The journey for someone to the role of Chief Information Security Officer (CISO) isn’t often straightforward. Take Sandy Dunn, for example. Per SailPoint, Sandy started as a paper delivery kid at 10 years old. She then worked her way through software sales, insurance, and even horses before becoming the CISO of a health insurance provider in Idaho.

All these “entry-level” jobs share one thing in common. They gave Sandy the experience to fulfill a CISO’s multifaceted responsibilities. But don’t just take my word for it. Check out my conversation with Sandy below.

“One skill I think every CISO needs is business acumen.”

Joe Pettit: Thanks for taking the time to speak with me today, Sandy. I would love to hear some of your views on the role of the modern CISO. How is it changing, and what are the essential skills that a CISO should have now?

Sandy Dunn: The required skills for a CISO is an interesting question. Every business is different, so really every CISO role will be slightly different with different expectations for where they fit in the organization. One skill I think every CISO needs is business acumen. You need to be able to understand how security fits into that specific business. Having some level of technical skills is important, too. It helps you with effective communication with your cybersecurity team about issues, tools, proposed remediation, and then to be able to explain everything they just told you back to the business or put it into a business context. Technical knowledge will benefit you in understanding the severity of a problem, too (independent of the volume of the voice who is bringing it) and determine if a situation is a one-alarm fire or a five-alarm fire.

“…one of the things I really had to (Read more…)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Joe Pettit. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/ciso-interview-series-investing-in-frameworks-humans-and-your-technical-skills/

The 5 Roles of Leadership: Tools & best practices for personable and effective leaders

MITRE Corporation has released the tenth version of ATT&CK, its globally accessible (and free!) knowledge base of cyber adversary tactics and techniques based on real-world observations.

Version ten comes with new Data Source objects, new and changed techniques in its various matrices, key changes to facilitate hunting in ICS environments, and more.

MITRE ATT&CK v10

The most prominent change in this newest version of the framework is new objects with aggregated information about data sources.

“The data source object features the name of the data source as well as key details and metadata, including an ID, a definition, where it can be collected (collection layer), what platform(s) it can be found on, and the data components highlighting relevant values/properties that comprise the data source,” MITRE ATT&CK Content Lead Amy L. Robertson and cybersecurity engineers Alexia Crumpton and Chris Ante explained.

“These data sources are available for all platforms of Enterprise ATT&CK, including our newest additions that cover OSINT-related data sources mapped to PRE platform techniques.”

Changes in ATT&CK for ICS and the Mobile matrices are focused on providing all the features currently provided in the Enterprise matrices.

“v10 also includes cross-domain mappings of Enterprise techniques to software that were previously only represented in the ICS Matrix, including Stuxnet, Industroyer, and several others. The fact that adversaries don’t respect theoretical boundaries is something we’ve consistently emphasized, and we think it’s crucial to feature Enterprise-centric mappings for more comprehensive coverage of all the behaviors exhibited by the software,” they added.

The complete release notes for MITRE ATT&CK v10 can be found here.

Facebook announced to have designed a new tool, named SSRF Dashboard, that allows security researchers to search for Server-Side Request Forgery (SSRF) vulnerabilities.

Server-side request forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain chosen by the attacker.

“In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.”

“This tool is a simple UI where researchers can generate unique internal endpoint URLs for targeting. The UI will then show the number of times these unique URLs have been hit as a result of a SSRF attempt. Researchers can leverage this tool as part of their SSRF proof of concept to reliably determine if they have been successful.” states Facebook.

SSRF Dashboard allows researchers to create unique internal endpoint URLs that could be targeted by SSRF attacks and determine if they have been hit. The tool allows researchers to test their SSRF proof-of-concept (PoC) code.

Pentesters could report any SSRF flat to the company by including the ID of the SSRF attempt url that they used along with their PoC.

Additional information on the utility can be found here.

The FIN7 hacking group is attempting to enter in the ransomware business and is doing it with an interesting technique. The gang space creates fake cybersecurity companies that hire experts requesting them to carry out pen testing attacks under the guise of pentesting activities.

FIN7 is a Russian criminal group that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

One of the companies created by the cyber criminal organizations with this purpose is Combi Security, but researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Security.

The Bastion Secure website is hosted on the Russian domain registrar Beget, which is popular in the Russian cybercrime communities. Most of the submenus of the site return a Russian-language HTTP 404 error, a circumstance that suggests the site creators were Russian speakers. At the time of the report, some of the HTTP 404 errors remain unfixed.

The website is a clone of the website of Convergent Network Solutions Ltd, Bastion Secure’s ‘About’ page states that is a spinoff of the legitimate cybersecurity firm that anyway not linked to the criminal gang.

Pentest as a Service (PtaaS)

The Commerce Department’s Bureau of Industry and Security (BIS) would ban U.S. firms from selling hacking tools to authoritarian regimes.

The Commerce Department’s Bureau of Industry and Security (BIS) would introduce a new export control rule aimed at banning the export or resale of hacking tools to authoritarian regimes. 

The rule announced by the BIS tightens export controls on technology that could be used by adversaries to conduct malicious cyber activities and surveillance of private citizens resulting in human rights abuse.

The rull will become effective in 90 days and will ban the export of “cybersecurity items” for National Security (NS) and Anti-terrorism (AT) reasons.

“Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in the circumstances described. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.” reads the announcement published by the Bureau of Industry and Security, Commerce.

The new License Exception Authorized Cybersecurity Exports would allow the export, reexport and transfer (in-country) of ‘cybersecurity items’ to most destinations, while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern.  The license will be required for those countries subject to a U.S. arms embargo.

The complete list includes states of weapons of mass destruction or national security concern or subject to a U.S. arms embargo.

The rule is consistent with the result of BIS’s negotiations in the Wassenaar Arrangement (W.A.) multilateral export control regime and results from a review of comments from Congress, the private sector, academia, civil society, and other stakeholders.

A China-linked hacking group, tracked as LightBasin (aka UNC1945), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.

The campaign was uncovered by CrowdStrike by investigating a series of security incidents in multiple countries, the security firm added that the threat actors show an in-depth knowledge of telecommunications network architectures.

“LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.” reads the report published by Crowdstrike. “Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.”

The hacking group initially compromised one of the telecommunication companies by leveraging external DNS (eDNS) servers which are part of the General Packet Radio Service (GPRS) network.

The eDNS are used in roaming between different mobile operators, threat actors leveraged it to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously deployed implants.

The group was able to target other telecommunications-specific systems in the GPRS network such as Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS), and Operation and Maintenance Units (OMU).

Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak either third-party-focused passwords (i.e. huawei) for the initial compromise.

FBI, CISA, NSA have published a joint advisory about the operation of the BlackMatter ransomware gang and provides defense recommendations.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.

This advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well from trusted third-party reporting.

The BlackMatter group launched its operations at at the end of July, the gang claims to be the successor of Darkside and REvil groups. Like other ransomware operations, BlackMatter also set up its leak site where it publishes data exfiltrated from the victims before encrypting their system.

The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.

#MachineLearning: Hacking Tools for Computer + Hacking With Kali Linux + Python Programming- The ultimate beginners guide to improve your knowledge of programming and data science

Working from home comes with a slew of security concerns. Businesses planning to look at remote work as a long-term strategy should take the time to reassess any “band-aid” security solutions that may have been applied at the beginning of the pandemic and look at ways that security can be prioritized permanently.

Here are the top tactics businesses should keep in mind as they transition to a fully remote workplace:

White hat hackers earned $1.88 million at the Tianfu Cup hacking contest by finding vulnerabilities in popular software.

The Tianfu Cup is the most important hacking contest held in China, this year white hat hackers earned $1.88 Million demonstrating vulnerabilities in popular software.

The edition of this year took place on October 16 and 17 in the city of Chengdu, participants had three attempts of 5 minutes to demonstrate their exploits.

The winner is the security firm Kunlun Lab who earned $654,500, below the tweet of the amazing expert @mj0011 CEO of Cyber-Kunlun & Kunlun Lab and former CTO of Qihoo 360 and founder of team 360Vulcan.

US Treasury says there was $590M in suspicious ransomware activity in H1 2021, exceeding the entire amount in 2020, when $416M was reported  —  Suspicious activity reports related to ransomware jumped significantly in 2021, according to the U.S. Treasury Department’s Financial Crimes Enforcement Network.

There was $590 million in suspicious activity related to ransomware in the first six months of 2021, exceeding the entire amount in 2020, when $416 million was reported, according to a report released Friday by the U.S. Treasury Department’s Financial Crimes Enforcement Network.

The average amount of reported ransomware transactions per month in 2021 was $102.3 million, according to the report. If the current trend continues, suspicious activity reports filed in 2021 “are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined,” according to the report. SARs is shorthand for suspicious activity reports.

U.S. based cybersecurity companies filed most of the SARs related to ransomware while banks and cryptocurrency exchanges filed more than a third of the reports. The reports reflect just how quickly ransomware attacks have grown.

The report offers new insight into the scale of ransomware attacks devastating U.S. businesses and impacting critical infrastructure. A Treasury spokesperson said the SARs don’t represent all ransomware payments. 

Reporting ransomware payments to the Treasury via a suspicious activity report is often a requirement of cybersecurity insurance policies, according to a person familiar with the matter. 

The Treasury Department also identified 68 ransomware variants, noting that the most commonly reported types were REvil, Conti and DarkSide. Ransomware groups often sell their malware, or variant, to affiliates who then use it to plot attacks, in what is known as ransomware-as-a-service. REvil, Conti and DarkSide are suspected by cybersecurity firms of being tied to Russia in some way — because they use the Russian language or are suspected of being based there.  

The report was filed as the Treasury Department issued guidance to the virtual currency industry to prevent exploitation by entities sanctioned by the U.S. and ransomware groups. It is part of a broader effort by the Biden administration to attempt to curb ransomware attacks. In ransomware attacks, hackers encrypt a victim’s files and promise to unlock them if they are paid a fee.

Among the more notable attacks were those in May on Colonial Pipeline Co. in May that squeezed fuel supplies on the East Coast and on the meatpacker JBS SA. 

The Treasury report stated that ransomware actors are increasingly requesting payment in cryptocurrencies like Monero, which are designed to enhance anonymity. 

More: BleepingComputer, The Record, CNET, The Hill, PYMNTS.com, CyberScoop, and CoinDesk

“Today’s hyper-targeted spear phishing attacks, coming at users from all digital channels, are simply not discernable to the human eye. Add to that the increasing number of attacks coming from legitimate infrastructure, and the reason phishing is the number one thing leading to disruptive ransomware attacks is obvious.”

Human interaction online has largely moved to the cloud

Apps and browsers are used as humans connect with work, family, and friends. Cybercriminals are taking advantage of this by attacking outside of email and taking advantage of less protected channels like SMS text, social media, gaming, collaboration tools, and search apps.

Spear phishing and human hacking from legitimate infrastructure increased in August 2021, 12% (or 79,300) of all malicious URLs identified came from legitimate cloud infrastructure like including AWS, Azure, outlook.com, and sharepoint.com – enabling cybercriminals the opportunity to easily evade current detection technologies.

There was also a 51% increase in phishing in 2021 compared to 2020. That is on top of triple-digit growth in attacks in 2020 over the previous year.

A joint cybersecurity advisory published by US agencies revealed that three ransomware attacks on wastewater systems this year.

A joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA revealed three more attacks launched by Ransomware gangs against US water and wastewater treatment facilities (WWS) this year.

This is the first time that these attacks are publicly disclosed, they took place in March, July, and August respectively. The three facilities hit by ransomware operators are located in the states of Nevada, Maine, and California. In all the attacks the ransomware encrypting files on the infected systems and in one of the security incidents threat actors compromised a system used to control the SCADA industrial equipment.

The advisory reports common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks of WWS facilities, they include:

• Spearphishing campaign aimed at the personnel to deliver malicious payloads such as ransomware and RAT;
• Exploitation of services and applications exposed online that enable remote access to WWS networks (i.e. RDP accesses);
• Exploitation of vulnerabilities affecting control systems running vulnerable firmware versions.

The three new incidents included in the advisory

What’s the Difference Between OT, ICS, SCADA and DCS?

The former chief software officer for the U.S. Air Force, Nicolas Chaillan, says the U.S. is falling far behind China in cybersecurity. In a no-holds-barred interview, he unloads his frustrations, built up over three years of inept bungling at the Pentagon.

He quit his job last month, in disgust. “We are setting up critical infrastructure to fail,” Chaillan warned. And now Defense Department officials will be bracing themselves for more criticism as he vows to testify to Congress.

Lauren Knausenberger now holds the poisoned chalice. In today’s SB Blogwatch, we plan to fail.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fruit salad word salad.

Beijing Back Better

What’s the craic? Katrina Manson reports—“Chaillan speaks of ‘good reason to be angry’ as Beijing heads for ‘global dominance’”:

Kindergarten level”
In his first interview since leaving the post at the Department of Defense a week ago, Nicolas Chaillan told [me] the failure of the US to respond to Chinese cyber and other threats was putting his children’s future at risk. “We have no competing fighting chance against China in 15 to 20 years. Right now, it’s already a done deal; it is already over in my opinion,” he said.
…
Chaillan, 37, who spent three years on a Pentagon-wide effort to boost cyber security and as first chief software officer for the US Air Force, said Beijing is heading for global dominance because of its advances in artificial intelligence, machine learning and cyber capabilities. He argued these emerging technologies were far more critical to America’s future than hardware such as big-budget fifth-generation fighter jets such as the F-35.
…
Senior defence officials have acknowledged they “must do better” to attract, train and retain young cyber talent. … Chaillan announced his resignation in a blistering letter at the start of September, saying military officials were repeatedly put in charge of cyber initiatives for which they lacked experience, decrying Pentagon “laggards” and absence of funding.
…
Chaillan said he plans to testify to Congress about the Chinese cyber threat to US supremacy, including in classified briefings, over the coming weeks. … He added US cyber defences in some government departments were at “kindergarten level.”

Ex-DoD Security Chief: China is Winning—it’s ‘A Done Deal’

The New Art of War: China’s Deep Strategy Inside the United States 

A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.

Coinbase is the world’s second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue — coinbase.com.password-reset[.]com — was targeting Italian Coinbase users (the site’s default language was Italian). And it was fairly successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.

More details on: How Coinbase Phishers Steal One-Time Passwords

It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish!

Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.

Tic-tac-toe (noughts and crosses outside North America), for example, is a solved game, because it’s easy to create a list of every possible play, and figure out the best possible move from every game position on the list. (If neither player makes a mistake then the game will always be a draw.)

Even games that are enormously more complex have been “solved” in this way too, such as checkers (draughts)…

…and in comparison to playing checkers, spotting phishing scams feels like an easy contest that the recipient of the message should always win.

And if phishing is a “solved game”, surely it’s not worth worrying about any more?

How hard can it be?

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails

Don’t Get Caught

The development team behind the Git GUI client GitKraken has fixed a vulnerability that was leading to the generation of weak SSH keys. The developers addressed the flaw with the release of version 8.0.1.

The issue resides in the open-source library used by the Git GUI client to generate SSH keys, all the keys generated using versions 7.6.x, 7.7.x, and 8.0.0 of GitKraken are potentially affected.

The latest version of the Git GUI client (version 8.0.1) uses a new SSH key generation library.

“This issue only affects GitKraken users who generated SSH keys through the GitKraken interface using versions 7.6.x, 7.7.x,  8.0.0. If you are not sure what version you used to generate your SSH key, we encourage you to renew your key through the following process.” reads the advisory.

“Affected users need to:

  1. Remove all old generated SSH keys stored locally. 

  2. Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers.“

The development team already notified the Git hosting service providers GitHub, Bitbucket, GitLab, and Azure DevOps, they also revoked the weak public keys used.

The development team is not aware of any accounts being compromised due to this weakness.

Jack draws on years of experience introducing quantified risk analysis to organizations like yours, to write An Adoption Guide For FAIR. In this free eBook, he’ll show you how to:

Lay the foundation for a change in thinking about risk

Plan an adoption program that suits your organization’s style.

Identify stakeholders and key allies for socialization of FAIR

Select and achieve an initial objective, then integrate business-aligned, risk-based practices across your organization.

Software patches are sometimes a bit like buses.

You don’t get one for a while, and then three come at once.

For buses on busy urban routes, at least, the explanation of the phenomenon goes something like this.

If three buses start out travelling the same route together in a nicely spaced sequence, then the first one is most likely to be the slowest, because it will be stopping to scoop up most of the waiting passengers, while the ones behind will tend to travel faster because they need to stop less often or for shorter periods.

So buses naturally tend to scrunch up and arrive in bursts.

Burst-mode software patches

When it comes to software patches, however, the problem often works the other way around.

If the first patch arrives too quickly, then it may not have been reviewed or tested quite as much as you might like.

So it’s not so much that the next patch in the queue catches up because the first one is too slow, but that the next one has to be completed in a rush to keep up…

…and, if you aren’t careful, then that second patch might itself beget a third patch, needed to patch the patch that patched the first patch.

Three Apache buses

And thus with Apache: just two days ago, we reported a path validation bug dubbed CVE-2021-41773 that was introduced in Apache 2.4.49:

We advised you to update to 2.4.50, which would indeed have protected you against at least some of the known exploits already circulating on Twitter.