Mar 30 2021
Five signs a virtual CISO makes sense for your organization
Here are five signs that a virtual CISO may be right for your organization.
1. You have a lot to protect
Companies produce more data than ever, and keeping track of it all is the first step to securing it. A virtual CISO can identify what data needs to be protected and determine the negative impact that compromised data can have, whether that impact is regulatory, financial or reputational.
2. Your organization is complex
Risk increases with employee count, but there are many additional factors that contribute to an organization’s complexity: the number of departments, offices and geographies; how data is used and shared; the distribution of architecture; and the life cycle of applications, data and the technology stack.
A virtual CISO offers an unbiased, objective view, and can sort out the complexity of a company’s IT architecture, applications and services. They can also determine how plans for the future add complexity, identify and account for the corresponding risk, and recommend security measures that will scale to support future demand.
3. Your attack surface is broad
For many organizations, potential vulnerabilities, especially those that share a great deal of data within the organization, may not be obvious at first glance. Virtual CISOs can identify both internal and external threats, determine their probability and quantify the impact they could have on your organization. And at a more granular level, they can determine if those same threats are applicable to competitors, which can help maintain competitiveness within your market.
4. Your industry is highly regulated
Organizations in regulated industries like healthcare, finance, energy/power and insurance will have data that is more valuable, which could make them a bigger target for bad actors. Exposure is even more of a concern due to potential noncompliance. Virtual CISOs bring a wealth of expertise on regulatory standards. They can implement processes to maintain compliance and offer recommendations based on updates to applicable rules and regulations.
5. Your risk tolerance is low
An organization without a great deal of sensitive data may have a much greater tolerance for risk than a healthcare provider or a bank, but an honest assessment is important in determining how much risk each organization should accept. A virtual CISO can coordinate efforts to examine perceived and actual risk, identify critical vulnerabilities and provide a better picture of risk exposure that can inform future decisions.
Cybersecurity is growing more complex, and organizations of all sizes, especially those in regulated industries, require a proven security specialist who can address the aforementioned challenges and ensure that technology and processes are in place to mitigate security risks.
Mar 26 2021
Alan Turing’s £50 banknote officially unveiled
Regular Naked Security readers will know we’re huge fans of Alan Turing OBE FRS.
He was chosen in 2019 to be the scientist featured on the next issue of the Bank of England’s biggest publicly available banknote, the bullseye, more properly Fifty Pounds Sterling.
(It’s called a bullseye because that’s the tiny, innermost circle on a dartboard, also known as double-25, that’s worth 2×25 = 50 points if you hit it.)
Turing beat out an impressive list of competitors, including STEM visionaries and pioneers such as Mary Denning (first to unravel the paleontological mysteries of what is now known as Dorset’s Jurassic Coast), Rosalind Franklin (who unlocked the structure of DNA before dying young and largely unrecognised), and the nineteenth-century computer hacking duo of Ada Lovelace and Charles Babbage.
The Universal Computing Machine
Turing was the groundbreaking computer scientist who first codified the concept of a “universal computing machine”, way back in 1936.
At that time, and indeed for many years afterwards, all computing devices then in existence could typically solve only one specific variant of one specific problem.
They would need rebuilding, not merely “reinstructing” or “reprogramming”, to take on other problems.
Turing showed, if you will pardon our sweeping simplification, that if you could build a computing device (what we now call a Turing machine) that could perform a certain specific but simple set of fundamental operations, then you could, in theory, program that device to do any sort of computation you wanted.
The device would remain the same; only the input to the device, which Turing called the “tape”, which started off with what we’d now call a “program” encoded onto it, would need to be changed.
So you could program the same device to be an adding machine, a subtracting machine, or a multiplying machine.
You could compute numerical sequences such as mathematical tables to any desired precision or length.
You could even, given enough time, enough space, enough tape and a suitably agreed system of encoding, produce all possible alphabetic sequences of any length…
…and therefore ultimately, like the proverbially infinite number of monkeys working at an infinite number of typewriters, reproduce the complete works of William Shakespeare.
More on: You can extend the halting problem result in important ways for cybersecurity
Mar 25 2021
Chrome to Enforce HTTPS Web Protocol (Like It or Not)
If you type in securityboulevard.com, Chrome version 90 will send you directly to the secure version of the site. Surprisingly, that’s not what it currently does—instead, Google’s web browser relies on the insecure site to silently redirect you.
That’s slow. And it’s a privacy problem, potentially. This seemingly unimportant change could have a big—if unseen—impact.
So long, cleartext web. In today’s SB Blogwatch, we hardly knew ye.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Making breakfast.
What a Difference an ‘s’ Makes
What’s the craic? Thomas Claburn reports—“Chrome 90 goes HTTPS by default”:
Lack of security is currently the norm in Chrome. … The same is true in other browsers. … This made sense in the past when most websites had not implemented support for HTTP.
…
But these days, most of the web pages loaded rely on secure transport. … Among the top 100 websites, 97 of them currently default to HTTPS. [So] when version 90 of Google’s Chrome browser arrives in mid-April, initial website visits will default to a secure HTTPS connection.
Chrome to Enforce HTTPS Web Protocol (Like It or Not)
Mar 23 2021
Best Practices for Data Hygiene
Data hygiene consists of actions that organizations can, and should, take as a matter of following not only compliance requirements, but also as part of basic risk management program practices. Consistent, risk-specific data hygiene practices supports not only a very wide range and number of data protection compliance requirements, but performing data hygiene activities also demonstrably improves an organization’s data security effectiveness without significantly increasing IT or information security costs. Most of these actions involve people performing activities that all personnel within an enterprise can take. No specialized tools are typically needed—just some training and ongoing awareness reminders, or periodic use of data management tools.
These actions serve to:
- limit the amount of data collected to only that which is necessary to support the purposes of the data collection
- keep data from being modified in unauthorized ways, or accidentally
- destroy/delete data when it is no longer needed to support the purpose(s) for which it was collected and to meet legal retention requirements
- prevent access to data to only those entities (devices, individuals, accounts, etc.) that have a business/validated need to access the data
- not share data with others unless necessary and with the consent of those about whom the data applies, as applicable
- keep your own personal and business data from being used and posted in ways for which you did not consent or is not necessary to support the purposes for which you originally allowed the data to be collected or derived
- keep unauthorized entities from accessing data
Source: Best Practices for Data Hygiene
Mar 22 2021
The MITRE Att&CK Framework
A recent article from Gartner states that, “Audit Chiefs Identify IT Governance as Top Risk for 2021.” I agree that IT governance is important but I question how much does the IT governance board understand about the day to day tactical risks such as the current threats and vulnerabilities against a companies attack surface? How are the tactical risks data being reported up to the board? Does the board understand the current state of threats and vulnerabilities or is this critical information being filtered on the way up?
If the concept of hierarchy of needs was extended to cyber security it may help business owners and risk management teams asses how to approach implementing a risk management approach for the business.
There are three key questions to ask:
- How confident are you in your organization’s ability to inventory and monitor IT assets?
- How confident are you in your organization’s ability to “detect unauthorized activity”?
- How confident are you in your organization’s ability to identify and respond to true positive incidents within a reasonable time to respond?
Layers 1-2 – Inventory and Telemetry – The first two layers are related to asset inventory which is part of the CIS Controls 1-2. How can you defend the vulnerable Windows 2003 server that is still connected to your network at a remote site?
Layers 3-4 – Detection and Triage – These layers are related to a SOC/SIEM/SOAR program which will allow the cyber security team to begin to detect threats through logging and monitoring.
Layers 5-10 – Threats, Behaviors, Hunt, Track, Act – The final layers are threat hunting, tracking and incident response and this is where the MITRE framework is very helpful to identify threats, understand the data sources, build use cases and prepare the incident response playbooks based on real world threat intelligence.
To more about What is the MITRE’s Att&CK Framework? Source: The MITRE Att&CK Framework
Mar 21 2021
Dirt Cheap DDoS for Hire, via D/TLS Amplification
A new way of sending powerful denial of service traffic emerged this week. Malefactors are now misusing servers that talk Datagram Transport Layer Security (D/TLS).
Typified by Cisco’s Netscaler ADC product, before a patch was released in January, some D/TLS servers don’t check for forged requests. That allows scrotes to misuse these high-bandwidth servers to deny internet service to people they want to extort money from.
This possibly includes Sony, whose LittleBigPlanet service has been AWOL for a week. In today’s SB Blogwatch, we ask the question.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: But is it art?
Dirty Deeds: DDoS D/TLS
What’s the craic? Dan Goodin reports in—“~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet”:
DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections … the criminals respond with new ways to make the most of their limited bandwidth.
…
In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. … DDoS-for-hire services [are] adopting a new amplification vector … D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets.
…
The biggest D/TLS-based attacks Netscout has observed delivered about 45 Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207 Gbps.
…
Abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built in to the D/TLS specification, hardware including the Citrix Netscaler Application Delivery Controller didn’t always turn it on by default.
Dirt Cheap DDoS for Hire, via D/TLS Amplification
Mar 21 2021
Ransomware Payments Jumped 171% In 2020: Report
A new report has emerged stating that average ransomware payments jumped by more than 171% in 2020, suggesting that cybercriminals have benefitted from an extremely lucrative period throughout the pandemic.
The numbers come from Palo Alto Networks, who noted an 171% increase in ransomware payments from organisations and individuals that had been hit by the malicious software.
In essence, malicious software like ransomware takes control of a user’s computer, and encrypts the data. This encryption leaves the data on that device locked up, and can only be made accessible again once a password – or decryption tool – is offered by the hacker in question.
Hackers are happy to make these tools available to their victims, so long as they pay a price.
According to the report in question, that price has been skyrocketing as cybercriminals look to exploit those impacted by ransomware software that often have sensitive private and corporate information stored on their device.
That report was published recently after analysing more than 19,000 network sessions, data from more than 250 ransomware leak websites and thanks to information provided by 337 organisations that had been hit by a ransomware attack.
The Ransomware Threat Report 2021 states that on average, ransoms paid by victims to hackers has increased from USD $115,123 to more than $312,000 in 2020.
Authors of the report say that they noted the largest ransomware payment paid to hackers had also doubled, from $5 million to more than $10 million.
Ransomware Payments Jumped 171% In 2020: Report
Mar 19 2021
Serious Security: Mac “XcodeSpy” backdoor takes aim at Xcode devs
Remember XcodeGhost?
It was a pirated and malware-tainted version of Apple’s XCode development app that worked in a devious way.
You may be wondering, as we did back in 2015, why anyone would download and use a pirated version of Xcode.app when the official version is available as a free download anyway.
Nevertheless, this redistributed version of Xcode seems to have been popular in China at the time – perhaps simply because it was easier to acquire the “product”, which is a multi-gigabyte download, directly from fast servers inside China.
The hacked version of Xcode would add malware into iOS apps when they were compiled on an infected system, without infecting the source code of the app itself.
The implanted malware was buried in places that looked like Apple-supplied library code, with the result that Apple let many of these booby-trapped apps into the App Store, presumably because the components compiled from the vendor’s own source code were fine.
As we said at the time, “developers with sloppy security practices, such as using illegally-acquired software of unvetted origin for production builds, turned into iOS malware generation factories for the crooks behind XcodeGhost.”
As you probably know, this sort of security problem is now commonly known as a supply chain attack, in which a product or service that you assumed you could trust turned out to have had malware inserted along the way.
Mar 17 2021
Hackable: How to Do Application Security Right
If you don’t fix your security vulnerabilities, attackers will exploit them. It’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too.
Whether you’re a technology executive, developer, or security professional, you are responsible for securing your application. However, you may be uncertain about what works, what doesn’t, how hackers exploit applications, or how much to spend. Or maybe you think you do know, but don’t realize what you’re doing wrong.
To defend against attackers, you must think like them. As a leader of ethical hackers, Ted Harrington helps the world’s foremost companies secure their technology. Hackable teaches you exactly how. You’ll learn how to eradicate security vulnerabilities, establish a threat model, and build security into the development process. You’ll build better, more secure products. You’ll gain a competitive edge, earn trust, and win sales.
Hackable: How to Do Application Security Right
Mar 16 2021
Magecart hackers hide captured credit card data in JPG file
Cybercriminals have devised a new method to hide credit card data siphoned from compromised online stores, experts from Sucuri observed Magecart hackers hiding data in JPG files to avoid detection and storing them on the infected site.
The new exfiltration technique was uncovered while investigating a Magecart attack against an e-store running the e-commerce CMS Magento 2.
“A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file.” reads the post published by Sucuri.
The researchers discovered a PHP code that was found injected to the file ./vendor/magento/module-customer/Model/Session.php. The attackers use the getAuthenticates function to load the rest of the malicious code onto the compromised environment.
The code stored the siphoned data in the image file “pub/media/tmp/design/file/default_luma_logo.jpg,” in this way it is easy to hide, access, and download the stolen information without rising suspicious.
The PHP code injected into the site leverages the Magento function getPostValue to capture the POST data within the checkout page, then the captured POST data is encoded with base64 before the PHP operator ^ is used to XOR the stolen data.
“To successfully capture the POST data, the PHP code needs to use the Magento code framework. It relies on the Magento function getPostValue to capture the checkout page data within the Customer_ POST parameter.” continues the post.
“Using the Magento function isLoggedIn, the PHP code also checks whether the victim that sent the POST request data is logged in as a user. If they do happen to be logged in, it captures the user’s email address.”
Customer_ parameter contains almost all of the information submitted by the victim on the checkout page, including full names and addresses, payment card details, telephone numbers, and user agent details.
Sucuri experts pointed out that captured data could be used for credit card fraud, spam campaigns, or spear-phishing attacks.
“Bad actors are always actively searching for new methods to prevent any detection of their malicious behavior on compromised websites.” concludes the post. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details for future use without gaining too much attention from the website owner.”
Source: Magecart hackers hide captured credit card data in JPG file
Codes, Ciphers, Steganography & Secret Messages
Mar 15 2021
Forget Covid, The Global Elites are Now Warning us About a Cyber Pandemic
The exercise/event is called “Cyber Polygon” and it will take place this July. It is being sponsored by the WEF (World Economic Forum) and this is what they will focus on during the simulated cyber attack. This is from their website.
“Cyber Polygon 2021 will draw together leading global experts to discuss the key risks posed by digitalisation and share best practices in developing secure ecosystems. During the technical exercise, the participants will practise mitigating a targeted supply chain attack on a corporate ecosystem.”
Also from Technocracy news: Last year, the World Economic Forum teamed up with the Russian government and global banks to run a high-profile cyberattack simulation that targeted the financial industry, an actual event that would pave the way for a “reset” of the global economy. The simulation, named Cyber Polygon, may have been more than a typical planning exercise and bears similarities to the WEF-sponsored pandemic simulation Event 201 that briefly preceded the COVID-19 crisis.
Mar 11 2021
Getting your application security program off the ground
“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems, told Help Net Security.
“The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.”
In addition to that, modern applications and tech stacks are evolving and becoming increasingly complex – applications are integrating more external dependencies and are becoming very interconnected through API calls. The increased complexity significantly increase the chance of security issues
“SAST scan results are massive, with very little insight into prioritizing fixes for critical or exploitable vulnerabilities. DAST rarely brings desired results without additional steps; the out of the box crawlers can rarely traverse the modern web applications,” he explained.
“This leaves glaring gaps in the security of deployment pipelines, security defects on the architecture level and third party/open source dependencies checks.”
“SAST scan results are massive, with very little insight into prioritizing fixes for critical or exploitable vulnerabilities. DAST rarely brings desired results without additional steps; the out of the box crawlers can rarely traverse the modern web applications,” he explained.
“This leaves glaring gaps in the security of deployment pipelines, security defects on the architecture level and third party/open source dependencies checks.”
Getting your application security program off the ground
Mar 11 2021
Hackers stole data from Norway parliament exploiting Microsoft Exchange flaws
On March 2nd, Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.
The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations.
“The Storting has again been hit by an IT attack. The attack is linked to vulnerabilities in Microsoft Exchange, which affected several businesses.” reads a statement issued by the Storting.
“The Storting does not yet know the full extent of the attack. A number of measures have been implemented in our systems, and the analysis work is ongoing. The Storting has received confirmation that data has been extracted,”
Storting director Marianne Andreassen confirmed that the data breach.
“We know that data has been extracted, but we do not yet have a full overview of the situation. We have implemented comprehensive measures and cannot rule out that it will be implemented further.” said Andreassen.
“The work takes place in collaboration with the security authorities. The situation is currently unclear, and we do not know the full potential for damage.”
This isn’t the first time that Storting was hit by a cyber attack, in August 2020 the authorities announced that Norway ‘s Parliament was the target of a major attack that allowed hackers to access emails and data of a small number of parliamentary representatives and employees. Norway‘s government blamed Russia for the cyberattack.
Mar 09 2021
How a push to remote work could help fix cybersecurity’s diversity problem
When Rinki Sethi heard that her 7th grade daughter applied to take a technology innovation class as an elective, she was thrilled. Sethi, who joined Twitter in September as its chief information security officer, said one of her passions is getting more young women interested in technology.
But when her daughter found out that she didn’t get into the class, Sethi discovered a troubling statistic: 18 slots for the class went to boys, while only 9 were filled by girls. “I went and sat down with the principal and asked: ‘Why are we turning down girls if that’s what the ratio looks like?’” Sethi recounted Monday at a virtual panel centered around women in cybersecurity. “We need more women to enter this field, and I think that’s the biggest problem—how do we get more women and girls interested.”
Source: How a push to remote work could help fix cybersecurity’s diversity problem
Mar 08 2021
Starting your cybersecurity career path: What you need to know to be successful
A comprehensive guide to getting started in cybersecurity
Mar 04 2021
Distance Learning Training Courses
Get 50% Off Our ITIL Distance Learning Training Course
ITIL qualifications are in high demand! We’re currently offering 50% off our ITIL 4 Foundation distance learning training course with promo code ITIL50. https://tidd.ly/3eb99n8
Get 30% Off Distance Learning Training Courses
ITG distance learning courses let you train at a time and place that suits you! We’re currently offering 30% off all our distance learning training courses with promo code DL30. https://tidd.ly/3sNintQ
Get 20% Off Our Live-Online Training Courses
Train from home or the office with 20% off our Live-Online training courses with promo code ONLINE20. https://tidd.ly/3rhitcT
Get 15% Off Our Toolkits Speed up your implementation and compliance projects with 15% off all our toolkits with promo code Toolkit15. https://tidd.ly/3uUB0Op
Mar 02 2021
Cybersecurity Best Practices for 2021
CYBERSECURITY: It’s not just a good idea. Register to learn more.
« Previous Page — Next Page »
