

Elastic Security Labs’ Detection Techniques

Elastic Security Labs has developed several detection methods to identify GrimResource activity:

  1. Suspicious Execution via Microsoft Common Console:
    • This detection looks for unusual processes spawned by mmc.exe, indicating potential malicious activity.
  2. .NET COM Object Created in Non-standard Windows Script Interpreter:
    • Detects memory allocations by .NET on behalf of Windows Script Host (WSH) engines, indicative of DotNetToJScript usage.
  3. Script Execution via MMC Console File:
    • Monitors file operations and process behaviors related to MSC file execution, particularly looking for the creation and use of apds.dll references.
  4. Windows Script Execution via MMC Console File:
    • Correlates the creation of temporary HTML files in the INetCache folder, a hallmark of the APDS XSS redirection.

Example EQL Rules

sequence by process.entity_id with maxspan=1m

[process where event.action == “start” and process.executable : “?:\\Windows\\System32\\mmc.exe” and process.args : “*.msc”]

[file where event.action == “open” and file.path : “?:\\Windows\\System32\\apds.dll”]

Detecting Temporary HTML Files:

sequence by process.entity_id with maxspan=1m

[process where event.action == “start” and process.executable : “?:\\Windows\\System32\\mmc.exe” and process.args : “*.msc”]

[file where event.action in (“creation”, “overwrite”) and process.executable : “?:\\Windows\\System32\\mmc.exe” and file.name : “redirect[?]” and file.path : “?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*\\redirect[?]”]

Forensic Artifacts

The technique leaves several forensic artifacts, including:

  • MSC File Manipulations: Unusual references in StringTable sections.
  • Temporary Files: HTML files in the INetCache directory named “redirect[?]”.
  • Process Anomalies: Unexpected process creation and memory allocations by mmc.exe and dllhost.exe.

Attackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files. Elastic’s defense-in-depth approach has proven effective against this novel threat. Defenders should implement the provided detection guidance to protect themselves and their customers from GrimResource before it proliferates among commodity threat groups.

Windows Security Internals: A Deep Dive into Windows Authentication, Authorization, and Auditing

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: GRIMRESOURCE EXPLOIT, MICROSOFT MMC


Jun 25 2024

In what situations would a vCISO or CISOaaS service be appropriate?

Category: CISO,vCISOdisc7 @ 11:48 am

A virtual Chief Information Security Officer (vCISO) service or (CISOaaS) may be appropriate for a variety of scenarios, including:

Your clients, collaborators (partners) and some regulatory requirements anticipate the presence of an individual fulfilling the position of Chief Information Security Officer (CISO).
  1. Companies without an in-house CISO: Small and medium-sized companies may not have the budget or need for a full-time CISO. A vCISO service can provide these companies with access to a seasoned cybersecurity professional without having to hire a full-time employee.
  1. Companies experiencing rapid growth or change: Companies that are growing quickly or undergoing significant changes, such as mergers or acquisitions, may benefit from the expertise of a vCISO to help them navigate the cybersecurity implications of these changes.
  1. Companies with limited cybersecurity resources: Some companies may have an IT team but lack dedicated cybersecurity resources. A vCISO can help fill this gap by providing strategic guidance and oversight of the company’s cybersecurity program.
  1. Compliance requirements: Companies in regulated industries, such as healthcare or financial services, may require a CISO to meet regulatory requirements. A vCISO can help these companies meet compliance requirements with standards (ISO 27001) and regulations (PCI, HIPAA, NIST CSF, etc.) without having to hire a full-time CISO.
  1. Cybersecurity incident response: In the event of a cybersecurity incident, a vCISO can provide expertise and guidance to help the company respond effectively and minimize the impact of the incident.

Overall, a vCISO service can be a cost-effective way for companies to gain access to the expertise of a seasoned cybersecurity professional without having to hire a full-time employee.

Which organizations may need vCISO services:

  1. Small to Medium-Sized Enterprises (SMEs):
    • These businesses may not have the resources to hire a full-time CISO but still require expert guidance to manage their cybersecurity needs.
    • Industries: Technology startups, healthcare practices, legal firms, financial services, retail businesses, etc.
  2. Large Enterprises:
    • Large companies with existing security teams may use vCISO services for additional expertise, specific projects, or temporary coverage to assist in house CISO.
    • Industries: Finance, healthcare, manufacturing, utilities, telecommunications, etc.
  3. Non-Profit Organizations:
    • These organizations often need to protect sensitive donor and beneficiary information but might lack the budget for a full-time CISO.
    • Examples: Charitable organizations, educational institutions, and research entities.
  4. Government Agencies:
    • Small to mid-sized government entities may utilize vCISO services to bolster their cybersecurity posture and comply with regulations.
    • Examples: Local municipalities, state agencies, and public health departments.
  5. Regulated Industries:
    • Companies in heavily regulated industries need to adhere to strict compliance standards and may require specialized cybersecurity expertise.
    • Industries: Healthcare (HIPAA), finance (GLBA, SOX), and retail (PCI-DSS).
  6. Organizations Undergoing Digital Transformation:
    • Businesses that are adopting new technologies, moving to the cloud, or modernizing their IT infrastructure may need vCISO services to manage the associated security risks.
    • Examples: Companies implementing IoT, AI, or big data solutions.
  7. Businesses Experiencing Rapid Growth:
    • Fast-growing companies may face evolving cybersecurity challenges and can benefit from the strategic oversight of a vCISO.
    • Examples: Tech startups, e-commerce platforms, and fintech companies.
  8. Companies Preparing for Mergers and Acquisitions:
    • Businesses involved in M&A activities need to ensure that cybersecurity due diligence is performed and that their security posture is strong to protect sensitive data.
    • Examples: Investment firms, private equity groups, and merging corporations.
  9. Organizations Recovering from a Security Incident:
    • Companies that have experienced a breach or other security incident may hire a vCISO to help with incident response, recovery, and the implementation of stronger security measures.
    • Examples: Any business recovering from ransomware attacks, data breaches, or significant cybersecurity incidents to mitigate risk to an acceptable level and improves security posture

DISC InfoSec can offer tailored cybersecurity solutions that align with the specific needs and constraints of different types of organizations.

CISOaaS

Organizations committed to prioritizing security encounter the difficulty of locating a Chief Information Security Officer (CISO) possessing the appropriate skills and knowledge. It becomes necessary for someone to take charge of the security and compliance strategy, but this requirement often surpasses the expertise possessed by operational IT/CIO.

What is CISOaaS?
Chief Information Security Officer-as-a-Service (CISOaaS) provides information security leadership from an appropriate pool of expertise. CISOaaS provides security guidance to senior management and drives the organization’s information security program.

Cert-In issues new guidelines for government bodies, mandates appointment of CISO, Read more at: https://lnkd.in/dKcdHMtP

The benefits of our CISOaaS

  • Gain access to a diverse pool of highly experienced and specialized senior cyber security professionals.
  • Rapidly access valuable resources and eliminate the necessity of retaining talent.
  • Reduce your expenses by paying solely for the necessary support, effectively minimizing costs.
  • Based on CISOaaS being engaged for four days a month annually at current prices. 
  • Based on your requirements, you can hire a vCISO 5-10 hours a week or per month.
  • Mitigate your risk by strengthening your cyber and information strategy through the implementation of a clearly defined roadmap, thereby enhancing your overall security posture.
  • Acquire valuable experience in effectively educating and presenting to board members, and non-technical senior staff across functional diverse backgrounds.
  • Leverage our independent perspective and established credibility to secure comprehensive cross-business support and successfully accomplish your information security objectives.

Are you Ready? DISC InfoSec offers a free consultation to evaluate your security posture and GRC requirements, providing you with an actionable plan that starts here…

Deura InfoSec Partners with Ostendio to Streamline Compliance & Security Offerings

  • Strategic Partnership: Ostendio and Deura InfoSec have formed a partnership to enhance compliance and risk management services for Deura InfoSec clients using Ostendio’s GRC platform.
  • Efficiency Gains: Deura InfoSec will leverage Ostendio’s platform to streamline compliance processes, significantly reducing the time clients spend on information security management by up to 50%.
  • Client Benefits: The partnership allows Deura InfoSec to overcome the challenges of fragmented security and simplify the processes and costs of delivering complex cybersecurity programs.

DISC-vCISO-v3-0-1Download

Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

6 ways the CISO role is evolving today

A CISO’s Guide to Avoiding Jail After a Breach

Cybersecurity: The CISO’s View

We’d love to hear from you! If you have any questions, comments, or feedback, don’t hesitate to get in touch. Our team is here to help, and we’re always looking to improve our services. You can reach us by email at info@deurainfosec.com or through our website. contact form.

We offer discounted initial assessment based on various industry standards and regulations to demonstrate our value and identify possible areas for improvement. Potentially a roadmap for the to-be state.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: CISO, CISOaaS, FractionalCISO, GRC, Ostendio, vCISO


Jun 19 2024

Pentesting Azure Applications

Category: Pen Testdisc7 @ 5:54 pm

🔵 Important reminder for Azure users! When utilizing Azure cloud for your application, don’t overlook key testing areas such as user access, data protection, secure deployment, and other critical functions…

Top 10 threats to Azure applications

When deploying and managing applications on Microsoft Azure, it is essential to be aware of various security threats that could compromise the integrity, availability, and confidentiality of your services. Here are the top 10 threats to Azure applications:

  1. Misconfiguration of Security Settings:
    • Misconfigured security settings in Azure resources such as Storage Accounts, Virtual Networks, and Azure Active Directory can lead to unauthorized access and data breaches.
  2. Insecure APIs and Endpoints:
    • APIs and endpoints that are not properly secured can be exploited by attackers to gain unauthorized access or manipulate data.
  3. Insufficient Identity and Access Management (IAM):
    • Weak IAM policies can result in inadequate permission controls, allowing unauthorized users or applications to access sensitive resources.
  4. Data Breaches and Data Leakage:
    • Data stored in Azure services, if not properly encrypted and secured, can be susceptible to breaches and leakage.
  5. Denial of Service (DoS) Attacks:
    • Azure applications can be targeted by DoS attacks, which aim to overwhelm the application with traffic, making it unavailable to legitimate users.
  6. Vulnerable Virtual Machines and Containers:
    • Unpatched or poorly configured VMs and containers can be exploited by attackers to gain access to the underlying infrastructure.
  7. Insufficient Logging and Monitoring:
    • Lack of comprehensive logging and monitoring can prevent detection of security incidents and hinder incident response efforts.
  8. Weak Network Security:
    • Inadequate network security measures such as poorly configured Network Security Groups (NSGs) and lack of Virtual Network (VNet) isolation can expose Azure resources to external threats.
  9. Phishing and Social Engineering Attacks:
    • Azure accounts and services can be compromised through phishing and social engineering attacks, leading to unauthorized access.
  10. Vulnerabilities in Third-Party Dependencies:
    • Applications often rely on third-party libraries and services, which may have vulnerabilities that could be exploited by attackers if not properly managed and updated.

Mitigation Strategies

To mitigate these threats, organizations should implement a comprehensive security strategy that includes:

  • Regular Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and fix vulnerabilities.
  • Secure Configuration Management: Utilize Azure Security Center and Azure Policy to enforce security best practices and compliance.
  • Robust Identity and Access Management: Implement multi-factor authentication (MFA), role-based access control (RBAC), and conditional access policies.
  • Data Protection: Encrypt data at rest and in transit using Azure Key Vault and other encryption services.
  • Network Security: Use Azure Firewall, NSGs, and VNets to segment and secure network traffic.
  • Threat Detection and Response: Enable Azure Monitor, Azure Sentinel, and other logging and monitoring tools to detect and respond to security incidents.
  • Secure Development Practices: Follow secure coding practices and regularly update third-party dependencies to mitigate known vulnerabilities.
  • User Training and Awareness: Conduct regular training sessions to educate users about phishing and social engineering threats.

By being proactive and implementing these strategies, organizations can significantly reduce the risk of security threats to their Azure applications.

Ensuring thorough testing is vital for a secure seamless experience 🔴

The Definitive Guide to Testing and Securing Deployments…

Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments

Building and Automating Penetration Testing Labs in the Cloud: Set up cost-effective hacking environments for learning cloud security on AWS, Azure, and GCP

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Azure Applications


Jun 19 2024

How to Check If a Company Is ISO 27001 Certified

Category: ISO 27kdisc7 @ 5:44 pm

 IT Governance USA  

With data breaches and cyber attacks a constant news feature, and the US suffering more publicly disclosed incidents than any other country, it’s no surprise that cybersecurity is an increasingly bigger concern.

Customers, partners, authorities, and other stakeholders all want assurances that organizations are taking reasonable steps to prevent data breaches.

After all, customers want to know that their data is safe. Partners don’t want to end up in the headlines due to a breach in their supply chain. And authorities want organizations to be meeting their legal obligations.

With that in mind, demand for ISO 27001 certification is increasing.


What is ISO 27001?

ISO 27001 is the internationally recognized standard that stipulates the requirements for an ISMS (information security management system). This standard was most recently updated in 2022.

A significant benefit of ISO 27001, compared to alternative standards (such as the NIST Cybersecurity Framework, is that organizations can achieve independent, accredited certification to it.

While organizations implementing an ISMS don’t have to achieve ISO 27001 certification, doing so has numerous benefits. Most notably, it offers potential and existing clients assurance that you’re following information security best practice.


How do you know whether the certificate or the certification body is legitimate?

The best way to validate a potential vendor’s certification is to ask for a copy of their certificate. Any organization with accredited certification should be happy to provide it.

However, do check that the certificate has been issued by an accredited certification body.


How do you assess whether the certification body is accredited?

Certification bodies must also go through their own strict accreditation process to ensure they meet requirements and are qualified to carry out audits in line with ISO 27001.

To verify that a US certification body is accredited, check whether it is listed on an accreditation body’s website.

Accreditation bodies are selected and appointed by the IAF (International Accreditation Forum). For the US, in 2024, it has listed three accreditation bodies for ISO 27001:

  1. ANAB (ANSI-ASQ National Accreditation Board)
  2. IAS (International Accreditation Service)
  3. UAF (United Accreditation Foundation)

For ISO 27001, ANAB is the biggest accreditation body. Here’s a list of ISO 27001 certification bodies it has accredited.

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

Key strategies for ISO 27001:2022 compliance adoption

What is ISO 27002:2022

ISO 27k Chat bot

Implementation Guide ISO/IEC 27001:2022

Please send an email related to ISO27001:2022 implementation to info@DeuraInfoSec.com and we are happy to help!

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot


Jun 17 2024

Network enumeration with Nmap

Category: Cheat Sheet,Security Toolsdisc7 @ 12:39 pm

Nmap Cheatsheet by Hack The Box

The Nmap Handbook: A Deep Dive into Network Mapping and Scanning

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Nmap, Nmap handbook, Nmap network scanning


Jun 13 2024

Microsoft President Admits to Major Security Failures

Category: Security Breachdisc7 @ 3:25 pm

Brad Smith Says the Tech Giant ‘Accepts Responsibility’ for Cyber Breaches

https://www.databreachtoday.co.uk/microsoft-president-admits-to-major-security-failures-a-25515

Microsoft President Brad Smith during a tense U.S. congressional hearing Thursday acknowledged responsibility for a series of security failures that facilitated multiple high-profile state-sponsored cyberattacks targeting government institutions and the company itself.

Lawmakers on the House Committee on Homeland Security grilled Smith over Microsoft’s failure to address critical vulnerabilities and its mishandling of whistleblower warnings, which they argued led to the SolarWinds attack and other major breaches that federal cyber authorities say could have been avoided.

Rep. Mark Green, R-Tenn., who chairs the committee, described recent federal findings about Microsoft’s security blunders as “extremely concerning” and said the company’s “underinvestment in essential security measures exposed critical vulnerabilities.”

“Microsoft is deeply integrated into our nation’s digital infrastructure,” Green said, adding that the company has a “heightened responsibility” to ensure federal systems are protected from intrusion.

The hearing took place the same day ProPublica released a bombshell report alleging Microsoft ignored warnings from a whistleblower about a critical vulnerability that left the company susceptible to Russian hackers for several years. The whistleblower left the company in August 2020 out of frustration with its handling of the security flaw that ultimately facilitated Russia’s attack against SolarWinds just months later.

The federally empaneled Cyber Safety Review Board in a report published following a seven-month probe of the company’s security practices blamed Microsoft’s corporate culture for deprioritizing enterprise security investments and allowing preventable security breaches.

“Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said in his prepared opening remarks, adding: “Without equivocation or hesitation.”

The Russian state hacking group tracked as Midnight Blizzard, also known as APT29 and CozyBear, breached senior Microsoft executives’ email inboxes after using an unsophisticated hacking technique (see: Microsoft’s Latest Hack Sparks Major Security Concerns). The incident came less than a year after Microsoft disclosed that a group of Chinese hackers breached customers’ email systems as part of a cyberespionage campaign targeting federal agencies and other major organizations.

Lawmakers on both sides of the political aisle expressed doubts over whether Microsoft has been fully transparent with its customers and the federal government in the wake of recent security breaches. The ProPublica report published Thursday says that Smith testified to the Senate Intelligence Committee in 2017 that Microsoft became aware of the flaw leading to the SolarWinds attack only after the cybersecurity firm CyberArk published a blog post describing the exploit, known as Golden SAML.

“My concerns about whether we can rely on Microsoft to be transparent were heightened this morning when I read a ProPublica article about how an employee alerted Microsoft’s leadership to a vulnerability,” said ranking member Rep. Bennie Thompson, D-Mo. “That vulnerability was ultimately used by Russian hackers to carry out secondary phases of the SolarWinds attack in 2020.”

“Transparency is the foundation of trust, and Microsoft needs to be more transparent,” he said.

In response, Smith testified that Microsoft has made changes to its corporate governance structure to improve enterprisewide cybersecurity efforts and “integrate security into every process.” The company has added deputy CISOs to each of its components as part of its Secure Future Initiative, Smith said. The company launched the initiative in November 2023 (see: Microsoft Overhauls Security Practices After Major Breaches).

Smith also told lawmakers he is not aware of any vulnerabilities within Microsoft’s operating system that could affect government networks and said the company was “focused on identifying every vulnerability our employees can find.”

AJ Grotto, director of Stanford University’s geopolitics, technology and governance program and former senior White House director for cyber policy, said Microsoft “uses restrictive licensing to dominate the public sector” despite repeatedly putting federal networks in harm’s way.

“We’ve become accustomed to security flaws in Microsoft’s products, followed by promises from Microsoft to improve security, only to have the cycle repeat – with no consequences for Microsoft,” Grotto said in a statement sent to Information Security Media Group. Grotto urged lawmakers to demand the company “develop and share with Congress a plan for diversifying its exposure to cybersecurity risk.”

Smith told the House committee Microsoft has begun implementing 16 of the CSRB’s recommendations that apply directly to the company and added an additional 18 security measures to help improve its overall cyber posture.

Asked directly about the risk associated with the federal government’s reliance on a single technology vendor, Smith acknowledged potential concerns but said a network with too many players could be equally problematic.

“Just as there is risk relying on one vendor, there are risks in relying on multiple vendors,” Smith said. “Fundamentally, whether you have one vendor or multiple, the problem is similar – we all need to work together and just keep making progress.”

Microsoft President Brad Smith testifies before the House Committee on Homeland Security on June 13, 2024.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Major Security Failures, Microsoft


Jun 12 2024

20,000 FortiGate appliances compromised by Chinese hackers

Category: Hacking,Security Breachdisc7 @ 7:43 am

How Coathanger persists on FortiGate devices

In February 2024, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) made it known that Chinese state-sponsored hackers breached the Dutch Ministry of Defense in 2023 by exploiting a known FortiOS pre-auth RCE vulnerability (CVE-2022-42475), and used novel remote access trojan malware to create a persistent backdoor.

The RAT was dubbed Coathanger and found to be capable of surviving reboots and firmware upgrades. It’s also difficult to detect its presence by using FortiGate CLI commands, and to remove it from compromised devices.

The security services shared indicators of compromise and a variety of detection methods in an advisory, and explained that “the only currently identified way of removing [it] from an infected FortiGate device involves formatting the device and reinstalling and reconfiguring the device.”

They also attributed the intrusion and the malware to a Chinese cyber-espionage group.

A widespread campaign

On Monday, the Dutch National Cyber Security Center said that the MIVD continued to investigate the campaign, and found that:

  • The threat actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023
  • They exploited the FortiOS vulnerability (CVE-2022-42475) as a zero-day, at least two months before Fortinet announced it

“During this so-called ‘zero-day’ period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the NCSC said.

The threat actor installed the Coathanger malware at a later time, on devices of relevant targets.

“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” they said, and added that given the difficult discovery and clean-up process, “it is likely that the state actor still has access to systems of a significant number of victims.”

Another problem is that the Coathanger malware can be used in combination with any present or future vulnerability in FortiGate devices – whether zero- or N-day.

Advice for organizations

“Initial compromise of an IT network is difficult to prevent if the attacker uses a zero-day. It is therefore important that organizations apply the ‘assume breach’ principle,” the NCSC opined.

“This principle states that a successful digital attack has already taken place or will soon take place. Based on this, measures are taken to limit the damage and impact. This includes taking mitigating measures in the areas of segmentation, detection, incident response plans and forensic readiness.”

(In the attack targeting the Dutch MoD, the effects of the intrusion were limited due to effective network segmentation.)

Finally, the NCSC noted that the problem is not specifically Fortinet appliances, but “edge” devices – firewalls, VPN servers, routers, SMTP servers, etc. – in general.

“Recent incidents and identified vulnerabilities within various edge devices show that these products are often not designed according to modern security-by-design principles,” they said. Because almost every organization has one or more edge devices deployed, they added, it pays for threat actors to look for vulnerabilities affecting them.

The NCSC has, therefore, published helpful advice on how organizations should deal with using edge devices.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Chinese hackers, FortiGate appliances, The Hacker and the State


Jun 11 2024

YOUR AZURE SECURITY AT RISK? HOW HACKERS ARE EXPLOITING AZURE SERVICE TAGS (AND HOW TO STOP THEM)?

Category: Hacking,Risk Assessmentdisc7 @ 8:24 am

A significant security vulnerability has been discovered by Tenable Research that affects Azure customers relying on Service Tags for their firewall rules. This vulnerability allows attackers to bypass Azure firewall rules, posing a substantial risk to organizations using these configurations. Here’s an in-depth look at the vulnerability, how it can be exploited, and crucial defensive measures to mitigate the risk.

Azure Security

INITIAL DISCOVERY IN AZURE APPLICATION INSIGHTS

Tenable Research initially uncovered the vulnerability within Azure Application Insights, a service designed to monitor and analyze web applications’ performance and availability. The Availability Tests feature of Azure Application Insights, intended to check the accessibility and performance of applications, was found to be susceptible to abuse. Users can control server-side requests in these tests, including adding custom headers and changing HTTP methods. This control can be exploited by attackers to forge requests from trusted services, mimicking a server-side request forgery (SSRF) attack.

EXPANSION TO MORE THAN 10 OTHER AZURE SERVICES

Upon further investigation, Tenable Research found that the vulnerability extends beyond Azure Application Insights to more than 10 other Azure services. These include:

  • Azure DevOps
  • Azure Machine Learning
  • Azure Logic Apps
  • Azure Container Registry
  • Azure Load Testing
  • Azure API Management
  • Azure Data Factory
  • Azure Action Group
  • Azure AI Video Indexer
  • Azure Chaos Studio

Each of these services allows users to control server-side requests and has an associated Service Tag, creating potential security risks if not properly mitigated.

HOW ATTACKERS CAN EXPLOIT THE VULNERABILITY

Attackers can exploit the vulnerability in Azure Service Tags by abusing the Availability Tests feature in Azure Application Insights. Below are detailed steps and examples to illustrate how an attacker can exploit this vulnerability:

1. Setting Up the Availability Test:

  • Example Scenario: An attacker identifies an internal web service within a victim’s Azure environment that is protected by a firewall rule allowing traffic only from Azure Application Insights.
  • Action: The attacker sets up an Availability Test in Azure Application Insights, configuring it to target the internal web service.

2. Customizing the Request:

  • Manipulating Headers: The attacker customizes the HTTP request headers to include authorization tokens or other headers that may be expected by the target service.
  • Changing HTTP Methods: The attacker can change the HTTP method (e.g., from GET to POST) to perform actions such as submitting data or invoking actions on the target service.
  • Example Customization: The attacker configures the test to send a POST request with a custom header “Authorization: Bearer <malicious-token>”.

3. Sending the Malicious Request:

  • Firewall Bypass: The crafted request is sent through the Availability Test. Since it originates from a trusted Azure service (Application Insights), it bypasses the firewall rules based on Service Tags.
  • Example Attack: The Availability Test sends the POST request with the custom header to the internal web service, which processes the request as if it were from a legitimate source.

4. Accessing Internal Resources:

  • Unauthorized Access: The attacker now has access to internal APIs, databases, or other services that were protected by the firewall.
  • Exfiltration and Manipulation: The attacker can exfiltrate sensitive data, manipulate internal resources, or use the access to launch further attacks.
  • Example Impact: The attacker retrieves confidential data from an internal API or modifies configuration settings in an internal service.

DETAILED EXAMPLE OF EXPLOIT

Scenario: An organization uses Azure Application Insights to monitor an internal financial service. The service is protected by a firewall rule that allows access only from the ApplicationInsightsAvailability Service Tag.

  1. Deploying an Internal Azure App Service:
    • The organization has a financial application hosted on an Azure App Service with firewall rules configured to accept traffic only from the ApplicationInsightsAvailability Service Tag.
  2. Attempted Access by the Attacker:
    • The attacker discovers the endpoint of the internal financial application and attempts to access it directly. The firewall blocks this attempt, returning a forbidden response.
  3. Exploiting the Vulnerability:
    • Setting Up the Test: The attacker sets up an Availability Test in Azure Application Insights targeting the internal financial application.
    • Customizing the Request: The attacker customizes the test to send a POST request with a payload that triggers a financial transaction, adding a custom header “Authorization: Bearer <malicious-token>”.
    • Sending the Request: The Availability Test sends the POST request to the internal financial application, bypassing the firewall.
  4. Gaining Unauthorized Access:
    • The financial application processes the POST request, believing it to be from a legitimate source. The attacker successfully triggers the financial transaction.
    • Exfiltration: The attacker sets up another Availability Test to send GET requests with custom headers to extract financial records from the application.

ADVANCED EXPLOITATION TECHNIQUES

1. Chain Attacks:

  • Attackers can chain multiple vulnerabilities or services together to escalate their privileges and impact. For example, using the initial access gained from the Availability Test to find other internal services or to escalate privileges within the Azure environment.

2. Lateral Movement:

  • Once inside the network, attackers can move laterally to compromise other services or extract further data. They might use other Azure services like Azure DevOps or Azure Logic Apps to find additional entry points or sensitive data.

3. Persistent Access:

  • Attackers can set up long-term Availability Tests that periodically execute, ensuring continuous access to the internal services. They might use these persistent tests to maintain a foothold within the environment, continuously exfiltrating data or executing malicious activities.

DEFENSIVE MEASURES

To mitigate the risks associated with this vulnerability, Azure customers should implement several defensive measures:

1. Analyze and Update Network Rules:

  • Conduct a thorough review of network security rules.
  • Identify and analyze any use of Service Tags in firewall rules.
  • Assume services protected only by Service Tags may be vulnerable.

2. Implement Strong Authentication and Authorization:

  • Add robust authentication and authorization mechanisms.
  • Use Azure Active Directory (Azure AD) for managing access.
  • Enforce multi-factor authentication and least privilege principles.

3. Enhance Network Isolation:

  • Use network security groups (NSGs) and application security groups (ASGs) for granular isolation.
  • Deploy Azure Private Link to keep traffic within the Azure network.

4. Monitor and Audit Network Traffic:

  • Enable logging and monitoring of network traffic.
  • Use Azure Monitor and Azure Security Center to set up alerts for unusual activities.
  • Regularly review logs and audit trails.

5. Regularly Update and Patch Services:

  • Keep all Azure services and applications up to date with security patches.
  • Monitor security advisories from Microsoft and other sources.
  • Apply updates promptly to minimize risk.

6. Use Azure Policy to Enforce Security Configurations:

  • Deploy Azure Policy to enforce security best practices.
  • Create policies that require strong authentication and proper network configurations.
  • Use Azure Policy initiatives for consistent application across resources.

7. Conduct Security Assessments and Penetration Testing:

  • Perform regular security assessments and penetration testing.
  • Engage with security experts or third-party services for thorough reviews.
  • Use tools like Azure Security Benchmark and Azure Defender.

8. Educate and Train Staff:

  • Provide training on risks and best practices related to Azure Service Tags and network security.
  • Ensure staff understand the importance of multi-layered security.
  • Equip teams to implement and manage security measures effectively.

https://www.securitynewspaper.com/2024/05/16/how-to-implement-principle-of-least-privilegecloud-security-in-aws-azure-and-gcp-cloud/embed/#?secret=4TeHUyw59w#?secret=RHf1cNP2eR

The vulnerability discovered by Tenable Research highlights significant risks associated with relying solely on Azure Service Tags for firewall rules. By understanding the nature of the vulnerability and implementing the recommended defensive measures, Azure customers can better protect their environments and mitigate potential threats. Regular reviews, updates, and a multi-layered security approach are essential to maintaining a secure Azure environment.

Azure Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Azure Security


Jun 10 2024

Duckduckgo Launches Anonymous AI Chatbots

Category: Anonymousdisc7 @ 7:10 am

DuckDuckGo has unveiled a new feature, AI Chat, which offers users an anonymous way to access popular AI chatbots.

This innovative service includes models like OpenAI’s GPT 3.5 Turbo, Anthropic’s Claude 3 Haiku, and two open-source models, Meta Llama 3 and Mistral’s Mixtral 8x7B.

A New Era Of Private AI Interaction

DuckDuckGo’s AI Chat is designed to provide a private and anonymous experience for users who want to interact with AI chatbots.

This optional feature is free to use within a daily limit and can be easily switched off if desired.

The company emphasizes that all chats are private, anonymized, and not used for any AI model training.

According to the Spreadprivacy blog, Users can access DuckDuckGo AI Chat through various entry points, including duck.ai, duckduckgo.com/chat, the Chat tab on search results pages, or via the !ai and !chat bang shortcuts.

All these routes lead to the same destination, ensuring a seamless user experience.

Why AI Chat?

DuckDuckGo’s mission is to demonstrate that online privacy can be easily maintained.

The company believes people should be able to use the internet and digital tools without sacrificing their privacy.

This philosophy has driven the development of products that add a layer of privacy to everyday online activities, from search and browsing to email and now generative AI with AI Chat.

According to recent Pew research, many U.S. adults have concerns about AI’s impact on privacy, even as they recognize its potential benefits in other areas.

DuckDuckGo AI Chat aims to address these concerns by offering a private and anonymous way to use AI chatbots.

Enhancing The Search Experience

DuckDuckGo takes a thoughtful approach to integrating AI features in the competitive landscape of generative AI.

Before rolling out, the company carefully considers how these features can enhance the search and browsing experience.

AI Chat and search are seen as complementary tools that can help users find information more effectively, especially when exploring new topics.

For instance, users might start with AI Chat to ask a few questions and then switch to traditional search to find reviews, prices, or other primary sources.

Conversely, they might begin with a search and then use AI Chat for follow-up queries.

This flexibility allows users to choose the method that best suits their needs.

How It Works And Ensures Privacy

Users can select their preferred chat model and interact like any other chat interface when they land on the AI Chat page.

All chats are completely anonymous, with DuckDuckGo removing users’ IP addresses and using its own instead.

This ensures that requests appear from DuckDuckGo, not the individual user.

DuckDuckGo does not save or store any chats. While the underlying model providers may temporarily store chats to ensure system functionality, they cannot trace them back to individual users.

Agreements with model providers ensure that any saved chats are deleted within 30 days and are not used for model training.

AI Chat is free to use within a daily limit, maintaining strict user anonymity.

DuckDuckGo plans to keep the current level of access free while exploring a paid plan for higher usage limits and more advanced chat models.

DuckDuckGo is already working on improvements to AI Chat, including new capabilities like custom system prompts and general user experience enhancements.

The company also plans to add more chat models, potentially including DuckDuckGo– or user-hosted options.

Users are encouraged to provide feedback on desired features via the Share Feedback button on the AI Chat screen.

To experience DuckDuckGo AI Chat, visit duck.ai or duckduckgo.com/chat.

You can also find it on your search results page under the Chat tab or initiate a chat using the !ai or !chat bang shortcuts.

If AI Chat isn’t for you, it can be easily disabled in the Search settings menu.

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Chatbots, DuckDuckGo


Jun 06 2024

How to Implement ISO 27001: A 9-Step Guide

Category: Information Security,ISO 27kdisc7 @ 8:47 am
https://itgovernance.eu/blog/en/a-9-step-guide-to-implementing-iso-27001?

How to Implement ISO 27001: A 9-Step Guide

The hardest part of many projects is knowing where to start.

ISO 27001 is no exception. This standard describes best practice for an ISMS (information security management system).

In other words, it lays out the requirements you must meet, but doesn’t show you the how. How you can adopt or implement them.

With ISO 27001:2013 certification no longer available, many organisations are preparing to adopt the 2022 version of the standard – which means tackling a new Annex A control set, among other new requirements.

ISO 27k Chat bot

1. Project mandate

The implementation project should begin by appointing a project leader.

They’ll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:

  • What do we hope to achieve?
  • How long will the project take?
  • Does the project have top management support?
  • What resources – financial and otherwise – will the project need?

2. Develop the ISO 27001 implementation plan

The next step is to use your project mandate to create a more detailed outline of:

  • Your information security objectives;
  • Your project risk register;
  • Your project plan; and
  • Your project team.

Information security objectives

Your information security objectives should be more granular and specific than your answer to ‘What do we hope to achieve?’ from step 1.

They’ll inform and be included in your top-level information security policy. They’ll also shape how the ISMS is applied.

Project risk register

Your project risk register should account for risks to the project itself, which might be:

  • Managerial – will operational management continue to support the project?
  • Budgetary – will funding continue to see the project through?
  • Legal – are specific legal obligations at risk?
  • Cultural – will staff resist change?

Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.

Project plan

The project plan should detail the actions you must take to implement the ISMS.

This should include the following information:

  • Resources required
  • Responsibilities
  • Review dates
  • Deadlines

Project team

The project team should represent the interests of every part of the organisation and include various levels of seniority.

Drawing up a RACI matrix can help with this. This identifies, for the project’s key decisions, who’s:

  • Responsible;
  • Accountable;
  • Consulted; and
  • Informed.

One critical person to appoint and include in the project team is the information security manager. They’ll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.


3. ISMS initiation

You’re now ready to initiate your ISMS!

Documentation structure

A big part of this is establishing your documentation structure – any management system is very policy- and procedure-driven.

We recommend a four-tier approach:

A. Policies
These are at the top of the ‘pyramid’, defining your organisation’s position and requirements.

B. Procedures
These enact the requirements of your policies at a high level.

C. Work instructions
These set out how employees implement individual elements of the procedures.

D. Records
These track the procedures and work instructions, providing evidence that you’re following them consistently and correctly.

This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring you implement policies at each level of your organisation. Plus, that you develop well-functioning, cohesive processes.

Tips for more effective policies and procedures

Your policies and procedures must also be effective. Here are four tips:

  1. Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
  2. Keep them clear and straightforward, so staff can easily follow your procedures.
  3. Use version control, so everyone knows which is the latest document.
  4. Avoid duplication. This will also help with the version control.

Make sure you systematically communicate your documentation – particularly new or updated policies – throughout your organisation. Be sure to also communicate them to other stakeholders.

Continual improvement

As part of your ISMS initiation, you’ll need to select a continual improvement methodology.

First, understand that continual improvement might sound expensive, but is cost-effective if done well. As ISO 27001 pioneer Alan Calder explains:

Continual improvement means getting better results for your investment. That typically means one of two things:

1. Getting the same results while spending less money.
2. Getting better results while spending the same amount of money.

Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.

But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step, or automating some manual work.

While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesn’t specify any particular continual improvement methodology.

Instead, you can use whatever method you wish, so long as it continually improves the ISMS’s “suitability, adequacy and effectiveness” (Clause 10.1). That can include a continual improvement model you’re already using for another activity.


ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

Key strategies for ISO 27001:2022 compliance adoption

What is ISO 27002:2022

ISO 27k Chat bot

Implementation Guide ISO/IEC 27001:2022

Please send an email related to ISO27001:2022 implementation to info@DeuraInfoSec.com and we are happy to help!

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Implement ISO 27001, ISO 27001 2022


Jun 05 2024

Unauthorized AI is eating your company data, thanks to your employees

Category: AI,Data Breach,data securitydisc7 @ 8:09 am
https://www.csoonline.com/article/2138447/unauthorized-ai-is-eating-your-company-data-thanks-to-your-employees.html

Legal documents, HR data, source code, and other sensitive corporate information is being fed into unlicensed, publicly available AIs at a swift rate, leaving IT leaders with a mounting shadow AI mess.

Employees at many organizations are engaging in widespread use of unauthorized AI models behind the backs of their CIOs and CISOs, according to a recent study.

Employees are sharing company legal documents, source code, and employee information with unlicensed, non-corporate versions of AIs, including ChatGPT and Google Gemini, potentially leading to major headaches for CIOs and other IT leaders, according to research from Cyberhaven Labs.

About 74% of the ChatGPT use at work is through non-corporate accounts, potentially giving the AI the ability to use or train on that data, says the Cyberhaven Q2 2024 AI Adoption and Risk Report, based on actual AI usage patterns of 3 million workers. More than 94% of workplace use of Google AIs Gemini and Bard are from non-corporate accounts, the study reveals.

Nearly 83% of all legal documents shared with AI tools go through non-corporate accounts, the report adds, while about half of all source code, R&D materials, and HR and employee records go into unauthorized AIs.

The amount of data put into all AI tools saw nearly a five-fold increase between March 2023 and March 2024, according to the report. “End users are adopting new AI tools faster than IT can keep up, fueling continued growth in ‘shadow AI,’” the report adds.

Where does the data go?

At the same time, many users may not know what happens to their companies’ data once they share it with an unlicensed AI. ChatGPT’s terms of use, for example, say the ownership of the content entered remains with the users. However, ChatGPT may use that content to provide, maintain, develop, and improve its services, meaning it could train itself using shared employee records. Users can opt out of ChatGPT training itself on their data.

So far, there have been no high-profile reports about major company secrets spilled by large public AIs, but security experts worry about what happens to company data once an AI ingests it. On May 28, OpenAI announced a new Safety and Security Committee to address concerns.

It’s difficult to assess the risk of sharing confidential or sensitive information with publicly available AIs, says Brian Vecci, field CTO at Varonis, a cloud security firm. It seems unlikely that companies like Google or ChatGPT developer OpenAI will allow their AIs to leak sensitive business data to the public, given the headaches such disclosures would cause them, he says.

Still, there aren’t many rules governing what AI developers can do with the data users provide them, some security experts note. Many more AI models will be rolled out in the coming years, Vecci says.

“When we get outside of the realm of OpenAI and Google, there are going to be other tools that pop up,” he says. “There are going to be AI tools out there that will do something interesting but are not controlled by OpenAI or Google, which presumably have much more incentive to be held accountable and treat data with care.”

The coming wave of second- and third-tier AI developers may be fronts for hacking groups, may see profit in selling confidential company information, or may lack the cybersecurity protections that the big players have, Vecci says.

“There’s some version of an LLM tool that’s similar to ChatGPT and is free and fast and controlled by who knows who,” he says. “Your employees are using it, and they’re forking over source code and financial statements, and that could be a much higher risk.”

Risky behavior

Sharing company or customer data with any unauthorized AI creates risk, regardless of whether the AI model trains on that data or shares it with other users, because that information now exists outside company walls, adds Pranava Adduri, CEO of Bedrock Security.

Adduri recommends organizations sign licensed deals, containing data use restrictions, with AI vendors so that employees can experiment with AI.

“The problem boils down to the inability to control,” he says. “If the data is getting shipped off to a system where you don’t have that direct control, usually the risk is managed through legal contracts and legal agreements.”

AvePoint, a cloud data management company, has signed an AI contract to head off the use of shadow AI, says Dana Simberkoff, chief risk, privacy, and information security officer at the company. AvePoint thoroughly reviewed the licensing terms, including the data use restrictions, before signing.

A major problem with shadow AI is that users don’t read the privacy policy or terms of use before shoveling company data into unauthorized tools, she says.

“Where that data goes, how it’s being stored, and what it may be used for in the future is still not very transparent,” she says. “What most everyday business users don’t necessarily understand is that these open AI technologies, the ones from a whole host of different companies that you can use in your browser, actually feed themselves off of the data that they’re ingesting.”

Training and security

AvePoint has tried to discourage employees from using unauthorized AI tools through a comprehensive education program, through strict access controls on sensitive data, and through other cybersecurity protections preventing the sharing of data. AvePoint has also created an AI acceptable use policy, Simberkoff says.

Employee education focuses on common employee practices like granting wide access to a sensitive document. Even if an employee only notifies three coworkers that they can review the document, allowing general access can enable an AI to ingest the data.

“AI solutions are like this voracious, hungry beast that will take in anything that they can,” she says.

Using AI, even officially licensed ones, means organizations need to have good data management practices in place, Simberkoff adds. An organization’s access controls need to limit employees from seeing sensitive information not necessary for them to do their jobs, she says, and longstanding security and privacy best practices still apply in the age of AI.

Rolling out an AI, with its constant ingestion of data, is a stress test of a company’s security and privacy plans, she says.

“This has become my mantra: AI is either the best friend or the worst enemy of a security or privacy officer,” she adds. “It really does drive home everything that has been a best practice for 20 years.”

Simberkoff has worked with several AvePoint customers that backed away from AI projects because they didn’t have basic controls such as an acceptable use policy in place.

“They didn’t understand the consequences of what they were doing until they actually had something bad happen,” she says. “If I were to give one really important piece of advice it’s that it’s okay to pause. There’s a lot of pressure on companies to deploy AI quickly.”

Credit: Moon Safari / Shutterstock

Artificial Intelligence for Cybersecurity 

ChatGPT for Cybersecurity Cookbook: Learn practical generative AI recipes to supercharge your cybersecurity skills

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Artificial Intelligence for Cybersecurity, ChatGPT for Cybersecurity


Next Page »