Jun 25 2024

In what situations would a vCISO or CISOaaS service be appropriate?

Category: CISO, vCISO | disc7 @ 11:48 am

A virtual Chief Information Security Officer (vCISO) service, or CISO-as-a-Service (CISOaaS), may be appropriate for a variety of scenarios, including:

Your clients, collaborators (partners) and some regulatory requirements expect someone to fill the position of Chief Information Security Officer (CISO).
  1. Companies without an in-house CISO: Small and medium-sized companies may not have the budget or need for a full-time CISO. A vCISO service can provide these companies with access to a seasoned cybersecurity professional without having to hire a full-time employee.
  2. Companies experiencing rapid growth or change: Companies that are growing quickly or undergoing significant changes, such as mergers or acquisitions, may benefit from the expertise of a vCISO to help them navigate the cybersecurity implications of these changes.
  3. Companies with limited cybersecurity resources: Some companies may have an IT team but lack dedicated cybersecurity resources. A vCISO can help fill this gap by providing strategic guidance and oversight of the company’s cybersecurity program.
  4. Compliance requirements: Companies in regulated industries, such as healthcare or financial services, may require a CISO to meet regulatory requirements. A vCISO can help these companies meet compliance requirements with standards (ISO 27001) and regulations (PCI, HIPAA, NIST CSF, etc.) without having to hire a full-time CISO.
  5. Cybersecurity incident response: In the event of a cybersecurity incident, a vCISO can provide expertise and guidance to help the company respond effectively and minimize the impact of the incident.

Overall, a vCISO service can be a cost-effective way for companies to gain access to the expertise of a seasoned cybersecurity professional without having to hire a full-time employee.

Which organizations may need vCISO services:

  1. Small to Medium-Sized Enterprises (SMEs):
    • These businesses may not have the resources to hire a full-time CISO but still require expert guidance to manage their cybersecurity needs.
    • Industries: Technology startups, healthcare practices, legal firms, financial services, retail businesses, etc.
  2. Large Enterprises:
    • Large companies with existing security teams may use vCISO services for additional expertise, specific projects, or temporary coverage to assist the in-house CISO.
    • Industries: Finance, healthcare, manufacturing, utilities, telecommunications, etc.
  3. Non-Profit Organizations:
    • These organizations often need to protect sensitive donor and beneficiary information but might lack the budget for a full-time CISO.
    • Examples: Charitable organizations, educational institutions, and research entities.
  4. Government Agencies:
    • Small to mid-sized government entities may utilize vCISO services to bolster their cybersecurity posture and comply with regulations.
    • Examples: Local municipalities, state agencies, and public health departments.
  5. Regulated Industries:
    • Companies in heavily regulated industries need to adhere to strict compliance standards and may require specialized cybersecurity expertise.
    • Industries: Healthcare (HIPAA), finance (GLBA, SOX), and retail (PCI-DSS).
  6. Organizations Undergoing Digital Transformation:
    • Businesses that are adopting new technologies, moving to the cloud, or modernizing their IT infrastructure may need vCISO services to manage the associated security risks.
    • Examples: Companies implementing IoT, AI, or big data solutions.
  7. Businesses Experiencing Rapid Growth:
    • Fast-growing companies may face evolving cybersecurity challenges and can benefit from the strategic oversight of a vCISO.
    • Examples: Tech startups, e-commerce platforms, and fintech companies.
  8. Companies Preparing for Mergers and Acquisitions:
    • Businesses involved in M&A activities need to ensure that cybersecurity due diligence is performed and that their security posture is strong to protect sensitive data.
    • Examples: Investment firms, private equity groups, and merging corporations.
  9. Organizations Recovering from a Security Incident:
    • Companies that have experienced a breach or other security incident may hire a vCISO to help with incident response, recovery, and the implementation of stronger security measures.
    • Examples: Any business recovering from ransomware attacks, data breaches, or significant cybersecurity incidents that needs to mitigate risk to an acceptable level and improve its security posture.

DISC InfoSec can offer tailored cybersecurity solutions that align with the specific needs and constraints of different types of organizations.

CISOaaS

Organizations committed to prioritizing security encounter the difficulty of locating a Chief Information Security Officer (CISO) possessing the appropriate skills and knowledge. It becomes necessary for someone to take charge of the security and compliance strategy, but this requirement often surpasses the expertise possessed by operational IT/CIO.

What is CISOaaS?
Chief Information Security Officer-as-a-Service (CISOaaS) provides information security leadership from an appropriate pool of expertise. CISOaaS provides security guidance to senior management and drives the organization’s information security program.

CERT-In issues new guidelines for government bodies, mandates appointment of CISO. Read more at: https://lnkd.in/dKcdHMtP

The benefits of our CISOaaS

  • Gain access to a diverse pool of highly experienced and specialized senior cyber security professionals.
  • Rapidly access valuable resources and eliminate the necessity of retaining talent.
  • Reduce your expenses by paying solely for the necessary support, effectively minimizing costs.
  • Based on CISOaaS being engaged for four days a month annually at current prices. 
  • Based on your requirements, you can hire a vCISO 5-10 hours a week or per month.
  • Mitigate your risk by strengthening your cyber and information strategy through the implementation of a clearly defined roadmap, thereby enhancing your overall security posture.
  • Acquire valuable experience in effectively educating and presenting to board members and non-technical senior staff across diverse functional backgrounds.
  • Leverage our independent perspective and established credibility to secure comprehensive cross-business support and successfully accomplish your information security objectives.

Are you Ready? DISC InfoSec offers a free consultation to evaluate your security posture and GRC requirements, providing you with an actionable plan that starts here…

Deura InfoSec Partners with Ostendio to Streamline Compliance & Security Offerings

  • Strategic Partnership: Ostendio and Deura InfoSec have formed a partnership to enhance compliance and risk management services for Deura InfoSec clients using Ostendio’s GRC platform.
  • Efficiency Gains: Deura InfoSec will leverage Ostendio’s platform to streamline compliance processes, significantly reducing the time clients spend on information security management by up to 50%.
  • Client Benefits: The partnership allows Deura InfoSec to overcome the challenges of fragmented security and simplify the processes and costs of delivering complex cybersecurity programs.


Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

6 ways the CISO role is evolving today

A CISO’s Guide to Avoiding Jail After a Breach

Cybersecurity: The CISO’s View

We’d love to hear from you! If you have any questions, comments, or feedback, don’t hesitate to get in touch. Our team is here to help, and we’re always looking to improve our services. You can reach us by email at info@deurainfosec.com or through our website’s contact form.

We offer a discounted initial assessment based on various industry standards and regulations to demonstrate our value and identify possible areas for improvement, and potentially a roadmap for the to-be state.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: CISO, CISOaaS, FractionalCISO, GRC, Ostendio, vCISO


Sep 13 2023

vCISO services solve the CISO talent shortage

Category: vCISO | disc7 @ 9:35 pm


Instead of hiring a full-time CISO, many organizations are hiring a vCISO on a subscription basis or on a retainer to gain access to expert cybersecurity advice, in the form of a virtual CISO, when required. vCISOs offer C-level strategic assistance and tactical-level guidance in devising and implementing strategy to build a security program, assess a security program, reduce risk, and prevent or mitigate the impact of attacks.

What may be the primary concern for an organization seeking vCISO services? The primary concern for an organization seeking Information Security (InfoSec) services is the protection of its sensitive data and digital assets. Such organizations are deeply concerned about potential cyber threats and vulnerabilities that could compromise the confidentiality, integrity and availability of their information systems. These concerns often stem from the increasing frequency and sophistication of cyberattacks, as well as the potential legal and reputational consequences of data breaches.

Organizations may also worry about compliance with industry regulations and data protection laws, as failing to meet these requirements can result in severe penalties and damage to their reputation. Moreover, organizations frequently express worries regarding the expenses associated with Information Security services and their ability to seamlessly integrate these services into their current IT infrastructure without causing disruptions. The aim of an organization is to find a harmonious equilibrium between security and operational effectiveness while adhering to budget limitations.

A Virtual CISO can effectively address primary concerns for organizations seeking information security services by providing expert guidance and support without the need for a full-time in-house CISO. They assist in identifying and mitigating security risks, ensuring cost-effectiveness, seamless integration into existing IT infrastructure and finding the right balance between security and operational efficiency, all while staying within budget constraints.

In what situations would a vCISO Service be appropriate?


Check out our previous posts on the vCISO topic


Tags: CISO talent shortage


Jul 18 2023

Stabilizing The Cybersecurity Landscape: The CISO Exodus And The Rise Of VCISOs

Category: CISO, vCISO | disc7 @ 10:50 pm

https://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/theyec/2023/07/14/stabilizing-the-cybersecurity-landscape-the-ciso-exodus-and-the-rise-of-vcisos/amp/

In today’s evolving digital landscape, the role of a chief information security officer (CISO) is critical. These professionals defend against the rising tide of daily cyberthreats. Yet we’re seeing a trend: Many CISOs are leaving or considering leaving their jobs, a phenomenon coined the “Great CISO Resignation.”

This trend seems to reflect the intense pressure CISOs endure. They face a constant stream of complex cyberthreats, manage compliance issues and struggle with a talent deficit in cybersecurity. Paired with high expectations, many reconsider their roles, which can lead to a leadership gap.

However, this situation opens a strategic opportunity for innovation. As the founder and president of a company that offers virtual chief information security officer (vCISO) services, I’ve seen this model gaining momentum.

Understanding The vCISO Model

A vCISO is an outsourced security practitioner or provider who offers their expertise to businesses on a part-time or contractual basis. These professionals provide many of the same services as a traditional CISO, such as developing and implementing security strategies, ensuring compliance with regulations, training staff and managing a company’s cybersecurity posture. The key difference is that vCISOs offer these services remotely and often to multiple companies at once.

This model brings flexibility and scalability, allowing businesses to tailor cybersecurity leadership to their specific needs. It also provides access to a breadth of expertise that is often unaffordable in a full-time, in-house CISO.

Leveraging The vCISO Model Amid The CISO Exodus

With the current trend of CISOs leaving their positions, the vCISO model offers a practical solution to maintain cybersecurity leadership. Here are some ways businesses can take advantage of this model:

Plug Leadership Gaps Quickly

When a CISO departs, they leave a leadership void that’s hard to fill quickly, especially considering the shortage of cybersecurity talent. By leveraging a vCISO, businesses can plug this gap swiftly, ensuring continued oversight and direction in their cybersecurity efforts.

Access A Broader Skill Set

vCISOs, often being part of a larger team, can bring a wide range of experiences and skills. They are exposed to diverse security landscapes across industries, which can provide a fresh perspective and innovative solutions to your security challenges.

Cost Efficiency

Hiring a full-time CISO can be prohibitively expensive for some companies. vCISO services, on the other hand, can be scaled to fit budgetary constraints, giving businesses access to top-tier security leadership without as much of a hefty price tag.

Flexibility And Scalability

As your business grows and evolves, so too can your cybersecurity needs. A vCISO’s flexible engagement model means you can scale cybersecurity leadership to match your changing requirements.

Deciphering The vCISO Selection: A Strategic Perspective

Selecting the right virtual chief information security officer is pivotal to the success of your cybersecurity strategy, especially in the wake of the “Great CISO Resignation.” You’re essentially recruiting an outsourced leader who can help guide your organization’s information security infrastructure and strategy, so you need to ensure that they not only have the expertise but that they also align with your organization’s culture and values. Here are some strategic suggestions for identifying the perfect vCISO for your business:

Evaluate Their Background And Experience

Start by examining the vCISO’s professional background. This includes their level of experience in your specific industry, as well as their familiarity with the size and type of businesses like yours. Their past roles and achievements can provide valuable insight into their ability to handle the unique cybersecurity threats and risks your business may face. Don’t hesitate to ask for a detailed track record of their experience and successes.

Assess Their Expertise

Probe into their knowledge of current cybersecurity trends, their ability to create a cybersecurity strategy, their understanding of regulatory requirements that are relevant to your industry and their experience in managing security incidents. You should also ask about their experience with various cybersecurity tools and technologies. A vCISO’s expertise should encompass not only tactical but also strategic thinking and planning.

Understand Their Approach

Get a sense of their management style, communication skills and approach to problem-solving. Cybersecurity is a team effort, so the vCISO needs to effectively work with and guide your in-house team. Are they able to communicate complex security concepts in a way that everyone in your organization can understand? Can they foster a security-first culture within the company?

Determine Alignment With Business Goals

The right vCISO should understand your business strategy and align security strategies to business objectives. They should be able to strike a balance between the necessary security measures and the operational needs of your company.

In what situations would a vCISO or CISOaaS Service be appropriate?


Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

Cybersecurity: The CISO’s View



Tags: CISO, vCISO


Mar 02 2023

In what situations would a vCISO or CISOaaS Service be appropriate?

Category: CISO, vCISO | DISC @ 12:06 am

A virtual Chief Information Security Officer (vCISO) service, or CISO-as-a-Service (CISOaaS), may be appropriate for a variety of scenarios, including:

Your clients, collaborators (partners) and some regulatory requirements expect someone to fill the position of Chief Information Security Officer (CISO).
  1. Companies without an in-house CISO: Small and medium-sized companies may not have the budget or need for a full-time CISO. A vCISO service can provide these companies with access to a seasoned cybersecurity professional without having to hire a full-time employee.
  2. Companies experiencing rapid growth or change: Companies that are growing quickly or undergoing significant changes, such as mergers or acquisitions, may benefit from the expertise of a vCISO to help them navigate the cybersecurity implications of these changes.
  3. Companies with limited cybersecurity resources: Some companies may have an IT team but lack dedicated cybersecurity resources. A vCISO can help fill this gap by providing strategic guidance and oversight of the company’s cybersecurity program.
  4. Compliance requirements: Companies in regulated industries, such as healthcare or financial services, may require a CISO to meet regulatory requirements. A vCISO can help these companies meet compliance requirements with standards (ISO 27001) and regulations (PCI, HIPAA, NIST CSF, etc.) without having to hire a full-time CISO.
  5. Cybersecurity incident response: In the event of a cybersecurity incident, a vCISO can provide expertise and guidance to help the company respond effectively and minimize the impact of the incident.

Overall, a vCISO service can be a cost-effective way for companies to gain access to the expertise of a seasoned cybersecurity professional without having to hire a full-time employee.

CISOaaS

Organizations committed to prioritizing security encounter the difficulty of locating a Chief Information Security Officer (CISO) possessing the appropriate skills and knowledge. It becomes necessary for someone to take charge of the security and compliance strategy, but this requirement often surpasses the expertise possessed by operational IT/CIO.

What is CISOaaS?
Chief Information Security Officer-as-a-Service (CISOaaS) provides information security leadership from an appropriate pool of expertise. CISOaaS provides security guidance to senior management and drives the organization’s information security program.

CERT-In issues new guidelines for government bodies, mandates appointment of CISO: https://lnkd.in/db6PsxYQ. Read more at: https://lnkd.in/dKcdHMtP

Process:

Scoping -> Assessment (business, legal and contractual requirements) -> Gap analysis (based on standards and regulations) -> Roadmap to the to-be state -> Implementation of the roadmap -> Evaluation and continual improvement (of the security program)

The benefits of our CISOaaS

  • Gain access to a diverse pool of highly experienced and specialized senior cyber security professionals.
  • Rapidly access valuable resources and eliminate the necessity of retaining talent.
  • Reduce your expenses by paying solely for the necessary support, effectively minimizing costs.
  • Based on CISOaaS being engaged for four days a month annually at current prices. ($37,000 per year)
  • Based on your requirements, you can hire a vCISO 5-10 hours a week or per month. ($125 per hour)
  • Mitigate your risk by strengthening your cyber and information strategy through the implementation of a clearly defined roadmap, thereby enhancing your overall security posture.
  • Acquire valuable experience in effectively educating and presenting to board members and non-technical senior staff across diverse functional backgrounds.
  • Leverage our independent perspective and established credibility to secure comprehensive cross-business support and successfully accomplish your information security objectives.

Collaborate with government authorities

Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

Cybersecurity: The CISO’s View



Tags: CISOaaS, FractionalCISO, vCISO


Jan 12 2023

vCISO Services – value added benefits of vCISO

Category: CISO, vCISO | DISC @ 3:37 pm

For most small-to-medium-sized businesses (SMBs), hiring a CISO is a challenging business decision: a suitable and affordable candidate is hard to find, and the impact of a cyber breach on SMBs can be devastating, since many of those businesses are unable to sustain the costs of a breach. A vCISO can provide the expertise needed to ensure your information security and privacy programs are succeeding and your company is prepared to assess and analyze an incident, all at a cost-effective price.

DISC’s Virtual CISO (vCISO) service helps organizations design, develop and implement information security programs based on various standards and regulations. We provide professional security services that include not only a leadership team (strategic) but also a support team of security analysts (tactical) to solve the cybersecurity challenges distinct to each organization.

Reasons to Consider a Virtual CISO (vCISO)

Expertise covering Industries:
vCISOs work with various clients across industries, exposing them to events that a CISO with experience in a single industry would not encounter. The security knowledge a vCISO gains from each client environment is different, which improves their expertise in assessing the next organization and positively impacts the next client project.

Flexibility in Unique Business Environments:
vCISOs first gain a thorough understanding of each organization’s business model, company culture, risk tolerance, and objectives. From there, they gain an understanding of security risks faced by the organization. With a full view of the security landscape, the vCISO will communicate the findings to help clients make the appropriate security decisions for their environment.

Efficiency with Core Competencies:
A virtual CISO will prioritize security findings where organizations need it most. By focusing on cybersecurity strategy and implementation, vCISOs help the internal security team with understanding controls and with responsibility for implementing them. This enables both staff and cybersecurity leadership to remain dedicated to their respective core competencies.

Objective Independence:
vCISOs are an independent third party with an objective viewpoint and the goal of helping clients make the best security decisions for their business.

Economical:
DISC’s vCISO programs generally cost a fraction of a full-time CISO and supporting security team. According to a salary.com report, the average salary for a CISO is $260,000 per year in California. On average, DISC’s vCISO clients pay a fraction of what it would cost to hire an in-house CISO.

The most important skill of a vCISO is to translate between business and IT as a facilitator.

vCISO risk remediation solution:

  1. What is the risk to the business?
  2. Likelihood of occurrence, and what the risk to the business will be
  3. Impact of occurrence, and what the risk to the business will be
  4. Cost of fixing, implementing or remediating, and what the residual risk will be


Tags: vCISO, Virtual CISOs


Nov 10 2021

vCISO as a service

Category: Information Security, vCISO | DISC @ 10:05 pm

Virtual CISO

Ransomware's Silver Bullet - The Virtual CISO Publication Series: Cybersecurity: Publication #1 Ransomware by [Virtual CISO]

Tags: vCISO as a service


Nov 18 2019

CISO or vCISO? The Benefits of a Contractor C-level Security Role

Category: CISO | DISC @ 12:40 pm

Read how a virtual chief information security officer (vCISO) can help you uplift a struggling information security program.

Source: CISO or vCISO? The Benefits of a Contractor C-level Security Role

Webinar: vCISO vs CISO – Which is the right path for you?
https://www.youtube.com/watch?v=HIvuIIQob7o

CISO as a Service or Virtual CISO
https://www.youtube.com/watch?v=X8XSe3ialNk

The Benefits of a vCISO
https://www.youtube.com/watch?v=jQsG-65wxyU






Tags: vCISO


Jul 24 2024

Cybersecurity jobs available right now

Category: Cyber career, Information Security, InfoSec jobs | disc7 @ 12:31 pm


Applied Cryptographer

Quantstamp | EMEA | Remote

As an Applied Cryptographer, you will research various cryptographic protocols and have knowledge of cryptographic primitives or concepts, like elliptic curve cryptography, hash functions, and PCPs. You should have experience with at least one major language, like Rust, Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub) and testing, and have a familiarity with algorithms and data structures.

Cloud Security Specialist

KMS Lighthouse | Israel | On-site

As a Cloud Security Specialist, you will design, implement, and manage Azure and Microsoft 365 security solutions. Monitor security alerts, lead incident response, and conduct regular assessments. Ensure compliance with ISO 27001, SOC2 Type II and NIST standards.

CISO

CYBERcom | Israel | Hybrid

As a CISO, you will develop and implement comprehensive cybersecurity policies and procedures. Ensure compliance with relevant regulations and standards (e.g., GDPR, ISO 27001). Conduct risk assessments and develop mitigation strategies. Advise on security best practices and emerging threats. Collaborate with clients to enhance their security posture.

Cyber Range Lead

Booz Allen Hamilton | Japan | On-site – No longer accepting applications

As a Cyber Range Lead, you will lead a team of professionals as they use cyberspace capabilities to evaluate potential weaknesses as well as the effectiveness of mitigations for cyber security solutions. You will leverage cyberspace operations systems to aggregate threat feeds that inform briefings for senior leadership aligned to our client’s mission area.

Cybersecurity Technical Consultant

Thales | Mexico | Hybrid

As a Cybersecurity Technical Consultant, you will provide onsite or remote consulting services and support to Thales customers with a focus on high quality, accuracy and customer satisfaction. Develop and deliver technical hands-on product deep knowledge transfer to customers. Track and ensure successful completion of high impact projects by creating project scoping plans, design guides and relevant documentation.

Cyber Security Advisor

H&M | Sweden | On-site

As a Cyber Security Advisor, you will conduct security assessment of in-house developed and/or by third-party provided solutions in order to ensure that they are in compliance with H&M’s security standards. Conduct security maturity and risk assessment for internal and external partners.

Cyber Security Engineer

PetroApp | Egypt | Remote

As a Cyber Security Engineer, you will develop and implement cyber security policies, procedures, and controls to protect the company’s digital assets. Conduct Pen-tests, monitor network traffic and security alerts to detect and respond to potential security breaches. Perform vulnerability assessments and penetration testing to identify and remediate security vulnerabilities. Conduct regular audits of security systems and processes to ensure compliance with industry standards and regulations.

Cyber Security Governance Risk & Compliance Manager

Munster Technological University | Ireland | On-site

As a Cyber Security Governance Risk & Compliance Manager, you will develop, implement, and maintain a robust IT governance, risk, and compliance framework in line with industry best practices and regulatory requirements. Drive risk maturity through project lifecycle and provide independent assessments, challenge inherent risks in material changes e.g., business decisions, projects, process changes, implementation of new systems, applications, and infrastructure.

Cyber Security Instructor

ABM College | Canada | On-site

As a Cyber Security Instructor, you will create dynamic classroom learning experiences using various teaching strategies to facilitate adult learners in achieving learning objectives in accordance with the program objectives as set out in the curriculum. Ensure students are motivated to learn and to maximize their potential. Develop different classroom strategies to ensure knowledge and skills acquisition and retention.

Digital Forensics and Incident Response Analyst

Accenture | Philippines | On-site

As a Digital Forensics and Incident Response Analyst, you will perform incident response to cybersecurity incidents, including but not limited to APT & Nation State attacks, Ransomware infections and Malware outbreaks, Insider Threats, BEC, DDOS, Security and Data breach, etc. Conduct in-depth investigations of cybersecurity incidents, identifying the root cause, the extent of the impact, and recommended actions for containment, eradication, and recovery, and providing a final report that contains recommendations on how to prevent the same attack in the future by strengthening security posture.

Director of Information Security, Cyber Risk and Compliance

S&P Global | Italy | On-site – No longer accepting applications

As a Director of Information Security, Cyber Risk and Compliance, you will become familiar with the Cyber Risk and Compliance team activities and Market Intelligence regarding SOC reporting, relevant regulatory requirements, control frameworks, internal and external audit processes, customer interactions including security questions and audits, and overall company and divisional cyber security processes and controls. Make recommendations related to balancing requirements and deadlines made by corporate departments with human resource and technical capabilities that exist in Market Intelligence. Negotiate differences to find and implement solutions acceptable to both corporate groups and Market Intelligence.

Head of Identity Management Platform

Nexi Croatia | Croatia | Hybrid

As Head of Identity Management Platform, you will leverage your strong background in Identity and Privileged Access Management, expertise in IT technologies, and in-depth knowledge of IT security to organize and lead complex projects, manage third-party teams, and oversee platform lifecycle activities such as upgrades and integrations.

Head of Consulting

Orange Cyberdefense | Norway | Hybrid

As a Head of Consulting, you will lead, mentor, and develop a team of cybersecurity consultants, fostering a culture of excellence and continuous improvement. Define and implement the consultancy department’s strategy in alignment with the company’s goals, ensuring the delivery of innovative and effective cybersecurity solutions. Ensure that all consultancy activities adhere to industry standards, regulatory requirements, and best practices, mitigating risks to both clients and the company.

Head of Security CU TH

Ericsson | Thailand | On-site – View job details

As a Head of Security CU TH, you will facilitate execution of and follow up on security strategy, policies & instructions, governance model and frameworks. Support the business in implementation and maintenance of ISO 27001 controls across the CU as per the MA scope and Ericsson Global ISO 27001 control framework. Manage local security incidents and support investigations.

IT Program Manager

Bose Corporation | USA | On-site – View job details

As an IT Program Manager, you will develop, implement, and manage cybersecurity programs in alignment with the organization’s strategic objectives. Oversee the security projects related to enterprise applications, with a focus on safeguarding sensitive data and ensuring compliance with regulatory standards. Facilitate regular security assessments and audits to identify vulnerabilities and implement corrective actions.

Penetration Tester

Navy Federal Credit Union | USA | On-site – View job details

As a Penetration Tester, you will manage penetration tests from inception through delivery. Identify and prescribe remediation for vulnerabilities in NFCU applications, systems, and networks. Leverage complex tactics including, but not limited to, lateral movement, network tunneling/pivoting, credential compromise, and hash cracking.

Principal Data Security Specialist

Oracle | Spain | On-site – View job details

As a Principal Data Security Specialist, you will focus on delivering technical and procedural guidance to assist customers in defining the platform requirement through to realisation of the subscription value. Research and evaluate emerging solutions and services to drive continuous improvement.

Senior Architect – Cyber Security

Presight | UAE | On-site – View job details

As a Senior Architect – Cyber Security, you will develop and implement security architecture solutions to secure the organization’s IT infrastructure. Design and review security policies, standards, and procedures. Conduct security assessments and risk analysis to identify vulnerabilities and recommend mitigation strategies. Lead security projects and collaborate with cross-functional teams to integrate security measures.

Senior CyberSecurity Architect

Hexagon Geosystems | European Economic Area | Remote – View job details

As a Senior CyberSecurity Architect, you will plan, organize, test, and document the implementation of new security systems and tools; define the success criteria and security requirements, and develop reference architecture, functional and non-functional requirements for proof-of-concept efforts and projects. Lead in performing threat modeling, security architecture review, and risk assessments of new and existing technical solutions.

(Senior) Information Security Officer

Oetker Digital | Germany | Hybrid – View job details

As a (Senior) Information Security Officer, you will develop, implement, and monitor a strategic, comprehensive company information security and IT risk management program, based on the Oetker Group-wide security directive. Manage and assist in the development and implementation of the information security policies, procedures, and guidelines. Provide guidance and counsel to the C-Level, the senior management team, and staff about information security and its alignment with business objectives and risk management.

Technology & Cyber Risk: Senior Officer – Cybersecurity Risk

Citi | Poland | On-site – View job details

As a Technology & Cyber Risk: Senior Officer – Cybersecurity Risk, you will review and evaluate compliance and cyber policies and procedures, technology and tools, and governance processes to provide credible challenge for minimizing losses from cyber risks. Assess cyber risks and evaluate actions to address the root causes that persistently lead to operational risk losses by challenging both historical and proposed practices. Support independent assurance activities to assess areas of concern including substantive and controls testing.

Vulnerability Manager

TTM Technologies | USA | Remote – View job details

As a Vulnerability Manager, you will be responsible for identifying, assessing, prioritizing, and managing vulnerabilities across our systems and networks. Conduct regular vulnerability assessments and penetration tests across our systems, applications, and networks.

Starting Your Cyber Security Career: Building a Successful Career in Cyber Security

Cybersecurity Career Master Plan


InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Cybersecurity Career Master Plan, Cybersecurity jobs


Jul 23 2024

Microsoft releases tool to speed up recovery of systems borked by CrowdStrike update

Category: Security Tools | disc7 @ 9:20 am

By now, most people are aware of – or have been personally affected by – the largest IT outage the world has ever witnessed, courtesy of a defective update for CrowdStrike Falcon Sensors that threw Windows hosts into a blue-screen-of-death (BSOD) loop.

“We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” David Weston, Microsoft’s VP of Enterprise and OS Security, stated on Saturday.

CrowdStrike claimed earlier today that “a significant number” of affected systems are back online and operational.

“Together with customers, we tested a new technique to accelerate impacted system remediation. We’re in the process of operationalizing an opt-in to this technique,” they noted on their remediation and guidance hub. “Customers are encouraged to follow the Tech Alerts for latest updates as they happen and they will be notified when action is needed.”

Microsoft collaborates with CrowdStrike, provides recovery tool

Microsoft is, understandably, doing everything it can to speed up worldwide recovery from the issue, has deployed hundreds of Microsoft engineers and experts to work with customers to restore services, and is collaborating with CrowdStrike.

“CrowdStrike has helped us develop a scalable solution that will help Microsoft’s Azure infrastructure accelerate a fix for CrowdStrike’s faulty update. We have also worked with both AWS and GCP to collaborate on the most effective approaches,” Weston explained.

Microsoft has also released a recovery tool that can be downloaded and used by IT admins to make the repair process less time-consuming.

The tool provides two repair options.

The first one – Recover from WinPE (Preinstallation Environment) – does not require local admin privileges, but requires the person to manually enter the BitLocker recovery key (if BitLocker is used on the device).

The second one – Recover from safe mode – may allow recovery without entering the BitLocker recovery keys.

“For this option, you must have access to an account with local administrator rights on the device. Use this approach for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown,” the Intune Support Team noted.

They also included detailed recovery steps for Windows clients, servers, and OSes hosted on Hyper-V.

Microsoft has previously confirmed that the buggy CrowdStrike update affected Windows 365 Cloud PCs and that users “may restore their Windows 365 Cloud PC to a known good state prior to the release of the update (July 19, 2024)”. The company has also provided guidance for restoring affected Azure virtual machines.

Cloud security company Orca has released a script that automates the remediation of Windows virtual machines hosted on AWS.

Threat actors exploiting the situation

As expected, scammers and threat actors have immediately started taking advantage of the chaos that resulted from the faulty update.

Trend Micro researchers provided examples of tech support scams doing the rounds, and even legal scams.

A tech support scam exploiting the situation (Source: Trend Micro)

CrowdStrike warned about:

  • Attackers offering a fake utility for automating recovery that loads the Remcos remote access tool
  • Phishers and vishers impersonating CrowdStrike support and contacting customers
  • Scammers posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights

“CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels,” the company said.

UPDATE (July 23, 2024, 05:15 a.m. ET):

CrowdStrike has provided a way for remediating affected systems more quickly. Customers must opt in to use the technique via the support portal. (A Reddit user has explained the process involved.)

The company has also released a video explaining how users can self-remediate affected remote Windows laptops.

Fake CrowdStrike repair manual pushes new infostealer malware

“Resiliency in the digital age isn’t just about preventing outages; it’s about being prepared to respond effectively when they happen.”


Tags: CrowdStrike, Microsoft


Jul 18 2024

Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

Category: Cyber Threats, Email Security | disc7 @ 10:36 am

https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-ramp-up-use-of-encoded-urls-to-bypass-secure-email

Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.

Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.

The SEG Versus SEG Threat

The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.

“We do not have access to the internals of SEGs, so I can’t say for certain,” Gannon says. “But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate.”

In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender’s SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.

In these situations, problems can arise if the recipient’s secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient’s SEG scans the URL, but only sees the sending email gateway’s domain and not the final destination.

“Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination,” Cofense wrote in its report this week. “As a result, when an email already has SEG-encoded URLs, the recipient’s SEG often allows the email through without properly checking the embedded URLs.”

A Substantial Increase

Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular, Cofense said.

According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.

Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. “Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with,” he says. “For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/.”

Gannon says one reason why threat actors likely aren’t using the tactic on a much broader scale is because it involves additional work. “The biggest thing it comes down to is effort,” he says. “If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to.”

Protecting against the tactic can be relatively difficult, as most SEGs don’t have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. “A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG.”
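One way a receiving mail pipeline could handle the SEG-encoded links described above, as an added example that is not from the article, Cofense, or any SEG vendor: unwrap the rewritten URL and judge the inner destination instead of the wrapper's domain. Only the Barracuda Link Protect shape quoted by Gannon comes from the page; the `WRAPPERS` table, the function names, the blocklist and the sample link handling are assumptions constructed for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit, unquote

# Rewriter host -> query parameter that carries the destination.
# Only this entry (the format quoted in the article) is from the page;
# add other vendors only after confirming their documented link format.
WRAPPERS = {"linkprotect.cudasvc.com": "a"}
MAX_DEPTH = 5  # wrappers can be nested; stop after a few layers


def refang(url: str) -> str:
    """Turn defanged notation (hxxp, [.], [:]) back into a parseable URL."""
    return url.strip().replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Lower-cased hostname, or '' when the URL has none or cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def inner_url(url: str) -> str | None:
    """Return the destination carried inside a known wrapper link, else None."""
    param = WRAPPERS.get(host_of(url))
    if param is None:
        return None
    pieces = urlsplit(url).query.split("&")
    for i, piece in enumerate(pieces):
        if piece.startswith(param + "="):
            raw = piece[len(param) + 1:]
            if "://" in raw[:10]:
                # Destination was prepended unencoded, so the rest of the
                # query string belongs to it, not to the wrapper.
                return "&".join([raw] + pieces[i + 1:])
            return unquote(raw)
    return None


def unwrap(url: str) -> list[str]:
    """Chain of URLs from the link as received to the innermost destination."""
    chain = [refang(url)]
    for _ in range(MAX_DEPTH):
        nxt = inner_url(chain[-1])
        if not nxt:
            break
        chain.append(nxt)
    return chain


def naive_verdict(url: str, blocklist: set[str]) -> str:
    """The failure mode in the article: only the outer (wrapper) host is judged."""
    return "block" if host_of(refang(url)) in blocklist else "allow"


def verdict(url: str, blocklist: set[str]) -> str:
    """Judge every layer; send anything that cannot be fully unwrapped to review."""
    chain = unwrap(url)
    if any(host_of(u) in blocklist for u in chain):
        return "block"
    final = chain[-1]
    try:
        scheme = urlsplit(final).scheme
    except ValueError:
        return "review"
    if scheme not in ("http", "https") or not host_of(final) or host_of(final) in WRAPPERS:
        # Non-web scheme, missing destination, or nesting deeper than MAX_DEPTH.
        return "review"
    return "allow"


# Constructed inputs: the article's own defanged placeholder link and domain.
BLOCKLIST = {"badplace.com"}
SAMPLE = "hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/"

if __name__ == "__main__":
    print("outer host only:", naive_verdict(SAMPLE, BLOCKLIST))
    print("after unwrapping:", verdict(SAMPLE, BLOCKLIST), unwrap(SAMPLE))
```

The blocklist match is exact-host only; a real reputation lookup would replace it, and the unwrapped chain is what should be handed to that lookup.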


Tags: Encoded URLs


Jul 16 2024

Understanding Compliance With the NIST AI Risk Management Framework

Category: NIST Privacy, Risk Assessment | disc7 @ 10:06 am

Incorporating artificial intelligence (AI) seems like a logical step for businesses looking to maximize efficiency and productivity. But the adverse effects of AI use, such as data security risk and misinformation, could bring more harm than good.

According to the World Economic Forum’s Global Risks Report 2024, AI-generated misinformation and disinformation are among the top global risks businesses face today.

To address the security risks posed by the increasing use of AI technologies in business processes, the National Institute of Standards and Technology (NIST) released the Artificial Intelligence Risk Management Framework (AI RMF 1.0) in January 2023. 

Adhering to this framework not only puts your organization in a strong position to avoid the dangers of AI-based exploits, it also adds an impressive type of compliance to your portfolio, instilling confidence in external stakeholders. Moreover, while NIST AI RMF is more of a guideline than a regulation, today there are several AI laws in the process of being enacted, so adhering to NIST’s framework helps CISOs to future-proof their AI compliance postures.

Let’s examine the four key pillars of the framework – govern, map, measure and manage – and see how you can incorporate them to better protect your organization from AI-related risks.

1. Establish AI Governance Structures

In the context of NIST AI RMF, governance is the process of establishing processes, procedures, and standards that guide responsible AI development, deployment, and use. Its main goal is to connect the technical aspect of AI system design and development with organizational goals, values, and principles.

Strong governance starts from the top, and NIST recommends establishing accountability structures with the appropriate teams responsible for AI risk management, under the framework’s “Govern” function. These teams will be responsible for putting in place structures, systems and processes, with the end goal of establishing a strong culture of responsible AI use throughout the organization.

Using automated tools is a great way to streamline the often tedious process of policy creation and governance. “We view it as our responsibility to help organizations maximize the benefits of AI while effectively mitigating the risks and ensuring compliance with best practices and good governance,” said Arik Solomon, CEO of Cypago, a SaaS platform that automates governance, risk management, and compliance (GRC) processes in line with the latest frameworks.

“These latest features ensure that Cypago supports the newest AI and cyber governance frameworks, enabling GRC and cybersecurity teams to automate GRC with the most up-to-date requirements.”

Rather than existing as a stand-alone component, governance should be incorporated into every other NIST AI RMF function, particularly those associated with assessment and compliance. This will foster a strong organizational risk culture and improve internal processes and standards.

2. Map And Categorize AI Systems

The framework’s “Map” function supports governance efforts while also providing a foundation for measuring and managing risk. It’s here that the risks associated with an AI system are put into context, which will ultimately determine the appropriateness or need for the given AI solution.

As Opice Blum data privacy expert Henrique Fabretti Moraes explained, “Mapping the tools in use – or those intended for use – is crucial for understanding and fine-tuning acceptable use policies and potential mitigation measures to decrease the risks involved in their utilization.” 

But how do you actually put this mapping process into practice?

NIST recommends the following approach:

  • Clearly establish why you need or want to implement the AI system. What are the expectations? What are the prospective settings where the system will be deployed? You should also determine the organizational risk tolerance for operating the system.
  • Map all of the risks and benefits associated with using the system. Here is where you should also determine your risk tolerance, not only with monetary costs but also those stemming from AI errors or malfunctions.
  • Analyze the likelihood and magnitude of the impact the AI system will have on the organization, including employees, customers, and society as a whole.

3. Measure AI Performance and Risk

The “Measure” function utilizes qualitative and quantitative techniques to analyze and monitor the AI-related risks identified in the “Map” function.

AI systems should be tested before deployment and frequently thereafter. But measuring risk with AI systems can be tricky. The technology is fairly new, so there are no standardized metrics yet. This might change in the near future, as developing these metrics is a high priority for many consulting firms. For example, Ernst & Young (EY) is developing an AI Confidence Index.

“Our confidence index is founded on five criteria – privacy and security, bias and fairness, reliability, transparency and explainability, and the last is accountability,” noted Kapish Vanvaria, EY Americas Risk Market Leader. The other axis includes regulations and ethics. 

“Then you can have a heat map of the different processes you’re looking at and the functions in which they’re deployed,” he says. “And you can go through each one and apply a weighted scoring method to it.”

In the NIST framework’s priorities, there are three main components of an AI system that must be measured: trustworthiness, social impact, and how humans interact with the system. The measuring process will likely consist of extensive software testing, performance assessments and benchmarks, along with reporting and documentation of results.

4. Adopt Risk Management Strategies

The “Manage” function puts everything together by allocating the necessary resources to regularly attend to uncovered risks during the previous stages. The means to do so are typically determined with governance efforts, and can be in the form of human intervention, automated tools for real-time detection and response, or other strategies.

To manage AI risks effectively, it’s crucial to maintain ongoing visibility across all organizational tools, applications, and models. AI should not be handled as a separate entity but integrated seamlessly into a comprehensive risk management framework.

Ayesha Gulley, an AI policy expert from Holistic AI, urges businesses to adopt risk management strategies early, taking into account five factors: robustness, bias, privacy, exploitability and efficacy. Holistic’s software platform includes modules for AI auditing and risk posture reporting.

“While AI risk management can be started at any point in the project development,” she said, “implementing a risk management framework sooner than later can help enterprises increase trust and scale with confidence.”

Evolve With AI

The NIST AI Framework is not designed to restrict the efficient use of AI technology. On the contrary, it aims to encourage adoption and innovation by providing clear guidelines and best practices for developing and using AI securely and responsibly.

Implementing the framework will not only help you reach compliance standards but also make your organization much more capable of maximizing the benefits of AI technologies without compromising on risk.

AI-RMF A Practical Guide for NIST AI Risk Management Framework


Tags: NIST AI Risk Management Framework


Jul 10 2024

Attackers Already Exploiting Flaws in Microsoft’s July Security Update

Category: Cyber Attack, Security vulnerabilities | disc7 @ 10:12 am

Microsoft has given administrators plenty of work to do with July’s security update that contains patches for a brutal 139 unique CVEs, including two that attackers are actively exploiting and one that’s publicly known but remains unexploited for the moment.

The July update contains fixes for more vulnerabilities than the previous two monthly releases combined and addresses issues that left unmitigated could enable remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities. The update included patches for four non-Microsoft CVEs, one of which is a publicly known Intel microprocessor vulnerability.

Lack of Details Heightens Urgency to Fix Zero-Days

One of the zero-day vulnerabilities (CVE-2024-38080) affects Microsoft’s Windows Hyper-V virtualization technology and allows an authenticated attacker to execute code with system-level privileges on affected systems. Though Microsoft has assessed the vulnerability as being easy to exploit and requiring no special privileges or user interaction to exploit, the company has given it only a moderate — or important — severity rating of 6.8 on the 10-point CVSS scale.

As is typical, Microsoft provided scant information on the flaw in its release notes. But the fact that attackers are already actively exploiting the flaw is reason enough to patch now, said Kev Breen, senior director threat research at Immersive Labs, in an emailed comment. “Threat hunters would benefit from additional details, so that they can determine if they have already been compromised by this vulnerability,” he said.

The other zero-day bug, tracked as CVE-2024-38112, affects the Windows MSHTML Platform (aka Trident browser engine) and has a similarly moderate CVSS severity rating of 7.0. Microsoft described the bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link.

That description left some wondering about the actual nature of the threat it represented. “This bug is listed as ‘spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), wrote in a blog post. “Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”

Rob Reeves, principal cybersecurity engineer at Immersive Labs, viewed the vulnerability as likely enabling remote code execution but potentially complex to exploit, based on Microsoft’s sparse description. “Exploitation also likely requires the use of an ‘attack chain’ of exploits or programmatic changes on the target host,” he said in prepared comments. “But without further information from Microsoft or the original reporter … it is difficult to give specific guidance.”

Other High-Priority Bugs

The two bugs that were publicly known prior to Microsoft’s July update — and hence are also technically zero-day flaws — are CVE-2024-35264, a remote code execution vulnerability in .Net and Visual Studio, and CVE-2024-37985, which actually is a third-party (Intel) CVE that Microsoft has integrated into its release.

In all, Microsoft rated just four of the flaws in its enormous update as being of critical severity. Three of them, each with a near maximum severity rating of 9.8 on 10, affect the Windows Remote Desktop Licensing Service component that manages client access licenses (CALs) for remote desktop services. The vulnerabilities, identified as CVE-2024-38076, CVE-2024-38077, and CVE-2024-38089, all enable remote code execution and should be on the top of the list of bugs to prioritize this month. “Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server,” Childs said in his post.

Microsoft wants organizations to disable the Remote Desktop Licensing Service if they are not using it. The company also recommends organizations immediately install the patches for the three vulnerabilities even if they plan to disable the service.

One eyebrow-raising aspect in this month’s Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server — some 39, or more than a quarter of the 139 disclosed vulnerabilities. “Thankfully, none of them are critical based on their CVSS scores and they’re all listed as ‘Exploitation Less Likely,’” says Tyler Reguly, associate director of security R&D at Fortra. “Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch,” he noted.

As has been the trend in recent months, there were 20 elevation of privilege (EoP) bugs in this month’s update, slightly outnumbering remote code execution vulnerabilities (18). Though Microsoft and other software vendors often tend to rate EoP bugs overall as being less severe than remote code execution vulnerabilities, security researchers have advocated that security teams pay equal attention to both. That’s because privilege escalation bugs often allow attackers to take complete admin control of affected systems and wreak the same kind of havoc as they would by running arbitrary code on it remotely.

https://www.darkreading.com/application-security/attackers-already-exploiting-flaws-in-microsofts-july-security-update


Zero Day: Novice No More: Expose Software Vulnerabilities And Eliminate Bugs

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race


Tags: Microsoft's Security Update


Jul 09 2024

How nation-state cyber attacks disrupt public services and undermine citizen trust

Category: APT, Cyber Attack | disc7 @ 11:25 am

In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure.

Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses.

How do nation-state attacks affect the public sector and services provided to citizens?

All attacks, nation-state or not, have the potential to impact public sector services and the citizens who rely on them.

Just recently on June 3, 2024, Synnovis, a provider to the UK National Health Service (NHS), suffered a cyber attack preventing the processing of blood test results and impacting thousands of patient appointments and surgeries. In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities.

In the United States, many private sector organizations that provide public or critical infrastructure services have been significantly affected by cyberattacks. In 2021, JBS Foods, the largest US meat processor, was breached, forcing it to cease operations at 13 of its meat processing plants, impacting the US meat supply. One month prior, Colonial Pipeline was hit with a ransomware cyberattack, causing a run on gas in the eastern seaboard and requiring a presidential executive order to allow gas transport via semi-trucks.

A cyber attack in the Ukraine in 2015 brought down power for 230,000 customers, and such attacks have continued to disrupt the Ukrainian power grid since then.

In the US, we have seen the same nation-states employ less aggressive but potentially more disruptive strategies of espionage and misinformation in an effort to undermine the public’s trust in the electoral system.

While these are just a few notable examples, the impact ranges from delays and inconveniences to more significant repercussions like reduced capacity of healthcare services and other critical infrastructure. What’s harder to calculate is the degradation of trust when the public sector is compromised due to a cyber attack.

What are the most common vulnerabilities within government IT systems that cyber attackers exploit?

Many of the attack techniques that we see nation-states use are picked up by more common cyber criminals shortly after. While nation-states do have advanced capabilities and visibility that are hard or impossible for cyber criminals to replicate, the general strategy for attackers is to target vulnerable perimeter devices such as VPNs or firewalls as an entry point to the network. Next they focus on obtaining privileged credentials while leveraging legitimate software to masquerade as normal activity while they scout the environments for valuable data or large repositories to disrupt.

It’s important to note that the commonly exploited vulnerabilities in government IT systems are not distinctly different from the vulnerabilities exploited more broadly. Government IT systems are often extremely diverse and thus, subject to a variety of exploits. CISA actively maintains a Known Exploited Vulnerabilities (KEV) Catalog. These are vulnerabilities known to be exploited in the wild and pose an increased risk of exploitation for government organizations using any of the technologies cataloged.

How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?

AI has been in use for more than a decade in state-of-the-art security technologies, primarily to detect novel and constantly evolving attacks. Detecting the sheer volume of attacks today, as well as finding the singular “needle in a haystack” cannot be done by classic technologies, but is possible with sophisticated AI techniques. As a baseline, governments should evaluate their security technology to understand how effective AI and machine learning are at detecting the latest threats.

The more advanced capabilities can analyze the infrastructure to determine typical behavior and usage patterns and auto-configure security settings and policies, providing adaptive security that is even more efficient at detecting anomalous activities.

The latest generative AI technologies are also helping drive efficiency in the Security Operations Center (SOC). GenAI can help SOC analysts more quickly and fully understand attacks, and provide guidance to analysts using natural language. This is especially important as we face continued challenges staffing security professionals.

Are there any specific regulatory frameworks or policies that must be implemented or improved?

Currently, there are numerous policies and regulations, both domestically and internationally, which are inconsistent and vary in their requirements. These administrative requirements take significant resources which could otherwise be used to strengthen a company’s cybersecurity program. Therefore, it is imperative that existing and forthcoming cybersecurity regulations be harmonized and policies be considered comprehensively.

The recent summary from the Office of the National Cyber Director (ONCD) on the 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI) shows that the U.S. Government understands this problem. The report finds that the “lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.” The ONCD is working with other federal agencies as well as the private sector to address these issues by seeking to “simplify oversight and regulatory responsibilities of cyber regulators” and “substantially reduce the administrative burden and cost on regulated entities.”

This is a much-needed exercise and it’s encouraging to see steps being taken to ensure that cybersecurity regulations are comprehensive, effective, and efficient.

What role should the private sector play in supporting government cybersecurity efforts?

The private sector has threat intelligence that the government often doesn’t have. This makes the bidirectional sharing of information between the private and public sectors essential in combating bad actors. Partnerships between leading cybersecurity research groups and vendors like the Cyber Threat Alliance (CTA), as well as public and private sector partnerships like the Joint Cyber Defense Collaborative (JCDC), help the cybersecurity community at large bring its combined intelligence to bear to help defend our global digital ecosystem.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: nation-state cyber attacks


Jul 08 2024

Apple Geolocation API Exposes Wi-Fi Access Points Worldwide

Category: Access Control, API security, Wi-Fi Security | disc7 @ 1:09 pm

https://www.darkreading.com/endpoint-security/apple-geolocation-api-exposes-wi-fi-access-points-worldwide

Beyond the devices that use them, Wi-Fi hubs themselves can leak interesting data, thanks to some quirks in Apple’s geolocation system.

Apple’s Wi-Fi Positioning System (WPS) can be used to map and track Wi-Fi access points (APs) around the globe. But in a presentation at Black Hat 2024, University of Maryland researcher Erik Rye will demonstrate how he mapped hundreds of millions of APs in a matter of days, without even needing an Apple device or any kind of permissions along the way.

How Apple Exposes Global APs

Have you ever wondered how your phone knows where it is in the world?

The Global Positioning System (GPS) is one tool it uses, of course, but it’s not a perfect one. It becomes less effective when the device loses a clear line to the sky, and it consumes a good deal of power, which isn’t ideal for such a persistent task. 

That’s where the Wi-Fi Positioning System comes in. WPS works a bit like GPS, if you substitute the satellites with Wi-Fi access points (APs).

For details:

https://www.darkreading.com/endpoint-security/apple-geolocation-api-exposes-wi-fi-access-points-worldwide

API Security for White Hat Hackers: https://amzn.to/45UJmsg

Wireless Security Architecture: https://amzn.to/4cCpNYb

Tags: Apple Geolocation


Jul 03 2024

10 Clear Signs Your Business Needs a Cybersecurity Consultant—And What to Expect

Category: cyber security, Selling cyber security | disc7 @ 8:37 am
https://www.linkedin.com/pulse/10-clear-signs-your-business-needs-cybersecurity-what-svyac/

You Can’t Keep Up with Emerging Threats or Technologies

Business Impact: Staying ahead of emerging threats and technologies is essential for protecting your business from cyberattacks. Falling behind can leave your business vulnerable to breaches, resulting in data loss, financial damage, and reputational harm. A cybersecurity consultant can help you stay current and implement the latest defenses, ensuring your business remains secure and competitive.

Expectation: CEOs should expect cybersecurity consultants to provide continuous education and training programs for their staff, ensuring the team stays updated with the latest cybersecurity trends and technologies. This empowers employees to recognize and respond to threats more effectively and reinforces a culture of security within the organization.

You Need an Impartial Security Assessment

Business Impact: Internal disagreements about security protocols can lead to inefficiencies and increased risk. An impartial assessment from a cybersecurity consultant can provide clarity, help to align your team and ensure that security measures are effective and unbiased. This can lead to a more cohesive security strategy and a more robust overall security posture.

Expectation: CEOs should expect cybersecurity consultants to conduct regular third-party security audits. These audits maintain an unbiased perspective on the company’s cybersecurity posture, uncover hidden vulnerabilities, and ensure that security measures evolve with the changing threat landscape.

You’re Lacking Innovation in Your Security Strategies

Business Impact: Innovation in security strategies is vital to staying ahead of cyber threats. A consultant brings fresh perspectives and innovative solutions that can enhance your existing security measures, leading to improved efficiency and effectiveness. This can result in cost savings, better resource allocation, and a more robust defense against cyber threats.

Expectation: CEOs should expect consultants to help establish a dedicated innovation team within the security department. This team should explore and integrate new technologies and methodologies, collaborating with the consultants to bring cutting-edge solutions to the organization.

You’re Unable to Meet Your Security Goals

Business Impact: Failing to meet security goals can expose your business to risks and hinder growth. A consultant can help identify the root causes of these challenges and provide actionable insights to achieve your objectives. Meeting security goals can enhance your business’s credibility, reduce the risk of breaches, and support overall business growth.

Expectation: CEOs should expect cybersecurity consultants to implement a structured framework like the NIST Cybersecurity Framework. This framework guides the security strategy and goal-setting processes, helping to identify gaps, set realistic goals, and track progress effectively.

Your Business Isn’t Growing, and You Don’t Know Why

Business Impact: Stagnant growth can indicate underlying security issues that are not immediately apparent. A cybersecurity consultant can conduct a thorough analysis to uncover hidden problems and provide solutions. Addressing these issues can remove barriers to growth, improve operational efficiency, and enhance your business’s financial performance.

Expectation: CEOs should expect cybersecurity consultants to perform a comprehensive security health check during the business strategy review. This health check identifies unseen security issues that may be hindering growth, and addressing them can streamline operations and enhance overall performance.

You’re Stalling on Implementing New Security Measures

Business Impact: Delaying important security initiatives can leave your business vulnerable and impede progress. A consultant can provide the expertise and resources needed to implement new security measures promptly. This can improve your security posture, reduce risk, and enable you to confidently take advantage of new business opportunities.

Expectation: CEOs should expect cybersecurity consultants to develop a clear, phased implementation plan for new security measures, prioritizing critical vulnerabilities first. This plan should include milestones and timelines to ensure steady progress and accountability.

You’re Working Outside Your Expertise

Business Impact: Focusing on areas outside your expertise can lead to suboptimal decisions and wasted resources. By hiring a cybersecurity consultant, you can ensure that specialized tasks are handled by experts, allowing you to focus on your strengths. This can lead to better decision-making, increased efficiency, and a higher quality of security measures.

Expectation: CEOs should expect cybersecurity consultants to establish a strategic partnership to handle specialized tasks. This ensures reliance on expert advice and services, allowing the CEO to focus on core business activities and leading to better overall outcomes.

You Lack In-House Security Expertise

Business Impact: A lack of in-house cybersecurity expertise can leave your business vulnerable to attacks and regulatory non-compliance. A consultant can fill this gap, providing the necessary skills and knowledge to protect your business. This can enhance your security posture, ensure compliance with industry regulations, and reduce the risk of costly breaches.

Expectation: CEOs should expect cybersecurity consultants to help implement an MSSP to supplement in-house capabilities. An MSSP provides continuous monitoring, threat detection, and response services, ensuring robust security even with limited internal resources.

You Have Tunnel Vision Regarding Security Issues

Business Impact: Working too closely on security problems can limit your perspective and lead to missed solutions. A consultant brings fresh eyes and can identify issues and solutions you might overlook. This can lead to more effective problem-solving, reduced risk, and improved overall security.

Expectation: CEOs should expect cybersecurity consultants to host regular brainstorming sessions with cross-functional teams. These sessions encourage diverse insights into security challenges, helping to uncover innovative solutions and prevent oversight.

You’re Working on a Time-Sensitive Security Project

Business Impact: Urgent security projects require expertise and efficiency to ensure success. A consultant can provide support to meet tight deadlines and achieve project goals.

Expectation: CEOs should expect cybersecurity consultants to utilize project management tools and methodologies like Agile to manage time-sensitive security projects efficiently. These tools streamline workflows, enhance collaboration, and meet critical deadlines without compromising quality.

FAQs

How do you verify the credentials and experience of a cybersecurity consultant?

To verify a cybersecurity consultant’s credentials and experience, you can:

  1. Check Certifications: Look for reputable certifications like CISSP, CISM, CEH, or others recognized in the industry.
  2. Review Past Projects: Ask for case studies or examples of past work that demonstrate their ability to handle challenges similar to yours.
  3. Seek References: Contact previous clients to get feedback on their experiences with the consultant.
  4. Interview Thoroughly: Conduct in-depth interviews to assess their knowledge, approach, and how they keep up with industry changes.
  5. Assess Continuous Learning: Inquire about their commitment to ongoing education and professional development.

What are the typical costs associated with hiring a cybersecurity consultant?

The cost can vary widely based on factors such as the scope of work, the consultant’s experience, and the duration of the engagement. Typical costs might include:

  1. Hourly Rates: Ranging from $150 to $500+ per hour.
  2. Project-Based Fees: Project fees can range from a few thousand dollars to hundreds of thousands, depending on the complexity.
  3. Retainer Agreements: Monthly retainers can range from $5,000 to $20,000 or more for ongoing support.

Discussing and agreeing on the fee structure upfront is essential to ensure it aligns with your budget and expectations.

What are the common red flags when interviewing potential cybersecurity consultants?

Some red flags to watch out for include:

  1. Lack of Specific Experience: They must be able to provide detailed examples of past projects or relevant experience.
  2. Overemphasis on Certifications: While important, certifications alone don’t guarantee practical expertise.
  3. Poor Communication Skills: Inability to clearly explain complex concepts or their approach to your specific issues.
  4. Vague Proposals: Proposals that lack details about how they will address your needs or what deliverables you can expect.
  5. Unrealistic Promises: Guarantees of absolute security or immediate fixes are often unrealistic and should be scrutinized.

Can you provide examples of successful cybersecurity consultant engagements?

Examples of successful engagements include:

  1. Incident Response: A consultant helped a mid-sized company recover from a ransomware attack by quickly identifying the breach, containing the threat, and restoring data from backups, minimizing downtime and data loss.
  2. Security Program Development: A consultant worked with a healthcare provider to develop a comprehensive security program, achieving regulatory compliance and significantly reducing the risk of data breaches.
  3. Vulnerability Assessment: For a financial services firm, a consultant conducted a thorough vulnerability assessment, identifying and addressing critical security gaps that previously went unnoticed, enhancing overall security posture.

How do cybersecurity consultants stay updated on the latest threats and technologies?

Cybersecurity consultants stay current by:

  1. Continuous Education: Regularly attending training sessions and webinars and obtaining advanced certifications.
  2. Professional Networks: Being active in professional organizations like (ISC)², ISACA, and others, which offer resources and networking opportunities.
  3. Industry Conferences: Participating in conferences such as Black Hat, DEF CON, and RSA Conference to learn about the latest trends and technologies.
  4. Research and Publications: Reading industry publications and research papers and participating in cybersecurity forums and discussions.
  5. Hands-On Experience: Engaging in ongoing practical work and simulations to apply new techniques and tools in real-world scenarios.

This commitment to continuous learning ensures they can provide up-to-date and effective security solutions.

In what situations would a vCISO or CISOaaS service be appropriate?

CyberSecurity Consultants Playbook

Tags: Cybersecurity Consultant


Jul 01 2024

New Hacker Group Attacking Systems With 10 Malware At Same Time

Category: Malware | disc7 @ 8:03 am

A malware campaign of huge magnitude, and perhaps run by just one group, is using artificially nested files for distribution named ‘WEXTRACT.EXE            .MUI’.

More than 50,000 files worldwide featuring this method are delivered by different stealers and loaders such as Redline, RisePro, and Amadey.

Several samples are associated with an Eastern European cybercriminal-linked Autonomous System.

Cybersecurity researchers at OutPost24 recently detected that a new hacker group has been attacking systems with 10 malware at the same time.

10 Malware At Same Time

The “WEXTRACT.EXE            .MUI” malware distribution system is one that makes use of nested cabinet files to distribute a number of malware samples such as stealers and loaders.

This method’s complex execution sequence drops and runs malware in reverse order, which may result in bypassing security measures.

The technique could cause multiple infections as the loaders may download more malware.

From February 2023 through the start of 2024, a massive malware distribution campaign nested multiple malware families, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.

The campaign developed over time, incorporating obfuscation tools and different distribution methods.

An examination of over two thousand one hundred examples showed some malware combinations in which victims might be infected by several stealers and loaders simultaneously.

This suggests that there was a single actor behind the infrastructure and tactics for this campaign.

Distribution steps of one sample of WEXTRACT (Source – OutPost24)

It is likely that the campaign to distribute malware called “Unfurling Hemlock” buys distribution services from other actors.

Its earliest phases were in email attachments and downloads from hacked or hoax websites.

The infrastructure, mostly based on AS 203727, uses both exclusive and shared IPs for distributing WEXTRACT and other malware.

This indicates one actor or entity that is responsible for the campaign but delegates some of its distribution aspects to others.

The malware campaign uses different C2 URLs and IP addresses, some of which are specific to the WEXTRACT-related malware and others that are common to other campaigns.

The diversity in infrastructure supports the insight that this actor could be supplying samples from other campaigns, possibly encouraged by financial interest.

While the upload locations may not indicate the actual infection sites, the infection sources cut across several countries.

The countries are shown below:

Origin of the samples (Source – OutPost24)

Unlike the usual trend, this huge malware attack mainly targets Western institutions, including Russia.

This operation launched different types of malware simultaneously to increase the possibilities of infection and diversify potential paybacks.

Though not highly developed, this “cluster bomb” method may be adopted by threat actors in the future.

Researchers recommended using the latest anti-malware tools, performing analysis of packed files, and user alertness to be cautious about suspicious downloads and emails.
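To make the "analysis of packed files" recommendation concrete, the following added example (not code from OutPost24 or the original article) carves cabinet (`MSCF`) headers out of a file, lists the members each cabinet declares, and reports how deeply each cabinet is nested. The sample bytes and member names are constructed, and the nesting check assumes the inner cabinet is stored uncompressed; compressed layers have to be extracted first and scanned again.

```python
import struct

CAB_MAGIC = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # fixed 36-byte cabinet header
CFFILE = struct.Struct("<IIHHHH")            # fixed 16 bytes before each member name
EXEC_EXT = (".exe", ".dll", ".scr", ".cmd", ".bat")


def parse_cabinet(blob, off):
    """Parse a cabinet header at `off`; return None if the fields are implausible."""
    if off + CFHEADER.size > len(blob):
        return None
    (sig, res1, cb_cab, res2, coff_files, res3, ver_minor, ver_major,
     _folders, n_files, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(blob, off)
    # The 4-byte magic alone matches by chance; reserved fields must be 0, version 1.3.
    if sig != CAB_MAGIC or res1 or res2 or res3 or (ver_major, ver_minor) != (1, 3):
        return None
    if not n_files or not (CFHEADER.size <= coff_files < cb_cab) or off + cb_cab > len(blob):
        return None  # empty, inconsistent, or truncated cabinet
    members, pos = [], off + coff_files
    for _ in range(n_files):
        end = blob.find(b"\x00", pos + CFFILE.size, off + cb_cab)
        if end == -1:
            return None  # member table runs past the cabinet: not a real header
        size = CFFILE.unpack_from(blob, pos)[0]
        members.append((blob[pos + CFFILE.size:end].decode("latin-1"), size))
        pos = end + 1
    return {"offset": off, "size": cb_cab, "members": members}


def find_cabinets(blob):
    """Carve every plausible cabinet and record how many other cabinets enclose it."""
    cabs, off = [], blob.find(CAB_MAGIC)
    while off != -1:
        cab = parse_cabinet(blob, off)
        if cab:
            cabs.append(cab)
        off = blob.find(CAB_MAGIC, off + 1)
    for cab in cabs:
        start, end = cab["offset"], cab["offset"] + cab["size"]
        cab["depth"] = sum(1 for o in cabs
                           if o["offset"] < start and end <= o["offset"] + o["size"])
        cab["executables"] = [n for n, _ in cab["members"] if n.lower().endswith(EXEC_EXT)]
    return cabs


def build_sample_cab(members, payload=b""):
    """Constructed header-level cabinet for the demo: stored data, no CFDATA framing."""
    table = b"".join(CFFILE.pack(size, 0, 0, 0, 0, 0x20) + name.encode() + b"\x00"
                     for name, size in members)
    coff_files = CFHEADER.size + 8  # one 8-byte CFFOLDER follows the header
    total = coff_files + len(table) + len(payload)
    header = CFHEADER.pack(CAB_MAGIC, 0, total, 0, coff_files, 0, 3, 1, 1,
                           len(members), 0, 0, 0)
    folder = struct.pack("<IHH", coff_files + len(table), 1, 0)  # typeCompress 0 = stored
    return header + folder + table + payload


# Constructed input: a fake PE stub, a chance "MSCF" string, and two nested cabinets.
INNER = build_sample_cab([("stage2.exe", 10), ("stage3.exe", 10)])
OUTER = build_sample_cab([("stage1.exe", 10), ("inner.exe", 64 + len(INNER))],
                         payload=b"MZ" + b"\x00" * 62 + INNER)
SAMPLE = b"MZ" + b"\x90" * 100 + b"MSCF-not-a-header" + OUTER


def report(blob):
    """Return (offset, nesting depth, executable members) for each carved cabinet."""
    return [(c["offset"], c["depth"], c["executables"]) for c in find_cabinets(blob)]


if __name__ == "__main__":
    for offset, depth, exes in report(SAMPLE):
        print(f"cabinet at 0x{offset:x} depth={depth} executables={exes}")
```

A cabinet whose members are themselves executables, or a depth greater than zero, is the cue to unpack that layer in a sandbox and run the scan again on the result.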

Evasive Malware: Understanding Deceptive and Self-Defending Threats

CrowdStrike Falcon Go | Premier Antivirus Protection for Small Businesses 

Tags: Cluster bomb


Jun 30 2024

Fake IT support sites push malicious PowerShell scripts as Windows fixes

Category: Malware, PowerShell Security | disc7 @ 9:51 am

Fake IT support sites promote malicious PowerShell “fixes” for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.

First discovered by eSentire’s Threat Response Unit (TRU), the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator.

In particular, the threat actors are creating fake videos promoting a fix for the 0x80070643 error that millions of Windows users have been dealing with since January.

“There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643),” reads the Windows Update error.

0x80070643 in Windows Update
Source: BleepingComputer

It turns out that Windows Update is displaying an incorrect error message, as it was supposed to display a CBS_E_INSUFFICIENT_DISK_SPACE error on systems with a Windows Recovery Environment (WinRE) partition that’s too small for the update to install.

Microsoft explained that the new security update requires that the WinRE partition have 250 megabytes of free space, and if it doesn’t, you must manually expand the partition yourself.

However, expanding the WinRE partition is complicated, if not impossible, for those whose WinRE is not the last partition on the drive.

Due to this, many are unable to install the security update and are left with the 0x80070643 error message every time they use Windows Update.

These errors have caused many frustrated Windows users to seek a solution online, allowing threat actors to capitalize on their search for a fix.

Fake IT sites promote PowerShell fixes

According to eSentire, threat actors are creating numerous fake IT support sites that are specifically designed to help users with common Windows errors, heavily focusing on the 0x80070643 error.

“In June 2024, eSentire’s Threat Response Unit (TRU) observed an intriguing case involving a Vidar Stealer infection initiated through a fake IT support website (Figure 1),” explains the eSentire report.

“The infection began when the victim performed a web search for solutions to a Windows Update Error code.”

The researchers found two fake IT support sites promoted on YouTube named pchelprwizzards[.]com and pchelprwizardsguide[.]com. While writing this article, BleepingComputer found additional sites at pchelprwizardpro[.]com, pchelperwizard[.]com, and fixedguides[.]com.

Like the other videos eSentire found for the PCHelperWizard typo sites, BleepingComputer also found YouTube videos for the FixedGuides site, also promoting fixes for the 0x80070643 errors.

These sites all offer fixes that either require you to copy and run a PowerShell script or import the contents of a Windows Registry file.

Regardless of which “solution” is used, a PowerShell script will be executed that downloads malware on the device.

eSentire’s report outlines how the PCHelperWizard sites (not to be confused with the legitimate course site) will walk users through copying a PowerShell script into the Windows Clipboard and execute it in a PowerShell prompt.

Malicious PowerShell script disguised as a Windows error fix
Source: BleepingComputer

This PowerShell script contains a Base64 encoded script that will connect to a remote server to download another PowerShell script, which installs the Vidar information-stealing malware on the device.

When the script is finished, it will display a message that the fix was successful and to restart the computer, which will also launch the malware.

The FixedGuides site does it a bit differently, using an obfuscated Windows Registry file to hide autostarts that launch a malicious PowerShell script.

However, when I extracted the strings from the above file, you can see that it contains a valid Registry file that adds a Windows autostart (RunOnce) entry that runs a PowerShell script. This script ultimately downloads and installs information-stealing malware on the computer.
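The two delivery forms described above, a Base64-wrapped PowerShell script and a Registry file that plants a RunOnce autostart, can be inspected without running either. The following is an added example, not code from eSentire or BleepingComputer: it decodes Base64 layers as text and lists Run/RunOnce values that launch PowerShell. The sample `.reg` content, the value name `WinFix` and the `example.invalid` URL are constructed, and the indicator list is an illustrative assumption rather than a complete rule set.

```python
import base64
import re

AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once(?:Ex)?)?$", re.I)
REG_VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
INDICATORS = {  # illustrative, not exhaustive
    "network retrieval": re.compile(
        r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|Start-BitsTransfer", re.I),
    "dynamic execution": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "hidden window": re.compile(r"-w[a-z]*\s+hidden\b", re.I),
}


def load_text(raw):
    """Decode a pasted script or .reg export; regedit writes UTF-16 with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace").replace("\x00", "")


def decode_token(token):
    """Base64-decode one token; keep it only if the result is readable ASCII text."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:
        return None
    for encoding in ("utf-16-le", "utf-8"):  # -EncodedCommand payloads are UTF-16LE
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        readable = sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)
        if text and readable / len(text) > 0.95:
            return text
    return None


def decode_layers(text, depth=3):
    """Return each Base64 layer hidden in `text`, outermost first."""
    layers = []
    if depth:
        for token in B64_TOKEN.findall(text):
            decoded = decode_token(token)
            if decoded:
                layers += [decoded] + decode_layers(decoded, depth - 1)
    return layers


def autostart_values(reg_text):
    """Yield (key name, value name, data) for values under Run/RunOnce keys."""
    key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif AUTOSTART_KEY.search(key):
            m = REG_VALUE.match(line)
            if m:
                data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
                yield key.rsplit("\\", 1)[-1], m.group(1) or "(default)", data


def triage(raw):
    """Summarise what a downloaded 'fix' would do, without executing any of it."""
    text = load_text(raw)
    layers = decode_layers(text)
    autostarts = [(k, n) for k, n, d in autostart_values(text)
                  if re.search(r"powershell|pwsh", d, re.I)]
    hits = sorted(label for label, rx in INDICATORS.items()
                  if any(rx.search(t) for t in [text] + layers))
    return {"autostarts": autostarts, "decoded": layers, "indicators": hits}


# Constructed sample: a .reg export shaped like the article's description, harmless content.
INNER_SCRIPT = "Invoke-WebRequest -Uri https://example.invalid/constructed-sample"
SAMPLE_REG = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\r\n"
    '"WinFix"="powershell.exe -WindowStyle Hidden -EncodedCommand '
    + base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode() + '"\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    print(triage(SAMPLE_REG))
```

Any autostart entry or decoded layer in the output of a supposed Windows Update fix is reason enough to discard the file and report the site.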

Using either fake fix will result in the information-stealing malware launching after Windows is restarted. Once started, the malware will extract saved credentials, credit cards, cookies, and browsing history from your browser.

Vidar can also steal cryptocurrency wallets, text files, and Authy 2FA authenticator databases, as well as take screenshots of your desktop.

This data is compiled into an archive called a “log,” which is then uploaded to the attacker’s servers. The stolen data is then used to fuel other attacks, such as ransomware attacks, or sold to other threat actors on dark web marketplaces.

However, the infected user is now left with a nightmare, having all their accounts compromised and potentially suffering financial fraud.

While Windows errors can be annoying, it is crucial to download software and fixes only from trusted websites, not from random videos and websites with little or no reputation.

Your credentials have become a valuable commodity and threat actors are coming up with sneaky and creative methods to steal them, so unfortunately, everyone needs to stay vigilant against unusual attack methods.

As for the 0x80070643 errors, if you are unable to resize the WinRE partition, your best bet is to use Microsoft’s Show or Hide Tool to hide the KB5034441 update so that Windows Update no longer offers it on your system and not search on the Internet for a magic fix.

https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-malicious-powershell-scripts-as-windows-fixes/

CrowdStrike Falcon Go | Premier Antivirus Protection for Small Businesses

Tags: Fake IT support sites


Jun 28 2024

Your Phone’s 5G Connection Is Vulnerable to Bypass, DoS Attacks

Category: DDoS, Security vulnerabilities, Smart Phone | disc7 @ 9:33 am

https://www.darkreading.com/mobile-security/your-phone-s-5g-connection-is-exposed-to-bypass-dos-attacks

Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.

It’s a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.

Step 1: Set Up a Fake Base Station

When a device first attempts to connect with a mobile network base station, the two undergo an authentication and key agreement (AKA). The device sends a registration request, and the station replies with requests for authentication and security checks.

Though the station vets the phone, the phone does not initially vet the station. Its legitimacy is essentially accepted as a given.

“Base stations advertise their presence in a particular area by broadcasting ‘sib1’ messages every 20 milliseconds, or 40 milliseconds, and none of those broadcast messages have authentication, or any kind of security mechanisms,” explains Penn State assistant professor Syed Rafiul Hussain. “They’re just plaintext messages. So there’s no way that a phone or a device can check whether it’s coming from a fake tower.”

Setting up a fake tower isn’t as tall a task as it might seem. You just need to mimic a real one using a software-defined radio (SDR). As Kai Tu, another Penn State research assistant, points out, “People can purchase them online — they’re easy to get. Then you can get some open source software (OSS) to run on it, and this kind of setup can be used as a fake base station.” Expensive SDRs might cost tens of thousands of dollars, but cheap ones that get the job done are available for only a few hundred.

It might seem counterintuitive that a small contraption could seduce your phone away from an established commercial tower. But a targeted attack with a nearby SDR could provide even greater 5G signal strength than a tower servicing thousands of other people at the same time. “By their nature, devices try to connect to the best possible cell towers — that is, the ones providing the highest signal strength,” Hussain says.

Step 2: Exploit a Vulnerability

Like any security process, AKA can be exploited. In the 5G modem integrated in one popular brand of mobile processor, for example, the researchers found a mishandled security header that an attacker could use to bypass the AKA process entirely.

The processor in question is used in the majority of devices manufactured by two of the world’s biggest smartphone companies. Dark Reading has agreed to keep its name confidential.

After having attracted a targeted device, an attacker could use this AKA bypass to return a maliciously crafted “registration accept” message and initiate a connection. At this point the attacker becomes the victim’s Internet service provider, capable of seeing everything they do on the Web in unencrypted form. They can also engage the victim by, for example, sending a spear phishing SMS message, or redirecting them to malicious sites.

Though AKA bypass was the most severe, the researchers discovered other vulnerabilities that would allow them to determine a device’s location, and perform denial of service (DoS).

How to Secure 5G

The Penn State researchers have reported all the vulnerabilities they discovered to their respective mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, “If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?”

It’s unlikely that such an overhaul will happen any time soon, as 5G systems were knowingly built to transmit messages in plaintext for specific reasons.

“It’s a matter of incentives. Messages are sent in milliseconds, so if you incorporate some kind of cryptographic mechanism, it will increase the computational overhead for the cell tower and for the user device. Computational overhead is also associated with time, so performance-wise it will be a bit slower,” Hussain explains.

Perhaps the performance incentives outweigh security ones. But whether it be via a fake cell tower, Stingray device, or any other means, “They all exploit this feature — the lack of authentication of the initial broadcast messages from the cell towers.”

“This is the root of all evil,” Hussain adds.

Mastering 5G Network Design, Implementation, and Operations: A comprehensive guide to understanding, designing, deploying, and managing 5G networks

Tags: 5G Connection


Jun 27 2024

HACKING MICROSOFT MMC: DISCOVER THE GRIMRESOURCE EXPLOIT

Category: Hacking | disc7 @ 7:04 am

Elastic Security Labs has uncovered a novel technique, GrimResource, that leverages specially crafted Microsoft Management Console (MMC) files for initial access and evasion, posing a significant threat to cybersecurity.

In response to Microsoft’s decision to disable Office macros by default for internet-sourced documents, attackers have been forced to adapt, exploring new infection vectors like JavaScript, MSI files, LNK objects, and ISOs. These traditional methods are now heavily scrutinized by defenders, pushing well-resourced attackers to innovate further. A recent example includes North Korean actors using a novel command execution technique within MMC files.

Elastic researchers have identified GrimResource, a new infection technique that exploits MSC files, allowing attackers to execute arbitrary code in the context of mmc.exe when a user opens a specially crafted MSC file. The first sample leveraging GrimResource was uploaded to VirusTotal on June 6th.

Key Takeaways

  • GrimResource enables attackers to execute arbitrary code in Microsoft Management Console with minimal security warnings, making it ideal for initial access and evasion.
  • Elastic Security Labs provides analysis and detection guidance to help the community defend against this technique.

Detailed Analysis

INITIAL DISCOVERY

The GrimResource method was identified after a sample was uploaded to VirusTotal on June 6th, 2024. This sample demonstrated a novel way to achieve code execution by exploiting the MSC file format, commonly used in administrative tools within Windows.

TECHNICAL BREAKDOWN

Exploitation of apds.dll Vulnerability

The core of the GrimResource technique exploits an old cross-site scripting (XSS) flaw in the apds.dll library. By crafting an MSC file that includes a reference to this vulnerable library in the StringTable section, attackers can execute arbitrary JavaScript in the context of mmc.exe. This approach leverages the following steps:

  1. StringTable Manipulation: The MSC file is modified to include a reference to apds.dll.
  2. JavaScript Execution: The XSS flaw in apds.dll allows JavaScript execution within MMC, enabling further payload delivery.

Combination with DotNetToJScript

To execute arbitrary code, attackers combine the XSS exploit with the DotNetToJScript technique:

  1. Obfuscation Techniques: The initial sample uses the transformNode method for obfuscation, a technique also seen in recent macro-based attacks. This helps evade ActiveX security warnings.
  2. Embedded VBScript: The obfuscated script within the MSC file sets environment variables with the target payload.
  3. DotNetToJScript Execution: The script then uses DotNetToJScript to run an embedded .NET loader, named PASTALOADER, which retrieves the payload from the environment variables and executes it.

PASTALOADER Execution

PASTALOADER is designed to execute the payload in a stealthy manner:

  1. Payload Injection: PASTALOADER injects the payload into a new instance of dllhost.exe, a legitimate system process, to avoid detection.
  2. Stealth Techniques: The injection uses DirtyCLR, function unhooking, and indirect syscalls to minimize detection chances.

Final Payload: Cobalt Strike

In the identified sample, the final payload is the Cobalt Strike Beacon, a widely used post-exploitation tool. The injection into dllhost.exe is done carefully to avoid triggering security mechanisms.

DETECTION METHODS

Elastic Security Labs’ Detection Techniques

Elastic Security Labs has developed several detection methods to identify GrimResource activity:

  1. Suspicious Execution via Microsoft Common Console:
    • This detection looks for unusual processes spawned by mmc.exe, indicating potential malicious activity.
  2. .NET COM Object Created in Non-standard Windows Script Interpreter:
    • Detects memory allocations by .NET on behalf of Windows Script Host (WSH) engines, indicative of DotNetToJScript usage.
  3. Script Execution via MMC Console File:
    • Monitors file operations and process behaviors related to MSC file execution, particularly looking for the creation and use of apds.dll references.
  4. Windows Script Execution via MMC Console File:
    • Correlates the creation of temporary HTML files in the INetCache folder, a hallmark of the APDS XSS redirection.

Example EQL Rules

sequence by process.entity_id with maxspan=1m
  [process where event.action == "start" and process.executable : "?:\\Windows\\System32\\mmc.exe" and process.args : "*.msc"]
  [file where event.action == "open" and file.path : "?:\\Windows\\System32\\apds.dll"]

Detecting Temporary HTML Files:

sequence by process.entity_id with maxspan=1m
  [process where event.action == "start" and process.executable : "?:\\Windows\\System32\\mmc.exe" and process.args : "*.msc"]
  [file where event.action in ("creation", "overwrite") and process.executable : "?:\\Windows\\System32\\mmc.exe" and file.name : "redirect[?]" and file.path : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*\\redirect[?]"]
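To show what the first sequence rule above correlates, here is an added Python example (not Elastic's code and not part of the original article) that applies the same logic to a handful of constructed events. The event layout, the flattened field names and the `correlate` helper are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(minutes=1)  # mirrors "with maxspan=1m"

# Constructed endpoint events (not from a real host); fields are simplified.
EVENTS = [
    {"ts": "2024-06-06T10:00:00", "category": "process", "action": "start",
     "entity_id": "A1", "executable": r"C:\Windows\System32\mmc.exe",
     "args": ["mmc.exe", r"C:\Users\u\Downloads\report.msc"]},
    {"ts": "2024-06-06T10:00:04", "category": "file", "action": "open",
     "entity_id": "A1", "path": r"C:\Windows\System32\apds.dll"},
    {"ts": "2024-06-06T11:00:00", "category": "process", "action": "start",
     "entity_id": "B2", "executable": r"C:\Windows\System32\mmc.exe",
     "args": ["mmc.exe", r"C:\Windows\System32\services.msc"]},
    {"ts": "2024-06-06T11:05:00", "category": "file", "action": "open",
     "entity_id": "B2", "path": r"C:\Windows\System32\apds.dll"},
]

def wild(value, pattern):
    """Case-insensitive wildcard match, approximating EQL's ':' operator."""
    return fnmatchcase(value.lower(), pattern.lower())

def is_mmc_msc_start(e):
    return (e["category"] == "process" and e["action"] == "start"
            and wild(e["executable"], r"?:\Windows\System32\mmc.exe")
            and any(wild(a, "*.msc") for a in e["args"]))

def is_apds_open(e):
    return (e["category"] == "file" and e["action"] == "open"
            and wild(e["path"], r"?:\Windows\System32\apds.dll"))

def correlate(events):
    """Return entity_ids where mmc.exe opens apds.dll within MAXSPAN of starting on a .msc."""
    pending, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        now = datetime.fromisoformat(e["ts"])
        if is_mmc_msc_start(e):
            pending[e["entity_id"]] = now
        elif is_apds_open(e):
            started = pending.get(e["entity_id"])
            if started is not None and now - started <= MAXSPAN:
                alerts.append(e["entity_id"])
                del pending[e["entity_id"]]
    return alerts

if __name__ == "__main__":
    print("alerting process entities:", correlate(EVENTS))
```

Process B2 does not alert because its apds.dll open falls outside the one-minute span, which is the behaviour `maxspan` gives the EQL sequence.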

Forensic Artifacts

The technique leaves several forensic artifacts, including:

  • MSC File Manipulations: Unusual references in StringTable sections.
  • Temporary Files: HTML files in the INetCache directory named “redirect[?]”.
  • Process Anomalies: Unexpected process creation and memory allocations by mmc.exe and dllhost.exe.
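The first artifact above, an unusual reference in the StringTable section, can be checked statically before a file is ever opened. The following is an added triage example, not code from Elastic or the original article; the element names (`StringTable`, `String`, the `ID` attribute) are assumed from the usual MMC console file layout, and the sample document is constructed with a placeholder value rather than a real payload.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal MSC-like document (assumed layout).
# The flagged entry is a placeholder string, not a working reference.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Favorites</String>
        <String ID="8" Refs="2">PLACEHOLDER://APDS.DLL/placeholder-resource</String>
        <String ID="9" Refs="1">Console Root</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Case-insensitive, because Windows module names are not case-sensitive.
APDS_REF = re.compile(r"apds\.dll", re.IGNORECASE)

def find_apds_references(msc_text):
    """Return (string_id, value) pairs for StringTable entries naming apds.dll.

    If the file is not well-formed XML, fall back to a raw text scan so a
    malformed file is still flagged; string_id is None in that case.
    """
    try:
        root = ET.fromstring(msc_text)
    except ET.ParseError:
        return [(None, m.group(0)) for m in APDS_REF.finditer(msc_text)]
    hits = []
    for table in root.iter("StringTable"):
        for entry in table.iter("String"):
            value = (entry.text or "").strip()
            if APDS_REF.search(value):
                hits.append((entry.get("ID"), value))
    return hits

if __name__ == "__main__":
    for string_id, value in find_apds_references(SAMPLE_MSC):
        print(f"suspicious StringTable entry ID={string_id}: {value}")
```

A hit is a reason to quarantine and inspect the file, since legitimate console files have no need to name apds.dll in their string table.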

Attackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files. Elastic’s defense-in-depth approach has proven effective against this novel threat. Defenders should implement the provided detection guidance to protect themselves and their customers from GrimResource before it proliferates among commodity threat groups.

Windows Security Internals: A Deep Dive into Windows Authentication, Authorization, and Auditing


Tags: GRIMRESOURCE EXPLOIT, MICROSOFT MMC


Jun 19 2024

Pentesting Azure Applications

Category: Pen Test | disc7 @ 5:54 pm

🔵 Important reminder for Azure users! When utilizing Azure cloud for your application, don’t overlook key testing areas such as user access, data protection, secure deployment, and other critical functions…

Top 10 threats to Azure applications

When deploying and managing applications on Microsoft Azure, it is essential to be aware of various security threats that could compromise the integrity, availability, and confidentiality of your services. Here are the top 10 threats to Azure applications:

  1. Misconfiguration of Security Settings:
    • Misconfigured security settings in Azure resources such as Storage Accounts, Virtual Networks, and Azure Active Directory can lead to unauthorized access and data breaches.
  2. Insecure APIs and Endpoints:
    • APIs and endpoints that are not properly secured can be exploited by attackers to gain unauthorized access or manipulate data.
  3. Insufficient Identity and Access Management (IAM):
    • Weak IAM policies can result in inadequate permission controls, allowing unauthorized users or applications to access sensitive resources.
  4. Data Breaches and Data Leakage:
    • Data stored in Azure services, if not properly encrypted and secured, can be susceptible to breaches and leakage.
  5. Denial of Service (DoS) Attacks:
    • Azure applications can be targeted by DoS attacks, which aim to overwhelm the application with traffic, making it unavailable to legitimate users.
  6. Vulnerable Virtual Machines and Containers:
    • Unpatched or poorly configured VMs and containers can be exploited by attackers to gain access to the underlying infrastructure.
  7. Insufficient Logging and Monitoring:
    • Lack of comprehensive logging and monitoring can prevent detection of security incidents and hinder incident response efforts.
  8. Weak Network Security:
    • Inadequate network security measures such as poorly configured Network Security Groups (NSGs) and lack of Virtual Network (VNet) isolation can expose Azure resources to external threats.
  9. Phishing and Social Engineering Attacks:
    • Azure accounts and services can be compromised through phishing and social engineering attacks, leading to unauthorized access.
  10. Vulnerabilities in Third-Party Dependencies:
    • Applications often rely on third-party libraries and services, which may have vulnerabilities that could be exploited by attackers if not properly managed and updated.

Mitigation Strategies

To mitigate these threats, organizations should implement a comprehensive security strategy that includes:

  • Regular Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and fix vulnerabilities.
  • Secure Configuration Management: Utilize Azure Security Center and Azure Policy to enforce security best practices and compliance.
  • Robust Identity and Access Management: Implement multi-factor authentication (MFA), role-based access control (RBAC), and conditional access policies.
  • Data Protection: Encrypt data at rest and in transit using Azure Key Vault and other encryption services.
  • Network Security: Use Azure Firewall, NSGs, and VNets to segment and secure network traffic.
  • Threat Detection and Response: Enable Azure Monitor, Azure Sentinel, and other logging and monitoring tools to detect and respond to security incidents.
  • Secure Development Practices: Follow secure coding practices and regularly update third-party dependencies to mitigate known vulnerabilities.
  • User Training and Awareness: Conduct regular training sessions to educate users about phishing and social engineering threats.

By being proactive and implementing these strategies, organizations can significantly reduce the risk of security threats to their Azure applications.

Ensuring thorough testing is vital for a secure, seamless experience 🔴

The Definitive Guide to Testing and Securing Deployments…

Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments

Building and Automating Penetration Testing Labs in the Cloud: Set up cost-effective hacking environments for learning cloud security on AWS, Azure, and GCP


Tags: Azure Applications

