InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Given that, companies also need to carefully consider their ability to respond and recover from a ransomware incident. While the key component of recovery is maintaining and testing backups of critical data, one aspect of recovery thatās often overlooked is having access to the stored packet data from the lead-up and ransomware attack itself.
High-quality packet data is important for ransomware recovery in three critical ways: (a) For determining the timeframe for backup restoration; (b) For creating a record of the attack for incident response (especially for legal and compliance reporting); (c) and for analyzing the attack itself to prevent it from happening again.
In this post, Iāll collect links on Appleās iPhone backdoor for scanning CSAM images. Previous links areĀ hereĀ andĀ here.
AppleĀ saysĀ that hash collisions in its CSAM detection system were expected, and not a concern. Iām not convinced that this secondary system was originally part of the design, since it wasnāt discussed in the original specification.
GoodĀ op-edĀ from a group of Princeton researchers who developed a similar system:
Our system could be easily repurposed for surveillance and censorship. The design wasnāt restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.
Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices
Researchers have disclosed a nasty new way for bad people to mess up the internet for the rest of us. Theyāve found a fantastically powerful reflective-amplification attack technique that could easily be used for distributed denial of service (DDoS).
Youāll be pleased to know the researchers havenāt wasted their time dreaming up a fancy name or a logo. On the other hand, theyāre far from hopeful that the problems can be fixed.
Nation-states would have to fix their firewalls, which aināt gonna happen. In todayās SB Blogwatch, this is why we canāt have nice things.
Weaponizing this attack is relatively simpleā Academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks. ā¦ The research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations. ā¦ Reflective amplificationāā¦āhappens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker. ā¦ The amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms ofāā¦āDDoS. ā¦ The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic. ā¦ If the attacker tried to access a forbidden website, then the middlebox would respond with a āblock page,ā which would typically be much larger than the initial packetāhence an amplification effect. ā¦ Weaponizing this attack is relatively simple.
Distributed Denial of Service (DDoS) Attacks: Classification, Attacks, Challenges and Countermeasures
While Security Orchestration Automation and Response (SOAR) solutions help automate and structure these activities, the activities themselves requireĀ telemetryĀ data that provide the breadcrumbs to help scope, identify and potentially remedy the situation. This takes increasing significance in the cloud for a few reasons:
TheĀ public cloud shared security modelĀ may lead to gaps in the telemetry (e.g., lack of telemetry from the underlying infrastructure that could help correlate breadcrumbs at the infrastructure level to the application level).
Lack of consistency in telemetry information as applications increasingly segment into microservices, containers and Platform-as-a-Service, and as various modules come from different sources such as internal development, open source, commercial modules, and outsourced development.
Misconfigurations and misunderstandings as control shifts between DevOps, CloudOps and SecOps.
All the above coupled with a significant expansion of attack surface area with the decomposition of monolith applications into microservices.
When incidents occur, the ability to quickly size up the scope, impact and root cause of the incident is directly proportional to the availability of quality data, and its ability to be easily queried, analyzed, and dissected. As companies migrate to the cloud, logs have become the de-facto standard of gathering telemetry.
This book is designed for security and risk assessment professionals, DevOps engineers, penetration testers, cloud security engineers, and cloud software developers who are interested in learning practical approaches to cloud security. It covers practical strategies for assessing the security and privacy of your cloud infrastructure and applications and shows how to make your cloud infrastructure secure to combat threats, attacks, and prevent data breaches. The chapters are designed with a granular framework, starting with the security concepts, followed by hand-on assessment techniques based on real-world studies, and concluding with recommendations including best practices.
FEATURES:
Includes practical strategies for assessing the security and privacy of your cloud infrastructure and applications
Covers topics such as cloud architecture and security fundamentals, database and storage security, data privacy, security and risk assessments, controls related to continuous monitoring, and more
Presents several case studies revealing how threat actors abuse and exploit cloud environments to spread malware
ISO 45001 is the international standard that contains best practices for OH&S (occupational health and safety). Its goal is to reduce injuries and diseases in the workplace, including the promotion and protection of physical and mental health.
COVID-19 helped put some of those problems into relief, but itās something organisations must continue to be vigilant about as the pandemic subsides.
In this blog, we look at the mandatory documentation and records you must complete to comply with ISO 45001 ā as well as non-mandatory documents that can support your compliance activities.
Mandatory documentation
Clause 4.3 Scope of the OH&S management system
Clause 5.2 OH&S policy
Clause 5.3 Responsibilities and authorities within OH&SMS
Clause 6.1.1 OH&S process for addressing risks and opportunities
ClauseĀ
6.1.2.2
Ā Methodology and criteria for assessment of OH&S risks
Clause 6.2.2 OH&S objectives and plans for achieving them
Clause 8.2 Emergency preparedness and response process
Mandatory records
Clause 6.1.1 OH&S risks and opportunities and actions for addressing them
Clause 6.1.3 Legal and other requirements
Clause 7.2 Evidence of competence
Clause 7.4.1 Evidence of communications
Clause 8.2 Plans for responding to potential emergency situations
Clause 9.1.1 Results on monitoring, measurements, analysis and performance evaluation
Clause 9.1.1 Maintenance, calibration or verification of monitoring equipment
Clause 9.1.2 Compliance evaluation results
Clause 9.2.2 Internal audit program
Clause 9.2.2 Internal audit report
Clause 9.3 Results of management review
Clause 10.2 Nature of incidents or nonconformities and any subsequent action taken
Clause 10.2 Results of any action and corrective action, including their effectiveness
Clause 10.3 Evidence of the results of continual improvement
Non-mandatory documents
In addition to mandatory documentation, there are many other parts of ISO 45001 that organisations may find relevant. This includes:
Clause 4.1 Procedure for determining context of the organization and interested parties
Clause 5.4 Procedure for consultation and participation of workers
Clause 6.1.2.1 Procedure for hazard identification and assessment
Clause 6.1.3 Procedure for identification of legal requirements
Clause 7.4.1 Procedure for communication
Clause 7.5 Procedure for document and record control
Clause 8.1 Procedure for operational planning and control
Clause 8.1.3 Procedure for change management
Clause 9.1.1 Procedure for monitoring, measuring and analysis
Clause 9.1.2 Procedure for compliance evaluation
Clause 9.2 Procedure for internal audit
Clause 9.3 Procedure for management review
Clause 10.1 Procedure for incident investigation
Clause 10.1 Procedure for management of nonconformities and corrective actions
This book, written by consultant and trainer Naeem Sadiq, explains how organisations can use ISO 45001ās requirements to create a safer work environment.
Youāll find out the purpose and requirements of each clause in ISO 45001, learn how to build an OH&S management system in a step-by-step approach and receive real-world examples of health and safety issues along with the ideal way to handle that situation.
The main components of the security tool are the Cobalt Strike client ā also known as a Beacon ā and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific āmalleabilityā customizations, such as how often the client is to report to the server or specific data to periodically send.
Researchers at the security consultancy Dolos Group, hired to test the security of one clientās network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine.
They were not only able to get into the BitLocker-encrypted computer, but then use the computer to get into the corporate network.
Trusted Platform Modules: Why, when and how to use them
The RedMonk Programming Language Rankings: June 2021
This iteration of the RedMonk Programming Languages is brought to you by Microsoft. Developers build the future. Microsoft supports you in any language and Java is no exception; we love it. We offer the best Java dev tools, infrastructure, and modern framework support. Modernize yourĀ Java development with Microsoft.
While we generally try to have our rankings in July immediately after they are run, we generally operate these on a better late than never basis. On the assumption, then, that August is better than never, below are your RedMonk Q3 language rankings.
As always, these are a continuation of the work originally performed by Drew Conway and John Myles White late inĀ 2010. While the specific means of collection has changed, the basic process remains the same: we extract language rankings from GitHub and Stack Overflow, and combine them for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction. The idea is not to offer a statistically valid representation of current usage, but rather to correlate language discussion and usage in an effort to extract insights into potential future adoption trends.
Our Current Process
The data source used for the GitHub portion of the analysis is the GitHub Archive. We query languages by pull request in a manner similar to the one GitHub used to assemble the State of the Octoverse. Our query is designed to be as comparable as possible to the previous process.
Language is based on the base repository language. While this continues to have the caveats outlined below, it does have the benefit of cohesion with our previous methodology.
We exclude forked repos.
We use the aggregated history to determine ranking (though based on the table structure changes this can no longer be accomplished via a single query.)
For Stack Overflow, we simply collect the required metrics using their useful data explorer tool.
Creation of the Joint Cyber Defense Collaborative follows high-profile cyberattacks on critical U.S. infrastructure
The U.S. government is enlisting the help of tech companies, includingĀ Amazon.comĀ Inc.,Ā MicrosoftĀ Corp.Ā and Google, to bolster the countryās critical infrastructure defenses against cyber threats after a string of high-profile attacks.
The Department of Homeland Security, on Thursday, is formally unveiling the initiative called the Joint Cyber Defense Collaborative. The effort will initially focus on combating ransomware and cyberattacks on cloud-computing providers, said Jen Easterly, director of the DHSās Cybersecurity and Infrastructure Security Agency. Ultimately, she said, it aims to improve defense planning and information sharing between government and the private sector.
āThis will uniquely bring people together in peacetime, so that we can plan for how weāre going to respond in wartime,ā she said in an interview. Ms. Easterly was sworn in as CISAās director last month. She was previously a counterterrorism official in the Obama White House, and the commander of the Armyās first cyber operations unit at the National Security Agency, Americaās cyberspy agency.
āThis will uniquely bring people together in peacetime, so that we can plan for how weāre going to respond in wartime.āā Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency
However, you might not be as familiar withĀ ISO 27002. Itās a supplementary standard that provides advice on how to implement the security controls listed inĀ Annex A of ISO 27001.
Although ISO 27001 is the more well-known standard ā and the one that organisations certify to ā neither can be considered in isolation. This blog explains why thatās the case, helping you understand how each standard works and the differences between them.
What is ISO 27001?
ISO 27001 is the central framework of theĀ ISO 27000 series, which is a series of documents relating to various parts of information security management.
The Standard contains theĀ implementation requirementsĀ for an ISMS. These are essentially an overview of everything you must do achieve compliance.
This is particularly useful at the start of your project, or if youāre looking for general advice but canāt commit to a full-scale implementation project.
ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.
These controls are listed in Annex A of ISO 27001, which is what youāll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.
This is because the Standard explains how each control works, what its objective is, and how you can implement it.
The differences between ISO 27001 and ISO 27002
There are three main differences between ISO 27001 and ISO 27001:
Detail
If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.
Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.
Certification
You can certify to ISO 27001 but not to ISO 27002. Thatās because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.
Applicability
A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.
ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesnāt mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.
When you should use each standard
ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.
If youāre starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once youāve identified the controls that youāll be implementing to learn more about how each one works.
This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. Youāll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.
Developed by the team that led the worldās first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.
Youāll learn from expert information security consultants, as they explain:
ISO 27001 management system documentation;.
How to plan, scope and communicate throughout your ISO 27001 project; and
The key steps involved in an ISO 27001 risk assessment.
Check Point ResearchĀ (CPR) experts have spotted a cheap malware, dubbed XLoader variant, which was upgraded to target both Windows and macOS PCs.
XLoader is a very cheap malware strain that is based on the popular Formbook Windows malware.
FormBook is a data-stealing malware that is used in cyber espionage campaigns, like other spyware it is capable of extracting data from HTTP sessions, keystroke logging, stealing clipboard contents. FormBook can also receive commands from a command-and-control (C2) server to perform many malicious activities, such as downloading more payloads. FormBook was offered for sale in the criminal underground since July, it goes for $29 a week up to a $299 full-package āproā deal. The customers pay for access to the platform and generate their executable files as a service.
The malware was pulled from sale in 2017, but it continued to infect systems across the world. In March 2020, MalwareHunterTeam uncovered a Coronavirus (COVID-19)-themed campaign that was distributing a malware downloader that delivers the FormBook information-stealing Trojan.
CPR team has now monitored XLoader since it first appeared in the threat landscape in February. XLoader borrows the code base with Formbook, but it also included major improvements, such as the capability of compromising macOS systems.
āOn February 6, 2020 a new era began: the era of the Formbook successor called XLoader. On this day, XLoader was advertised for sale in one of the underground groups.ā states theĀ reportĀ published by CheckPoint.Ā āOn October 20, 2020, XLoader was offered for sale on the same forum which was used for selling Formbook.ā
Whether employees have been with the company for seven years or seven months, when they return to the office they should be treated as if itās their first day at the company. All members of the team, no matter how veteran, should go through a refresher on security practices.
Your security team can do this by teaching or reminding staff how to properly manage and move data within its appropriate environment to minimize possible data exposure. This promotesĀ healthy security practicesĀ and provides regular and customized training for the entire team.
If your company is moving to aĀ hybrid workforce approach, ensure your employees are set up with the right knowledge and/or equipment they need for dual offices to minimize data loss. For instance, encourage use of company drives to access data from both locations rather than porting data via thumb drives.
There are many factors to considered when selecting a publicĀ cloud provider, but 56% in a recent survey said security concerns had the most significant influence during the selection process for public cloud providers, IT services management company Ensono said.
Above: Ensono Cloud Clarity Report uncovered several areas that significantly influenced buying decisions.
If you’re building a career in information security the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.
This course will prepare you with the knowledge and skills to complete the CISSP exam, which will get you Certified Information Systems Security Professional status. professional. Covering topics including cloud computing, mobile security, application development security, and risk management, you will gain the knowledge to best manage information security issues back in your organization.
Duration: 5 days
“I would highly recommend the course to a friend, and in fact I already have! I’d also recommend it to a security team within an organization, even if they’re not specifically targeting a CISSP certification as it teaches a broad range of best practices and will help instill a culture of security and best practice in any organization.”
Who should attend?
This training course is intended for professionals who have at least 5 years of recent full-time professional work experience in 2 or more of the 8 domains of the CISSP common body of knowledge (CBK), such as:
Security consultants
Security managers
IT directors/managers
Security auditors
Security architects
Security analysts
Security systems engineers
Chief information security officers
Security directors
Network architects
Please note: A one year experience waiver is available with a 4-year college degree, or regional equivalent, or additional credentials from the (ISC)Ā² approved list, thus requiring four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK.
Don’t have 5 years of experience? – Become an Associate of (ISC)Ā²
We all ought to know by now that passwords that are easy to guess will get guessed.
We recently reminded ourselves of that by guessing, by hand, 17 of the top 20 passwords in the Have I Been Pwned (HIBP) Pwned Passwords database in under two minutes.
We tried the 10 all-digit sequences 1, 12, 123 and so on up to 1234567890, and eight of them were in the top 20.
Then we tried other obvious digit combos such as 000000, 111111 and 123123 (we started with six digits because thatās Appleās current minimum length, and because we noted that 123456 came out well ahead of 12345 and 1234).
The others were equally easy: qwerty, password, abc123, password1, iloveyou and qwertyuiop, the last being a useful reminder that length alone counts for very little.
Donāt re-use passwords.Ā And donāt try to invent a technique for modifying each password slightly from an original template to make them seem different, because the crooks are on the lookout for that.
Consider a password manager.Ā Password managers generate random and unrelated passwords for each account, so there are no similarities a crook could figure out, even if one of the password gets compromised. Remember that you donāt have to put all your passwords into the manager app if you donāt want to: itās OK to have a special way of dealing with your most important accounts, especially if you donāt use them often.
Turn on 2FA if you can.Ā Two-factor authentication doesnāt guarantee to keep the crooks out, but it stops attacks like this one from being carried out so easily and on such a broad scale, because the passwords alone would not have been enough.
Report payment anomalies.Ā Obviously, you need to look for outgoing payments that shouldnāt have happened, and for incoming payments that never arrived. But also look out for outgoing payments that somehow failed when they should have gone through, or for incoming funds you didnāt expect, no matter how small the amount. The sooner you report any errors, even if you didnāt lose any money, the sooner you help both yourself and everyone else.
Our community ā that is, technologists, mathematicians and information assurance professionals ā has generally adapted well to changes in the technology landscape.
At the start of the Cold War, the western security apparatus sought to understand the actions of their adversaries by intercepting radio signals bouncing off the ionosphere and analyzing the messages they carried. Later, when the Soviets moved to microwave transmissions, that same security apparatus deployed cutting-edge line-of-sight interception techniques.
Then, in 1977, after the Soviets began to successfully encrypt their communications, the NSA launched the Bauded Signals Upgrade program, delivering a supercomputer designed to compare encrypted messages with elements of plain text transmitted by mistake, allowing the agency to break many of the Sovietsā high-level codes. Time and time again, our innovation has kept us safe, but only when we have prepared to meet the threat.
Quantum information theory, which has been explored since the beginning of the 20th century, has led to an exciting yet dangerous new prospect: new quantum algorithms to solve computational problems which have thus far proven to be intractable ā or at least unachievable within a useful period ā by classical computers. One such problem is the breaking of the Advanced Encryption Standard, a key pillar of modern data encryption.
A joint research team of engineers from Google and the Swedish Royal Institute of Technology published a study that theorized the breaking of a 2048 bit key in just 8 hours, something that would take todayās classical computers over 300 trillion years. The catch? This theory requires a 20 million-qubit computer, and the largest quantum computer that exists today has only 65.
Their study, alongside many like it, tells us that quantum technology will present the greatest threat to the security of our critical systems in the history of computing. It may even be useful to us in future conflicts. However, quantum computers will need considerably more processing power than is available today and will require a significantly lower error rate if they are to be utilized for cyberspace operations.
To meet this challenge, institutions across the world are rushing to develop quantum computers that are capable of delivering on the promising theory.
The U.S. National Institute of Standards and Technology is currently evaluating over 60 methods for post-quantum cryptography, quantum key distribution, and other security applications. Early indications are that quantum technology will provide an ability to detect, defend, and even retaliate against all manner of future threats.
Away from security, most people understand that quantum computing has immense potential for good ā with applications in the scientific and medical research fields easy to imagine. However, this vast computing power could also be used to undermine the classical computer systems that our nation relies upon so heavily.
In the modern cloud-based application era, securing hardware is often neglected, so the volume of unmanaged devices noted above is not surprising. Endpoint management is hard, itās boring, itās time-consuming ā but itās nevertheless extremely important to a robust security strategy.
Why? Bad actors know that machines arenāt getting configured and maintained at the rate at which they should. This makes them ripe for exploitation. One of the easiest ways to attack corporate networks is through a machine that is not configured correctly or that hasnāt downloaded a patch to shore up a certain vulnerability.
Endpoint management: Scaling for a new world
VPNs have been under significant strain throughout the pandemic, and bandwidth is at a premium. This is part of the reason weāre seeing such rapid migration to the cloud. While there are numerous benefits to this move, it still doesnātĀ protect actual endpoints. To do this, regardless of environment, you need to find an endpoint management solution that can scale rapidly and not affect network performance.
This requires a novel approach to drive continuous compliance and configuration management across the enterprise. Of note, the latest peer-to-peer solutions can check the configuration of local or remote endpoints, diagnose problems, and/or remediate any issues found. Because of the nature of peer-to-peer, these solutions can conduct routine and advanced endpoint management at massive scale, addressing hundreds of thousands of endpoints without bandwidth throttling or hindering network performance.
Workers donāt even realize their systems are being updated. Being able to protect endpoints at scale without degrading the user experience or getting in the way of business processes is a game-changer in the remote world. It means that you can institute or return to a regular endpoint management schedule.
![Department of Homeland Security and Information Sharing: Is It Working? by [United State Army War College, U.S Army U.S Army]](https://m.media-amazon.com/images/I/417d4jwJrTS.jpg)
