InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
An overall prevalence of high-severity vulnerabilities such as remote code execution, SQL injection, and cross-site scripting;
Medium-severity vulnerabilities such as denial-of-service, host header injection and directory listing remained present in 63% of web apps in 2020;
Several high-severity vulnerabilities did not show improvement in 2020 despite being well understood, such as the incidence of remote code execution, which increased by one percentage point last year.
COVID-19 pushed organizations and consumers to an even greater reliance on web applications. As organizations depend on web applications – ranging from web conferencing and collaboration environments to e-commerce sites – to handle what were once in-person tasks, web application security has become even more critical than ever. And that’s what makes a lost year of web application security so troublesome.
Web attacks reached new highs during the pandemic, according to Interpol, and that puts the security of companies at greater risk.
“It’s very troubling to see this loss of momentum due to reduced attention to web application security,” said Invicti president and COO Mark Ralls in a formal statement. “As we look ahead, we hope to see organizations adopt best practices and invest in security, so that they can continue to advance their web security posture, protect their customers, and avoid being the next big security breach headline.”
A zero-day is where the crooks find an exploitable security hole before the good guys do, and start abusing that bug to do bad stuff before a patch exists.
The name reflects the annoying fact that there were zero days that you could possibly have been ahead of the crooks, even if you are the sort of accept-no-delays user who always patches on the very same day that software updates first come out.
To be fair to the Chromium team, the most recent zero-day hole, patched in version 90 of the Chrome and Chromium projects, is best described as half-a-hole. You have to go out of your way to run the browser with its protective sandbox turned off, something that you will probably not do by choice, and are unlikely to do by mistake.
While developing a seamless and successful digital mindset with a security strategy is not a simple task, the effort is crucial for the health of a company. Unfortunately, security tools haven’t always gotten the best rep with developers, who feared the tools would slow them down, reflect poorly on their work, or even cost them their job if something were to go wrong. For example, static application security tools (SAST) often yield false positives requiring significant resources to remediate.
Since remediation advice is often generic, in some cases, developers wind up spending an extensive amount of time reading through lengthy documentation to understand the right fix. So how can organizations create a security-first culture despite these barriers?
Researchers from FireEye’s Mandiant team breached the network of a North American utility and turned off one of its smart meters.
Over the years, the number of attacks against ICS/SCADA systems used by industrial organizations worldwide has rapidly increased. Many security firms highlighted the risks related to attacks targeting OT networks used in utilities.
Recently FireEye’s incident response unit Mandiant demonstrated how to infiltrate the network of a North American utility and hack into its industrial control systems to turn off one of its smart meters.
The scope of the test was to demonstrate tactics, techniques, and procedures used by threat actors to breach the protected perimeter between an IT network and an OT network.
In the first phase of the attack, the Mandiant team adopted techniques used by TEMP.Veles to breach the OT network during the TRITON attack.
“Mandiant’s experience during red team engagements highlights that collecting information from IT network assets plays a crucial role in targeted OT attacks. As a result, the internal reconnaissance phase for OT targeted attacks begins in the enterprise network, where the actor obtains knowledge and resources to propagate from an initial compromise in the IT network to remote access in the OT network.” states FireEye’s report. “Detailed information collected about the target, their security operations, and their environment can also support an actor’s attempts at remaining undetected while expanding operations.”
The Washington Post has published a long story on the unlocking of the San Bernardino Terrorist’s iPhone 5C in 2016. We all thought it was an Israeli company called Cellebrite. It was actually an Australian company called Azimuth Security.
Azimuth specialized in finding significant vulnerabilities. Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person.
The year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, government, and individuals. In addition, the sophistication of threats increased from the application of emerging technologies such as machine learning, artificial intelligence, and 5G, and especially from greater tactical cooperation among hacker groups and state actors. The recent Solar Winds attack, among others, highlighted both the threat and sophistication of those realities.
The following informational links are compiled from recent statistics pulled from a variety of articles and blogs. As we head deeper into 2021, it is worth exploring these statistics and their potential cybersecurity implications in our changing digital landscape.
To make the information more useable, I have broken down the cybersecurity statistics in several categories, including Top Resources for Cybersecurity Stats, The State of Cybersecurity Readiness, Types of Cyber-threats, The Economics of Cybersecurity, and Data at Risk.
There are many other categories of cybersecurity that do need a deeper dive, including perspectives on The Cloud, Internet of Things, Open Source, Deep Fakes, the lack of qualified Cyber workers, and stats on many other types of cyber-attacks. The resources below help cover those various categories.
Top Resources for Cybersecurity Stats:
If you are interested in seeing comprehensive and timely updates on cybersecurity statistics, I highly recommend you bookmark these aggregation sites:
Guardicore unveiled new zero trust assessment capabilities in Infection Monkey, its open source breach and attack simulation tool. Available immediately, security professionals will now be able to conduct zero trust assessments of AWS environments to help identify the potential gaps in an organization’s AWS security posture that can put data at risk.
Infection Monkey helps IT security teams assess their organization’s resiliency to unauthorized lateral movement both on-premises and in the cloud.
The tool enables organizations to see the network through the eyes of a knowledgeable attacker – highlighting the exploits, vulnerabilities and pathways they’re most likely to exploit in your environment.
Zero trust maturity assessment in AWS
New integrations with Scout Suite, an open source multi-cloud security auditing tool, enable Infection Monkey to run zero trust assessments of AWS environments.
Infection Monkey highlights the potential security issues and risks in cloud infrastructure, identifying the potential gaps in AWS security posture. It presents actionable recommendations and risks within the context of the zero trust framework’s key components established by Forrester.
Expanded MITRE ATT&CK techniques
Infection Monkey applies the latest MITRE ATT&CK techniques to its simulations to help organizations harden their systems against the latest threats and attack techniques. The four newest ATT&CK techniques the software can simulate are:
COVID-19 has impacted everything over the past year, and mobile app security is no exception. The Synopsys Cybersecurity Research Center (CyRC) took an in-depth look at application security, and discovered just how vulnerable apps that use open source code really are. According to the report, 98% of apps use open source code, and 63% of those apps have at least one known vulnerability.
Open source code is no more or less vulnerable than any other code, Jonathan Knudsen, senior security strategist with Synopsys, was quick to point out in an email interview. The prime security task for any organization that uses open source code is how to manage the code correctly.
“The report underscores, among other things, that managing security vulnerabilities in open source software components is a very real problem,” Knudsen said. The challenge lies in the self-service nature of open source use. With no commercial vendor to push out updates and patches, it then becomes the responsibility of the developers and the business to evaluate and monitor for security risks and come up with a strategy for the inevitable security problems.
Adoption of Open Source
Developers turn to open source because it helps them code 20 to 30 times faster than writing their own from scratch; getting a mobile application into the marketplace quickly is a top priority. This need to move fast has created a dependency on open source. It has also led to the prioritization of development over security in many IT organizations just to remain competitive in the market.
“To stay competitive, software development teams must figure out how to write code quickly, while not sacrificing security to create value and preserve competitive advantage for their organizations,” said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. Until that happens, open source will continue to be the go-to code.
In late March 2021, Representative Susan DelBene (D-WA 01) introduced legislation to the 116th Congress to protect consumer privacy and put control of consumers’ data in their own hands.
DelBene noted that states are surging ahead of the federal government in creating privacy laws, each with their own flavor and each serving the needs of a particular constituency/demographic. DelBene argued that having a federal policy will stem consumer confusion and put the United States back into the conversation on global privacy policies. The EU, for example, is pushing their General Data Protection Regulation (GDPR) as the global standard.
Companies produce their privacy policies in “plain English” within 90 days of the bill’s passage.
Users must “opt in” before companies may use their sensitive PII. In doing so, the user is made aware of how the information may be used and, more importantly, how it is not to be used. Companies will have 90 days to put this capability in place once the legislation becomes law.
Companies must be transparent when it comes to sharing user information – who, what, where, how and why.
The Federal Trade Commission (FTC) will be given the authority to fine bad actors on their first offense and empower state attorneys general to pursue offenders. If the FTC doesn’t act on a complaint within 60 days, the state attorney general may pursue legal remedies.
Trust, yet verify by requiring, every two years, a “neutral” privacy audit to ensure companies (with information from 250,000 or more people) are handling PII in accordance with the provisions of the Act.
The bill will provide to the FTC 50 additional full-time employees, of which 15 must be technical experts (not further defined), and initial funding for the program will be $35 million.
When IT and security professionals plan how to respond, they must not underestimate the degree to which many of the transformative changes to our working patterns enacted due to COVID-19 have already changed our risk of ransomware attacks.
After the first “shelter in place” orders were issued, many organizations swung into action to accommodate work-from-anywhere policies. The ability of these teams to accommodate their businesses and the flexibility in modifying working practices which, in some cases, had been set in stone for years, was remarkable.
Now, many organizations are assuming a more distributed and hybrid workforce as their new normal in order to provide resilience, agility and a far broader reach in the battle for talent. However, this change has led to an uptick in focused ransomware campaigns by targeting the “human attack surface” of such organizations in a more subtle, insidious manner.
NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches
100+ fixes for the Windows world – plus holes in SAP, Adobe, FreeBSD, etc.
“This month’s release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers,” Microsoft said in its blog post.
“These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers.
Clicking through Microsoft’s coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you’ll find the unspecified security partner is the NSA.
Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems.
“NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks,” the signals intelligence agency said via Twitter.
Consumers seem somehow unable or unwilling to protect themselves. But our research reveals an interesting knock-on effect from this: consumers welcome organizations who take the security initiative – and actively move their business to them.
Good security is good for business
This situation is a huge opportunity for organizations to make security a differentiator. Our research reveals that consumers value companies they perceive as more secure, with 64% saying they would recommend a large organization that they think makes a big effort to keep their data secure. A business with clearly visible cybersecurity will reassure consumers and create confidence in its digital products and services, carving itself a competitive advantage.
The NAME:WRECK report isn’t just one bug or one vulnerability, and all of them date back to last year except for one.
Fortunately, they are all patched (at least one has had an update out for nearly a year already) but together they constitute a worthwhile reminder that even in the modern age, programmers continue to make old-school coding mistakes.
The vulnerabilities that have been lumped together under the NAME:WRECK “brand” were found in three different operating systems.
Two were low-level operating systems, often known as RTOSes (short for real-time operating systems) dedicated to internet-of-things (IoT) devices, namely Nucleus NET from Siemens and NetX from Microsoft.
The third was FreeBSD, widely used as both a mainstream server operating system and as an operating system for embedded devices. (As the name suggests, FreeBSD is available for free, like Linux, but it uses a much more easy-going and liberal open source licence.)
In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange. One of the characteristics of the campaign, in the later days when the Chinese probably realized that the vulnerabilities would soon be fixed, was to install a web shell in compromised networks that would give them subsequent remote access. Even if the vulnerabilities were patched, the shell would remain until the network operators removed it.
Now, months later, many of those shells are still in place. And they’re being used by criminal hackers as well.
On Tuesday, the FBI announced that it successfully received a court order to remove “hundreds” of these web shells from networks in the US.
FireEye published its M-Trend 2021 report based on the data collected during the investigation, 650 new threat groups were tracked in 2020
FireEye published its annual report, titled M-Trend 2021, which is based on the data collected during the investigation of the security incidents it managed. Most of the incidents investigated by Mandiant in 2020 (59%) were initially detected by the victims themselves, a figure that is a 12% improvement over 2019.
Since its launch, Mandiant has tracked more than 2,400 threat groups, 650 of which were first tracked in 2020. Over the years, the experts have combined or eliminated approximately 500 groups, leaving more than 1,900 distinct groups tracked at this time (+100 compared to 2019).
The threat actors tracked by Mandiant include nation-state actors, financially motivated groups, and uncategorized groups (known as UNCs).
“In 2020, Mandiant experts investigated intrusions that involved 246 distinct threat groups. Organizations faced intrusions by four named financial threat (FIN) groups; six named advanced persistent threat (APT) groups, including groups from the nation-states of China, Iran and Vietnam; and 236 uncategorized threat (UNC) groups. Of the 246 threat groups observed at intrusion clients, 161 of these threat groups were newly tracked threat groups in 2020.” reads the report published by FireEye.
ISO is shaking up the familiar structure of the ISO 27001/27002 control framework after over 20 years of stability.
Originally published as British Standard BS 7799 Part 1 and 2 in the late 1990s, adopted as the ISO 17799 standard in 2000, and then renumbered as ISO 27001/27002, the name has changed a few times but the structure of the controls has remained intact until now.
Historically ISO has resisted major changes given that so many organizations globally have adopted ISO 27001/27002 for their security policies, security programs and certifications, and considering that numerous countries have adopted or incorporated them into their own national standards.
Publication of the final standard is expected to occur in the next year.
The country’s top nuclear official … Ali Akbar Salehi, did not say who was to blame for the “terrorist act”, which caused a power failure … a day after it unveiled new uranium enrichment equipment. … Israeli public media, however, cited intelligence sources who said it was the result of an Israeli cyber-attack. … On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site in a ceremony that was broadcast live. … It represented another breach of the country’s undertakings in the 2015 deal, which only permits Iran to produce and store limited quantities of enriched uranium. [The] deal, known as the Joint Comprehensive Plan of Action (JCPOA), has been in intensive care since Donald Trump pulled the US out of it. … Later state TV read out a statement by … Atomic Energy Organisation of Iran (AEOI) … head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism.” … Last July, sabotage was blamed for a fire at the Natanz site which hit a central centrifuge assembly workshop.
[The] power failure … appeared to have been caused by a deliberately planned explosion. … American and Israeli intelligence officials said there had been an Israeli role. Two intelligence officials briefed on the damage said it had been caused by a large explosion that completely destroyed the … power system that supplies the underground centrifuges. … The officials, who spoke on the condition of anonymity to describe a classified Israeli operation, said that the explosion had dealt a severe blow to Iran’s ability to enrich uranium and that it could take at least nine months to [recover]. Some Iranian experts dismissed initial speculation that a cyberattack could have caused the power loss. … The United States and Israel have a history of covert collaboration, dating to the administration of President George W. Bush, to disrupt Iran’s nuclear program. The best-known operation under this collaboration … was a cyberattack disclosed during the Obama administration that disabled nearly 1,000 centrifuges at Natanz.
As required by ISO27001, the risks identified in the risk assessment must be ones that, if they occurred, would result in the loss of Confidentiality, Integrity and/or Availability (CIA) of information in the scope of the ISMS. ISO27001 also requires that the controls necessary to modify each risk be determined, so each risk gets a list of one or more controls.
This article gives some advice about how to choose/determine the controls for each risk and how control sets (e.g. Annex A, ISO27017, ISO27018, NIST CSF, CSA) can be used to help with this and as a quality check on the risk assessment.
What do we mean by necessary?
A good question!
“Needed to manage the risk”. Yes, I know that this just rephrases the word “necessary”….
In many cases this is a simple (or perhaps tricky!) matter of judgment, but each control should be checked for necessity by asking questions like these:
What effect does this control have on the likelihood or impact of this risk? Only controls that have more than a negligible effect on the likelihood or impact should be designated as “necessary”.
What would happen to this risk if this control were not in place or stopped working properly? Your answer should be: “the business continues to operate and deliver all its services, but we have just increased the likelihood and/or impact of something going wrong that stops us delivering this service and/or gets in the way of meeting our objectives”. If this is not your answer, then this control is unlikely to be “necessary” and should not be included.
Extended detection and response (XDR) is a designation used when you do not have the ability to cover a wide range of threat vectors.
Simply put, XDR encompasses more than one type of detection, but in some cases that can be as few as two. Threats can arrive via desktop, web, SaaS applications, cloud providers, and so on, and you need more than a couple of detection capabilities to secure your systems.
So, why XDR and why now? Many providers only have a couple of threat vectors covered, and if they do not manage them for you they cannot claim to provide a managed service. Instead, they call it XDR — a great marketing term to hide the lack of coverage they provide.
Gartner defines XDR products as platforms that automatically collect and correlate data from multiple components. XDR promises to make security teams more efficient, productive and effective via centralized historic and real-time event data in common formats, and with scalable, high-performance storage, fast-indexed searches and automation-driven responses.
However, XDR solutions are pulling data from a variety of solution sets possibly comprised of even more tools, and they are flooding analysts with an overwhelming amount of threat data to be analyzed.
XDR represents a natural evolution of endpoint detection and response (EDR) solutions. It seeks to provide an all-in-one platform which includes endpoint protection, cloud access security brokers (CASBs), secure web gateways (SWGs), secure email gateways (SEGs), network firewalls, network intrusion prevention systems (NIPs), unified threat management (UTM) and identity and access management (IAM).
It takes a proverbial village of acronyms to describe what XDR is, exactly. But here’s one thing that none of this cybersecurity-speak covers — people.
XDR investments are set up for failure because they overlook the human factor. XDR is just a tool. To derive any of the tool’s value potential, you need talent empowered with the intelligence required to parse through it, apply the analytics, sort real incidents from the noise, and prioritize responses. Without them, using XDR amounts to simply dumping everything you can possibly collect about threats in a big pot and letting it simmer. Plus, attackers will continue to find new approaches to get through.
It’s similar to the more traditional industry staple, security information and event management (SIEM), which arrived as an answer for organizations with several different analysts and consoles, each one looking for smoking guns.
Through SIEM, companies sought to eliminate these inefficiencies by aggregating all consoles and putting everything in one place (including the smoking guns). Thus, at their core, SIEM and XDR are conceptually the same and hindered by the same problem: you need people on board who know what to do with these tools to get anything out of them.
In addressing this missing factor organizations are turning to what will be the last of our acronyms: MDR (managed detection and response). This security as a service (SaaS) offering provides companies access to outside analysts who command expertise in all XDR capabilities for comprehensive coverage, detection, and response. They remove the burden of triage from in-house IT teams with the ability to continuously and effectively receive and prioritize events. They reduce false positives while investigating high-risk incidents before they escalate, with up-to-date intelligence across all customer deployments.
In other words, proper MDR is managed XDR. As a result, the customer’s security team members don’t have to procure their own intelligence feeds and the solution is more than just a tool. They no longer handle up to 10,000 alerts a day, or suffer from alert fatigue. They are liberated from these burdens so they can focus instead on bigger-picture, strategic initiatives to improve the overall security posture of their companies.
Because of these advantages, MDR is positioned for broader adoption, as one-quarter of organizations are now using an MDR service, with 72 percent of them decreasing the time it takes to resolve attacks by 25 to 100 percent. Among those that do not currently use it, 79 percent are either evaluating or are considering the adoption of such a service.
These organizations are still getting XDR. However, as indicated, they’re acquiring a managed services version of it, which means they’re buying the external staffing and know-how that can transform a tool into a comprehensive, impact-making capability. This drives toward the inherent value of the human touch — a value which especially benefits companies that can’t afford to internally staff 24/7/365 coverage for threat detection and response.
An XDR solution without adequate human expertise/staffing behind it will only ever be a tool. With a managed services model in play, you’re getting both the comprehensive technology capabilities and the people required to make it work — which is why MDR may be the only acronym that your organization needs.