InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
There is a misconception among security professionals: the belief that all information security risks will result in significant business risks. This perspective is misleading because not every information security incident has a severe impact on an organization’s bottom line. Business decision-makers can become desensitized to security alerts if they are inundated with generalized statements, leading them to ignore real risks. Thus, it is essential for security experts to present nuanced, precise analyses that distinguish between minor and significant threats to maintain credibility and ensure their assessments are taken seriously.
There are two types of risks:
Information Security Risk: This occurs when a threat (e.g., a virus) encounters a vulnerability (e.g., lack of antivirus protection), potentially compromising confidentiality, availability, or integrity of information. Depending on the severity, it can range from a minor issue, like a temporary power outage, to a critical breach, such as theft of sensitive data.
Business Risk: This affects the organization’s financial stability, compelling decision-makers to act. It can manifest as lost revenue, increased costs (e.g., penalties), or reputational damage, especially if regulatory fines are involved.
Not all information security risks translate directly to business risks. For example, ISO27001 emphasizes calculating the Annual Loss Expectation (ALE) and suggests that risks should only be addressed if their ALE exceeds the organization’s acceptable threshold.
Example:
Small Business Data Breach: A small Apple repair company faced internal sabotage when a disgruntled employee reformatted all administrative systems, erasing customer records. The company managed to recover by restoring data from backups and keeping customer communication open. Despite the breach’s severity, the company retained its customers, and the incident was contained. This case underscores the importance of adequate data management and disaster recovery planning.
Several factors to consider when assessing the relationship between information security and business risk:
Business Model: Certain businesses can withstand breaches with minimal financial impact, while others (e.g., payment processors) face more significant risks.
Legal Impact: Fines and legal costs can sometimes outweigh the direct costs of a breach. Organizations must assess regulatory requirements and contractual obligations to understand potential legal implications.
Direct Financial Impact: While breaches can lead to financial loss, this is sometimes treated as a routine cost of doing business, akin to paying for regular IT services.
Affected Stakeholders: It is crucial to identify which parties will bear the brunt of the damage. In some cases, third parties, like investors, may suffer more than the organization experiencing the breach.
Ultimately, information security risks must be evaluated within the broader business context. A comprehensive understanding of the company’s environment, stakeholders, and industry will help in prioritizing actions and reducing overall breach costs.
The article emphasizes that AI cybersecurity must be multi-layered, like the systems it protects. Cybercriminals increasingly exploit large language models (LLMs) with attacks such as data poisoning, jailbreaks, and model extraction. To counter these threats, organizations must implement security strategies during the design, development, deployment, and operational phases of AI systems. Effective measures include data sanitization, cryptographic checks, adversarial input detection, and continuous testing. A holistic approach is needed to protect against growing AI-related cyber risks.
Benefits and Concerns of AI in Data Security and Privacy
Predictive analytics provides substantial benefits in cybersecurity by helping organizations forecast and mitigate threats before they arise. Using statistical analysis, machine learning, and behavioral insights, it highlights potential risks and vulnerabilities. Despite hurdles such as data quality, model complexity, and the dynamic nature of threats, adopting best practices and tools enhances its efficacy in threat detection and response. As cyber risks evolve, predictive analytics will be essential for proactive risk management and the protection of organizational data assets.
AI raises concerns about data privacy and security. Ensuring that AI tools comply with privacy regulations and protect sensitive information.
AI systems must adhere to privacy laws and regulations, such as GDPR, CPRA to protect individuals’ information. Compliance ensures ethical data handling practices.
Implementing robust security measures to protect data (data governance) from unauthorized access and breaches is critical. Data protection practices safeguard sensitive information and maintain trust.
1. Predictive Analytics in Cybersecurity
Predictive analytics offers substantial benefits by helping organizations anticipate and prevent cyber threats before they occur. It leverages statistical models, machine learning, and behavioral analysis to identify potential risks. These insights enable proactive measures, such as threat mitigation and vulnerability management, ensuring an organization’s defenses are always one step ahead.
2. AI and Data Privacy
AI systems raise concerns regarding data privacy and security, especially as they process sensitive information. Ensuring compliance with privacy regulations like GDPR and CPRA is crucial. Organizations must prioritize safeguarding personal data while using AI tools to maintain trust and avoid legal ramifications.
3. Security and Data Governance
Robust security measures are essential to protect data from breaches and unauthorized access. Implementing effective data governance ensures that sensitive information is managed, stored, and processed securely, thus maintaining organizational integrity and preventing potential data-related crises.
DISC LLC, situated at Sonoma county, CA, is dedicated to offering premier information security services. As a consultant specializing in information security, we pride ourselves in helping businesses across the United States build resilient security programs.
Our Expertise
vCISO Services
When are vCISO services most appropriate? Our expert virtual Chief Information Security Officer (vCISO) services are designed to build a robust security program that effectively detects and mitigates risks. Reach out to us today to develop a security program tailored to today’s challenges.
ISO 27001 and ISMS Implementation
We specialize in implementing ISO 27001 standards and establishing Information Security Management Systems (ISMS) that ensure your organization’s compliance with the highest industry standards. Achieve certification and maintain a strong competitive edge in security compliance.
Our detailed security risk assessment services identify potential threats and vulnerabilities in your systems. By understanding these risks, we develop strategic measures to counteract them, safeguarding your business from data breaches and other security incidents.
Ensuring Security Compliance – GRC Consulting
In the Information Security and Compliance industry, organizations are increasingly seeking services that help them manage the growing complexity of cyber threats and regulatory requirements.
Maintaining security compliance is crucial in today’s digital landscape. DISC LLC helps organizations navigate complex regulatory requirements, ensuring they meet all necessary standards to protect their data and operations.
Overview: As regulations and standards like GDPR, HIPAA, CCPA, and ISO 27001 become stricter, organizations seek expert advice to ensure compliance and reduce risk.
With the rapid adoption of cloud services, securing cloud environments (e.g., AWS, Azure, Google Cloud) is critical. Cloud security solutions focus on protecting data, identities, and workloads in cloud infrastructure.
With regulations like GDPR and CCPA, and with advent of an AI organizations need to implement measures that protect sensitive data, data governance and ensure that personal information is handled according to legal standards.
Protecting sensitive data and complying with privacy regulations is essential. AI systems must be designed to handle data securely and adhere to relevant legal and ethical standards
Expertise: Our team consists of experienced professionals with extensive knowledge in infosec and compliance.
Customized Solutions: We provide tailored security solutions that align with your unique business needs.
Proactive Approach: Our proactive approach ensures timely detection and mitigation of security risks.
Contact DISC LLC today at info@deurainfosec.com or call us at +17079985164 to learn more about how our services can fortify your organization’s security posture. Build a secure future with DISC LLC.
WordPress admins using the Litespeed Cache plugin must update their sites with the latest plugin release to address a critical vulnerability. Exploiting the flaw allows an unauthenticated attacker to take control of target websites.
LiteSpeed Cache Plugin Vulnerability Could Allow Site Takeover
The security researcher John Blackbourn from PatchStack discovered a critical privilege escalation vulnerability in the LiteSpeed Cache plugin. LiteSpeed Cache for WordPress offers an exclusive server-level cache and numerous site optimization features. The plugin boasts over 5 million active installations, indicating its popularity among WordPress users. Nonetheless, it also shows how any vulnerability in the plugin potentially threatens millions of websites. Specifically, the vulnerability existed in the plugin’s crawler feature that exhibits a user simulation functionality to perform crawler requests as authenticated users. However, due to a weak security hash in this feature, the plugin allowed an unauthenticated adversary to spoof an authenticated user and gain elevated site privileges. The worst exploitation scenarios even allowed the installation of malicious plugins and a complete site takeover. This vulnerability, identified as CVE-2024-28000, received a critical severity rating and a CVSS score of 9.8. It affected all plugin releases until 6.3.0.1. Detailed technical analysis of the vulnerability is available in the recent post from PatchStack.
Vulnerability Patched With Latest Plugin Release
Upon noticing the vulnerability, Blackbourn responsibly disclosed the flaw via Patchstack to the plugin developers. In response, the developers patched the vulnerability with the LiteSpeed Cache plugin version 6.4. The researcher also received a $14,400 bounty under the Patchstack Zero Day program for this bug report. Since the patch has arrived, all WordPress admins must update their sites with the latest plugin release to avoid potential threats. Ideally, users should update to the LiteSpeed Cache plugin version 6.4.1, which appears as the latest release on the plugin’s official page.
Deura Information Security Consulting offers comprehensive vCISO services designed to build robust security programs that effectively detect and mitigate risks. Our seasoned consultants will work with you to develop a security strategy tailored to meet today’s challenges.
Achieve Compliance with ISO 27001
Securing your information assets and achieving compliance is crucial. Our experts specialize in assisting businesses with ISO 27001 implementation. Benefit from our extensive experience in information security management systems (ISMS) to ensure your organization meets the stringent requirements of ISO 27001.
Services Offered
vCISO Services: Enhance your organization’s security posture with our virtual Chief Information Security Officer services.
ISO 27001 Implementation: Guidance on compliance and certification processes to achieve ISO 27001.
Security Risk Assessment:
Information Security Management Systems (ISMS):
Security Compliance Management:
Why Choose Us
At Deura Information Security Consulting, our focus is on creating and implementing security programs that address your specific needs. Contact us at info@deurainfosec.com or call +1 707-998-5164 to schedule a consultation.
Our extensive industry knowledge ensures that your security infrastructure is built to detect and mitigate risks effectively. Choose Deura Information Security Consulting for expert vCISO services and ISO 27001 compliance support.
Injecting spoofed headers with email relaying involves manipulating the email headers to disguise the true origin of an email, making it appear as if it was sent from a legitimate source. Here’s a detailed explanation of how this process works:
1. Understanding Email Headers
Email headers contain vital information about the sender, recipient, and the path an email takes from the source to the destination. Key headers include:
From: The email address of the sender.
To: The recipient’s email address.
Subject: The subject line of the email.
Received: Information about the mail servers that handled the email as it traveled from sender to recipient.
Return-Path: The email address where bounces and error messages should be sent.
2. Email Relaying
Email relaying is the process of sending an email from one server to another. This is typically done by SMTP (Simple Mail Transfer Protocol) servers. Normally, email servers are configured to relay emails only from authenticated users to prevent abuse by spammers.
3. Spoofing Headers
Spoofing email headers involves altering the email headers to misrepresent the email’s source. This can be done for various malicious purposes, such as phishing, spreading malware, or bypassing spam filters. Here’s how it can be done:
a. Crafting the Spoofed Email
An attacker can use various tools and scripts to create an email with forged headers. They might use a command-line tool like sendmail, mailx, or a programming language with email-sending capabilities (e.g., Python’s smtplib).
b. Setting Up an Open Relay
An open relay is an SMTP server configured to accept and forward email from any sender to any recipient. Attackers look for misconfigured servers on the internet to use as open relays.
c. Injecting Spoofed Headers
The attacker crafts an email with forged headers, such as a fake “From” address, and sends it through an open relay. The open relay server processes the email and forwards it to the recipient’s server without verifying the authenticity of the headers.
d. Delivery to Recipient
The recipient’s email server receives the email and, based on the spoofed headers, believes it to be from a legitimate source. This can trick the recipient into trusting the email’s content.
4. Example of Spoofing Email Headers
Here’s an example using Python’s smtplib to send an email with spoofed headers:
import smtplib
from email.mime.text import MIMEText
# Crafting the email
msg = MIMEText("This is the body of the email")
msg['Subject'] = 'Spoofed Email'
msg['From'] = 'spoofed.sender@example.com'
msg['To'] = 'recipient@example.com'
# Sending the email via an open relay
smtp_server = 'open.relay.server.com'
smtp_port = 25
with smtplib.SMTP(smtp_server, smtp_port) as server:
server.sendmail(msg['From'], [msg['To']], msg.as_string())
via Frontend Transport
The statement about the term “via Frontend Transport” in header values refers to a specific configuration in Microsoft Exchange Server that could suggest a misconfiguration allowing email relaying without proper verification. Let’s break down the key elements of this explanation:
1. Frontend Transport in Exchange
In Microsoft Exchange Server, the Frontend Transport service is responsible for handling client connections and email traffic from the internet. It acts as a gateway, receiving emails from external sources and forwarding them to the internal network.
2. Email Relaying
Email relaying is the process of forwarding an email from one server to another, eventually delivering it to the final recipient. While this is a standard part of the SMTP protocol, it becomes problematic if a server is configured to relay emails without proper authentication or validation.
3. The Term “via Frontend Transport”
When email headers include the term “via Frontend Transport”, it indicates that the email passed through the Frontend Transport service of an Exchange server. This can be seen in the Received headers of the email, showing the path it took through various servers.
4. Suggestion of Blind Email Relaying
The concern arises when these headers suggest that Exchange is configured to relay emails without altering them or without proper checks. This could imply that:
The Exchange server is not adequately verifying the sender’s authenticity.
The server might be forwarding emails without checking if they come from trusted sources.
Such a configuration can be indicative of an open relay, where the server forwards any email it receives, which is highly vulnerable to abuse.
5. Abuses of Open Relays
Open relays are notorious for being exploited by spammers and malicious actors because they can be used to send large volumes of unsolicited emails while obscuring the true origin of the message. This makes it difficult to trace back to the actual sender and can cause the relay server’s IP address to be blacklisted.
Attackers Use a Genuine Microsoft Office 365 Account
The attackers have managed to send an email from a genuine Microsoft Office 365 account. This could be through compromising an account or using a trial account.
Email Branded as Disney
The email is branded as coming from Disney (disney.com). This branding could involve setting the “From” address to appear as if it’s from a Disney domain, which can trick recipients into believing the email is legitimate.
Gmail’s Handling of Outlook’s Servers
Gmail has robust mechanisms to handle high volumes of emails from trusted servers like Outlook’s (Microsoft’s email service). These servers are built to send millions of emails per hour, so Gmail will not block them due to rate limits.
SPF (Sender Policy Framework)
SPF is a protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on their behalf. The attackers benefit from this because:
The email is sent through Microsoft’s official relay server, protection.outlook.com.Disney’s SPF record includes spf.protection.outlook.com, which means emails sent through this relay server are authorized by Disney’s domain.
.
Spoofed Headers
Spoofed headers involve altering the email headers to make the email appear as if it originated from a different source. In this scenario, the attackers have spoofed headers to make the email look like it’s from Disney.
SPF Check Passed
Since the email is sent via a server included in Disney’s SPF record (protection.outlook.com), it will pass the SPF check, making it seem legitimate to the recipient’s email server.
DKIM (DomainKeys Identified Mail)
DKIM is another email authentication method that allows the receiver to check if an email claiming to come from a specific domain was indeed authorized by the owner of that domain. This is done by verifying a digital signature added to the email.
Points of Concern
SPF Check Passed
The email passed the SPF check because it was sent through an authorized server (protection.outlook.com) included in Disney’s SPF record.
Spoofed Headers
The headers were manipulated to make the email appear as if it came from Disney, which can deceive recipients.
Gmail Handling
Gmail will trust and not rate-limit emails from Outlook’s servers, ensuring the email is delivered without being flagged as suspicious due to high sending volumes.
Potential for DKIM
To fully understand if the email can pass DKIM checks, we would need to know if the attackers can sign the email with a valid DKIM key. If they manage to:
DKIM Alignment
Ensure the DKIM signature aligns with the domain in the “From” header (disney.com).
Valid DKIM Signature
Use a valid DKIM signature from an authorized domain (which would be difficult unless they have compromised Disney’s signing keys or a legitimate sending infrastructure).
Proofpoint and similar services are email security solutions that offer various features to protect organizations from email-based threats, such as phishing, malware, and spam. They act as intermediaries between the sender and recipient, filtering and relaying emails. However, misconfigurations or overly permissive settings in these services can be exploited by attackers. Here’s an explanation of how these services work, their roles, and how they can be exploited:
Roles and Features of Proofpoint-like Services
Email Filtering and Protection
Spam and Phishing Detection: Filters out spam and phishing emails.
Malware Protection: Scans and blocks emails containing malware or malicious attachments.
Content Filtering: Enforces policies on email content, attachments, and links.
Email Relay and Delivery
Inbound and Outbound Filtering: Manages and filters both incoming and outgoing emails to ensure compliance and security.
Email Routing: Directs emails to the appropriate recipients within an organization.
DKIM Signing: Adds DKIM signatures to outgoing emails to authenticate them.
Authentication and Authorization
IP-Based Authentication: Uses IP addresses to authenticate incoming email servers.
SPF, DKIM, and DMARC Support: Implements these email authentication protocols to prevent spoofing.
How Misconfigurations Allow Exploitation
Permissive IP-Based Authentication
Generic Configuration: Proofpoint is often configured to accept emails from entire IP ranges associated with services like Office365 or Google Workspace without specifying particular accounts.
IP Range Acceptance: Once a service like Office365 is enabled, Proofpoint accepts emails from any IP within the Office365 range, regardless of the specific account.
Exploitation StepsStep 1: Setting Up the Attack
Attacker’s Office365 Account: The attacker sets up or compromises an Office365 account.
Spoofing Email Headers: The attacker crafts an email with headers that mimic a legitimate sender, such as Disney.
Step 2: Leveraging Proofpoint Configuration
Sending Spoofed Emails: The attacker sends the spoofed email from their Office365 account.
Proofpoint Relay Acceptance: Proofpoint’s permissive configuration accepts the email based on the IP range, without verifying the specific account.
Step 3: Proofpoint Processing
DKIM Signing: Proofpoint processes the email, applying DKIM signatures and ensuring it passes SPF checks because it comes from an authorized IP range.
Email Delivery: The email is then delivered to the target’s inbox, appearing legitimate due to the DKIM signature and SPF alignment.
Example of a Permissive Configuration in Proofpoint
Admin Setup
Adding Hosted Services: Proofpoint allows administrators to add hosted email services (e.g., Office365) with a single-click configuration that relies on IP-based authentication.
No Specific Account Configuration
Generic Acceptance: The setup does not specify which particular accounts are authorized, leading to a scenario where any account within the IP range is accepted.
Exploitation of Misconfiguration
Blind Relay: Due to this broad acceptance, attackers can send emails through Proofpoint’s relay, which then processes and delivers them as if they were legitimate.
A recent attack exploited a misconfiguration in Proofpoint’s email routing, allowing millions of spoofed phishing emails to be sent from legitimate domains like Disney and IBM. The attackers used Microsoft 365 tenants to relay emails through Proofpoint, bypassing SPF and DKIM checks, which authenticate emails. This “EchoSpoofing” method capitalized on Proofpoint’s broad IP-based acceptance of Office365 emails. Proofpoint has since implemented stricter configurations to prevent such abuses, emphasizing the need for vigilant security practices.
As an Applied Cryptographer, you will research about various cryptographic protocols and have knowledge of cryptographic primitives or concepts, like elliptic curve cryptography, hash functions, and PCPs. You should have experience with at least one major language, like Rust, Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub), testing, and a familiarity with algorithms and data structures.
As a Cloud Security Specialist, you will design, implement, and manage Azure and Microsoft 365 security solutions. Monitor security alerts, lead incident response, and conduct regular assessments. Ensure compliance with ISO 27001, SOC2 Type II and NIST standards.
As a CISO, you will develop and implement comprehensive cybersecurity policies and procedures. Ensure compliance with relevant regulations and standards (e.g., GDPR, ISO 27001). Conduct risk assessments and develop mitigation strategies. Advise on security best practices and emerging threats. Collaborate with clients to enhance their security posture.
Cyber Range Lead
Booz Allen Hamilton | Japan | On-site – No longer accepting applications
As a Cyber Range Lead, you will lead a team of professionals as they use cyberspace capabilities to evaluate potential weaknesses as well as the effectiveness of mitigations for cyber security solutions. You will leverage cyberspace operations systems to aggregate threat feeds that inform briefings for senior leadership aligned to our client’s mission area.
As a Cybersecurity Technical Consultant, you will provide onsite or remote consulting services and support to Thales customer with a focus on high quality, accuracy and customer satisfaction. Develop and deliver technical hands-on product deep knowledge transfer to customers. Track and ensure successful completion of high impact projects by creating project scoping plans, design guides and relevant documentation.
As a Cyber Security Advisor, you will conduct security assessment of in-house developed and/or by third-party provided solutions in order to ensure that they are in compliance with H&M’s security standards. Conduct security maturity and risk assessment for internal and external partners.
As a Cyber Security Engineer, you will develop and implement cyber security policies, procedures, and controls to protect the company’s digital assets. Conduct Pen-tests, monitor network traffic and security alerts to detect and respond to potential security breaches. Perform vulnerability assessments and penetration testing to identify and remediate security vulnerabilities. Conduct regular audits of security systems and processes to ensure compliance with industry standards and regulations.
As a Cyber Security Governance Risk & Compliance Manager, you will develop, implement, and maintain a robust IT governance, risk, and compliance framework in line with industry best practices and regulatory requirements. Drive risk maturity through project lifecycle and provide independent assessments, challenge inherent risks in material changes e.g., business decisions, projects, process changes, implementation of new systems, applications, and infrastructure.
As a Cyber Security Instructor, you will create dynamic classroom learning experiences using various teaching strategies to facilitate adult learners in achieving learning objectives in accordance with the program objectives as set out in the curriculum. Ensure students are motivated to learn and to maximize their potential. Develop different classroom strategies to ensure knowledge and skills acquisition and retention.
As a Digital Forensics and Incident Response Analyst, you will perform incident response to cybersecurity incidents, including but not limited to APT & Nation State attacks, Ransomware infections and Malware outbreaks, Insider Threats, BEC, DDOS, Security and Data breach, etc. Conduct in-depth investigations of cybersecurity incidents, identifying the root cause, the extent of the impact, and recommended actions for containment, eradication, and recovery, and providing a final report that contains recommendations on how to prevent the same attack in the future by strengthening security posture.
Director of Information Security, Cyber Risk and Compliance
S&P Global | Italy | On-site – No longer accepting applications
As a Director of Information Security, Cyber Risk and Compliance, you will become familiar with the Cyber Risk and Compliance team activities and Market Intelligence regarding SOC reporting, relevant regulatory requirements, control frameworks, internal and external audit processes, customer interactions including security questions and audits, and overall company and divisional cyber security processes and controls. Make recommendations related to balancing requirements and deadlines made by corporate departments with human resource and technical capabilities that exist in Market Intelligence. Negotiate differences to find and implement solutions acceptable to both corporate groups and Market Intelligence.
As Head of Identity Management Platform, you will leverage your strong background in Identity and Privileged Access Management, expertise in IT technologies, and in-depth knowledge of IT security to organize and lead complex projects, manage third-party teams, and oversee platform lifecycle activities such as upgrades and integrations.
As a Head of Consulting, you will lead, mentor, and develop a team of cybersecurity consultants, fostering a culture of excellence and continuous improvement. Define and implement the consultancy department’s strategy in alignment with the company’s goals, ensuring the delivery of innovative and effective cybersecurity solutions. Ensure that all consultancy activities adhere to industry standards, regulatory requirements, and best practices, mitigating risks to both clients and the company.
As a Head of Security CU TH, you will facilitate execution of and follow up on security strategy, policies & instructions, governance model and frameworks. Support the business in implementation and maintenance of ISO 27001 controls across the CU as per the MA scope and Ericsson Global ISO 27001 control framework. Manage local security incidents and support investigations.
As an IT Program Manager, you will develop, implement, and manage cybersecurity programs in alignment with the organization’s strategic objectives. Oversee the security projects related to enterprise applications, with a focus on safeguarding sensitive data and ensuring compliance with regulatory standards. Facilitate regular security assessments and audits to identify vulnerabilities and implement corrective actions.
As a Penetration Tester, you will manage penetration tests from inception through delivery. Identify and prescribe remediation for vulnerabilities in NFCU applications, systems, and networks. Leverage complex tactics including, but not limited to, lateral movement, network tunneling/pivoting, credential compromise, and hash cracking.
As a Principal Data Security Specialist, you will focus on delivering technical and procedural guidance to assist customers in defining the platform requirement though to realisation of the subscription value. Research and evaluate emerging solutions and services to drive continuous improvement.
As a Senior Architect – Cyber Security, you will develop and implement security architecture solutions to secure the organization’s IT infrastructure. Design and review security policies, standards, and procedures. Conduct security assessments and risk analysis to identify vulnerabilities and recommend mitigation strategies. Lead security projects and collaborate with cross-functional teams to integrate security measures.
Senior CyberSecurity Architect
Hexagon Geosystems | European Economic Area | Remote – View job details
As a Senior CyberSecurity Architect, you will plan, organize, test, and document the implementation of new security systems and tools; define the success criteria and security requirements, and develop reference architecture, functional and non-functional requirements for proof-of-concept efforts and projects. Lead in performing threat modeling, security architecture review, and risk assessments of new and existing technical solutions.
As a (Senior) Information Security Officer, you will develop, implement, and monitor a strategic, comprehensive company information security and IT risk management program, based on the Oetker Group-wide security directive. Manage and assist in the development in implementation of the information security policies, procedures, and guidelines. Provide guidance and counsel to the C-Level, the senior management team, and staff about information security and its alignment with business objectives and risk management.
As a Technology & Cyber Risk: Senior Officer – Cybersecurity Risk, you will review and evaluate compliance and cyber policies and procedures, technology and tools, and governance processes to provide credible challenge for minimizing losses from cyber risks. Assess cyber risks and evaluates actions to address the root causes that persistently lead to operational risk losses by challenging both historical and proposed practices. Support independent assurance activities to assess areas of concern including substantive and controls testing.
As a Vulnerability Manager, you will be responsible for identifying, assessing, prioritizing, and managing vulnerabilities across our systems and networks. Conduct regular vulnerability assessments and penetration tests across our systems, applications, and networks.
The hardest part of many projects is knowing where to start.
ISO 27001 is no exception. This standard describes best practice for an ISMS (information security management system).
In other words, it lays out the requirements you must meet, but doesn’t show you the how. How you can adopt or implement them.
With ISO 27001:2013 certification no longer available, many organisations are preparing to adopt the 2022 version of the standard – which means tackling a new Annex A control set, among other new requirements.
The implementation project should begin by appointing a project leader.
They’ll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:
What do we hope to achieve?
How long will the project take?
Does the project have top management support?
What resources – financial and otherwise – will the project need?
2. Develop the ISO 27001 implementation plan
The next step is to use your project mandate to create a more detailed outline of:
Your information security objectives;
Your project risk register;
Your project plan; and
Your project team.
Information security objectives
Your information security objectives should be more granular and specific than your answer to ‘What do we hope to achieve?’ from step 1.
They’ll inform and be included in your top-level information security policy. They’ll also shape how the ISMS is applied.
Project risk register
Your project risk register should account for risks to the project itself, which might be:
Managerial – will operational management continue to support the project?
Budgetary – will funding continue to see the project through?
Legal – are specific legal obligations at risk?
Cultural – will staff resist change?
Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.
Project plan
The project plan should detail the actions you must take to implement the ISMS.
This should include the following information:
Resources required
Responsibilities
Review dates
Deadlines
Project team
The project team should represent the interests of every part of the organisation and include various levels of seniority.
Drawing up a RACI matrix can help with this. This identifies, for the project’s key decisions, who’s:
Responsible;
Accountable;
Consulted; and
Informed.
One critical person to appoint and include in the project team is the information security manager. They’ll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.
3. ISMS initiation
You’re now ready to initiate your ISMS!
Documentation structure
A big part of this is establishing your documentation structure – any management system is very policy- and procedure-driven.
We recommend a four-tier approach:
A. Policies These are at the top of the ‘pyramid’, defining your organisation’s position and requirements.
B. Procedures These enact the requirements of your policies at a high level.
C. Work instructions These set out how employees implement individual elements of the procedures.
D. Records These track the procedures and work instructions, providing evidence that you’re following them consistently and correctly.
This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring you implement policies at each level of your organisation. Plus, that you develop well-functioning, cohesive processes.
Tips for more effective policies and procedures
Your policies and procedures must also be effective. Here are four tips:
Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
Keep them clear and straightforward, so staff can easily follow your procedures.
Use version control, so everyone knows which is the latest document.
Avoid duplication. This will also help with the version control.
Make sure you systematically communicate your documentation – particularly new or updated policies – throughout your organisation. Be sure to also communicate them to other stakeholders.
Continual improvement
As part of your ISMS initiation, you’ll need to select a continual improvement methodology.
First, understand that continual improvement might sound expensive, but is cost-effective if done well. As ISO 27001 pioneer Alan Calder explains:
Continual improvement means getting better results for your investment. That typically means one of two things:
1. Getting the same results while spending less money. 2. Getting better results while spending the same amount of money.
Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.
But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step, or automating some manual work.
While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesn’t specify any particular continual improvement methodology.
Instead, you can use whatever method you wish, so long as it continually improves the ISMS’s “suitability, adequacy and effectiveness” (Clause 10.1). That can include a continual improvement model you’re already using for another activity.
Ensuring the security of your organization’s information systems is crucial in today’s digital landscape.
Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.
What does the Access Control Policy template include?
Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organization’s information systems.
Here are some of the key components included in the template:
Document Control;
Purpose and Scope;
Policy Statement;
Roles & Responsibilities;
Access Control Principles;
Access Control Measures;
Access Control Technologies;
Monitoring and Auditing;
Incident Management;
Policy Compliance;
Policy Review.
Benefits of using our Access Control Policy template
Implementing an effective access control policy offers several key benefits:
Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.
To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download them. The download will start automatically.
You can then customize the template to fit the specific needs and context of your organization.
By doing so, you’ll be taking a significant step towards securing your information systems and safeguarding your valuable data.
Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively utilizing custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.
These backdoors are primarily delivered through spear-phishing campaigns, marking a significant escalation in the capabilities and focus of this Iranian state-sponsored hacking group.
Sophisticated Tools For Stealthy Operations
The NiceCurl and TameCat backdoors represent a sophisticated toolkit in Damselfly’s arsenal, enabling threat actors to gain initial access to targeted environments discreetly.
NiceCurl, a VBScript-based malware, is designed to download and execute additional malicious modules, enhancing the attackers’ control over compromised systems.
On the other hand, the TameCat backdoor facilitates the execution of PowerShell and C# scripts, allowing for further exploitation by downloading additional arbitrary content.
These tools are part of a broader strategy employed by Damselfly to conduct espionage and potentially disrupt operations at targeted facilities.
According to Broadcom report, the group’s activities have been primarily directed at energy companies and other critical infrastructure sectors across the U.S., Europe, and the Middle East.
The sophistication of their methods and the critical nature of their targets underscore the high level of threat they pose.
These include adaptive, behavior, file, and network-based detection mechanisms, ensuring robust defense against Damselfly’s tactics.
The security firm’s efforts are crucial in mitigating the risks posed by such state-sponsored cyber activities, characterized by their complexity and stealth.
The operations of the Damselfly group highlight the ongoing challenges in cybersecurity, where state-sponsored actors employ advanced techniques and malware to achieve their objectives.
Using custom backdoors like NiceCurl and TameCat, coupled with spear-phishing campaigns, enables these actors to maintain persistence in their target networks and carry out their missions with a high degree of secrecy and efficiency.
Smishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks their victim into doing something they should not do, such as giving money, their password, or access to their computer. Cyber attackers have learned the easiest way to get something is just ask for it. This concept is not new, con artists and scammers have existed for thousands of years, it’s just that the Internet makes it very simple for any cyber attacker to pretend to be anyone they want and target anyone they want.
Phishing is one of the most common forms of social engineering as it’s one of the simplest and most effective and an attack method we are all familiar with. However, both organizations and individuals are becoming not only far more aware of how phishing attacks work, but much better at spotting and stopping them. Phishing is still an effective attack method, but it is getting harder and harder for cyber criminals to be effective with phishing. This is where smishing comes in.
Smishing vs Phishing
Smishing is very similar to phishing, but instead of sending emails trying to trick people, cyber attackers send text messages. The term smishing is a combination of the words SMS messaging and phishing. You may have noticed a rise in random text messages that are trying to get you to click on links or respond to text messages. That’s smishing.
Why the Increase in Smishing Attacks?
It is harder for organizations to secure mobile devices. Security teams often have neither the visibility nor control of employees’ mobile devices like they do for workstations. This means it’s harder to both secure and monitor mobile devices.
There are far fewer security controls that effectively identify and filter smishing attacks. This means when a cyber attacker sends a smishing text message to victims, that message is far more likely to make it and not be filtered.
A text message tends to be much shorter than an email, there is far less context or information, making it harder to determine if the message is legitimate or not. In other words, people are more likely to fall victim.
Texting tends to be far more informal than email, as such people tend to trust and act on text messages more. In other words, people are more likely to fall victim.
The Smishing Attacks
So, what type of text messaging attacks are there? While these attacks are always evolving, some of the most common are detailed below.
Links
The text message entices you to click on a link, often through a sense of urgency, something too good to be true, or simple curiosity. Once you click on the link, the goal is usually to harvest your personal information (by getting you to fill out a survey) or your login and password (to your bank or email account, for example). Notice how, in the link in the message below, the cyber attacker uses HTTPS, an encrypted connection to make the link look more legitimate.
Scams
In these attacks, the cyber attacker will attempt to start a conversation with you, build trust, and ultimately scam you. Romance scams are one common example where cyber criminals randomly text millions of people to find those who are lonely or emotionally vulnerable, build a pretend romance, and then take advantage of them.
Call-Back
Like some phishing emails, the text message has a phone number in it and is urging the victim to call. Once the victim calls the phone number they are then scammed.
What to Do About Smishing Attacks?
While many security training programs focus on phishing, we far too often neglect text based smishing attacks. In fact, this can create a situation where your workforce is highly aware of phishing attacks but may mistakenly think that cyber attackers only use email for attacks. From a training perspective, we recommend you teach people that cyber attackers can use a variety of different methods to trick people, to include both email phishing and text based smishing. For smishing, we do not recommend that you try to teach people about every different type of attack possible. Not only will this likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, like in phishing training, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. Of note, the indicators below are the same indicators of an email phishing attack.
Urgency: Any message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail.
Pressure: Any message that pressures an employee to ignore or bypass company policies and procedures. Gift card scams are often started with a simple text message.
Curiosity: Any message that generates a tremendous amount of curiosity or is too good to be true such as notice of an undelivered UPS package or receiving an Amazon refund.
Sensitive: Any message that requests (or requires) highly sensitive information such as your password or unique codes.
Tone: Any message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone is wrong.
Hey 👏 I’m the digital assistance of DISCInfoSec for ISO 27k implementation.
I will try to answer your question. If I don’t know the answer, I will connect you with one my support agents.
Please type your query regarding ISO 27001 implementation 👇
Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth.
However, this shift towards a more interconnected digital ecosystem has not come without its risks.
According to the “2024 State of SaaS Security Report” by Wing Security, a staggering 97% of organizations faced exposure to attacks through compromised SaaS supply chain applications in 2023, highlighting a critical vulnerability in the digital infrastructure of modern businesses.
The report, which analyzed data from 493 companies in the fourth quarter of 2023, illuminates the multifaceted nature of SaaS security threats.
From supply chain attacks taking center stage to the alarming trend of exploiting exposed credentials, the findings underscore the urgent need for robust security measures.
Supply Chain Attacks: A Domino Effect
Supply chain attacks have emerged as a significant threat, with 96.7% of organizations using at least one app that had a security incident in the past year.
The MOVEit breach, which directly and indirectly impacted over 2,500 organizations, and North Korean actors’ targeted attack on JumpCloud’s clients are stark reminders of the cascading effects a single vulnerability can have across the supply chain.
The simplicity of credential stuffing attacks and the widespread issue of unsecured credentials continue to pose a significant risk.
The report highlights several high-profile incidents, including breaches affecting Norton LifeLock and PayPal customers, where attackers exploited stolen credentials to gain unauthorized access to sensitive information.
MFA Bypassing And Token Theft
Despite adopting Multi-Factor Authentication (MFA) as a security measure, attackers have found ways to bypass these defenses, targeting high-ranking executives in sophisticated phishing campaigns.
Additionally, the report points to a concerning trend of token theft, with many unused tokens creating unnecessary risk exposure for many organizations.
Looking Ahead: SaaS Threat Forecast For 2024
As we move into 2024, the SaaS threat landscape is expected to evolve, with AI posing a new threat.
The report identifies two primary risks associated with AI in the SaaS domain: the vast volume of AI models in SaaS applications and the potential for data mismanagement.
Furthermore, the persistence of credential-based attacks and the rise of interconnected threats across different domains underscore the need for a holistic cybersecurity approach.
Practical Tips For Enhancing SaaS Security
The report offers eight practical tips for organizations to combat these growing threats, including discovering and managing the risk of third-party applications, leveraging threat intelligence, and enforcing MFA.
Additionally, regaining control of the AI-SaaS landscape and establishing an effective offboarding procedure are crucial steps in bolstering an organization’s SaaS security.
The “2024 State of SaaS Security Report” by Wing Security serves as a wake-up call for businesses to reassess their SaaS security strategies.
With 97% of organizations exposed to attacks via compromised SaaS supply chain apps, the need for vigilance and proactive security measures has never been more critical.
As the digital landscape continues to evolve, so must our approaches to protect it.
Interested in discovering how Python can bolster your abilities in safeguarding digital assets? Delve into the potential of Python for cybersecurity.
In the current digital era, cybersecurity holds greater significance than ever before. Python, renowned for its versatility and resilience, has emerged as a fundamental tool for cybersecurity professionals globally.
🔹 How Python can streamline threat detection and analysis. 🔹 Practical examples of Python scripts for automating security tasks. 🔹 Resources and tools to kickstart your journey into Python for cybersecurity.
Regardless of whether you’re an experienced cybersecurity professional or new to the field, Python has the potential to transform your approach to security challenges.
France’s National Cybersecurity Agency (ANSSI) observed a significant rise in cyber espionage campaigns targeting strategic organizations in 2023.
These operations are increasingly focused on individuals and non-governmental structures that create, host or transmit sensitive data, ANSSI observed in its 2023 Cyber Threat Landscape report, published on February 27, 2024.
Besides public administration, the primary targets of cyber espionage activity included organizations associated with the French government, such as technology and defense contractors, research institutes and think tanks.
Overall, cyber espionage remained the top cyber threat ANSSI’s teams dealt with in 2023.
ANSSI has also noted an increase in attacks against business and personal mobile phones aimed at targeted individuals.
There has also been an upsurge in attacks that have used methods publicly associated with the Russian government.
“These attacks are not limited to mainland French territory: in 2023, ANSSI dealt with the compromise of an IT network located in a French overseas territory using an attack modus operandi publicly associated with China,” reads the report.
30% Rise in Ransomware
Meanwhile, financially motivated attacks were also on the rise, with an observed 30% increase in ransomware attacks compared to 2022.
Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI
Small and medium enterprises (SMEs) and mid-sized businesses were the most targeted organizations, representing 34% of all cyber-attacks observed by ANSSI in 2023. Local administration came second, suffering 24% of all attacks in 2023.
In total in 2023, ANSSI recorded 3703 cyber events, 1112 of which were labeled as cyber incidents. In 2022, it recorded 3018 cyber events, including 832 cyber incidents.
The latest version of the LockBit ransomware, LockBit 3.0 (aka LockBit Black), was the most used malware in financially motivated cyber-attacks in 2023, taking over previous ransomware versions from the same threat group that dominated the ransomware landscape in 2022.
Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI
Overall, 2023 has seen significant changes in the structure and methods of attackers. They are perfecting their techniques in order to avoid being detected, tracked, or even identified.
“Despite efforts to improve security in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting ‘zero-day’ vulnerabilities remains a prime entry point for attackers, who all too often still take advantage of poor administration practices, delays in applying patches and the absence of encryption mechanisms,” reads the report, translated from French to English by Infosecurity.
The top five vulnerabilities exploited by threat actors to compromise French organizations’ IT systems in 2023 include flaws in VMWare, Cisco, Citrix, Atlassian and Progress Software products.
Pre-Positioning Activities on ANSSI’s Radar for 2024
Finally, in a tense geopolitical context, ANSSI noted new destabilization operations aimed mainly at promoting a political discourse, hindering access to online content or damaging an organization’s image.
“While distributed denial of service (DDoS) attacks by pro-Russian hacktivists, often with limited impact, were the most common, pre-positioning activities targeting several critical infrastructures in Europe, North America and Asia were also detected.
“These more discreet activities may nevertheless be aimed at larger-scale operations carried out by state actors waiting for the right moment to act,” the report explained.
Vincent Strubel, ANSSI’s director general, commented: “While financially motivated attacks and destabilization operations saw a clear upturn in 2023, it was once again the less noisy threat, which remains the most worrying, that of strategic and industrial espionage and pre-positioning for sabotage purposes, which mobilised the ANSSI teams the most.”
These geopolitically driven threats will particularly be on ANSSI’s radar in 2024, as Paris is prepares to host the 2024 Olympic and Paralympic Games.
An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.
Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.
Some documents that have been weaponized have embedded links to “View document,” which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commit financial fraud.
Attackers Targeting Wide Range Of Individuals
Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.
“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,” Proofpoint researchers shared with Cyber Security News.
“Individuals holding executive positions such as “Vice President, Operations,” “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted.”
Threat actors have a realistic approach, as seen by the variety of positions they have targeted, intending to compromise accounts that have varying degrees of access to important resources and responsibilities across organizational activities.
In this campaign, researchers observed the usage of a particular Linux user agent that attackers employed during the attack chain’s access phase.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
The ‘OfficeHome’ sign-in application is primarily accessed by attackers using this user-agent, along with other native Microsoft365 apps, like:
‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications)
‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation)
‘My Signins’ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog)
‘My Apps’
‘My Profile’
Attackers use their own MFA techniques to keep accessing systems permanently. Attackers choose various authentication techniques, such as registering additional phone numbers to authenticate via SMS or phone calls.
MFA manipulation events executed by attackers in a compromised cloud tenant
Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.
Mailbox access is also used to target individual user accounts with phishing threats and migrate laterally across compromised organizations.
Internal emails are sent to the impacted companies’ finance and human resources departments to commit financial fraud.
Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.
Obfuscation mailbox rules created by attackers following successful account takeover
“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,” researchers said.
Thus, in your cloud environment, be aware of account takeover (ATO) and possible illegal access to key resources. Security solutions must offer precise and prompt identification of both initial account compromise and post-compromise actions, together with insight into services and applications that have been misused.
