What are the differences between the 2013 and 2022 editions of ISO/IEC 27002
Aug 22 2022
Hiding a phishing attack behind the AWS cloud
Scammers are using cloud services to create and host web pages that can be used to lure victims into handing over their credentials
Criminals are slipping phishing emails past automated security scanners inside Amazon Web Services (AWS) to establish a launching pad for attacks.
Scammers have latched onto the ability for people to use an AWS service to build and host web pages using WordPress or their own custom code. From there they can send phishing messages carrying the AWS name into corporate emails systems to both get past scanners that typically would block suspicious messages and to add greater legitimacy to fool victims, according to email security vendor Avanan.
In a report this week, researchers with Avanan – acquired last year by cybersecurity company Check Point – outlined a phishing campaign that uses AWS and unusual syntax construction in the messages to get past scanners.
“Email services that use static Allow or Block Lists to determine if email content is safe or not are not immune to these attacks,” they wrote. “Essentially, these services will determine whether a website is safe or not. Amazon Web Services will always be marked as safe. It’s too big and too prevalent to block.”
Piggybacking on well-known brand names for phishing campaigns isn’t unusual. Avanan this year has documented such efforts leveraging QuickBooks, PayPal, and Google Docs to ensure messages land in an inbox.
Now the public cloud is a vehicle and using AWS makes sense. It is the largest public cloud player, owning a third of a global cloud infrastructure market that generated almost $55 billion in the second quarter, according to Synergy Research Group. Combined, AWS, Microsoft Azure, and Google Cloud account for 65 percent of the space.
“Attacks using public cloud is becoming my common for many reasons, in part because infrastructure is so transient, reputational systems cannot help. We can block bulletproof hosting providers but we can’t just block AWS,” John Bambenek, principal threat hunter at Netenrich, told The Register. “These services are cheap, easy to use, and can spin up and down services quickly. Public clouds are usually whitelisted, so IP reputation doesn’t work, and people are getting more and more used to services in public clouds so they don’t look as suspect.”
The trend will only grow, according to Davis McCarthy, principal security researcher at Valtix.
“As the enterprise embraces the multiple clouds, cybercriminals will have more options to choose from and abuse,” McCarthy told The Register. “Benefiting from the lack of visibility and the disjointed topology, attack surfaces will be difficult to fingerprint. Organizations will need to standardize on security across clouds and have the ability to consolidate visibility to ensure prevention and detection processes are implemented efficiently.”
Cybercriminals are “creating phishing pages on AWS using the site’s legitimacy to steal credentials,” Avanan researchers wrote. “Sending a link to this page via email is a way to bypass scanners and get users to hand over credentials.”
They pointed to a campaign where the cybercriminal sent a phishing message created and hosted on AWS telling recipients that their password was about to expire. The email came with a Microsoft logo and told the user to click on a button to either keep or change the password.
The use of AWS’ name isn’t the only tactic for getting past the scanners, according to the researchers. They also use unusual content in the email’s text to confuse scanners, they wrote. When the message in the example was opened, the text wasn’t related to the attack. Instead, it was written in Spanish that when translated talks about a price quote for an “earthquake monitoring system.”
When the user clicks on button, they’re taken to a fake password reset page that includes the domain name of the victim’s company and most of the fields populated. The user is asked only to type in their password. If that’s done, the scammers can steal the credentials.
“With an easy way into the inbox, plus a low lift from end-users, this type of attack can be quite successful for hackers,” the researchers wrote, who added that they notified Amazon of what they found.
Avanan researchers wrote that enterprise users need to hover over links to see the destination URL before clicking on it and look at the email content before clicking on it. Hank Schless, senior manager of security solutions at Lookout, told The Register that Secure web gateways (SWGs) can help identify risk behavior on the network beyond what typical scanners do. If part of a larger cloud security platform, administrators can implement more data protection tools to identify risk behavior, even if it’s coming from a legitimate source.
Automation also is key given the lack of in-house skills to run continuous monitoring, according to Ryan McCurdy, vice president of marketing at Bolster.
“Moreover, they do not have the relationships nor access to perform the takedowns, such as asking an internet service provider to take down a fake website, let alone have the access to underground forums and chat rooms, which is not something that can be acquired overnight,” McCurdy told The Register. “It’s critical that companies take a platform approach and leverage automation to detect, analyze, and take down fraudulent sites and content across the web, social media, app stores, and the dark web.”
https://www.theregister.com/2022/08/22/aws_cloud_phishing/
Aug 18 2022
Hacker tournament brings together world’s best in Las Vegas
(Reuters) – A team of hackers from two North American universities won the “Capture the Flag” championship, a contest seen as the “Olympics of hacking,” which draws together some of the world’s best in the field.
In the carpeted ballroom of one of the largest casinos in Las Vegas, the few dozen hackers competing in the challenge sat hunched over laptops from Friday through Sunday during the DEF CON security conference that hosts the event.
The winning team, called Maple Mallard Magistrates, included participants from Carnegie Mellon University, its alumni, and the University of British Columbia.
The contest involves breaking into custom-built software designed by the tournament organizers. Participants must not only find bugs in the program but also defend themselves from hacks coming from other competitors.
The hackers, mostly young men and women, included visitors from China, India, Taiwan, Japan and South Korea. Some worked for their respective governments, some for private firms and others were college students.
While their countries may be engaged in cyber espionage against one another, the DEF CON CTF contest allows elite hackers to come together in the spirit of sport.
The reward is not money, but prestige. “No other competition has the clout of this one,” said Giovanni Vigna, a participant who teaches at the University of California in Santa Barbara. “And everybody leaves politics at home.”
“You will easily find a participant here going to another who may be from a so-called enemy nation to say ‘you did an amazing job, an incredible hack.'”
The game has taken on new meaning in recent years as cybersecurity has been elevated as a national security priority by the United States, its allies and rivals. Over the last 10 years, the cybersecurity industry has boomed in value as hacking technology has evolved.
Winning the title is a lifelong badge of honor, said Aaditya Purani, a participant who works as an engineer at electric car maker Tesla Inc (TSLA.O).
This year’s contest was broadcast for the first time on YouTube, with accompanying live commentary in the style of televised sports.
DEF CON itself, which began as a meetup of a few hundred hackers in the late 1990s, was organized across four casinos this year and drew a crowd of more than 30,000, according to organizing staff.
On Saturday afternoon, participants at the “Capture the Flag” contest sat typing into their laptops as conference attendees streamed in and out of the room to watch. Some participants took their meals at the tables, munching on hamburgers and fries with their eyes fixed on screens.
Seungbeom Han, a systems engineer at Samsung Electronics, who was part of a South Korean team, said it was his first time at the contest and it had been an honor to qualify.
The competition was intense and sitting for eight hours a day at the chairs was not easy. They did take bathroom breaks, he said with a laugh, “but they are a waste of time.”
Reporting by Zeba Siddiqui in Las Vegas Editing by Matthew Lewis
Aug 16 2022
Clop Ransomware Gang Breaches Water Utility, Just Not the Right One
South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.
South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.
The problem? Thames Water wasn’t breached.
Apparently, Clop got its UK water companies confused.
South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was “experiencing a disruption to out corporate IT network and our teams are working to resolve this as quickly as possible.” It added there has been no disruption on service.
“This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” the water company said.
Meanwhile, Thames Water, the UK’s largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports.
“As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror.
While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group’s attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence.
“I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact,” Liebeg said. “And had Thames Water not done an investigation of the ‘proof of compromise,’ they may very well have decided to negotiate further. In both instances, each organization did their due diligence.”
https://www.darkreading.com/attacks-breaches/clop-ransomware-gang-breaches-water-utility
Ransomware Protection Playbook
Aug 16 2022
Organisations Must Invest in Cyber Defences Before It’s Too Late
We’ve all been feeling the effects of inflation recently. Prices rose by 8.2% in the twelve months to June 2022, with the largest increases being seen in electricity, gas and transport prices.
Meanwhile, the cost of renting commercial property continues to rise, despite the decreased demand for office space amid the uptick in remote work.
It should be obvious why costs are on the rise; substantial disruption remains related to COVID-19, Russia’s invasion of Ukraine has disrupted supply chains and interest rates have been raised several times this year.
The Bank of England says that the causes of rising inflation are not likely to last, but it has warned that the prices of certain things may never come down.
Clearly, then, rising costs are not simply a temporary issue that we must get through. We must instead carefully plan for how we will deal with increased costs on a permanent basis.
One apparent measure is to look at ways your organisation can cut costs. For better or worse, the most likely targets will be parts of the business that don’t contribute to a direct return on investment.
However, before you start slashing budgets, you should consider the full effects of your decisions.
Take cyber security for example. It’s already notoriously underfunded, with IT teams and other decision makers being forced to make do with limited resources.
According to a Kaspersky report, a quarter of UK companies admit underfunding cyber security even though 82% of respondents have suffered data breaches.
The risk of cyber security incidents is even higher in the summer months, when staff holidays mean that cyber security resources are even more stretched than usual.
What’s at stake?
The global cost of cyber crime is predicted to reach $10.5 trillion (£8.8 trillion) in the next three years, more than triple the $3 trillion (£2.5 trillion) cost in 2015.
We’ve reached record numbers of phishing attacks, with the Anti-Phishing Working Group detecting more than one million bogus emails last quarter. Meanwhile, there were more ransomware attacks in the first quarter of 2022 than there were in the whole of 2021.
These are worrying signs for organisations, and an economic downturn will only make cyber criminals more determined to make money – especially as they know their targets are focusing on cutting costs.
But it’s not just the immediate costs associated with cyber attacks and disruption that organisations should be worried about. There are also long-term effects, whether that’s lingering operational disruption, reputational damage or regulatory action.
Consider the ongoing problems that British Airways faced after it suffered a cyber attack in 2018. It took the airline more than two months to detect the breach, creating enduring difficulties and ultimately resulting in a £20 million fine.
The ICO (Information Commissioner’s Office), which investigated the incident, found that British Airways was processing a significant amount of personal data without adequate security measures in place, and had it addressed those vulnerabilities, it would have prevented the attack.
There were several measures that British Airways could have used to mitigate or prevent the damage, including:
- Applying access controls to applications, data and tools to ensure individuals could only access information relevant to their job;
- Performing penetration tests to spot weaknesses; and
- Implementing multi-factor authentication.
In addition to the fine, British Airways settled a class action from as many as 16,000 claimants. The amount of the settlement remains confidential, but the cost of the payout was estimated to be as much as £2,000 per person.
Remarkably, the penalty and the class action represent a case of strikingly good fortune for British Airways. Had it come earlier, it would have been at the height of the COVID-19 pandemic when airlines were severely affected, and were it any later, it would have come during a period of massive inflation.
It’s a lesson that other organisations must take to heart. The GDPR is being actively enforced throughout the EU and UK, so organisations must ensure compliance.
Failure to do so will result in unforeseen costs at a time when every precaution must be taken to reduce costs.
Invest today, secure tomorrow
It’s long been accepted that it’s a matter of ‘when’ rather than ‘if’ you will suffer a cyber attack. When you do, you’ll have to invest heavily in security solutions on top of having to paying remediation costs.
In times of uncertainty, you need your services to be as reliable as possible. The challenges your organisation will face in the coming months as a result of falling consumer confidence are enough to deal with without having to contend with cyber crime and its inevitable fallout.
Investing in effective cyber security measures will enable your organisation to make the most of its opportunities in straightened circumstances.
You can find out how you can bolster your organisation’s defences quickly and efficiently with IT Governance’s range of training courses.
We want to help our customers get the most from their cyber security training this August.
Book any classroom, Live Online or self-paced training course before the end of this month and automatically receive:
- A free Cyber Security for Executive Management Self-Paced Online Training Course; and
- A free 1-year licence for the Cyber Resilience Staff Awareness E-learning Suite.
Aug 15 2022
Zoom for Mac patches get-root bug – update now!
At the well-known DEF CON security shindig in Las Vegas, Nevada, last week, Mac cybersecurity researcher Patrick Wardle revealed a “get-root” elevation of privilege (EoP) bug in Zoom for Mac:
Aug 15 2022
Patch Madness: Vendor Bug Advisories Are Broken, So Broken
Dustin Childs and Brian Gorenc of ZDI take the opportunity at Black Hat USA to break down the many vulnerability disclosure issues making patch prioritization a nightmare scenario for many orgs.
BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.
That’s the argument that Brian Gorenc and Dustin Childs, both with Trend Micro’s Zero Day Initiative (ZDI), made from the stage of Black Hat USA during their session, “Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories.”
ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. Over the course of that time, ZDI communications manager Childs said that he’s noticed a disturbing trend, which is a decrease in patch quality and reduction of communications surrounding security updates.
“The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk,” he noted. “Faulty patches can also be a boon to exploit writers, as ‘n-days’ are much easier to use than zero-days.”
The Trouble With CVSS Scores & Patching Priority
Aug 11 2022
AWS and Splunk partner for faster cyberattack response
OCSF initiative will give enterprise security teams an open standard for moving and analyzing threat data
BLACK HAT AWS and Splunk are leading an initiative aimed at creating an open standard for ingesting and analyzing data, enabling enterprise security teams to more quickly respond to cyberthreats.
Seventeen security and tech companies at the Black Hat USA 2022 show this week unveiled the Open Cybersecurity Schema Framework (OCSF) project, which will use the ICD Schema developed by Symantec as the foundation for the vendor-agnostic standard.
The creation of the OCSF, licensed under the Apache License 2.0, comes as organizations are seeing their attack surfaces rapidly expand as their IT environments become increasingly decentralized, stretching from core datacenters out to the cloud and the edge. Parallel with this, the number and complexity of the cyberthreats they face is growing quickly.
“Today’s security leaders face an agile, determined and diverse set of threat actors,” officials with cybersecurity vendor Trend Micro, one of the initial members of OCSF, wrote in a blog post. “From emboldened nation state hackers to ransomware-as-a-service (RaaS) affiliates, adversaries are sharing tactics, techniques and procedures (TTPs) on an unprecedented scale – and it shows.”
Trend Micro blocked more than 94 billion threats in 2021, a 42 percent year-on-year increase, and 43 percent of organizations responding to a survey from the vendor said their digital attack surface is getting out of control.
Cybersecurity vendors have responded by creating platforms that combine attack surface management, threat prevention, and detection and response to make it easier and faster for enterprises to counter attacks. They streamline processes, close security gaps, and reduce costs, but they’re still based on vendor-specific products and point offerings.
Vendors may use different data formats in their products, which means moving datasets from one vendor’s product to that of another often requires the time-consuming task of changing the format of the data.
“Unfortunately, normalizing and unifying data from across these disparate tools takes time and money,” Trend Micro said. “It slows down threat response and ties up analysts who should be working on higher value tasks. Yet up until now it has simply become an accepted cost of cybersecurity. Imagine how much extra value could be created if we found an industry-wide way to release teams from this operational burden?”
Dan Schofield, program manager for technology partnerships at IBM Security, another OCSF member, wrote that the lack of open industry standards for logging and event purposes creates challenges when it comes to detection engineering, threat hunting, and analytics, and until now, there has been no critical mass of vendors willing to address the issue.
Source: AWS and Splunk partner for faster cyberattack response
Aug 09 2022
Scientists hid encryption key for Wizard of Oz text in plastic molecules
It’s “a revolutionary scientific advance in molecular data storage and cryptography.”
Scientists from the University of Texas at Austin sent a letter to colleagues in Massachusetts with a secret message: an encryption key to unlock a text file of L. Frank Baum’s classic novel The Wonderful Wizard of Oz. The twist: The encryption key was hidden in a special ink laced with polymers, They described their work in a recent paper published in the journal ACS Central Science.
When it comes to alternative means for data storage and retrieval, the goal is to store data in the smallest amount of space in a durable and readable format. Among polymers, DNA has long been the front runner in that regard. As we’ve reported previously, DNA has four chemical building blocks—adenine (A), thymine (T), guanine (G), and cytosine (C)—which constitute a type of code. Information can be stored in DNA by converting the data from binary code to a base-4 code and assigning it one of the four letters. A single gram of DNA can represent nearly 1 billion terabytes (1 zettabyte) of data. And the stored data can be preserved for long periods—decades, or even centuries.
There have been some inventive twists on the basic method for DNA storage in recent years. For instance, in 2019, scientists successfully fabricated a 3D-printed version of the Stanford bunny—a common test model in 3D computer graphics—that stored the printing instructions to reproduce the bunny. The bunny holds about 100 kilobytes of data, thanks to the addition of DNA-containing nanobeads to the plastic used to 3D print it. And scientists at the University of Washington recently recorded K-Pop lyrics directly onto living cells using a “DNA typewriter.”
But using DNA as a storage medium also presents challenges, so there is also great interest in coming up with other alternatives. Last year, Harvard University scientists developed a data-storage approach based on mixtures of fluorescent dyes printed onto an epoxy surface in tiny spots. The mixture of dyes at each spot encodes information that is then read with a fluorescent microscope. The researchers tested their method by storing one of 19th-century physicist Michael Faraday’s seminal papers on electromagnetism and chemistry, as well as a JPEG image of Faraday.
Other scientists have explored the possibility of using nonbiological polymers for molecular data storage, decoding (or reading) the stored information by sequencing the polymers with tandem mass spectrometry. In 2019, Harvard scientists successfully demonstrated the storage of information in a mixture of commercially available oligopeptides on a metal surface, with no need for time-consuming and expensive synthesis techniques.
This latest paper focused on the use of sequence-defined polymers (SDPs) as a storage medium for encrypting a large data set. SDPs are basically long chains of monomers, each of which corresponds to one of 16 symbols. “Because they’re a polymer with a very specific sequence, the units along that sequence can carry a sequence of information, just like any sentence carries information in the sequence of letters,” co-author Eric Anslyn of UT told New Scientist.
But these macromolecules can’t store as much information as DNA, per the authors, since the process of storing more data with each additional monomer becomes increasingly inefficient, making it extremely difficult to retrieve the information with the current crop of analytic instruments available. So short SDPs must be used, limiting how much data can be stored per molecule. Anslyn and his co-authors figured out a way to improve that storage capacity and tested the viability of their method.
First, Anslyn et al. used a 256-bit encryption key to encode Baum’s novel into a polymer material made up of commercially available amino acids. The sequences were comprised of eight oligourethanes, each 10 monomers long. The middle eight monomers held the key, while the monomers on either end of a sequence served as placeholders for synthesis and decoding. The placeholders were “fingerprinted” using different isotope labels, such as halogen tags, indicating where each polymer’s encoded information fit within the order of the final digital key,
Then they jumbled all the polymers together and used depolymerization and liquid chromatography-mass spectrometry (LC/MS) to “decode” the original structure and encryption key. The final independent test: They mixed the polymers into a special ink made of isopropanol, glycerol, and soot. They used the ink to write a letter to James Reuther at the University of Massachusetts, Lowell. Reuther’s lab then extracted the ink from the paper and used the same sequential analysis to retrieve the binary encryption key, revealing the text file of The Wonderful Wizard of Oz.
In other words, Anslyn’s lab wrote a message (the letter) containing another secret message (The Wonderful Wizard of Oz) hidden in the molecular structure of the ink. There might be more pragmatic ways to accomplish the feat, but they successfully stored 256 bits in the SDPs, without using long strands. “This is the first time this much information has been stored in a polymer of this type,” Anslyn said, adding that the breakthrough represents “a revolutionary scientific advance in the area of molecular data storage and cryptography.”
Anslyn and his colleagues believe their method is robust enough for real-world encryption applications. Going forward, they hope to figure out how to robotically automate the writing and reading processes.
DOI: ACS Central Science, 2022. 10.1021/acscentsci.2c00460 (About DOIs).
Aug 07 2022
SMB’s cybersecurity solutions to remediate risk
We have build cybersecurity solution sheets for our clients which we would like to share with you. This can be a useful resource when there is a need to remediate risk. These are in pdf format which you can download.
Privacy guidance, audits, tools, training and software
Certification of individuals
Cybersecurity Solutions
NIST Gap Assessment Tool
ITGP comprehensive set of Toolkits
What are the differences between the 2013 and 2022 editions of ISO/IEC 27002?
You can choose the course based on your specific needs:
- ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
- ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
- ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
- ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
If you have any questions, feel free to send us an email to info@deurainfosec.com
Aug 03 2022
Start as you mean to go on: the top 10 steps to securing your new computer
Whether you are getting ready for back-to-school season, getting new work laptop or fancying a new gamer’s pc, learn the steps to protect your new PC from cyberthreats.
With Windows 11 making headlines for all the right reasons, it could be a great time to invest in a new PC for the family or the home office. But any new household computing device should come with an attendant safety warning. Hackers will be after your data the minute it’s connected to the internet. And they have numerous ways to get it.
That’s why you need to think about cybersecurity even before plugging your machine in and switching it on. Take time out now to refresh your memory and make cyber-hygiene a number one priority.
What are the main threats to my PC?
As soon as you’re connected to the internet, malicious actors will be looking to steal your data, encrypt and hold your machine ransom, lift financial details, secretly mine for cryptocurrency, and much more. They’ll do so via some tried and true methods, which often rely on cracking, stealing or guessing passwords, or exploiting software vulnerabilities. Top threats include:
Phishing: One of the oldest con tricks in the book. Cybercriminals masquerade as legitimate and trustworthy sources (banks, tech providers, retailers etc) and try to persuade users into clicking on links and/or opening attachments in emails. Doing so will take users to a spoofed site requesting that they fill in personal information (like logins and/or address/financial details) or could trigger a covert malware download.
Drive-by downloads and malicious ads: Sometimes merely visiting an infested website or a site running a malicious ad could trigger a malware download. We may think that well-known sites may be less compromised in this way as they are better resourced and can afford enhanced protection. But there have been plenty of counter-example through the years showing that it’s not always the case. That’s why its essential to invest in security software from a reputable provider and ensure that your browser’s security settings are correct.
Digital skimming: Hackers may also compromise the payment pages of e-commerce sites with malware designed to silently harvest your card data as it is entered. This is difficult to guard against as the issue is with the provider. However, shopping with better-known sites can reduce risk.
Malicious apps and files: Cybercriminals also hide malware inside legitimate-looking applications and downloads. Many of these are posted to online forums, P2P sites, and other third-party platforms. That’s why it makes sense to download only from trusted sources, and to use an effective security software tool to scan for malicious software.
Ten tips to keep your computer safe
Many of the below steps may be taken care of automatically by your PC manufacturer/Microsoft, but it pays to dig a little deeper to make sure all the settings are as secure as you need them to be. Here are our top 10 tips for computer safety:
- Apply automatic updates for the OS and any software running on the PC
- Remove bloatware that often comes with PCs. Check beforehand if you don’t recognize any software to ensure removing it won’t degrade the performance. The fewer pieces of software on the machine, the less opportunity for attackers to exploit bugs in it
- Install multi-layered security software from a reputable third-party vendor and keep it up to date
- Configure backups, and ideally back up a copy of data to a remote storage device kept offline
- Secure the browser by adjusting privacy and security settings and ensuring it is on the latest version
- Switch on and configure your firewall on the OS and home router, ensuring it is protected with a strong password
- Download a multi-factor authentication app in order to help protect your accounts from being hijacked via phishing and other attacks
- Avoid using USBs that you don’t own, in case they are loaded with malware
- Use a password manager to ensure that all your credentials are unique, strong, and hard-to-crack
- Only download apps/files from trusted sources and avoid pirated material, which can often be booby-trapped with malware
It goes without saying that, even by following these best practices, you could still be at risk when browsing online. Always proceed with caution, don’t reply to unsolicited emails/online messages, and ensure device encryption is switched on.
by Phil Muncaster, ESET
https://wordpress.com/read/blogs/19067844/posts/17162
Internet attack on computer systems is pervasive. It can take from less than a minute to as much as eight hours for an unprotected machine connected to the Internet to be completely compromised. It is the information security architect’s job to prevent attacks by securing computer systems. This book describes both the process and the practice of assessing a computer system’s existing information security posture. Detailing the time-tested practices of experienced security architects, Securing systems explains how to deliver the right security at the right time in the implementation lifecycle.
Aug 01 2022
Privacy guidance, audits, tools, training and software
Privacy guidance, audits, tools, training and software
DISC InfoSec
#InfoSecTools and #InfoSectraining
Ask DISC an InfoSec & compliance related question
Jul 28 2022
State of Cybersecurity 2022
State of Cybersecurity 2022 – via ISACA
State of Cybersecurity 2022, Global Update on Workforce Efforts, Resources and Cyberoperations reports the results of an eighth annual global study that looks at the following topics and more:
- What are the top cybersecurity hiring challenges today?
- Which cybersecurity skills are in highest demand?
- How can companies improve retention?
- How are cybersecurity budgets changing?
- Which threat vectors are the most concerning?
- How frequently are companies conducting cyber risk assessments?
See what your peers have to say and how your organization’s challenges, actions and priorities compare to other companies around the world.
Get your free copy by completing the form on ISACA site.
Jul 28 2022
Messaging Apps Tapped as Platform for Cybercriminal Activity
Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.
Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.
Threat actors are tapping the multi-feature nature of messaging apps—in particularly their content-creation and program-sharing components—as a foundation for info-stealing, according to new research from Intel 471.
Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.
“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote.
Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.
Storing Exfiltrated Data
Having one’s own dedicated and secure network to store data stolen from unsuspecting victims of cybercrime can be costly and time-consuming. Instead, threat actors are using data-storage features of Discord and Telegram as repositories for info-stealers that actually depend upon the apps for this aspect of functionality, researchers have found.
Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.
Researchers from Intel 471 observed a bot known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers– including Google Chrome, Chromium, Opera, Slimjet and Vivaldi–and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said.
Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.
Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. Webhooks are similar to APIs in that they simplify the transmission of automated messages and data updates from a victim’s machine to a particular messaging channel.
Blitzed Grabber and two other stealers observed using messaging apps for data storage–—Mercurial Grabber and 44Caliber–also target credentials for the Minecraft and Roblox gaming platforms, researchers added.
“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.
Payload Hosting
Jul 28 2022
ENISA provides data related to major telecom security incidents in 2021
ENISA published a report that includes anonymised and aggregated information about major telecom security incidents in 2021.
ENISA published a report that provides anonymized and aggregated information about major telecom security incidents in 2021.
Every European telecom operator that suffers a security incident, notifies its national authorities which share a summary of these reports to ENISA at the start of every calendar year.
The reporting of security incidents has been part of the EU’s regulatory framework for telecoms
since the 2009 reform of the telecoms package.
This year the report includes data related to reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.
The incident had a significant impact on the victim, the total user hours lost (resulted by
multiplying for each incident the number of users by the number of hours) was 5,106 million user
hours. Experts noticed a huge increase compared to 841 million user hours lost in 2020. The reason for this is the impact of a notable EU-wide incident that was reported separately by three MS. ENISA has published technical guidelines on incident reporting under the EECC1, including on thresholds and calculating hours lost.
Below are the takeaways from incidents that took place in 2021:
- 4,16% of reported incidents in 2021 refer to OTT communication services, for this reason the European Agency required further attention for security incidents related to OTT services.
- This is the first time that incidents concerning confidentiality and authenticity were reported.
- The number of incidents labeled as malicious actions passed from 4% in 2020 to 8% in 2021.
- System failures continue to dominate in terms of impact but the downward trend continues. System failures accounted for 363 million user hours lost compared to 419 million user hours in 2020.
- The number of Incidents caused by human errors is the same as in 2020.
- Only 22% of incidents were reported as being related to third-party failures compared to 29%
Let me suggest reading the full report for additional information:
DISC InfoSec
#InfoSecTools and #InfoSectraining
Ask DISC an InfoSec & compliance related question
Jul 27 2022
How DDoSecrets built the go-to home for Russian leaks
American investigative reporter Emma Best knows how arduous it is to ask for information from government agencies.
She made more than 5,000 such requests during her career at MuckRock, a non-profit news site that publishes original government documents and conducts investigations based on them. Best was so persistent that the FBI temporarily banned her from filing any more information requests.
She found a way to cut through the government bureaucracy. Together with an anonymous partner known as The Architect, Best founded the whistleblower site Distributed Denial of Secrets (DDoSecrets) in 2018.
Since then, it has distributed hacked and leaked data from more than 200 entities, including U.S. law enforcement agencies, fascist groups, shell companies, tax havens, and the far-right social media sites Gab and Parler.
Unlike cybercriminals who sell hacked data on the darknet for personal gain, DDoSecrets says it exposes leaked information for the public good. “Secrets can be used for extortion by threatening to make it public, while public information can’t,” Best said.
Her website has become a go-to place for whistleblowers and hackers, especially given the absence of its most famous predecessor, WikiLeaks, which has been inactive for the last two years.
Russian leaks
https://therecord.media/how-ddosecrets-built-the-go-to-home-for-russian-leaks/
Jul 26 2022
Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands
Instances of phishing attacks leveraging the Microsoft brand increased 266 percent in Q1 compared to the year prior.
The bloom is back on phishing attacks with criminals doubling down on fake messages abusing popular brands compared to the year prior. Microsoft, Facebook and French bank Crédit Agricole are the top abused brands in attacks, according to study on phishing released Tuesday.
According to the report by researchers at Vade, phishing attacks abusing the Microsoft brand increased 266 percent in the first quarter of 2022, compared to the year prior. Fake Facebook messages are up 177 percent in the second quarter of 2022 within the same timeframe.
The study by Vade analyzed unique instances of phishing URLs used by criminals carrying out phishing attacks and not the number of phishing emails associated with the URLs. The report tallied the 25 most commonly targeted companies, along with the most abused industries and days of the week for phishing emails.
Phishing By the Numbers
Other top abused brands in phishing attacks include Credit Agricole, WhatsApp, and French telecommunications company Orange. Popular brands also included PayPal, Google and Apple (see chart).
Through the first half of 2022, 34 percent of all unique phishing attacks tracked by the researchers impersonated financial services brands. The next most popular industry for criminals to abuse is cloud and the firms Microsoft, Google and Adobe. Social media was also a popular target with Facebook, WhatsApp and Instagram leading the list of brands leveraged in attacks.
The report revealed the most popular days for sending phishing emails is between Monday and Wednesday. Less than 20 percent of malicious emails are sent on the weekend.
“Phishing attacks are more sophisticated than ever,” wrote Adrien Gendre, chief tech and product officer at Vade in an email to Threatpost.
“Hackers have an arsenal of tools at their disposal to manipulate end users and evade email security, including phishing kits that can identify when they are being scanned by a vendor and trigger benign webpages to avoid detection. End users need to be continually trained to identify the latest phishing techniques,” he wrote.
Phishing Attacks: Advanced Attack Techniques
Jul 26 2022
Twitter hacker touting the data of over 5.4 million users, including celebrities and companies, for $30,000
Over 5.4 million Twitter users have reportedly been targeted in a major breach of personal data following revelations earlier this year that the site had a serious security flaw.
The security flaw came to light in January, when a user on HackerOne named “zhirinovskiy” pointed out that Twitter was vulnerable to hackers seeking to use information for malicious purposes.
At the time, Zhirinovskiy detailed exactly how to exploit the bug and described it as a “serious threat” even in the hands of those with only a “basic knowledge” of scripting and coding.
Twitter acknowledged the problem five days later and appeared to have fixed the problem a week after that, when it rewarded Zhirinovskiy with a $5,040 bounty for bringing the vulnerability to its attention.
A seller with the username ‘devil’ claims that “Celebrities, to Companies, randoms, OGs, etc” are included in the data set and is asking for at least $30,000, RestorePrivacy says.
A spokesperson from Twitter told Fortune: “We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability.”
The spokesperson added that Twitter was “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
Jul 23 2022
Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’
Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.
A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns.
Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.
“[A.I.G.] has introduced us to out-of-the-box thinking,” Cyberint’s Shmuel Gihon wrote in the report.
[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]
A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse and incent them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors – each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is it outsources specific aspects of an attack to “mercenaries” who have no further involvement in an attack.
The report’s author, Gihon, said only A.I.G. administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets.
Unique Business Model
This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.
“While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services,” Gihon wrote.
A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and United Arab Emirates, researchers found.
Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.’s various cybercriminal services, he said.
Anatomy of a Threat Group
Jul 18 2022
Virtual CISOs Are the Best Defense Against Accelerating Cyber-Risks
A poor, permanent hire can be a very expensive error, whereas a mis-hire on a virtual CISO can be rapidly corrected.
The cybersecurity challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmaneuver security controls effortlessly.
As technology races forward, companies without a full-time CISO are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.
How a vCISO Works
Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.
The best vCISO engagements are long-term contracts, such as 12 to 24 months. Typically, there’s an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.
What to Expect From a vCISO
When bringing a vCISO on board, it’s important that person has three key attributes: broad and extensive experience in addressing cybersecurity challenges across many industries; business acumen and the ability to rapidly absorb complex business models and strategies; and knowledge of technology solutions and dynamics that can be explored to meet specific organizational needs.
The first thing a vCISO will focus on is prioritization, beginning with understanding a company’s risks. They will then organize actions that provide the greatest positive influence on mitigating these risks while ensuring sustainability in the program. The goal is to establish a security approach that addresses the greatest risks to the business in a way that has staying power and can provide inherent value to additional downstream controls.
Having extensive experience in the technical space, a vCISO can take into consideration the full spectrum of options — those existing within the business environment, established products and services in the marketplace, and new solutions entering the market. Just within that context, a vCISO can collaborate with the technical team to take advantage of existing solutions and identify enhancements that can further capabilities in a cost-efficient manner.
The Value of a vCISO
One of the most common findings is that companies often have a large portfolio of cybersecurity technology, but very little is fully deployed. Additionally, most tech teams are not leveraging all of the capabilities, much less integrating with other systems to get greater value. Virtual CISOs help companies save money by exploiting existing technical investments that dramatically improve security. And, since the improvement is focused on existing tools, the transition for the IT and security staff is virtually eliminated due to established familiarity with the environment.
Another essential value point of a vCISO is access to an informed and well-balanced view on risk and compliance. While cybersecurity is dominated by technical moving parts, the reality is the board, executive leadership, and management team needs to incorporate cyber-risks and related liabilities into the overall scope of risk across the business at an executive level. In this sense, leadership has a vast array of competing challenges, demands, and risks and some can be even more impactful than cybersecurity.
How to Convince the Executive Team
A CEO is under a constant barrage of challenges, problems, risks, and opportunities. Cybersecurity needs to be part of that formula. If one of the core values of having a vCISO is getting meaningful cyber-risk insights, then trust and confidence in that person is paramount and needs to be established from the beginning.
Another challenge is the team dynamic — at the heart of being a CEO is their success as a leader. Introducing what is essentially a consultant can be an adjustment for the team. It’s important that the vCISO hire fits the culture and can easily integrate with everyone on the team including the CIO, CTO, CPO, CRO, etc.
The conversation with the CFO will understandably have a heavy financial tone. For companies debating between a full-time CISO or a vCISO, it’s clear a poor permanent hire can be a very expensive error, whereas a mis-hire on a vCISO can be rapidly corrected.
As organizations continue to come to grips with the byproducts of digitization and new security challenges that often seem insurmountable, a vCISO can be an enormous value. Beyond offering an efficient and cost-effective model, they bring many advantages to businesses with fewer risks than a dedicated resource.
Ransomware’s Silver Bullet – The Virtual CISO Publication Series: Cybersecurity
DISC InfoSec
#InfoSecTools and #InfoSectraining
Ask DISC an InfoSec & compliance related question
« Previous Page — Next Page »
