InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
As we continue to rely on technology more and more, we should also be increasingly thinking about protection. According to Cyber Security Hub, two-thirds of companies are spending more on cybersecurity in 2022 than last year — a pattern that should only continue.
On the heels of National Cybersecurity Awareness Month, it is the perfect time for business leaders and organizations to consider the safeguards they use to protect sensitive information. Cybersecurity can be a complex task for many organizations; businesses, educational institutions and government entities often struggle to navigate the available options. Beyond IT professionals, finding the right solution requires subject matter experts, a group of leaders who represent different lines of business, C-suite representatives and a thorough risk assessment to determine where to strike a balance between security and productivity.
Security is a constant discipline of due care and due diligence over time. It requires a mindset shift for employees and extends far beyond computers. Printers, scanners, fax machines, document management systems and other hardware and software solutions must contain the latest security features as well. While updating these devices may not be top of mind, neglecting them can pose a serious threat to your organization if compromised.
If you are just getting started, or need a refresher on cybersecurity, here are some of the first steps you should take:
Here are eight top security threats that IT is likely to see in 2023.
Top 8 security threats for next year
1. Malware
Malware is malicious software that is injected into networks and systems with the intention of causing disruption to computers, servers, workstations and networks. Malware can extract confidential information, deny service and gain access to systems.
IT departments use security software and firewalls to monitor and intercept malware before it reaches networks and systems, but attackers keep evolving their malware to evade these defenses. That makes keeping security software, detection signatures and firewall rules current essential.
2. Ransomware
Ransomware is a type of malware. It blocks access to a system or threatens to publish proprietary information. Ransomware perpetrators demand that their victim companies pay them cash ransoms to unlock systems or return information.
So far in 2022, ransomware attacks on companies are 33% higher than they were in 2021. Many companies agree to pay ransoms to get their systems back, only to be hit again by the same ransomware perpetrators.
Ransomware attacks are costly and can damage company reputations. Ransomware often enters a corporate network through an open connection to a vendor or supplier whose network is less well secured.
One step companies can take is to audit the security measures that their suppliers and vendors use to ensure that the end-to-end supply chain is secure.
3. Phishing
Almost everyone has received a suspicious email, or worse yet, an email that appears to be legitimate and from a trusted party but isn’t. This email trickery is known as phishing.
Phishing is a major threat to companies because it is easy for unsuspecting employees to open bogus emails and click a link or attachment that installs malware or captures their credentials. Training employees to recognize phony emails, report them and never act on them really helps. IT should team with HR to ensure that sound email habits are taught.
4. IoT
In 2020, 61% of companies were using IoT, and this percentage only continues to increase. With the expansion of IoT, security risks also grow. IoT vendors are notorious for shipping devices with little to no security. IT can combat this threat by vetting IoT vendors for security up front in the RFP process and by changing default credentials and settings on devices so they conform to corporate standards.
If your organization is looking for more guidance on IoT security, the experts at TechRepublic Premium have put together an ebook for IT leaders that is filled with what to look out for and strategies to deal with threats.
5. Internal employees
Disgruntled employees can sabotage networks or make off with intellectual property and proprietary information, and employees with poor security habits can inadvertently share passwords and leave equipment unprotected. This is why more companies now use social engineering audits to check how well employee security policies and procedures are actually working, and in 2023 IT will continue to use them to test the robustness of its workforce security practices.
6. Data poisoning
An IBM 2022 study found that 35% of companies were using AI in their business and 42% were exploring it. Artificial intelligence is going to open up new possibilities for companies in every industry. Unfortunately, the bad actors know this, too.
Cases of data poisoning in AI systems have started to appear. In a data poisoning attack, a malicious actor injects corrupted or mislabelled records into the data a model is trained or retrained on, skewing its outputs so that decision makers receive results that are false.
Data poisoning is a new attack vector into corporate systems. One way to protect against it is to continuously monitor your AI results: if a system's outputs suddenly trend significantly away from what it has produced in the past, it is time to check the integrity of the training data and its sources.
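The monitoring idea above, worked through as an added example that is not from the original article: a nearest-centroid classifier on constructed two-dimensional data, a label-flip poisoning of 60% of the "malicious" training rows, and a drift check that compares the share of "malicious" verdicts on a fixed reference batch before and after retraining. All data, thresholds and names here are constructed.

```python
"""Label-flip data poisoning against a nearest-centroid classifier, plus the
output-drift check the text recommends. Added example on constructed data."""
import math


def make_cluster(cx, cy, n=25, spread=1.0):
    """Deterministic square grid of n points around (cx, cy): constructed sample data."""
    side = int(math.sqrt(n))
    step = 2 * spread / (side - 1)
    return [(cx - spread + i * step, cy - spread + j * step)
            for i in range(side) for j in range(side)]


def train(samples):
    """Nearest-centroid 'training': the model is just the mean point of each label."""
    sums = {}
    for (x, y), label in samples:
        acc = sums.setdefault(label, [0.0, 0.0, 0])
        acc[0] += x
        acc[1] += y
        acc[2] += 1
    return {label: (sx / n, sy / n) for label, (sx, sy, n) in sums.items()}


def predict(model, point):
    return min(model, key=lambda label: math.dist(point, model[label]))


def accuracy(model, labelled):
    return sum(predict(model, p) == label for p, label in labelled) / len(labelled)


def poison_label_flip(samples, victim, as_label, fraction):
    """Attacker with write access to the training data relabels `fraction` of the
    rows labelled `victim` as `as_label`. Feature vectors are untouched, so a
    schema or range check on the data would not notice anything."""
    victims = [i for i, (_, label) in enumerate(samples) if label == victim]
    poisoned = list(samples)
    for i in victims[: int(len(victims) * fraction)]:
        poisoned[i] = (poisoned[i][0], as_label)
    return poisoned


def positive_rate(model, batch, label="malicious"):
    """Monitoring metric: share of a fixed reference batch scored as `label`."""
    return sum(predict(model, p) == label for p in batch) / len(batch)


def drift_alert(baseline_rate, current_rate, tolerance=0.15):
    """Alert when verdicts on the same reference batch move more than `tolerance`
    from the baseline recorded when the model was deployed."""
    return abs(current_rate - baseline_rate) > tolerance


# Constructed data: "benign" events cluster near (1,1), "malicious" near (5,5).
TRAIN = [(p, "benign") for p in make_cluster(1, 1)] + \
        [(p, "malicious") for p in make_cluster(5, 5)]
TEST = [(p, "benign") for p in make_cluster(1.2, 0.8, n=9, spread=0.5)] + \
       [(p, "malicious") for p in make_cluster(3.8, 3.8, n=9, spread=0.5)]
# Fixed reference batch along the benign-to-malicious axis, scored at every retrain.
REFERENCE = [(2.5, 2.5), (3.5, 3.5), (4.0, 4.0), (4.5, 4.5), (5.0, 5.0)]


def run_demo(flip_fraction=0.6):
    clean = train(TRAIN)
    poisoned = train(poison_label_flip(TRAIN, "malicious", "benign", flip_fraction))
    baseline = positive_rate(clean, REFERENCE)
    current = positive_rate(poisoned, REFERENCE)
    return {
        "clean_accuracy": accuracy(clean, TEST),
        "poisoned_accuracy": accuracy(poisoned, TEST),
        "baseline_rate": baseline,
        "current_rate": current,
        "alert": drift_alert(baseline, current),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Accuracy on the held-out set drops from 100% to 67% and the reference-batch positive rate moves from 0.8 to 0.6, which trips the 0.15 tolerance. The frozen reference batch is what makes the check meaningful: a change in verdicts on it can only come from the model, not from a change in live traffic. The check tells you that something moved, not who moved it, so pair it with provenance and access controls on the training pipeline.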
7. New technology
Organizations are adopting new technology like biometrics. These technologies yield enormous benefits, but they also introduce new security risks since IT has limited experience with them. One step IT can take is to carefully vet each new technology and its vendors before signing a purchase agreement.
8. Multi-layer security
How much security is enough? If you have firewalled your network, installed security monitoring and interception software, secured your servers, issued multi-factor authentication to employees and implemented data encryption, but forgot to lock the physical facilities containing servers or to install the latest security updates on smartphones, are you covered?
There are many layers of security that IT must batten down and monitor. IT can tighten security by creating a checklist of every point in a workflow where a breach could occur.
Data-deletion service’s patent covers removing personal information such as geolocation, biometrics, and phone records from a vehicle by using a user-computing device
— Privacy4Cars, the first privacy-tech company focused on solving the privacy and security issues posed by vehicle data to protect consumers and automotive businesses, announced today that it has secured a new patent, further expanding its patent coverage for removing privacy information from a vehicle by using a user computing device. This patent grant marks the fourth patent that the U.S. Patent & Trademark Office has awarded to Privacy4Cars in the past three years and provides further evidence that the company is the leading innovator in the vehicle data privacy and security field.
Since its launch in 2018, Privacy4Cars has emerged as the industry standard across auto finance companies (including captives, national and regional banks, auto lenders, and credit unions), fleets and fleet management companies, and franchised and independent dealerships. Many of today’s top companies in the automotive space — including the three largest OEM’s captives — have adopted the data-deletion service powered by the Privacy4Cars platform, and a growing number of industry associations have begun speaking out about the need to clear personal information from cars, and tapping Privacy4Cars as a resource to educate members.
“Used vehicles are akin to large, unencrypted hard drives full of consumers’ sensitive Personal Information, including identifiers, geolocation, biometrics, and phone records,” said Andrea Amico, CEO and founder of Privacy4Cars. “This creates service, reputation, and increasingly major regulatory challenges, including the obligations companies face under the new Safeguards Rule (coming into effect on Dec. 9, 2022) and a host of existing and new state laws. At the same time, federal and local agencies are increasingly concerned about the personal information vehicles capture and store — which is driving more and more auto businesses to look for reliable solutions to simply and effectively delete data from vehicles while creating by design detailed compliance logs that prove their efforts,” he continued. “This new patent demonstrates Privacy4Cars’ commitment to meet the growing compliance and service needs of our partners. Privacy4Cars has established itself as the clear leader in the vehicle privacy space and companies increasingly recognize the superior efficiency, effectiveness, and compliance outcomes our proprietary solution offers, making Privacy4Cars the only obvious choice”.
Privacy4Cars’ newly awarded U.S. Patent No. 11,494,514 expands the scope of patent protection for the vehicle data privacy and security innovations of Privacy4Cars’ U.S. Patent No. 11,256,827, U.S. Patent No. 11,157,648 and U.S. Patent No. 11,113,415. The new patent covers the use of a user computing device to remove privacy information from a vehicle and to create feedback about the information removal activity, including deletion logs for use in legal compliance applications.
Privacy4Cars is currently available in the US, Canada, UK, EU, Middle East, India, and Australia, and plans to further expand its geographical reach to address the growing number of countries that have comprehensive privacy and data security laws. Privacy4Cars is available to consumers as a free-to-download app, and to businesses as a subscription service. Businesses can use Privacy4Cars’ stand-alone app or choose to integrate Privacy4Cars’ Software Development Kit to easily embed its patented data deletion solution as a feature inside their own apps.
For more information about Privacy4Cars, please visit: https://privacy4cars.com.
ABOUT PRIVACY4CARS
Privacy4Cars is the first and only technology company focused on identifying and resolving data privacy issues across the automotive ecosystem. Our mission, Driving Privacy, means offering a suite of services to expand protections for individuals and companies alike, by focusing on privacy, safety, security, and compliance. Privacy4Cars’ patented solution helps users quickly and confidently clear vehicle users’ personal information (phone numbers, call logs, location history, garage door codes, and more) while building compliance records. For more information, please visit: https://privacy4cars.com/
A new version of ISO 27001 was published this week, introducing several significant changes in the way organisations are expected to manage information security.
The Standard was last revised almost a decade ago (although a new iteration of the supplementary standard ISO 27002 was published in February 2022), meaning that the release of ISO 27001:2022 has been much needed and highly anticipated.
What’s changing?
The good news for organisations is that ISO 27001:2022 doesn’t drastically overhaul their compliance requirements. There are new requirements on planned changes and how your organisation should deal with them, as well as a greater focus on how you must deal with the needs and expectations of interested parties.
Annex A of ISO 27001 now refers to the updated information security controls in ISO 27002:2022, and the Standard requires organisations to document and monitor objectives.
It also aligns its terminology with that used across other ISO management system standards.
Another notable aspect of its terminology is that ISO 27002:2022 no longer refers to itself as a “code of practice”. This better reflects its purpose as a reference set of information security controls.
However, the most significant changes with the 2022 version of ISO 27002 are in its structure. It is no longer divided into 14 control categories, and is instead split into four ‘themes’: organisational, people, physical and technological.
Meanwhile, although the 2022 version of ISO 27002 is significantly longer than its predecessor, the total number of controls has decreased from 114 to 93.
This is because many of its controls have been reordered and merged. Only 35 controls are unchanged, while 11 completely new controls have been added. These are:
Threat intelligence
Information security for use of cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding
The new and amended controls are also categorised according to five types of ‘attribute’: control type, operational capabilities, security domains, cybersecurity concepts and information security properties.
This change is intended to make it easier to highlight and view all controls of a certain type, such as all preventive controls, or all controls related to confidentiality.
How will this affect organisations implementing ISO 27001?
The introduction of ISO 27001:2022 won’t have an immediate effect on organisations that are currently certified to ISO 27001:2013 or are in the process of achieving certification.
For the time being, organisations should continue to follow the 2013 version of the Standard. This means, for example, that the SoA (Statement of Applicability) should refer to the controls listed in Annex A of ISO 27001:2013, while the 2022 version of the Standard should be used only as a reference.
Indeed, the reason that the updated version is being published now is to give organisations time to familiarise themselves with the new controls before embarking on an implementation project.
The controls listed in ISO 27002:2022 can be considered an alternative control set that you will have to compare with the existing Annex A – just as you would with any other alternative control set.
ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.
What next?
There is a three-year transition period for certified organisations to revise their management system to conform to a new version of a standard, so there will be plenty of time to make the necessary changes.
However, it’s never wise to put off the planning process until the last minute. Implementation will take several months, and it’s worth knowing what’s expected of you as soon as possible.
You can begin by reading the Standard for yourself. You can purchase a digital copy of ISO 27001:2022 from our website, and we recommend comparing the updated version to the 2013 edition and your current compliance practices to determine what adjustments you’ll have to make.
If you’re unsure how to proceed, our team of experts is here to help. Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard.
Speak to one of our experts for more information on how we can support you.
CrowdStrike achieved 99% detection coverage by conclusively reporting 75 of the 76 adversary techniques during the MITRE ATT&CK evaluation.
Leveraging the power of the CrowdStrike Falcon® platform with integrated threat intelligence and patented tooling, the CrowdStrike Falcon® Complete and CrowdStrike® Falcon OverWatch™ managed threat hunting teams identified the adversary and associated tradecraft within minutes.
Closed-book evaluations such as this provide the most realistic reflection of how a security vendor would perform in a customer environment. CrowdStrike’s combination of market-leading technology and elite human expertise led the evaluation, which is the gold standard in managed detection and response testing.
MITRE does not rank or rate participants; the following is CrowdStrike’s analysis of the results provided by MITRE Engenuity.
Business models for banking & financial services (BFS) institutions have evolved from monolithic banking entities into multi-tiered service entities.
What this means for BFS companies is that they need to stay current and relevant in technology and in the quality of the services they provide to clients. The most common way to do that today is to outsource services to vendors and third parties.
Though outsourcing is cost-beneficial, the approach comes with its own drawbacks, and every outsourcing enterprise should be aware of the risks that vendors bring to the table.
Vendors introduce a range of operational risks depending on the engagement; only a methodology for managing third-party information security risks is discussed here.
To give a sense of the impact vendor information security risks have on organizations, below are some findings from surveys by Big 4 consulting firms such as PwC and Deloitte.
“The Number of data breaches attributed to 3rd party vendors has increased by 22% since 2015”- Source PwC
According to Deloitte “94.3% of executives have low to moderate confidence in their third-party risks management tools & technology, and 88.6% have low to moderate confidence in the quality of the underlying Information Security Risks management process” .
We know the problem now; how do you begin resolving it?
A good place to begin is the sourcing and/or procurement team, depending on how your organization is set up. In an ideal world, these teams maintain an inventory of all vendors, third parties and partners of your organization.
Once this inventory is in place, the IT vendor risk management (IT-VRM) team needs to separate the IT vendors from the non-IT ones. This is a one-time activity; going forward, the sourcing team should classify vendors as IT or non-IT based on their business engagement at onboarding.
Understanding your Vendors & the Information Security Risks they carry:
One of the simplest and most efficient ways to understand your vendors is a scoping checklist that details the vendor's business with your organization, the data touchpoints and exchanges involved, and the information security risks to which the outsourced business exposes your organization.
This information is usually available from the vendor manager who represents your organization in the relationship.
Below is a list of risk pointers (not exhaustive) that you might want to raise with your vendor manager.
Regulatory risk – Does this relationship affect your regulatory posture? What is the penalty for non-compliance?
Reputational risk – Does this service affect your clients and the reputation you hold with them?
Financial risk – Are there financial risks associated with the business engagement?
Information security risk – What data is shared as part of the engagement? How well does the vendor protect your organization's data?
Resiliency risk – Does the vendor introduce any single point of failure into your business practices?
To decide how deep an assessment to perform, you need to understand the vendor's business operating model.
Below is an indicative list of themes to discuss with the vendor manager to scope the vendor assessment:
Data attributes shared with and received from the vendor, the volume of data and the frequency of exchange
Mode of communication and interfaces with the vendor: email, remote connection to the vendor's network, remote connection from the vendor into your internal network, data upload only, data download only, or vendor staff brought on-site who connect from your offices to provide services
Services provided: data center services, application provider, cloud service provider, data processing services and many others
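The scoping themes and risk pointers above, turned into a repeatable tiering rule as an added example that is not from the original article: each engagement fact the vendor manager supplies (data attributes, volume and frequency, connectivity mode, service type, regulatory and resiliency flags) contributes to a score that selects the assessment depth. The weights, thresholds, tier definitions and vendor records are constructed to illustrate the approach, not a standard; the one design choice worth copying is that unknown values fail closed.

```python
"""Scope a third-party information security assessment from engagement facts.
Added example; weights, thresholds and vendor records are constructed."""
from dataclasses import dataclass

# Constructed scales. Sensitivity of data attributes shared with the vendor.
DATA_WEIGHTS = {"public": 0, "internal": 1, "pii": 2, "payment_card": 3, "credentials": 3}
# How far into the organisation each connectivity mode reaches.
ACCESS_WEIGHTS = {"email_only": 0, "data_download_only": 1, "data_upload_only": 1,
                  "remote_to_vendor_network": 1, "onsite_on_our_network": 2,
                  "vendor_remote_into_internal": 3}
SERVICE_WEIGHTS = {"staff_augmentation": 1, "data_processing": 2,
                   "application_provider": 2, "cloud_service_provider": 3,
                   "data_center": 3}
# Facts that always force the deepest assessment, whatever the score says.
HARD_TRIGGERS = {"credentials", "vendor_remote_into_internal"}


@dataclass
class Engagement:
    vendor: str
    data_attributes: list
    records_per_exchange: int
    exchanges_per_month: int
    access_modes: list
    service_type: str
    regulated: bool = False                # regulatory risk pointer
    single_point_of_failure: bool = False  # resiliency risk pointer


def weight(table, key):
    """Fail closed: a value the inventory does not recognise scores as the maximum,
    so an unfamiliar data type or access path escalates instead of slipping through."""
    return table.get(key, max(table.values()))


def volume_weight(records, exchanges_per_month):
    yearly = records * exchanges_per_month * 12
    return 2 if yearly >= 1_000_000 else 1 if yearly >= 10_000 else 0


def risk_score(e):
    return (max((weight(DATA_WEIGHTS, a) for a in e.data_attributes), default=0)
            + volume_weight(e.records_per_exchange, e.exchanges_per_month)
            + max((weight(ACCESS_WEIGHTS, m) for m in e.access_modes), default=0)
            + weight(SERVICE_WEIGHTS, e.service_type)
            + 2 * e.regulated + 2 * e.single_point_of_failure)


def assessment_scope(e):
    """Map the score (or a hard trigger) to an assessment tier and its scope."""
    score = risk_score(e)
    triggered = HARD_TRIGGERS & (set(e.data_attributes) | set(e.access_modes))
    if score >= 9 or triggered:
        tier, scope = 1, "full assessment: control testing, evidence review, annual re-assessment"
    elif score >= 5:
        tier, scope = 2, "questionnaire with evidence sampling, re-assessed every two years"
    else:
        tier, scope = 3, "self-attestation and contract clauses, re-assessed on change"
    return {"vendor": e.vendor, "score": score, "tier": tier, "scope": scope}


# Constructed vendor records, as a vendor manager might describe them.
VENDORS = [
    Engagement("CoreBanking Cloud", ["pii", "payment_card"], 250_000, 30,
               ["vendor_remote_into_internal"], "cloud_service_provider",
               regulated=True, single_point_of_failure=True),
    Engagement("Payroll Bureau", ["pii"], 5_000, 1, ["data_upload_only"],
               "data_processing", regulated=True),
    Engagement("Print Shop", ["internal"], 50, 1, ["email_only"], "data_processing"),
]

if __name__ == "__main__":
    for engagement in VENDORS:
        print(assessment_scope(engagement))
```

The three constructed vendors land in tiers 1, 2 and 3 respectively. The hard-trigger set exists because a score can be argued down attribute by attribute; a vendor holding your credentials or reaching into your internal network is a full assessment regardless of how small the engagement looks on paper.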
33N Ventures is fundraising €150 million for investing in cybersecurity and infrastructure software companies across Europe, Israel, and the US. The fund will mostly target investments at Series A and B, with an average ticket size of around €10 million, and has an investment capacity of €20 million already committed by Alantra and its strategic partners.
Co-founders and managing partners Carlos Alberto Silva and Carlos Moreira da Silva have made more than 20 investments in cybersecurity and infrastructure software over the past 10 years, across Europe, Israel and the US – including most notably Arctic Wolf.
In this Help Net Security interview, they discuss the cybersecurity investment landscape in Europe, the strategies for finding the right companies, and more.
Company founders usually think mainly about California and Tel Aviv when discussing infosec investments. What’s your impression of the current cybersecurity VC landscape in Europe?
Carlos Alberto Silva: There’s no doubt that the US and Israeli startup ecosystems get more attention when it comes to cybersecurity. But that’s not to say there haven’t been success stories in Europe. Take IriusRisk, for example: the automated threat modeling platform raised a $28.7M Series B round just a few weeks ago.
By rights, Europe should be a world leader in this space. Talent is abundant here, and there is a very large addressable market. The challenge for companies in Europe is that, unlike their peers in the US and Israel, they often don’t get the specialized support they need to compete.
While there are a few specialized funds in Europe, most focus naturally only on one country or region and tend to invest in very early-stage companies. As a result, most entrepreneurs face the choice of working with a US investor (that lacks on-the-ground local knowledge) or working with a generalist fund that may not be able to open the right doors for them.
That’s why we’ve decided to create a fund with a truly pan-European focus. There’s such a large opportunity here for firms that are underserved by the current market. We’ll still be investing in some companies in the US and Israel – simply put, there are some amazing opportunities that we just don’t want to miss out on – but we’re most excited about capitalising on this relatively untapped opportunity in Europe.
What sort of challenges and opportunities are you currently facing? What’s your main focus?
Carlos Alberto Silva: Given that we only launched the fund last week, we’ve not run into too many challenges yet! That being said, of course, the economic climate is not the best. This is a challenge that every venture capital fund and company must face.
Cybersecurity as a whole is also well insulated from the economic downturn. That’s because strong cybersecurity is not a ‘nice-to-have’ – but critical. That’s not going to change – from digital transformation to national security, cyber will continue being a top priority for governments, institutions, companies, and investors across the globe, and the market is expected to reach $162 billion in 2022, with robust annual double-digit growth forecast for the coming years – and so the companies we’ll be looking at have some in-built resilience.
How can you find the right balance between locating promising new businesses and researching potential investments?
Carlos Moreira da Silva: This is not generally something we struggle with. This is probably because we follow a thesis-driven approach that means we spend a lot of time looking at which spaces we want to cover before making any investment decisions.
Of course, we stay up to date with the industry, look at all publicly available sources, and attend the most relevant cybersecurity events across Europe, Israel, and the US. This is all fairly common sense.
But we do rely heavily on our proprietary network of close VCs and advisors. Our network is always totally invaluable when we are looking to identify the best leads for future investments. Our strategic advisors – including leading entrepreneurs, experts, and cybersecurity decision-makers such as Brian NeSmith (Arctic Wolf), Eyal Hayardeny (Reblaze), Nuno Sebastião (Feedzai), and Pierre Polette (Hackuity) – all founders of companies we’ve invested in in the past – possess an incredible depth and breadth of sector-specific knowledge and experience that, added to our own, really helps us identify and support the founders and companies with the biggest breakthrough and scaling potential.
We spend a long time talking to prospective investee companies, ideally as early in their journey as possible, and working out where we can help them. If we can make an introduction to a potential customer, for example, we will do so even before we have made any investment. We’ve worked hard to build a reputation in the industry for being supportive of the whole industry – that’s really important to us.
How much research does it take to identify companies you want to invest in? When it comes to cutting-edge technology, it can be complicated to distinguish between things that seem important but aren’t and things that don’t seem important but are.
Carlos Alberto Silva: For most first-time funds the process of identifying the right companies to invest in across such a large geographic area would be difficult. But our team has been together for many years now. We may be a first-time fund, but we’re far from a first-time team.
We know this space well and we have a strong network that reaches across the US, Europe, and Israel. In fact, much of the research you refer to has in effect already been done. We already have a list of companies that we’re interested in, and in many cases have already started the conversation.
We want to back visionary companies in emerging sectors. We want to invest in those who are the very first or one of the very first to solve a particular problem. In our view, jumping on bandwagons or entering already saturated markets will inevitably lead to meagre returns. Get in on the ground floor and you’ve got a lot more room to grow into.
What advice would you give to cybersecurity startup founders looking for investors?
Carlos Moreira da Silva: Beyond the obvious – how much are they willing to invest – there are a couple of really important things for founders to look at. Firstly, look at their track record. Cybersecurity is a space where deep technical knowledge is really important. Think of it this way: if you have to explain what your company does through metaphors and hand-holding, then they probably aren’t going to be much help beyond providing cash stimulus.
The second thing to look at is their network. Well-connected investors with the right contacts in cybersecurity will prove invaluable. Most venture capital investors will have a long list of contacts. You can pick that up by going to the right events and spending enough time in the space. But the investors that will provide you with real benefit are those who have a long list of friends – with deep and genuine relationships. The right introduction can be game-changing for a company, so it’s vital your investor’s network is robust.
What tips do you have for maintaining a positive rapport with company founders? What makes for a quality relationship?
Carlos Moreira da Silva: It may sound obvious, but in our experience, the most important thing for building rapport is having a solid understanding of the business. It is important to be there for the founders during the good times, but especially during the challenging times, when they really need that extra help. Of course, you must understand how the company’s key product or service works.
But beyond that, you must understand everything from the pain points of their customers to the market for talent in their sector to the opportunities for growth. This is not stuff you can pick up overnight, and entrepreneurs are good at picking those with genuine knowledge out from the blaggers.
And, in our case, we can share our global perspective regarding the wider market environment. You can provide an enormous amount of value here.
We also think it helps that we’ve been in their position before. We’re not just investors, we’ve held senior executive roles in cybersecurity companies and effectively built them from the ground up. So, we understand the nuances of the day-to-day running of a business, and that helps us build a foundation of trust – which really is essential to a successful relationship.
0patch has released an unofficial patch for a zero-day flaw in Microsoft Windows that allows bypassing the MotW (Mark-of-the-Web) protections built into the operating system; the flaw is being actively exploited.
Files signed with malformed signatures are able to bypass the MotW protections. All Windows versions supported by Microsoft, as well as various legacy versions, are affected.
Cybersecurity analysts determined that threat actors were using stand-alone JavaScript files to install the Magniber ransomware on victims’ devices.
Why does Windows 8.1 not have the behavior where a corrupt signature skips the MotW prompting? Windows 10 and newer MotW prompting is sort of intermingled with SmartScreen by default. If you turn off "Check apps and files", you'll get behavior more like earlier Windows versions.
0patch released this unofficial security patch because the zero-day is critical and is being actively exploited in the wild.
Why is this patch tagged “unofficial”?
The patch is tagged unofficial because of its source: it was not released by Microsoft.
Until Microsoft releases an official fix, users can apply this micropatch to keep their systems protected against threat actors exploiting the zero-day.
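What the mark actually is, as an added example that is not from 0patch or from the original article: on NTFS, Windows stores the Mark of the Web in a Zone.Identifier alternate data stream, an INI-style text whose ZoneId field records the URL security zone the file came from. The parser below reads that stream (constructed sample contents; the zone numbering is the one Windows uses) and reports whether the file is marked as coming from the Internet or Restricted Sites zone. The caveat in the quoted tweet above is the important one: the mark being present is necessary but not sufficient for the SmartScreen prompt, and the flaw discussed here is exactly a case where the mark is present and the prompt is skipped because of a malformed signature.

```python
"""Read and interpret the Zone.Identifier alternate data stream that carries the
Mark of the Web. Added example; sample stream contents are constructed."""
import configparser

# URL security zone IDs as Windows records them in ZoneId=.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
# Zones for which MotW safeguards (SmartScreen prompt, Office Protected View) apply.
MARKED_ZONES = {3, 4}


def parse_zone_identifier(stream_text):
    """Return (zone_id, referrer_url, host_url) from the stream text, or None when
    the stream is absent, not parseable, or has no usable ZoneId. A missing or
    garbage stream is treated as 'unmarked', which is exactly why anything that
    strips or corrupts the stream defeats this check."""
    if not stream_text:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", ""))
    except ValueError:
        return None
    return zone_id, section.get("ReferrerUrl", ""), section.get("HostUrl", "")


def is_marked_from_internet(stream_text):
    parsed = parse_zone_identifier(stream_text)
    return parsed is not None and parsed[0] in MARKED_ZONES


def describe(stream_text):
    parsed = parse_zone_identifier(stream_text)
    if parsed is None:
        return "no Mark of the Web"
    zone_id, referrer, host = parsed
    return f"zone {zone_id} ({ZONES.get(zone_id, 'unknown')}) referrer={referrer!r} host={host!r}"


def read_zone_identifier(path):
    """On NTFS the stream is opened as '<file>:Zone.Identifier'. Only meaningful
    on Windows; returns None where the stream (or the file) does not exist."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample: what a browser writes for a file downloaded from the Internet.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://downloads.example.test/\r\n"
                 "HostUrl=https://downloads.example.test/invoice.js\r\n")

if __name__ == "__main__":
    print(describe(SAMPLE_STREAM))
    print(describe("[ZoneTransfer]\nZoneId=1\n"))
    print(describe(""))
```

A ZoneId of 3 on a stand-alone .js file is the case the Magniber campaign relied on: the mark was there, so a hunt query over the stream is still useful for finding what was downloaded, but it cannot tell you whether the user was actually warned before the file ran.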
Free Micropatch Availability
The zero-day affects multiple Windows versions; the following affected versions are eligible for the free micropatches:
Windows 11 v21H2
Windows 10 v21H2
Windows 10 v21H1
Windows 10 v20H2
Windows 10 v2004
Windows 10 v1909
Windows 10 v1903
Windows 10 v1809
Windows 10 v1803
Windows Server 2022
Windows Server 2019
Installing the micropatch requires an account on the 0patch website, which can be created for free. Once registered, download the 0patch agent for your Windows device; it installs the micropatch automatically.
If you’re a security practitioner dealing with ISO 27001, you’re probably wondering what new things you will need to implement as part of the changes that will be made to this standard during 2022.
What you’ll notice is that some of these new controls are very similar to old controls from the 2013 revision; however, because these controls were categorized as new in ISO 27002:2022, I have listed all 11 in this article.
As the main source for this article, I’ve used guidelines from ISO 27002:2022 – I’ve given an overview of requirements, technology, people, and documentation, but if you’d like to learn about these controls in more depth, you can purchase the ISO 27002 2022 standard.
Finally, keep in mind that these controls are not mandatory – ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal/regulatory/contractual requirements to implement that particular control.
I’ve been meaning to talk more about what I actually do, which is help the teams within Microsoft who are threat modeling (for our boxed software) to do their jobs better. Better means faster, cheaper or more effectively. There are good reasons to optimize for different points on that spectrum (of better/faster/cheaper) at different times in different products. One of the things that I’ve learned is that we ask a lot of developers, testers, and PMs here. They all have some exposure to security, but terms that I’ve been using for years are often new to them.
I wanted to chime in and offer up this handy chart that we use. It’s part of how we teach people to go from a diagram to a set of threats. We used to ask them to brainstorm, and have discovered that that works a lot better with some structure.
From the basics to advanced techniques, here’s what you should know.
Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.
An organization’s security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.
That’s why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.
The Basics: Vulnerability Scanning
The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There’s a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.
Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.
While vulnerability scanning is relatively easy to use, it’s not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. Scanners are also often prone to false positives and must be updated consistently.
Overall, though, vulnerability scanning is an important baseline step. Once it’s running well, the next step is penetration testing.
Penetration Testing
Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there’s a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.
Run periodically, pen testing can uncover weaknesses that aren’t found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.
Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.
While penetration testing can provide a great deal of benefit, it’s a good idea to periodically review the wealth of information on best practices available online.
Red Team/Purple Team
The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization’s security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.
A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.
But too often, red and blue teams devolve into an adversarial relationship that’s counterproductive. It’s also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.
Using Adversary TTPs for Good
There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE’s ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security based on intelligence about specific attacks and then simulate the TTPs used.
For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases: from command-and-control setup to initial access; from host compromise through execution; and from data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.
Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure’s detection and response rates.
Looking Ahead
Security vendors are moving beyond simply advocating the concept of MITRE’s ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.
MITRE’s CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. CALDERA can also be used to train blue teams on detecting and remediating specific attacks.
Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.
Photo caption: A woman in Tehran climbed onto a car and set her hijab ablaze. “Amin” was just five meters away. (Photo credit: Twitter)
The death of 22-year-old Mahsa Amini in Iran has ignited the most powerful protests the country has seen in years. Authorities there have rolled out a host of new tools to throttle mobile phone connections, block social media sites, and make it harder for people on the ground to organize. Our Click Here team spoke to one man who has been protesting since Amini’s death was announced, and he talked to us about the dangers of using social media and technology while participating in street demonstrations. He asked us not to use his real name because speaking to foreign reporters could get him arrested. Amin talked with us about getting around internet restrictions, the dangers of using social media in Iran, and how protesters handle their passwords.
Our interview with him has been edited and condensed for clarity.
About 1 in 5 phishing email messages reach workers’ inboxes, as attackers get better at dodging Microsoft’s platform defenses and defenders run into processing limitations.
This week’s report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft’s default security showcases an alarming evolution in phishing tactics, security experts said.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation. They’re also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft’s platform defenses and landed in workers’ inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers are due to a better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.
“It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company’s security layers,” he says. “The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content.”
Meanwhile, cybercriminal services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.
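The zero-size font trick described above works because a content filter that scans the raw HTML text sees lure phrases broken up by junk characters, while the recipient’s mail client renders the junk at zero size and shows the intact phrase. The following detector, an added example that is not code from the article or from Check Point/Avanan, reconstructs what the recipient actually sees, keeps the hidden fragments separately, and flags a message when a lure phrase only appears after hidden text is stripped. The sample message and the lure phrase list are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample message (not a real phishing email): lure phrases are split by
# zero-size and hidden spans so that a filter scanning the raw text never sees them,
# while the recipient's mail client renders them as ordinary words.
SAMPLE_HTML = """<html><body>
<p>Dear cus<span style="font-size:0px">X7</span>tomer,</p>
<p>Please ver<span style="font-size: 0">lorem</span>ify your pass<font style="font-size:0pt">ipsum</font>word
within 24 hours or your acc<span style="display:none">zz</span>ount will be sus<span style="font-size:0">q</span>pended.</p>
<p>Click <a href="https://example.invalid/login">here</a> to continue.</p>
</body></html>"""

# Constructed lure list; a real deployment would use a tuned corpus.
LURE_PHRASES = ("verify your password", "will be suspended",
                "confirm your account", "update your payment")

ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
INVISIBLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "area", "base", "col", "wbr"}


class HiddenTextParser(HTMLParser):
    """Collects text chunks tagged with whether their element (or an ancestor) hides them."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []   # one entry per open element: is its text hidden?
        self.chunks = []          # (text, hidden) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        hidden = bool(ZERO_FONT.search(style) or INVISIBLE.search(style))
        if tag == "font" and a.get("size", "").strip() == "0":
            hidden = True
        # Hidden state is inherited from the enclosing element.
        hidden = hidden or (self._hidden_stack[-1] if self._hidden_stack else False)
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        hidden = bool(self._hidden_stack) and self._hidden_stack[-1]
        self.chunks.append((data, hidden))


def _normalize(text):
    return re.sub(r"\s+", " ", text).strip().lower()


def extract_texts(html):
    """Return (visible_text, raw_text, hidden_fragments) for an HTML message body."""
    parser = HiddenTextParser()
    parser.feed(html)
    parser.close()
    raw = _normalize("".join(t for t, _ in parser.chunks))          # what a naive filter scans
    visible = _normalize("".join(t for t, h in parser.chunks if not h))  # what the recipient sees
    hidden = [t.strip() for t, h in parser.chunks if h and t.strip()]
    return visible, raw, hidden


def analyze_email(html):
    visible, raw, hidden = extract_texts(html)
    lures_visible = [p for p in LURE_PHRASES if p in visible]
    lures_raw = [p for p in LURE_PHRASES if p in raw]
    # Strongest signal: a lure phrase that exists only once hidden text is removed,
    # i.e. the hidden spans were placed to break keyword matching on the raw content.
    split_lures = [p for p in lures_visible if p not in lures_raw]
    suspicious = bool(split_lures) or (bool(hidden) and bool(lures_visible))
    return {
        "visible_text": visible,
        "hidden_fragments": hidden,
        "lures_visible": lures_visible,
        "lures_raw": lures_raw,
        "split_lures": split_lures,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    result = analyze_email(SAMPLE_HTML)
    print("Recipient sees   :", result["visible_text"])
    print("Hidden fragments :", result["hidden_fragments"])
    print("Lures visible/raw:", result["lures_visible"], result["lures_raw"])
    print("Suspicious       :", result["suspicious"])
```

Running the block on the sample shows every lure phrase present in the rendered text and none in the raw text, which is exactly the gap the technique exploits.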
This October is Cyber Security Awareness Month, an event designed to educate people about information security and the steps they can take to stay safe online.
Now in its nineteenth year, the campaign provides tools and resources to help people learn more about the cyber security industry and the ways they can get involved.
This year’s event focuses on phishing and ransomware – two of the biggest threats that organisations currently face.
Phishing is often used to deliver ransomware, which itself is responsible for significant damage. Our research discovered more than 100 publicly disclosed ransomware attacks in the first half of 2022, with intrusions shuttering businesses and creating huge financial problems.
Getting involved
There are events being held throughout October as part of National Cyber Security Awareness Month. Both national governments and private organisations have supported the campaign and are running programmes online and in person.
You can find a full list of events on Stay Safe Online, where you can also find information security tips.
The theme of this year’s campaign is ‘See Yourself in Cyber’, and individuals are encouraged to get involved online with the hashtag #BeCyberSmart.
A key component of that is protecting yourself from scams. The campaign reminds people that: “The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it.
“Before clicking any links or downloading attachments, take a few seconds (like literally 4 seconds) and ensure the email looks legit.”
The campaign also highlights the benefits of multi-factor authentication, strong passwords and regularly updating software.
How IT Governance can help
You can also follow the latest developments with Cyber Security Awareness Month by following us on LinkedIn. We’ll provide the latest updates on the campaign to help you get involved in events near you.
Plus, our experts will provide quick and simple tips to boost your cyber security awareness. Did you know, for example, that one of the most effective ways to boost your defences is also one of the simplest – ensuring that your accounts are protected by strong, unique passwords?
This applies not only to login credentials but also to databases and other sensitive information that you store online. The InterContinental Hotel Group was recently caught out by a cyber attack, after criminal hackers discovered a database protected by the password ‘Qwerty1234’.
The breach enabled the attackers to access the most sensitive parts of the hotel giant’s computer systems, and ultimately led to a phishing attack in which an employee was duped into downloading malware that destroyed huge volumes of sensitive data.
Another top tip for preventing cyber attacks is to test your employees with simulated phishing, such as our Phishing Challenge E-learning Game. These are messages that use the same techniques as genuine scams without the malicious payload.
The attacks give you the opportunity to monitor how your employees respond to a bogus email. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact the IT team to alert them of the threat?
Simulated phishing is an essential technique in an organisation’s cyber security practices. It complements traditional staff awareness training to assess the effectiveness of your programme in a real-world scenario.
In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.
But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in the fourth quarter of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media broadcasting events daily, as they occur, to every channel imaginable (cable TV, smartphones, social media, etc.), cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even sabotage targets.
Nation-state-sponsored cyber attacks aim to:
Hinder communication
Gather intelligence
Steal intellectual property
Damage digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers, at a cost of $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What Can the Public Sector Do to Stay Ahead?
Beyond taking full advantage of the latest technology, public sector organizations that want to stay ahead must create a culture of cybersecurity, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
If you’re into web API security testing, then you know that API hacking books are a valuable resource. They can teach you new things, introduce you to new concepts around breaking web application programming and help you stay up-to-date on the latest trends in your field. That’s why I’ve put together this list of 5 essential books for any API hacker!
API security and you
So before I go through the list of book recommendations, I want to preface that if you are a security researcher who wants to conduct web API security testing, the reality is it’s just as important to focus on the web applications themselves.
As such, a crash course in web hacking fundamentals never hurts. So some of my recommendations may seem more focused on that than on breaking web application programming interfaces.
You may also notice that I also recommend a few books that focus on bounty programs and make it possible to make a living as you break APIs.
The point is, regardless of where you are in your API hacking career, these books can help. I have organized them in such a way that if you can’t afford to buy them all just yet, start from the top and work your way down.
Book #1: Hacking APIs: Breaking Web Application Programming Interfaces
This is one of the few books that is actually dedicated to API hacking.
This book is a great resource for anyone who wants to learn more about API security and how to hack into web applications. It provides in-depth information on how to break through various types of APIs, as well as tips on how to stay ahead of the curve in this rapidly changing field. Corey also shares his own personal experiences with API hacking, which makes the content even more valuable. If you’re interested in learning more about API security and want to start from the basics, then this is the perfect book for you!
Book #2: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
This book is a tome of information. It’s the oldest book on the list and by far the largest.
The Web Application Hacker’s Handbook is an essential read for anyone looking to understand how web application vulnerabilities are discovered and exploited. The book is filled with in-depth technical information and real-world examples that will help you understand the inner workings of web applications and how to protect them from potential attacks.
One of the best features of this book is the “Hands-On” sections, which provide you with step-by-step instructions on how to find and exploit various vulnerabilities. This makes it an ideal resource for both beginner and experienced hackers alike.
If you’re looking to beef up your skills in web application security, then The Web Application Hacker’s Handbook is a must-read!
Book #3: Web Application Security: Exploitation and Countermeasures for Modern Web Applications
Sometimes before focusing on offense, we have to know defensive tactics.
This book provides in-depth coverage of all the major areas of web application security, from vulnerabilities and exploits to countermeasures and defense strategies. Written by security expert Andrew Hoffman, this book is packed with real-world examples and step-by-step instructions that will help you understand how developers protect their web applications from potential attacks.
If you’re serious about web application security, then this is the perfect book for you!
Book #4: Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities
If you are looking at being an independent security researcher focused on web API security testing, finding high payout API bugs may be important.
Bug Bounty Bootcamp is a guide to becoming a bug bounty hunter. The book covers the basics of hunting for bugs, including how to find and report them. It also includes a number of case studies of successful bug bounty hunting, detailing methods and strategies.
In chapter 24 of the Expert Techniques section, Vicki goes deeper into discussing multiple API attack techniques.
Overall, Bug Bounty Bootcamp is an informative and well-written guide that should be of interest to anyone considering a career in API hacking through bug bounty hunting.
Book #5: Real-World Bug Hunting: A Field Guide to Web Hacking
“Real-World Bug Hunting” is a brilliant resource for anyone who aspires to be a professional bug hunter. The book is written by Peter Yaworski, who is himself a professional bug hunter.
He begins by delving into the mindset of a bug hunter – what drives them to find vulnerabilities in software and systems? He then provides an overview of the bug hunting process, from identifying potential targets to writing up a report. The bulk of the book is devoted to teaching readers how to find and exploit common web application vulnerabilities.
Yaworski provides clear and concise explanations of each vulnerability, along with examples of real-world exploits. He also offers advice on how to avoid getting caught by security teams and how to maximize the value of your findings. “Real-World Bug Hunting” is an essential read for anyone who wants to make a career out of finding bugs.
Conclusion
These five books are essential readings for anyone interested in hacking APIs. They provide detailed information on how to find and exploit vulnerabilities, as well as defensive tactics and strategies. If you want to be a successful API bug bounty hunter, then these books will also give you the tools and techniques you need to get started.
Can a device be hacked when switched off? Recent studies suggest so. Let’s see how this is even possible.
Researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, have published a paper describing a theoretical method for hacking an iPhone — even if the device is off. The study examined the operation of the wireless modules, found ways to analyze the Bluetooth firmware and, consequently, to introduce malware capable of running completely independently of iOS, the device’s operating system.
With a little imagination, it’s not hard to conceive of a scenario in which an attacker holds an infected phone close to the victim’s device and transfers malware, which then steals payment card information or even a virtual car key.
The reason it requires any imagination at all is because the authors of the paper didn’t actually demonstrate this, stopping one step short of a practical attack implementation in which something really nasty is loaded into the smartphone. All the same, even without this, the researchers did a lot to analyze the undocumented functionality of the phone, reverse-engineer its Bluetooth firmware, and model various scenarios for using wireless modules.
So, if the attack didn’t play out, what’s this post about? We’ll explain, don’t worry, but first an important statement: if a device is powered off, but interaction with it (hacking, for example) is somehow still possible, then guess what — it’s not completely off!
How did we get to the point where switching something off doesn’t necessarily mean it’s actually off? Let’s start from the beginning…
Apple’s Low Power Mode
In 2021, Apple announced that the Find My service, which is used for locating a lost device, will now work even if the device is switched off. This improvement is available in all Apple smartphones since the iPhone 11.
If, for example, you lose your phone somewhere and its battery runs out after a while, it doesn’t turn off completely, but switches to Low Power Mode, in which only a very limited set of modules are kept alive. These are primarily the Bluetooth and Ultra WideBand (UWB) wireless modules, as well as NFC. There’s also the so-called Secure Element — a secure chip that stores your most precious secrets like credit card details for contactless payments or car keys — the latest feature available since 2020 for a limited number of vehicles.
Bluetooth in Low Power Mode is used for data transfer, while UWB — for determining the smartphone’s location. In Low Power Mode, the smartphone sends out information about itself, which the iPhones of passers-by can pick up. If the owner of a lost phone logs in to their Apple account online and marks the phone as lost, information from surrounding smartphones is then used to determine the whereabouts of the device. For details of how this works, see our recent post about AirTag stalking.
The announcement quickly prompted a heated discussion among information security experts about the maze of potential security risks. The research team from Germany decided to test out possible attack scenarios in practice.
When powering off the phone, the user now sees the “iPhone Remains Findable After Power Off” message.
Find My after power off
First of all, the researchers carried out a detailed analysis of the Find My service in Low Power Mode, and discovered some previously unknown traits. After power off, most of the work is handled by the Bluetooth module, which is reloaded and configured by a set of iOS commands. It then periodically sends data packets over the air, allowing other devices to detect the not-really-off iPhone.
It turned out that the duration of this mode is limited: in version iOS 15.3 only 96 broadcast sessions are set with an interval of 15 minutes. That is, a lost and powered-off iPhone will be findable for just 24 hours. If the phone powered off due to a low battery, the window is even shorter — about five hours. This can be considered a quirk of the feature, but a real bug was also found: sometimes when the phone is off, the “beacon” mode is not activated at all, although it should be.
Of most interest here is that the Bluetooth module is reprogrammed before power off; that is, its functionality is fundamentally altered. But what if it can be reprogrammed to the detriment of the owner?
Attack on a powered-off phone
In fact, the team’s main discovery was that the firmware of the Bluetooth module is not encrypted and not protected by Secure Boot technology. Secure Boot involves multistage verification of the program code at start-up, so that only firmware authorized by the device manufacturer can be run.
The lack of encryption permits analysis of the firmware and a search for vulnerabilities, which can later be used in attacks. But the absence of Secure Boot allows an attacker to go further and completely replace the manufacturer’s code with their own, which the Bluetooth module then executes. For comparison, analysis of the iPhone’s UWB module firmware revealed that it’s protected by Secure Boot, although the firmware isn’t encrypted either.
Of course, that’s not enough for a serious, practical attack. For that, an attacker needs to analyze the firmware, try to replace it with something of their own making, and look for ways to break in. The authors of the paper describe in detail the theoretical model of the attack, but don’t show practically that the iPhone is hackable through Bluetooth, NFC or UWB. What’s clear from their findings is that if these modules are always on, the vulnerabilities likewise will always work.
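The distinction the paper draws is between two independent protections: encryption (stops you reading the firmware) and Secure Boot (stops the module running firmware the manufacturer didn’t sign). The model below is an added example, not the researchers’ code and not Apple’s implementation: two modules with unencrypted firmware, one that verifies each boot stage before handing over control and one that does not. It stands in for the manufacturer’s asymmetric signature with an HMAC under a key the model treats as held only by the manufacturer (real Secure Boot checks a signature against a public key in ROM); the module names, header format and firmware images are constructed.

```python
import hashlib
import hmac
import re
import struct
from dataclasses import dataclass

# Constructed stand-in for the manufacturer's signing key (not a real key). Real Secure Boot
# uses an asymmetric signature verified with a public key burned into ROM; an HMAC under a key
# assumed to be known only to the manufacturer plays that role in this model.
MANUFACTURER_KEY = b"constructed-manufacturer-key-not-real"
HEADER = struct.Struct(">4sI32s")  # magic, payload length, authentication tag
MAGIC = b"FWIM"


class BootError(Exception):
    pass


def sign_image(payload: bytes) -> bytes:
    """Manufacturer side: wrap plaintext firmware in a header carrying its tag. No encryption."""
    tag = hmac.new(MANUFACTURER_KEY, payload, hashlib.sha256).digest()
    return HEADER.pack(MAGIC, len(payload), tag) + payload


def verify_image(image: bytes) -> bytes:
    """Verifier stage: return the payload only if header and tag check out, else raise."""
    if len(image) < HEADER.size:
        raise BootError("image too short")
    magic, length, tag = HEADER.unpack_from(image)
    payload = image[HEADER.size:]
    if magic != MAGIC or length != len(payload):
        raise BootError("bad header")
    expected = hmac.new(MANUFACTURER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise BootError("authentication tag mismatch")
    return payload


@dataclass(frozen=True)
class Module:
    name: str
    secure_boot: bool  # does the chain verify each stage before handing over control?


def boot(module: Module, stages):
    """Walk the boot chain in order; return (stages that ran, reason the chain halted or None).

    Simplification: one root-of-trust verifier checks every stage, whereas a real chain has
    each stage verify the next one. The outcome for a tampered stage is the same.
    """
    ran = []
    for name, image in stages:
        if module.secure_boot:
            try:
                verify_image(image)
            except BootError as err:
                return ran, f"{name}: {err}"
        ran.append(name)  # without Secure Boot, whatever is in flash simply runs
    return ran, None


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one payload byte, leaving the header (and therefore the old tag) untouched."""
    i = HEADER.size + offset
    return image[:i] + bytes([image[i] ^ 0xFF]) + image[i + 1:]


def readable_strings(image: bytes, min_len: int = 4):
    """Unencrypted payloads can be read straight out of the image, Secure Boot or not."""
    return re.findall(rb"[ -~]{%d,}" % min_len, image[HEADER.size:])


# The two modules as the paper characterises them: both unencrypted, only UWB verified.
BLUETOOTH = Module("bluetooth", secure_boot=False)
UWB = Module("uwb", secure_boot=True)

# Constructed stand-in images; real firmware would be machine code.
GENUINE_CHAIN = [
    ("bootloader", sign_image(b"bootloader v1: init radio, load next stage")),
    ("firmware", sign_image(b"firmware v1: lost-mode beacon, 15 min interval")),
]

if __name__ == "__main__":
    tampered_chain = [GENUINE_CHAIN[0], ("firmware", tamper(GENUINE_CHAIN[1][1], 0))]
    for module in (BLUETOOTH, UWB):
        print(module.name, "genuine :", boot(module, GENUINE_CHAIN))
        print(module.name, "tampered:", boot(module, tampered_chain))
    print("strings readable on both:", readable_strings(GENUINE_CHAIN[1][1]))
```

The tampered firmware stage halts the verified module and runs unchanged on the unverified one, while the strings of both images are readable either way, which is the separation of concerns the paper relies on.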
Apple was unimpressed by the study, and declined to respond. This in itself, however, says little: the company is careful to keep a poker face even in cases when a threat is serious and demonstrated to be so in practice.
Bear in mind that Apple goes to great lengths to keep its secrets under wraps: researchers have to deal with closed software code, often encrypted, on Apple’s own hardware, with made-to-order third-party modules. A smartphone is a large, complex system that’s hard to figure out, especially if the manufacturer hinders rather than helps.
No one would describe the team’s findings as breathtaking, but they are the result of lots of painstaking work. The paper has merit for questioning the security policy of powering off the phone, but keeping some modules alive. The doubts were shown to be justified.
A half powered-off device
The paper concludes that the Bluetooth firmware is not sufficiently protected. It’s theoretically possible either to modify it in iOS or to reprogram the same Low Power Mode by expanding or changing its functionality. The UWB firmware can also be examined for vulnerabilities. The main problem, however, is that these wireless modules (as well as NFC) communicate directly with the protected enclave that is Secure Element. Which brings us to some of the paper’s most exciting conclusions:
Theoretically, it’s possible to steal a virtual car key from an iPhone — even if the device is powered off! Clearly, if the iPhone is the car key, losing the device could mean losing the car. However, in this case the actual phone remains in your possession while the key is stolen. Imagine it like this: an intruder approaches you at the mall, brushes their phone against your bag, and steals your virtual key.
It is theoretically possible to modify the data sent by the Bluetooth module, for example, in order to use a smartphone to spy on a victim — again, even if the phone is powered off.
Having payment card information stolen from your phone is another theoretical possibility.
But all this of course still remains to be proven. The work of the team from Germany shows once more that adding new functionality carries certain security risks that must be taken into account. Especially when the reality is so different from the perception: you think your phone is fully off, when in fact it isn’t.
This is not a completely new problem, mind. The Intel Management Engine and AMD Secure Technology, which also handle system protection and secure remote management, are active whenever the motherboard of a laptop or desktop computer is connected to a power source. As in the case of the Bluetooth/UWB/NFC/Secure Element bundle in iPhones, these systems have extensive rights inside the computer, and vulnerabilities in them can be very dangerous.
On the bright side, the paper has no immediate impact on ordinary users: the data obtained in the study is insufficient for a practical attack. As a surefire solution, the authors suggest that Apple should implement a hardware switch that kills the power to the phone completely. But given Apple’s physical-button phobia, you can be sure that won’t happen.