May 14 2024

Free & Downloadable Access Control Policy Template

Category: Access Control,Information Securitydisc7 @ 7:18 am
https://heimdalsecurity.com/blog/access-control-policy-template/

Ensuring the security of your organization’s information systems is crucial in today’s digital landscape.

Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.

Download the templates

  1. Access Control Policy Template – PDF
  2. Access Control Policy Template – Word
  3. Access Control Policy Template – Google Docs.

What does the Access Control Policy template include?

Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organization’s information systems.

Here are some of the key components included in the template:

  • Document Control;
  • Purpose and Scope;
  • Policy Statement;
  • Roles & Responsibilities;
  • Access Control Principles;
  • Access Control Measures;
  • Access Control Technologies;
  • Monitoring and Auditing;
  • Incident Management;
  • Policy Compliance;
  • Policy Review.

Benefits of using our Access Control Policy template

Implementing an effective access control policy offers several key benefits:

  • Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
  • Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
  • Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
  • Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.

To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download them. The download will start automatically.

You can then customize the template to fit the specific needs and context of your organization.

By doing so, you’ll be taking a significant step towards securing your information systems and safeguarding your valuable data.

Feel free to check out our other cybersecurity templates, such as patch management templatesincident response plan templatesemail security policy templatesthreat and vulnerability management templates, and more.

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.

RELATED ARTICLES

Free and Downloadable Account Management Policy Template [2024]

Free and Downloadable Email Security Policy Template [2024]

[Free & Downloadable] Cybersecurity Incident Response Plan Templates – 2024

[Free & Downloadable] Cybersecurity Risk Assessment Templates – 2024[Free & Downloadable] Threat & Vulnerability Management Templates – 2024

[Free & Downloadable] Patch Management Templates – 2024

Privacy Policy Template

Employee policy handbook template

The Complete Company Policies

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot


May 07 2024

Hackers Use Custom Backdoor & Powershell Scripts To Attack Windows Machines

Category: Information Securitydisc7 @ 7:45 am

The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively utilizing custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.

These backdoors are primarily delivered through spear-phishing campaigns, marking a significant escalation in the capabilities and focus of this Iranian state-sponsored hacking group.

Sophisticated Tools For Stealthy Operations

The NiceCurl and TameCat backdoors represent a sophisticated toolkit in Damselfly’s arsenal, enabling threat actors to gain initial access to targeted environments discreetly.

NiceCurl, a VBScript-based malware, is designed to download and execute additional malicious modules, enhancing the attackers’ control over compromised systems.

On the other hand, the TameCat backdoor facilitates the execution of PowerShell and C# scripts, allowing for further exploitation by downloading additional arbitrary content.

These tools are part of a broader strategy employed by Damselfly to conduct espionage and potentially disrupt operations at targeted facilities.

According to Broadcom report, the group’s activities have been primarily directed at energy companies and other critical infrastructure sectors across the U.S., Europe, and the Middle East.

The sophistication of their methods and the critical nature of their targets underscore the high level of threat they pose.

These include adaptive, behavior, file, and network-based detection mechanisms, ensuring robust defense against Damselfly’s tactics.

The security firm’s efforts are crucial in mitigating the risks posed by such state-sponsored cyber activities, characterized by their complexity and stealth.

The operations of the Damselfly group highlight the ongoing challenges in cybersecurity, where state-sponsored actors employ advanced techniques and malware to achieve their objectives.

Using custom backdoors like NiceCurl and TameCat, coupled with spear-phishing campaigns, enables these actors to maintain persistence in their target networks and carry out their missions with a high degree of secrecy and efficiency.

Ethical Hacking Module 6 – Trojans and Backdoors

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot


May 03 2024

What is Smishing?

Category: Information Security,Phishingdisc7 @ 10:21 am
https://www.sans.org/blog/a-tale-of-the-three-ishings-part-02-what-is-smishing/?

What is Smishing and Why?

Smishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks their victim into doing something they should not do, such as giving money, their password, or access to their computer. Cyber attackers have learned the easiest way to get something is just ask for it. This concept is not new, con artists and scammers have existed for thousands of years, it’s just that the Internet makes it very simple for any cyber attacker to pretend to be anyone they want and target anyone they want.

Phishing is one of the most common forms of social engineering as it’s one of the simplest and most effective and an attack method we are all familiar with. However, both organizations and individuals are becoming not only far more aware of how phishing attacks work, but much better at spotting and stopping them. Phishing is still an effective attack method, but it is getting harder and harder for cyber criminals to be effective with phishing. This is where smishing comes in.

Smishing vs Phishing

Smishing is very similar to phishing, but instead of sending emails trying to trick people, cyber attackers send text messages. The term smishing is a combination of the words SMS messaging and phishing. You may have noticed a rise in random text messages that are trying to get you to click on links or respond to text messages. That’s smishing.

Why the Increase in Smishing Attacks?

  1. It is harder for organizations to secure mobile devices. Security teams often have neither the visibility nor control of employees’ mobile devices like they do for workstations. This means it’s harder to both secure and monitor mobile devices.
  2. There are far fewer security controls that effectively identify and filter smishing attacks. This means when a cyber attacker sends a smishing text message to victims, that message is far more likely to make it and not be filtered.
  3. A text message tends to be much shorter than an email, there is far less context or information, making it harder to determine if the message is legitimate or not. In other words, people are more likely to fall victim.
  4. Texting tends to be far more informal than email, as such people tend to trust and act on text messages more. In other words, people are more likely to fall victim.

The Smishing Attacks

So, what type of text messaging attacks are there? While these attacks are always evolving, some of the most common are detailed below.

Links

The text message entices you to click on a link, often through a sense of urgency, something too good to be true, or simple curiosity. Once you click on the link, the goal is usually to harvest your personal information (by getting you to fill out a survey) or your login and password (to your bank or email account, for example). Notice how, in the link in the message below, the cyber attacker uses HTTPS, an encrypted connection to make the link look more legitimate.

Scams

In these attacks, the cyber attacker will attempt to start a conversation with you, build trust, and ultimately scam you. Romance scams are one common example where cyber criminals randomly text millions of people to find those who are lonely or emotionally vulnerable, build a pretend romance, and then take advantage of them.

Call-Back

Like some phishing emails, the text message has a phone number in it and is urging the victim to call. Once the victim calls the phone number they are then scammed.

What to Do About Smishing Attacks?

While many security training programs focus on phishing, we far too often neglect text based smishing attacks. In fact, this can create a situation where your workforce is highly aware of phishing attacks but may mistakenly think that cyber attackers only use email for attacks. From a training perspective, we recommend you teach people that cyber attackers can use a variety of different methods to trick people, to include both email phishing and text based smishing. For smishing, we do not recommend that you try to teach people about every different type of attack possible. Not only will this likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, like in phishing training, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. Of note, the indicators below are the same indicators of an email phishing attack.

  • Urgency: Any message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail.
  • Pressure: Any message that pressures an employee to ignore or bypass company policies and procedures. Gift card scams are often started with a simple text message.
  • Curiosity: Any message that generates a tremendous amount of curiosity or is too good to be true such as notice of an undelivered UPS package or receiving an Amazon refund.
  • Sensitive: Any message that requests (or requires) highly sensitive information such as your password or unique codes.
  • Tone: Any message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone is wrong.

Smishing Minefield: Defusing Text Message Threats

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Smishing


Apr 08 2024

Implement Network Segmentation and Encryption in Cloud Environments

Explore Cloud Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: cloud security, encryption, Network segmentation


Apr 03 2024

ISO27k bot

Category: AI,Information Securitydisc7 @ 2:03 pm
Hey 👏 I’m the digital assistance of DISCInfoSec for ISO 27k implementation. I will try to answer your question. If I don’t know the answer, I will connect you with one my support agents. Please type your query regarding ISO 27001 implementation 👇

ISO 27k Chat bot

Tags: Chat bot, ISO 27k bot


Mar 29 2024

Compromised SaaS Supply Chain Apps: 97% Of Organizations At Risk Of Cyber Attacks

Category: Cloud computing,Cyber Attack,Information Securitydisc7 @ 7:55 am

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth.

However, this shift towards a more interconnected digital ecosystem has not come without its risks.

According to the “2024 State of SaaS Security Report” by Wing Security, a staggering 97% of organizations faced exposure to attacks through compromised SaaS supply chain applications in 2023, highlighting a critical vulnerability in the digital infrastructure of modern businesses.

The report, which analyzed data from 493 companies in the fourth quarter of 2023, illuminates the multifaceted nature of SaaS security threats.

From supply chain attacks taking center stage to the alarming trend of exploiting exposed credentials, the findings underscore the urgent need for robust security measures.

Supply Chain Attacks: A Domino Effect

Supply chain attacks have emerged as a significant threat, with 96.7% of organizations using at least one app that had a security incident in the past year.

The MOVEit breach, which directly and indirectly impacted over 2,500 organizations, and North Korean actors’ targeted attack on JumpCloud’s clients are stark reminders of the cascading effects a single vulnerability can have across the supply chain.

The simplicity of credential stuffing attacks and the widespread issue of unsecured credentials continue to pose a significant risk.

The report highlights several high-profile incidents, including breaches affecting Norton LifeLock and PayPal customers, where attackers exploited stolen credentials to gain unauthorized access to sensitive information.

MFA Bypassing And Token Theft

Despite adopting Multi-Factor Authentication (MFA) as a security measure, attackers have found ways to bypass these defenses, targeting high-ranking executives in sophisticated phishing campaigns.

Additionally, the report points to a concerning trend of token theft, with many unused tokens creating unnecessary risk exposure for many organizations.

Looking Ahead: SaaS Threat Forecast For 2024

As we move into 2024, the SaaS threat landscape is expected to evolve, with AI posing a new threat.

The report identifies two primary risks associated with AI in the SaaS domain: the vast volume of AI models in SaaS applications and the potential for data mismanagement.

Furthermore, the persistence of credential-based attacks and the rise of interconnected threats across different domains underscore the need for a holistic cybersecurity approach.

Practical Tips For Enhancing SaaS Security

The report offers eight practical tips for organizations to combat these growing threats, including discovering and managing the risk of third-party applications, leveraging threat intelligence, and enforcing MFA.

Additionally, regaining control of the AI-SaaS landscape and establishing an effective offboarding procedure are crucial steps in bolstering an organization’s SaaS security.

The “2024 State of SaaS Security Report” by Wing Security serves as a wake-up call for businesses to reassess their SaaS security strategies.

With 97% of organizations exposed to attacks via compromised SaaS supply chain apps, the need for vigilance and proactive security measures has never been more critical.

As the digital landscape continues to evolve, so must our approaches to protect it.

Mitigating Supply Chain Attacks in the Digital Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: supply chain attacks


Mar 26 2024

Eliminating SQL Injection Vulnerabilities in Software

Category: Data Breach,data security,Information Securitydisc7 @ 8:37 am

Eliminating SQL Injection Vulnerabilities in Software

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SQL Injection Vulnerabilities


Mar 22 2024

Python for Cybersecurity

Category: Information Security,Pythondisc7 @ 9:08 am

Are you interested in cybersecurity?

Interested in discovering how Python can bolster your abilities in safeguarding digital assets? Delve into the potential of Python for cybersecurity.

In the current digital era, cybersecurity holds greater significance than ever before. Python, renowned for its versatility and resilience, has emerged as a fundamental tool for cybersecurity professionals globally.

🔹 How Python can streamline threat detection and analysis.
🔹 Practical examples of Python scripts for automating security tasks.
🔹 Resources and tools to kickstart your journey into Python for cybersecurity.

Regardless of whether you’re an experienced cybersecurity professional or new to the field, Python has the potential to transform your approach to security challenges.

Python for Cybersecurity Cookbook: 80+ practical recipes for detecting, defending, and responding to Cyber threats

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Python for Cybersecurity


Mar 21 2024

ChatGPT for Offensive Security

Category: ChatGPT,Information Securitydisc7 @ 7:42 am

ChatGPT for Cybersecurity 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Mar 10 2024

ISO 27001 standards and training

Category: Information Security,ISO 27kdisc7 @ 9:29 pm

There’s more to cyber security than just ISO 27001. Protect your business with the full family of ISO standards.

Protect your organisation from cyber crime with ISO 27001 Training – Instructor-led live online, self-paced online and classroom.

Equip your staff to identify and address cyber security and privacy risks.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: iso 27001, ISO 27001 training


Feb 28 2024

Industrial Cyber Espionage France’s Top Threat Ahead of 2024 Paris Olympics

https://www.infosecurity-magazine.com/news/cyber-espionage-france-2024/

France’s National Cybersecurity Agency (ANSSI) observed a significant rise in cyber espionage campaigns targeting strategic organizations in 2023.

These operations are increasingly focused on individuals and non-governmental structures that create, host or transmit sensitive data, ANSSI observed in its 2023 Cyber Threat Landscape report, published on February 27, 2024.

Besides public administration, the primary targets of cyber espionage activity included organizations associated with the French government, such as technology and defense contractors, research institutes and think tanks.

Overall, cyber espionage remained the top cyber threat ANSSI’s teams dealt with in 2023.

ANSSI has also noted an increase in attacks against business and personal mobile phones aimed at targeted individuals.

There has also been an upsurge in attacks that have used methods publicly associated with the Russian government.

“These attacks are not limited to mainland French territory: in 2023, ANSSI dealt with the compromise of an IT network located in a French overseas territory using an attack modus operandi publicly associated with China,” reads the report.

30% Rise in Ransomware

Meanwhile, financially motivated attacks were also on the rise, with an observed 30% increase in ransomware attacks compared to 2022.

Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI
Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI

Small and medium enterprises (SMEs) and mid-sized businesses were the most targeted organizations, representing 34% of all cyber-attacks observed by ANSSI in 2023. Local administration came second, suffering 24% of all attacks in 2023.

In total in 2023, ANSSI recorded 3703 cyber events, 1112 of which were labeled as cyber incidents. In 2022, it recorded 3018 cyber events, including 832 cyber incidents.

The latest version of the LockBit ransomware, LockBit 3.0 (aka LockBit Black), was the most used malware in financially motivated cyber-attacks in 2023, taking over previous ransomware versions from the same threat group that dominated the ransomware landscape in 2022.

Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI
Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI

Read more: LockBit Takedown – What You Need to Know about Operation Cronos

Software Supply Chain Vulnerabilities Rule Supreme

Overall, 2023 has seen significant changes in the structure and methods of attackers. They are perfecting their techniques in order to avoid being detected, tracked, or even identified.

“Despite efforts to improve security in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting ‘zero-day’ vulnerabilities remains a prime entry point for attackers, who all too often still take advantage of poor administration practices, delays in applying patches and the absence of encryption mechanisms,” reads the report, translated from French to English by Infosecurity.

The top five vulnerabilities exploited by threat actors to compromise French organizations’ IT systems in 2023 include flaws in VMWare, Cisco, Citrix, Atlassian and Progress Software products.

These include the Citrix Bleed and the MOVEit vulnerabilities.

Read more: MOVEit Exploitation Fallout Drives Record Ransomware Attacks

Pre-Positioning Activities on ANSSI’s Radar for 2024

Finally, in a tense geopolitical context, ANSSI noted new destabilization operations aimed mainly at promoting a political discourse, hindering access to online content or damaging an organization’s image.

“While distributed denial of service (DDoS) attacks by pro-Russian hacktivists, often with limited impact, were the most common, pre-positioning activities targeting several critical infrastructures in Europe, North America and Asia were also detected.

“These more discreet activities may nevertheless be aimed at larger-scale operations carried out by state actors waiting for the right moment to act,” the report explained.

Vincent Strubel, ANSSI’s director general, commented: “While financially motivated attacks and destabilization operations saw a clear upturn in 2023, it was once again the less noisy threat, which remains the most worrying, that of strategic and industrial espionage and pre-positioning for sabotage purposes, which mobilised the ANSSI teams the most.”

These geopolitically driven threats will particularly be on ANSSI’s radar in 2024, as Paris is prepares to host the 2024 Olympic and Paralympic Games.

Spy in your Pocket….

An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime

Tags: 2024 Paris Olympics, Pegasus, Spy in Your Pocket


Feb 13 2024

New Azure Hacking Campaign Steals Senior Executive Accounts

Category: Hacking,Information Securitydisc7 @ 7:25 am

An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.

Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.

Some documents that have been weaponized have embedded links to “View document,” which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commit financial fraud.

Attackers Targeting Wide Range Of Individuals

Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,” Proofpoint researchers shared with Cyber Security News.

“Individuals holding executive positions such as “Vice President, Operations,” “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted.”

Threat actors have a realistic approach, as seen by the variety of positions they have targeted, intending to compromise accounts that have varying degrees of access to important resources and responsibilities across organizational activities. 

In this campaign, researchers observed the usage of a particular Linux user agent that attackers employed during the attack chain’s access phase.

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 

The ‘OfficeHome’ sign-in application is primarily accessed by attackers using this user-agent, along with other native Microsoft365 apps, like:

  • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications) 
  • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation) 
  • ‘My Signins’ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog) 
  • ‘My Apps’ 
  • ‘My Profile’

Attackers use their own MFA techniques to keep accessing systems permanently. Attackers choose various authentication techniques, such as registering additional phone numbers to authenticate via SMS or phone calls.

MFA manipulation events executed by attackers in a compromised cloud tenant
MFA manipulation events executed by attackers in a compromised cloud tenant

Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.

Mailbox access is also used to target individual user accounts with phishing threats and migrate laterally across compromised organizations.

Internal emails are sent to the impacted companies’ finance and human resources departments to commit financial fraud.

Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.

Obfuscation mailbox rules created by attackers following successful account takeover
Obfuscation mailbox rules created by attackers following successful account takeover

“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,” researchers said.

Thus, in your cloud environment, be aware of account takeover (ATO) and possible illegal access to key resources. Security solutions must offer precise and prompt identification of both initial account compromise and post-compromise actions, together with insight into services and applications that have been misused.

Hacking Executive Leadership

A Leader’s Guide to Cybersecurity: Why Boards Need to Lead–and How to Do It

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Azure Hacking


Feb 09 2024

Key strategies for ISO 27001:2022 compliance adoption

Category: Information Security,ISO 27kdisc7 @ 1:18 pm

In this Help Net Security interview, Robin Long, founder of Kiowa Security, shares insights on how best to approach the implementation of the ISO/IEC 27001 information security standard.

Long advises organizations to establish a detailed project roadmap and to book certification audits at an early stage. He also recommends selecting an internal team that includes a leader with the ISO 27001 Lead Implementer qualification and suggests that in some cases, the best approach to the standard may be to start by prioritizing a limited number of “security wins” before embarking on full implementation.

A few general points about ISO 27001, before getting onto the questions:

1. The documentation behind ISO/IEC 27001:2022 (“ISO 27001”) is broken into two main parts: ISO/IEC 27001 itself, which contains the primary guidance, and a ‘guidance document’ called ISO/IEC 27002, which lists suggested information security controls that may be determined and implemented based on the risk analysis that is carried out according to the requirements of the primary document.

ISO 27001 is also supported by the other standards ISO/IEC 27000:2018 (IT security techniques) and ISO/IEC 27005:2022 (Information security, cybersecurity, and privacy protection), among others.

All these are developed and maintained by the International Organization for Standardization (ISO), which is based in Geneva, Switzerland.

2. Although there are a number of things that you are obliged to do if you’re seeking certified conformity to the standard, it is actually quite flexible about the details. Even the “requirements” – the obligatory clauses in the 27001 document – generally allow a fairly broad range of interpretation. This makes sense when you think that ISO 27001 has been developed as a one-size-fits-all system for all types and sizes of organization that handle sensitive information.

When you look at it like that, it immediately becomes less intimidating.

3. If you decide to go ahead and implement ISO 27001, it’s highly recommended to put together a detailed road map that defines targets of what should be achieved by what date in the timeline of the project (Gantt charts are good for this – look them up!). This helps to keep the project under control and reduces the risk of time and budget overrun. Breaking the project up into weekly components also makes it less daunting.

4. You’ll also need to define a (small) group of people to carry out, maintain and be accountable for implementation of the standard. You might call this the ‘ISMS Team’ (where ISMS means Information Security Management System, another way to describe ISO 27001). This team should ideally incorporate expertise and experience in IT, business development and data protection, and have a channel to senior management.

How do you recommend organizations approach understanding and implementing ISO 27001’s wide range of controls and requirements, especially those new to information security management?

As a consultant myself, I’m aware of the conflict of interest, but I have to say that I do think it makes sense to hire external advice for assistance with implementation of ISO 27001, for internal audit, and interaction with certification auditors.

One of the main responsibilities of such an advisor is to assist with understanding of the standard and information security management generally, at both high and low levels. The range of ISO27002 controls – for example – is wide indeed, but a competent consultant will break them down into manageable portions that are taken on one by one, in a carefully planned order.

Whether or not you decide to hire a consultant, it’s a pretty good idea also to send the leader of the ISMS Team on an ISO2 7001 Lead Implementer (LI) course. These courses typically run for about three days, and they are helpful. Note that ISO 27001 requires the organisation to provide evidence of the competence of key participants in the project, and the LI qualification for a team member indicates a reasonable degree of knowledge and commitment regarding the standard.

Of course, there are also a number of helpful online resources including the ISO27k Forum.

Implementing ISO 27001 can be resource-intensive. What advice do you have for organizations, particularly SMEs, in effectively allocating resources and budget for ISO 27001 implementation?

It’s true that implementation of ISO 27001 necessarily consumes resources, in terms of money and other assets – particularly people’s time. The critical question is whether the resource cost is offset by perceived gains, and this is largely about efficiency of allocation. Among other methods that we can use to attempt to optimise this are:

1. Use of a roadmap – as mentioned above – that takes the organisation all the way through to the two-stage certification audit process at a granular (weekly) level.

2. Early selection of the certification auditor and agreement of tentative dates for the certification audits. The benefits of doing this include the psychological one of getting an end date in the diary to help define the project roadmap. The cost of certification audits is also an important part of the overall budget, and the certification body will provide quotes for these at this stage.

Note that along with the two initial certification audits, there are a couple of (roughly annual) surveillance audits and a recertification audit after three years. These audits all cost money, of course, and require budgeting.

3. Watching out for some of the less obvious costs, including the potential charges associated with:

  • Legal work on modifications/additions to employment contracts, NDAs etc.
  • Pen testing/vulnerability scanning if necessary
  • Software that you choose to install e.g., anti-malware, IDS, etc.
What strategies can be employed to convince top management of the necessity and benefits of ISO 27001 compliance?

Consultancy companies love to answer this question – on their websites – with a list of bullet points.

However, I can tell you that in nearly all cases there is just a single key factor at play, and it is a commercial one: Potential important clients or partners have been identified that require certification to the standard. Organisations that operate in sensitive sectors (finance, critical infrastructure, healthcare…) have already learned this or are in the process of learning it, and don’t need to be told about it. If they don’t know, then by all means tell them!

Other reasons that I consider completely valid and credible include:

  • Perceived improvement in the level of an organisation’s information security provides assurance to other stakeholders apart from clients – investors, senior management, regulators, suppliers and so on – regarding information security risks to the organisation.
  • Implementation of ISO 27001 can help smaller companies with their expansion. For example, it can help with the development of sound HR policies, with procedures around business continuity, disaster recovery and change management, and several other areas.
  • Note that ISO 27001 isn’t by any means just about personal data but is also concerned with other types of sensitive information, in particular intellectual property or “IP” (including trade secrets and source code). For many tech start-ups, these are the main assets of the business, and need to be well protected.
Risk management and performance evaluation are critical yet challenging aspects of ISO 27001. How should organizations approach these elements to ensure an effective Information Security Management System (ISMS)?

These are indeed arguably the core areas of ISO 27001. Among the critical things to remember regarding risk assessments are:

  • You should really at least try to come up with all the possible information security risks (internal and external) that are or might be faced by your organisation. This is best done by brainstorming in a group based around the ISMS Team.

ISO 27001 fundamentally breaks down to: “What information security risks do we face? How should we best manage them?”

  • Just as the chicken may come before the egg, note that what should happen in this case is that you identify the risks first and then select the controls that help to manage those risks.

You definitely don’t have to apply all of the controls, and nearly all organisations treat some, validly, as non-applicable in their Statement of Applicability. For example, businesses where all employees work remotely simply don’t have the full range of risks that can benefit from mitigation by the physical controls.

When it comes to performance evaluation, it’s largely a case of working through the relevant clauses and controls and agreeing how good a job the organisation is doing trying to meet the associated requirements. The ones that are selected for monitoring, measurement and evaluation will depend on the type and size of the organisation and its business objectives. These are basically key performance indicators (KPIs) for information security and might include supplier evaluations and documented events, incidents, and vulnerabilities.

Specifically for cloud solutions like Microsoft 365, what unique challenges do organizations face in implementing ISO 27001, and how can they be addressed?

The switch towards remote working and use of cloud resources has been quite disruptive for ISO 27001. The 2022 version has been somewhat adapted (via modifications to the controls) to reflect the change in working conditions. However, it still gives a lot of attention to traditional physical places of work, networks, and pre-SaaS style suppliers.

The big switch away from locally downloaded software to cloud services means that we need to take advantage of the flexibility of ISO 27001 to interpret the 27002 controls in a corresponding way, for example:

  • Thinking less about networks and more about secure configuration of cloud resources.
  • Focusing on aspects of the ‘supplier relationships’ controls that are relevant to SaaS suppliers.
  • Remembering that if cloud resources are very important for handling and storage of sensitive data in your business, then the new control 5.23 (Information security for use of cloud services) is correspondingly important for your business and must be tackled carefully and rigorously. It almost definitely applies to you – and there’s a lot there.
  • Note that business continuity/disaster recovery for an organisation with employees that work remotely using cloud services becomes largely a question of how the relevant cloud provider(s) manage backups, redundancy of storage/compute etc.
ISO 27001 requires a commitment to continuous improvement. How should organizations approach this, particularly regarding incident management and response?

This is an enigmatic section of clause 10 (Improvement) that organisations tend to struggle with (the second part is about dealing with non-conformities and is much clearer regarding what needs to be done).

It seems to me that the best approach is to raise the question of ‘how can we make the ISMS better?’ at the periodic ISMS management meetings, come up with some examples whereby this may be achieved and then provide any observed progress in the right direction. That means that by the time of the first follow-up (surveillance) audit you should be able to present a list of several potential improvements along with how they are being achieved.

I’d like to finish up by mentioning that nothing stops your organisation implementing ISO 27001 without getting the certification, or even doing a partial implementation. Many businesses like the concept of ISO 27001 but aren’t quite ready to commit fully. In that case, I highly recommend the following implementation model:

1. Decide which areas of information security are priorities for your organisation in terms of incremental increase in security, resources (money, time, personnel) required and ease of implementation. You can call these your ‘lowest-hanging security fruit’ if you must. Possible examples include access control, HR security or endpoint security.
2. Work through these one by one according to the relevant 27002 controls.
3. Once you have the highest priority areas covered off, start working on lower levels of priority.
4. After a few months of this, you may feel that ISO 27001 isn’t quite so formidable, and that you are ready to tackle it. Go for it!

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ISO 27001 2022, ISO 27001 compliance


Feb 06 2024

20 free cybersecurity tools you should know about

Category: Information Security,Security Toolsdisc7 @ 10:36 am

https://www.techtarget.com/whatis/feature/17-free-cybersecurity-tools-you-should-know-about

Cybersecurity products can get pricy but there are many excellent open source tools to help secure your systems and data. Here’s a list of some of the most popular with cyber pros.

Cybersecurity tools aren’t just for the enterprise anymore; they’re essential for every type and size of organization.

Some tools specialize in antivirus, while others focus on spear phishing, network security or scripting. Even the best cybersecurity products can only do a few things very well, and there is no room for error.

Effective products, coupled with in-depth cybersecurity planning, are a must for all. Whether businesses have an in-house security team or outsource these services, every entity needs cybersecurity pros to discover and fix any points of weakness in computer systems. This reality can tax the bottom line, but luckily there are many free cybersecurity tools available.

Here is a rundown of some of the top free tools cybersecurity professionals use every day to identify vulnerabilities.

1. Aircrack-ng

Aircrack-ng is a must-have suite of wireless security tools that focus on different aspects of Wi-Fi security. Aircrack-ng focuses on monitoring, attack testing and cracking your Wi-Fi network. This package of tools can capture, analyze and export packet data, spoof access points or routers and crack complex Wi-Fi passwords. The Aircrack-ng suite of programs includes Airdecap-ng, which decrypts WEP or WPA-encrypted capture files; Airodump-ng, a packet sniffer; Airtun-ng, a virtual tunnel interface creator; and Packetforge-ng, which creates encrypted packets for injection. All of it is free and open source.

2. Burp Suite

Burp is a suite of tools specifically focused on debugging and testing web app security. Burp Suite includes a spider for crawling web app content, a randomness tool for testing session tokens and a sophisticated request repeater to resend manipulated requests. The real power of Burp Suite, however, is the intercepting proxy tool, which enables Burp to intercept, inspect, modify and send traffic from the browser to a target. This powerful feature makes it possible to creatively analyze a web app’s attack vectors from all angles — a key reason it’s often ranked as one of the best free cybersecurity tools. The community version of Burp Suite is free, but there is also a paid Enterprise Edition designed for enabling testing in DevSecOps.

3. Defendify

Defendify is an all-in-one product that provides multiple layers of protection and offers consulting services if needed. With Defendify, organizations can streamline cybersecurity assessments, testing, policies, training, detection and response in one consolidated cybersecurity tool.

Features include cybersecurity risk assessments, technology and data use policies, incident response plans, penetration testing, threat alerts, phishing simulations and cybersecurity awareness training.

4. Gophish

Many of the costliest data breaches and ransomware attacks in recent years can be traced back to simple phishing campaigns because many company workers fall for them. One of the best protections is to secretly test your staff to see who is gullible, and for that you can use the free program Gophish. Gophish is open source and provides a full-featured toolkit for security administrators to build their own phishing campaigns with relative ease. The overall goal is not to embarrass staff, but find out who needs greater phishing awareness and foster better security training within their organization.

5. Have I Been Pwned

Created by award-winning cybersecurity thought leader and teacher Troy Hunt, Have I Been Pwned is a website where you enter your email address to check if your address has been revealed in a data breach. Have I Been Pwned’s database is filled with billions of usernames, passwords, email addresses and other information that hackers have stolen and published online. Just enter your address in the search box.

6. Kali Linux

Kali Linux is a Debian Linux derivative specifically designed toward testing for security tasks, such as penetration testing, security auditing and digital forensics. Kali includes roughly 600 pre-installed programs, each included to help computer security experts carry out a specific attack, probe or exploit against a target. Aircrack-ng, Nmap, Wireshark and Metasploit are a few of the pre-installed tools that ship with the Kali Linux download.

7. Metasploit Framework

Similar to Kali Linux but at the application layer rather than OS, the Metasploit Framework can test computer system vulnerabilities or can be used to break into remote systems. It is, in other words, a network penetration “Swiss Army knife” used by both ethical hackers and criminal gangs to probe networks and applications for flaws and weaknesses. There is both a free and a commercial version — known as the Framework and Pro editions, respectively — which are available for trial. Both editions are de facto standard for penetration testing with more than 1,500 exploits. Metasploit comes pre-installed on Kali Linux.

8. Nmap

Nmap is a free network mapper used to discover network nodes and scan systems for vulnerability. This popular free cybersecurity tool provides methods to find open ports, detect host devices, see which network services are active, fingerprint operating systems and locate potential backdoors.

While Nmap provides users immense power and capability to explore networks, the program has a rather steep learning curve to get over before one becomes truly proficient in using it.

9. Nikto

Nikto is an ultra-powerful, command-line tool useful for uncovering vulnerabilities in web apps, services and web servers. Originally launched in the early 2000s, Nikto is still widely used by both blue and red teams that want to quickly scan web servers for unpatched software, misconfigurations and other security issues. The program also features built-in support for SSL proxies and intrusion detection system evasion. Nikto can run on any computer capable of supporting the Perl programming language.

10. Open Vulnerability Assessment Scanner

OpenVAS is an all-in-one vulnerability scanner that comprehensively tests for security holes, misconfigured systems and outdated software. The scanner gets the tests for detecting vulnerabilities from a feed with daily updates. Much of the program’s power stems from its built-in programming interface, which enables developers to create custom scans that fit niche needs.

Its capabilities include unauthenticated and authenticated testing, high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.

11. OSSEC

OSSEC is a free program for cybersecurity professionals that’s been touted as one of the most popular systems for intrusion detection and prevention. Made up of multiple components — including a server, agent and router monitor — OSSEC is capable of rootkit detection, system integrity checking, threat alerts and response. One of OSSEC’s highlights is its comprehensive log analysis tool, empowering users to compare and contrast log events from many different sources.

OSSEC comes in three versions: standard; OSSEC+, which includes machine learning and real-time community update; and Atomic OSSEC, with more advanced functions.

12. Password managers

Using only strong passwords — and keeping them secure — is an essential step in the security of any system. But since a best practice is to use a unique password for every website, app and service, that can get tricky. A good password manager makes it possible to safely store all passwords together so a user only needs to remember one master key rather than dozens of unique passwords. This is especially true for cybersecurity professionals tasked with guarding passwords to mission-critical systems. Fortunately, there are free password management tools. Three good, free options for cybersecurity pros are KeePassBitwarden and Psono.

13. PfSense

The firewall/router software pfSense can be installed on either a physical computer or virtual machine to protect networks. PfSense is based on the FreeBSD OS, and has become one of the most popular open source firewall/router projects available. PfSense can also be configured for intrusion detection and prevention, traffic shaping, load balancing and content filtering. The pfSense site includes a tour, a community page, a link to both training and support and a download of the latest version of the community edition of the software.

14. P0f

Endpoint fingerprinting is analysis of web traffic to find patterns, responses and packets sent and received in a particular direction — even if they are encrypted. This works even with “dumb” devices that don’t interact with the network but can still enable unauthorized access to an organization’s systems.

P0f is a simple yet powerful network-level fingerprinting and forensics program. While other free cybersecurity programs do a similar job, p0f is unique in that it’s designed for stealth. Where most other programs rely on active scanning and packet injection, p0f can identify fingerprints and other vital information without network interference. Being passive rather than active means p0f is nearly impossible to detect and even harder to block, making it a favorite tool for ethical hackers and cybercriminals alike.

15. REMnux

Normally the dissection and examination of malware is left to the antimalware vendors. But if you would like to do the job yourself, there is REMnux, a free Linux toolkit for reverse-engineering and analyzing malware.

Included in every REMnux distribution are tools to analyze Windows executables, reverse-engineer binaries and inspect suspicious documents. It also includes a collection of free tools cybersecurity professionals can use to monitor networks, gather data and conduct memory forensics. 

16. Security Onion

Security Onion is an open source software collection based on the Linux kernel that helps cybersecurity professionals develop a comprehensive profile of their system’s security posture. Security Onion provides network monitoring using full packet capture, host-based and network-based intrusion detection systems, log indexing, search and data visualization features.

The operating system emphasizes ease of use and makes it possible to interweave data and analytics from multiple tools into a unified dashboard. The overarching goal of the project is to offer teams a foolproof security monitoring solution that reduces decision paralysis and false alerts.

17. Snort

Snort is an open source network intrusion prevention and intrusion detection system capable of real-time traffic analysis and logging. It uses a series of rules to identify malicious network activity, find the packets and generate alerts. This packet sniffer — managed by Cisco — actively searches and analyzes networks to detect probes, attacks and intrusions. Snort accomplishes this by fusing a sniffer, packet logger and intrusion detection engine into a single package.

Its developer recently released version 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, use of a shared configuration and attribute table, access to more than 200 plugins, rewritten TCP handling and new performance monitoring.

18. Sqlmap

Sqlmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws of database servers, enabling a remote hacker to take control. It comes with a detection engine and many niche features for the ultimate penetration tester. It supports a variety of databases — including Oracle and open source — and a number of injection types.

19. Wireshark

Wireshark is considered by many to be an indispensable tool to locate, identify and examine network packets to diagnose critical issues and spot security weaknesses. The website for Wireshark outlines its broad set of features and provides a user’s guide and other resources for putting this free cybersecurity tool to best use.

20. Zed Attack Proxy (ZAP)

ZAP is an open source penetration testing tool designed specifically for testing web applications. It is known as a “man-in-the-middle proxy,” where it intercepts and inspects messages sent between browsers and web applications.

ZAP provides functionality for developers, testers new to security testing and security testing specialists. There are also versions for each major operating system and Docker. Additional functionality is available via add-ons in the ZAP Marketplace.

Every cybersecurity expert carries a different set of tools, depending on their mission and skill set. However, the free cybersecurity tools here serve as an entry point for those looking to increase their cybersecurity skills and knowledge. Cyberthreats are getting more lethal every year — and more efficient.

The Ultimate Kali Linux Book: Perform advanced penetration testing using Nmap, Metasploit, Aircrack-ng, and Empire

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: free cybersecurity tools


Jan 31 2024

Wireshark Pen Tester Guide

Category: Information Security,Pen Testdisc7 @ 7:51 am

WireShark Cheat Sheet

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: wireshark


Jan 30 2024

Aembit Announces New Workload IAM Integration With CrowdStrike To Help Enterprises Secure Workload-To-Workload Access

Category: Access Control,Information Securitydisc7 @ 3:12 pm

Aembit Becomes the First Workload IAM Platform to Integrate with the Industry-Leading CrowdStrike Falcon Platform to Drive Workload Conditional Access

Aembit, the Workload Identity and Access Management (IAM) platform that enables DevOps and security teams to discover, manage, enforce and audit access between workloads, today announced the availability of a new integration with the industry-leading CrowdStrike Falcon® platform to give enterprises the ability to dynamically manage and enforce conditional access policies based on the real-time security posture of their applications and services.

This integration signifies a significant leap in Aembit’s mission to empower organizations to apply Zero Trust principles to make workload-to-workload access more secure and manageable. 

Workload IAM transforms enterprise security by securing workload-to-workload access through policy-driven, identity-based, and secretless access controls, moving away from the legacy unmanaged, secrets-based approach. 

Through this partnership, the Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload and evaluates its real-time security posture to drive workload access decisions to applications and data.

With this approach, now enterprises can protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional customer benefits from this partnership include:

  • Managed Workload-to-Workload Access: Enforce and manage workload access to other applications, SaaS services, and third-party APIs based on identity and policy set by the security team, driving down risk.
  • Seamless Deployment: Drive consolidation by effortlessly integrating the Aembit Workload IAM Platform with the Falcon platform in a few clicks, providing a unified experience for managing workload identities while understanding workload security posture.
  • Zero Trust Security Model: Embrace a Zero Trust approach, ensuring that every access request, regardless of the source, is verified before granting access rights. Aembit’s solution enforces the principle of least privilege based on identity, policy, and workload security posture, minimizing potential security vulnerabilities.
  • Visibility and Monitoring: Gain extensive visibility into workload identities and access permissions, enabling swift detection and response to potential security threats. Monitor and audit access logs based on identity for comprehensive security oversight.

This industry-first collaboration builds on the recent CrowdStrike Falcon Fund strategic investment in Aembit, underscoring the global cybersecurity leader’s commitment to fostering innovation within the space. The investment reflects the recognition of the growing demands for securing workload access.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Aembit, CrowdStrike Falcon, IAM


Jan 18 2024

How Do You Protect Your APIs From DDoS Attacks?

Category: API security,Information Securitydisc7 @ 8:22 am

Today, DDoS attacks stand out as the most widespread cyber threat, extending their impact to APIs. 

When successfully executed, these attacks can cripple a system, presenting a more severe consequence than DDoS incidents targeting web applications. 

The increased risk amplifies the potential for reputational damage to the company associated with the affected APIs.

How Does DDoS Affect Your APIs?

A DDoS attack on an API involves overwhelming the targeted API with a flood of traffic from multiple sources, disrupting its normal functioning and causing it to become unavailable to legitimate users.

This attack can be particularly damaging as APIs play a crucial role in enabling communication between different software applications, and disruption can impact the overall functionality of interconnected systems.

The impact of DDoS attacks is particularly severe for businesses and organizations that depend on their APIs to deliver essential services to customers. These attacks, employing methods such as UDP floods, SYN floods, HTTP floods, and others, pose a significant threat.

Typically orchestrated through botnets—networks of compromised devices under the control of a single attacker—DDoS attacks can cripple a target’s functionality.

DDoS attacks on APIs focus on the server and each part of your API service. But how do attackers manage to exploit DDoS attacks on APIs?

This Webinar on API attack simulation shows an example of a DDoS attack on APIs and how WAAP can protect the API endpoints. 

Several factors can make APIs vulnerable to DDoS attacks:

Absence or insufficient Rate-Limiting: If an API lacks robust rate-limiting mechanisms, attackers can exploit this weakness by sending a massive volume of requests in a short period, overwhelming the system’s capacity to handle them.

Inadequate Authentication and Authorization: Weak or compromised authentication measures can allow malicious actors to gain unauthorized access to an API. Once inside, they may misuse the API by flooding it with requests, leading to a DDoS scenario.

Insufficient Monitoring and Anomaly Detection: Ineffective monitoring and anomaly detection systems can make identifying abnormal traffic patterns associated with a DDoS attack challenging. Prompt detection is crucial for implementing mitigation measures.

Scalability Issues: APIs that cannot scale dynamically in response to increased traffic may become targets for DDoS attacks. A sudden surge in requests can overload the system if it cannot scale its resources efficiently.

How Do WAAP Solutions Protect Against DDoS Attacks on API?

Web Application and API Protection (WAAP) platform offers in-line blocking capabilities for all layer seven traffic, comprehensively securing web applications and APIs.

To guarantee robust security, WAFs incorporated into WAAP solutions provide immediate defense by filtering, monitoring, detecting, and automatically blocking malicious traffic, thereby preventing its access to the server.

Active monitoring of traffic on an API endpoint enables the identification of abnormal traffic patterns commonly linked to DDoS attacks. Instances of sudden spikes in traffic volume serve as red flags for potential attacks, and a proficient monitoring system can promptly detect and address such increases.

In addition, WAAP enforces rate limits by assessing the number of requests from an IP address. API rate limiting is critical in mitigating DDoS damage and reducing calls, data volume, and types. Setting limits aligned with API capacity and user needs enhances security and improves the user experience. 

To avoid impacting genuine users, find solutions that use behavioral analysis technologies to establish a baseline for rate limiting.

AppTrana WAAP’s DDoS mitigation employs adaptive behavioral analysis for comprehensive defense, detecting and mitigating various DDoS attacks with a layered approach. It distinguishes between “flash crowds” and real DDoS attacks, using real-time behavioral analysis for precise mitigation. This enhances accuracy compared to static rate limit-based systems.

Advanced API Security: OAuth 2.0 and Beyond

API Security in Action

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: API Security


Jan 12 2024

Fake Recruiters Defraud Facebook Users via Remote-Work Offers

Category: Information Securitydisc7 @ 8:56 am

Scammers are targeting multiple brands with “job offers” on Meta’s social media platform, that go as far as to offer what look like legitimate job contracts to victims.

https://www.darkreading.com/remote-workforce/fake-recruiters-defraud-facebook-users-remote-work-offers

A fresh wave of job scams is spreading on Meta’s Facebook platform that aims to lure users with offers for remote-home positions and ultimately defraud them by stealing their personal data and banking credentials.

Researchers from Qualys are warning of “ongoing attacks against multiple brands” offering remote work through Facebook ads that go so far as to send what look like legitimate work contracts to victims, according to a blog post published Jan. 10 by Jonathan Trull, Qualys CISO and senior vice president of solutions architecture.

The attackers dangle offers of work-at-home opportunities to lure Facebook users to install or move to a popular chat app with someone impersonating a legitimate recruiter to continue the conversation. Eventually, attackers ask for personal information and credentials that potentially can allow attackers to defraud them in the future.

Likely aiming to take advantage of people’s tendency to make resolutions in the new year, these fake job ads — a persistent online threat — typically “see a rise in prevalence following the holidays” when people are primed for new opportunities, Trull wrote.

Qualys Caught Up in Scam

The researchers discovered the scams because fake recruiters were purporting to be from Qualys with offers of remote work. The company, however, never posts its job listings on social media, only on its own website and reputable employment sites, Trull said.

The initial text lures for the scam occur in group chats that solicit users to move to private messaging with the scammer who posts the job opening. “In several cases, the scammer appears to have compromised legitimate Facebook users and then targeted their direct connections,” Trull wrote.

Once a victim installs Go Chat or Signal — the messaging apps used in the scam — attackers ask for additional details so they can receive and sign what appears to be an official Qualys job offer complete with logos, correct corporate addresses, and signature lines.

Attackers then ask victims to send a copy of a government-issued photo ID, both front and back, and told to digitally cash a check to buy software for a new computer that their new employer will ship to them.

Qualys has notified both Facebook and law enforcement of the scam and encourages users to do the same if they observe it on the platform. The blog post did not list the names of other companies or brands that might also be targeted in the attacks.

Avoid Being Scammed

Job scams are indeed a constant online security issue, one that’s on the rise, according to the US Better Business Bureau (BBB). Online ads and phishing campaigns are popular conduits for job scammers, which use social engineering to bait people into responding and then either steal their personal data, online credentials, and/or money. Scams also can have a negative reputational impact on the companies whose brands are used in the scam.

To avoid being scammed by a fake job listing, Qualys provided some best practices for online employment seekers to follow when using the Internet to search for opportunities.

In general, a mindset of “if it’s too good to be true, it probably is” is a good rule of thumb to approaching online job listings, Trull wrote. “Listen to your intuition,” he added. “If it doesn’t feel right, you should probably not proceed.”

Qualys also advised that people always verify offers by looking up a job opening on an organization’s official website and contacting the company directly instead of using social media contacts that could be abused as part of a scam.

People also should be “highly skeptical” of any job solicitation that doesn’t come from an official source, even if the social media source making the offer appears trusted. Since social media accounts can be hijacked, the source can appear legitimate but isn’t.

Further, if an online recruiter asks a person to install an app to apply for a position, it’s probably a scam, Trull warned. “Real recruiters will call you, email, or set up a multimedia interview call at their expense without any concern — they are set up for it if they are a recruiter,” he wrote.

Fake: Fake Money

FAKE: Fake Money

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Fake Money, Fake Recuriter


Jan 06 2024

Red Team Guide

Category: Information Security,Pen Testdisc7 @ 9:59 am

Red Team Guide by Hadess

RTFM – Red Team Field Manual

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Red team, Rtfm


Jan 04 2024

Google Chrome Use After Free Flaw Let Attacker Hijack Browser

Category: Cyber Attack,Information Security,Web Securitydisc7 @ 10:26 am

The latest stable channel update for Google Chrome, version 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows, is now available and will shortly be rolled out to all users.

Furthermore, the Extended Stable channel has been updated to 120.0.6099.200 for Windows and 120.0.6099.199 for Mac.

There are six security fixes in this release. Three of these flaws allowed an attacker to take control of a browser through use-after-free conditions.

Use-after-free is a condition in which the memory allocation is freed, but the program does not clear the pointer to that memory. This is due to incorrect usage of dynamic memory allocation during an operation. 

CVE-2024-0222: Use After Free In ANGLE

Use after free in ANGLE in Google Chrome presents a high-severity vulnerability that might have led to a remote attacker compromising the renderer process and using a crafted HTML page to exploit heap corruption.

Google awarded $15,000 to Toan (suto) Pham of Qrious Secure for reporting this vulnerability.

CVE-2024-0223: Heap Buffer Overflow In ANGLE

This high-severity flaw was a heap buffer overflow in ANGLE that could have been exploited by a remote attacker using a crafted HTML page to cause heap corruption. 

Toan (suto) Pham and Tri Dang of Qrious Secure received a $15,000 reward from Google for discovering this vulnerability.

CVE-2024-0224: Use After Free In WebAudio

A high-severity use after free in WebAudio in Google Chrome might potentially allow a remote attacker to exploit heap corruption through a manipulated HTML page.

Google awarded Huang Xilin of Ant Group Light-Year Security Lab a $10,000 reward for finding this issue.

CVE-2024-0225: Use After Free In WebGPU

A remote attacker may have been able to exploit heap corruption through a specifically designed HTML page due to high severity vulnerability in Google’s use after free in WebGPU.

The details about the reporter of this vulnerability were mentioned as anonymous. 

The use after free conditions existed in Google Chrome before version 120.0.6099.199. To avoid exploiting these vulnerabilities, Google advises users to update to the most recent version of Google Chrome.

How To Update Google Chrome

  • Open Chrome.
  • At the top right, click More.
  • Click Help About Google Chrome.
  • Click Update Google Chrome. Important: If you can’t find this button, you’re on the latest version.
  • Click Relaunch.

Browser Security Platform Checklist

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Google Chrome


Next Page »