InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Looking for affordable ways to keep your data secure? Sometimes the simplest solutions are the best – and nothing beats the simplicity of a book.
With books, you get expert advice at your fingertips. You can study whenever is convenient and the information is always there for you to reference.
So, which books are right for you? That depends on what you want to know. Fortunately, IT Governance has a selection of titles covering everything you need to know, including the GDPR, Cloud security and the CCPA.
Let's take a look at some of our most popular titles. Below are the four best books on data privacy.
This bestselling guide is the ideal companion for those trying to understand how the GDPR affects their organisation.
It explains the Regulation's requirements in plain terms and helps you understand data subjects' rights and the way consent requests have changed.
You'll also gain a deeper understanding of the GDPR's technical requirements, such as the appointment of a DPO (data protection officer), international data transfers and the obligations of data controllers and processors.
Written by Alan Calder, IT Governance's founder and executive chairman, this book is an essential introduction to the GDPR.
It's ideal for anybody who is new to the Regulation or needs a refresher, explaining the legal terminology and compliance in simple terms.
It also provides invaluable advice on how you can meet the GDPR's requirements.
This includes broad measures that your organisation should implement as well as tips on things you should and shouldn't do when processing personal data.
If your organisation collects California residents' personal data, you must comply with the CCPA (California Consumer Privacy Act).
The law, which took effect on 1 January 2020, applies to certain companies depending on their annual turnover, how much personal data they collect and whether they sell the information for profit.
Written by data protection expert and consultant Preston Bukaty, this handbook provides a comprehensive explanation of the law's scope and how to achieve compliance.
Organisations have had to overcome countless challenges during the pandemic, but one that has continued to cause headaches is IT security for home workers.
A remote workforce comes with myriad dangers, with employees relying on their home networks – and sometimes their own devices – and without the assurance of a member of your IT team on hand if anything goes wrong.
But unlike many COVID-19 risks, these issues won't go away when life eventually goes back to normal. Home working will remain prominent even when employees have the choice to return to the office, with a Gartner survey finding that 47% of organizations will give employees the choice of working remotely on a full-time basis.
Meanwhile, 82% said that employees would be able to work from home at least one day a week.
As such, organisations should reconsider if they're under the assumption that the defences they've implemented to protect remote workers are temporary.
Robust, permanent defences are required to tackle the array of threats they face. We explain how you can get started, including our remote working security tips, in this blog.
Online work increases cyber security risks
Without the security protections that office systems afford us – such as firewalls and blacklisted IP addresses – and with increased reliance on technology, we are far more vulnerable to cyber attacks.
The most obvious risk is that most of our tasks are conducted online. After all, if something's on the Internet, then there's always the possibility of a cyber criminal compromising it.
They might attempt to do this by cracking your password. This could be easier than ever if you're reusing login credentials for the various online apps you need to stay in touch with your team.
Meanwhile, according to CISO's Benchmark Report 2020, organizations are struggling to manage remote workers' use of phones and other mobile devices. It found that 52% of respondents said that mobile devices are now challenging to protect from cyber threats.
You can find more tips on how to work from home safely and securely by taking a look at our new infographic.
This guide explains five of the most significant risks you and your organisation face during the coronavirus crisis.
Alternatively, attackers could send phishing emails intended to trick you into either handing over your details or downloading a malicious attachment containing a keylogger.
The dangers of phishing should already be a top concern, but things are especially perilous during the coronavirus crisis.
Organisations should also be concerned about remote employees using their own devices.
This might have been unavoidable given how quickly the pandemic spiralled and the suddenness of the government's decision to implement lockdown measures.
Still, where possible, all work should be done on a corporate laptop subject to remote access security controls. This should include, at the very least, 2FA (two-factor authentication), which will mitigate the risk of a crook gaining access to an employee's account.
This ensures that the necessary tools are in place to defend against potential risks, such as anti-malware software and up-to-date applications.
It also gives your IT team oversight of the organisationâs IT infrastructure and allows it to monitor any malicious activity, such as malware and unauthorised logins.
Control the risk
Any organisation with employees working from home must create a remote working policy to manage the risks.
If you don't know what this should contain, our Remote Working Policy Template provides everything you need to know.
It includes guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren't work-related.
Organisations should also explain the technical solutions they've implemented to protect sensitive data and how employees can comply. For example, we recommend applying two-factor authentication to any third-party service that you use.
Although it shouldn't be a concern during the lockdown, your remote working policy should also address the risks that come with employees handling sensitive information in public places.
Security incidents are just as likely to occur even if there isn't a malicious actor. Consider how often you hear about employees losing their laptop, USB stick or paperwork.
Coronavirus: your biggest challenge yet
Disruption caused by COVID-19 is inevitable, and you have enough to worry about without contending with things like cyber security and compliance issues.
Unfortunately, cyber criminals have sensed an opportunity amid the pandemic, launching a spate of attacks that exploit people's fear and uncertainty.
Therefore, it's more important than ever to make sure your organisation is capable of fending off attacks and preventing data breaches.
To help you meet these challenges, we've put together a series of packaged solutions. Meanwhile, most of our products and services are available remotely, so we don't need to be on-site to carry out things like security testing.
One virus is enough to worry about. Take action now to protect your business. Implement cyber security measures that help you respond to cyber attacks.
On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.
The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers, access email accounts and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations.
This week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.
The availability of the proof-of-concept code was first reported by The Record.
"A Vietnamese security researcher has published today the first functional public proof-of-concept exploit for a group of vulnerabilities in Microsoft Exchange servers known as ProxyLogon, and which have been under heavy exploitation for the past week," reads the post published by The Record. "The proof-of-concept code was published on GitHub earlier today. A technical write-up (in Vietnamese) is also available on blogging platform Medium."
The availability of the exploit online was immediately noticed by several cyber security experts, including Marcus Hutchins.
A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft's customers using the Microsoft Exchange solution.
"We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe," the spokesperson said in an email sent to Vice. "In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited."
MITRE ATT&CK is a tool to help cybersecurity teams get inside the minds of threat actors to anticipate their lines of attack and most effectively position defenses. MITRE ATT&CK works synergistically with FAIR to refine a risk scenario ("threat actor uses a method to attack an asset resulting in a loss").
Enter an asset into the MITRE ATT&CK knowledge base and it returns a list of likely threat actors and their methods to inform a risk scenario statement. It also helps to fill in color and detail for the FAIR factors, such as the relative strength of threat actors likely to go after an asset or the resistance strength of the controls around the asset, as well as the frequency of attack one might expect from these actors, based on internal or industry data (housed in the Data Helpers and Loss Tables on the RiskLens platform). All these are ultimately fed into the Monte Carlo simulation engine to show probable loss exposure for the scenario. The data we collect on our assets and threat actors can be stored in libraries on the platform for repeat use.
MITRE ATT&CK also suggests controls for mitigation efforts specific to attacks. As with the controls suggested by NIST CSF, we can assess those in the platform for cost-effectiveness in risk reduction in financial terms.
Finally, RiskLens + MITRE ATT&CK can help refine tactics for the first line of defense. With a clear sense of top risk scenarios generated by RiskLens, and a clear sense of attack vectors for those scenarios, the SOC can better prioritize among the many incoming alerts based on potential bottom-line impact.
"Application security was traditionally very low on CISOs' priority list but, as the attacks targeting applications increase in frequency, it's getting more attention," Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems, told Help Net Security.
"The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack."
In addition to that, modern applications and tech stacks are evolving and becoming increasingly complex – applications are integrating more external dependencies and are becoming very interconnected through API calls. The increased complexity significantly increases the chance of security issues.
"SAST scan results are massive, with very little insight into prioritizing fixes for critical or exploitable vulnerabilities. DAST rarely brings desired results without additional steps; the out of the box crawlers can rarely traverse the modern web applications," he explained.
"This leaves glaring gaps in the security of deployment pipelines, security defects on the architecture level and third party/open source dependencies checks."
"The Storting has again been hit by an IT attack. The attack is linked to vulnerabilities in Microsoft Exchange, which affected several businesses," reads a statement issued by the Storting.
"The Storting does not yet know the full extent of the attack. A number of measures have been implemented in our systems, and the analysis work is ongoing. The Storting has received confirmation that data has been extracted."
Storting director Marianne Andreassen confirmed the data breach.
"We know that data has been extracted, but we do not yet have a full overview of the situation. We have implemented comprehensive measures and cannot rule out that it will be implemented further," said Andreassen.
"The work takes place in collaboration with the security authorities. The situation is currently unclear, and we do not know the full potential for damage."
This isn't the first time the Storting has been hit by a cyber attack: in August 2020 the authorities announced that Norway's Parliament was the target of a major attack that allowed hackers to access emails and data of a small number of parliamentary representatives and employees. Norway's government blamed Russia for the cyberattack.
As Jack Jones, co-founder of RiskLens, tells the story, he started down the road to creating the FAIR™ model for cyber risk quantification because of "two questions and two lame answers." As CISO at Nationwide insurance, he presented his pitch for cybersecurity investment and was asked:
"How much risk do we have?"
"How much less risk will we have if we spend the millions of dollars you're asking for?"
To which Jack could only answer "Lots" and "Less."
"If he had asked me to talk more about the 'vulnerabilities' we had or the threats we faced, I could have talked all day," he recalled in the FAIR book, Measuring and Managing Information Risk.
In that moment, Jack saw the need for a way that cybersecurity teams could communicate risk to senior executives and boards of directors in the language of business, dollars and cents.
Some CISOs are still in the position of Jack pre-quantification – talking all day and delivering lame answers, from the board's point of view. Here's a short guide to what they're not saying – and how RiskLens, the analytics platform built on FAIR, can provide the right answers.
1. I don't really know what our top risks are
I can ask a group of subject matter experts in the company to vote on a top risks list based on their opinions, but that's as close as I can get.
Top Risks is the first report that many new RiskLens users run, and it only takes minutes, using the Rapid Risk Assessment capability of the RiskLens platform. The platform guides you through properly defining a set of risks (say, from your risk register) for quantitative analysis according to the FAIR standard. To speed the process, the platform draws on data from pre-populated loss tables. The resulting analysis quickly stack-ranks the risks for probable size of loss in dollar terms, across several parameters.
2. I can't give you an ROI on the money you give me to invest in cybersecurity
You see, cybersecurity is different from other programs you're asked to invest in – it's constantly changing and never-ending. You never really hit a point of success; you just chip away at the problem.
With Top Risks in hand, RiskLens clients can dig deeper on individual scenarios and run a Detailed Analysis to expose the drivers of risk to see, for instance, what types of threat actors account for the highest frequency of attacks or what classes of assets account for the highest probable losses. Then they can run the Risk Treatment Analysis capability of the platform to evaluate controls for their ROI in risk reduction.
3. I can't really tell you if things are getting better on cyber risk.
I can show you our progress with compliance checklists and maturity scales, and I hope you'll assume that's reducing risk.
While compliance with NIST CSF, CIS Controls, etc. is good and useful, these frameworks don't measure performance outcomes in reducing risk – that takes a quantitative approach. The RiskLens platform can aggregate risk scenarios to generate risk assessment reports showing risk across the enterprise or by business unit, in dollar terms – and to show risk exposure over time. It's easy to update and re-run risk assessments, thanks to the platform's Data Helpers that store risk data for re-use. Update a Data Helper, and all the related risk scenarios update at the same time – and so do the aggregated risk assessments.
4. I can't help you set a risk appetite.
I don't really know how much risk we have and am pretty much operating on the principle that no risk is acceptable.
Boards should have a strong sense of their appetite for risk in cyber as in all fields, but qualitative (high-medium-low) cyber risk analysis only supports vague appetite statements that are difficult to follow in practice. On the RiskLens platform, a CISO can input a dollar figure for "risk threshold" as a hypothetical, and run the analyses to rank how the various risk scenarios stack up against that limit, making a risk appetite a practical target.
5. I don't know how to align cyber risk management with the other forms of risk management we do.
Enterprise risk, operational risk, market risk, financial risk: I've heard their board presentations in quantitative terms. But cyber is just different.
Quantification is the answer – reporting on cyber risk in the same financial terms that the rest of enterprise risk management programs employ finally gives the board what it wants to hear on cyber risk management. ISACA, the National Association of Corporate Directors and the COSO ERM framework have all recommended FAIR for board reporting. As an ISACA white paper said,
The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk … FAIR can enable the economic representation of cybersecurity risk that is sorely missing in the boardroom, but can illuminate cybersecurity exposure.
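The quantification workflow described in this section (define scenarios with frequency and magnitude estimates, simulate, stack-rank by probable loss, compare against a risk threshold, price a control's ROI) as an added example; this is an independent illustration, not RiskLens code, and the distributions and every scenario figure are assumptions constructed for the demo.

```python
"""Simplified FAIR-style Monte Carlo loss exposure (added illustration, not RiskLens code).

Each scenario is described the way a FAIR analysis gathers it:
  * loss event frequency (LEF), events/year, as min / most likely / max
    estimates (sampled from a triangular distribution),
  * loss magnitude (LM) per event in dollars, as a 90% confidence interval
    (sampled lognormally, which suits heavy-tailed losses).
The output is an annualized loss distribution per scenario, a ranking by
expected loss, the probability of exceeding a risk threshold, and the ROI
of a control. All figures below are constructed, not from any data set.
"""
import math
import random
from dataclasses import dataclass, replace

Z95 = 1.6449  # standard normal 95th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    lef_min: float
    lef_mode: float
    lef_max: float
    lm_p5: float   # 5th percentile of loss per event, dollars
    lm_p95: float  # 95th percentile of loss per event, dollars


def lognormal_params(p5, p95):
    """Convert a 90% interval into lognormal (mu, sigma)."""
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z95)
    return mu, sigma


def poisson(rng, lam):
    """Number of loss events in one year (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(sc, trials=10_000, seed=1):
    """Return a list of simulated annual losses for one scenario."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(sc.lm_p5, sc.lm_p95)
    annual = []
    for _ in range(trials):
        lef = rng.triangular(sc.lef_min, sc.lef_max, sc.lef_mode)
        events = poisson(rng, lef)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return annual


def summarize(losses, threshold):
    """ALE (mean), median, 90th percentile and P(annual loss > threshold)."""
    s = sorted(losses)
    n = len(s)
    pct = lambda q: s[min(n - 1, int(q * n))]
    return {"ale": sum(s) / n, "p50": pct(0.5), "p90": pct(0.9),
            "p_exceed": sum(1 for x in s if x > threshold) / n}


def rank_scenarios(scenarios, threshold, trials=10_000, seed=1):
    """Stack-rank scenarios by ALE; returns [(name, summary), ...]."""
    rows = [(sc.name, summarize(simulate(sc, trials, seed), threshold)) for sc in scenarios]
    return sorted(rows, key=lambda r: r[1]["ale"], reverse=True)


def control_roi(sc, lef_reduction, annual_cost, trials=10_000, seed=1):
    """Risk reduction ($/yr) and ROI for a control that cuts LEF by a fraction."""
    before = summarize(simulate(sc, trials, seed), 0)["ale"]
    treated = replace(sc, lef_min=sc.lef_min * (1 - lef_reduction),
                      lef_mode=sc.lef_mode * (1 - lef_reduction),
                      lef_max=sc.lef_max * (1 - lef_reduction))
    after = summarize(simulate(treated, trials, seed), 0)["ale"]
    reduction = before - after
    return reduction, (reduction - annual_cost) / annual_cost


# Constructed scenarios: the estimates are illustrative only.
SCENARIOS = [
    Scenario("Ransomware on file servers", 0.1, 0.3, 1.0, 200_000, 3_000_000),
    Scenario("Credential stuffing against web portal", 0.5, 2.0, 5.0, 20_000, 500_000),
    Scenario("Lost laptop with customer data", 1.0, 3.0, 6.0, 5_000, 100_000),
]

if __name__ == "__main__":
    for name, s in rank_scenarios(SCENARIOS, threshold=1_000_000):
        print(f"{name:40s} ALE ${s['ale']:>12,.0f}  P90 ${s['p90']:>12,.0f}  "
              f"P(>$1M) {s['p_exceed']:.2f}")
    red, roi = control_roi(SCENARIOS[0], lef_reduction=0.5, annual_cost=100_000)
    print(f"Halving ransomware LEF cuts ALE by ${red:,.0f}; ROI {roi:.1f}x")
```

Because each scenario's median annual loss can be zero while its tail runs into the millions, the ranking and the exceedance probability tell the board more than a single "high/medium/low" label would.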
The hackers' methods were unsophisticated: they gained access to Verkada through a "Super Admin" account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.
News outlet Bloomberg has gone public with a dramatic cybersecurity news story about surveillance.
Bloomberg claims that an "international hacker collective" was responsible for breaking into a network of 150,000 surveillance cameras and accessing private footage from live video feeds.
According to Bloomberg, one of the hacking crew, Tillie Kottmann, claimed to have accessed cloud-based camera surveillance company Verkada and found themselves face-to-face with a huge swathe of internal data.
This data apparently included real-time feeds from up to 150,000 surveillance cameras at Verkada customer sites, as well as other real-time information such as access control data from Verkada customers.
Car maker Tesla, internet provider Cloudflare and numerous health and law enforcement organisations are claimed in Bloomberg's piece as some of those customers.
In this article, we'll outline the key areas you should consider if you want to keep your serverless architecture secure. While the solution that best fits your own ecosystem will be unique to you, the following will serve as strong foundations upon which to build your approach.
The sheer number of organizations moving to the cloud is staggering: we're seeing 3–5 years' worth of business transformation happening in just months due to the pandemic. As cloud-enabled digital transformation continues to accelerate, there are a variety of concerns.
For example, the visibility of data. Organizations (and users) must assess what controls cloud services providers offer in order to understand the security risks and challenges. If data is stored unencrypted, that implies significant additional risk in a multi-tenant environment. Or what about the ability of security models to mimic dynamic behavior? Many anomaly detection and predictive "risk-scoring" algorithms look for abnormal user behavior to help identify security threats. With the sudden and dramatic shift to remote work last year, most models require significant adjustments and adaptation.
Normally, companies begin exploring the move to a cloud service provider with a detailed risk analysis assessment. This often involves examining assets, potential vulnerabilities, exploitation probabilities, anticipated breach-driven outcomes, and an in-depth evaluation of vendors' capacity to effectively manage a hybrid solution (including authentication services, authorization, access controls, encryption capabilities, logging, incident response, reliability and uptime, etc.).
Apple has released out-of-band security patches for iOS, macOS, watchOS and the Safari web browser to address a critical security flaw tracked as CVE-2021-1844.
The vulnerability is caused by a memory corruption issue that could be triggered to cause arbitrary code execution when processing specially crafted web content.
"Processing maliciously crafted web content may lead to arbitrary code execution," reads the advisory published by Apple. "Description: A memory corruption issue was addressed with improved validation."
Apple has improved validation to address the vulnerability.
In March, Pwn20wnd, the author of the jailbreaking tool "unc0ver", updated their software to support iOS 14.3 and earlier releases. The latest release of the jailbreaking tool, unc0ver v6.0.0, includes exploit code for the CVE-2021-1782 vulnerability, which Apple said in January was actively exploited by threat actors. The CVE-2021-1782 flaw is a race condition issue that resides in the iOS operating system kernel.
When Rinki Sethi heard that her 7th grade daughter applied to take a technology innovation class as an elective, she was thrilled. Sethi, who joined Twitter in September as its chief information security officer, said one of her passions is getting more young women interested in technology.
But when her daughter found out that she didn't get into the class, Sethi discovered a troubling statistic: 18 slots for the class went to boys, while only 9 were filled by girls. "I went and sat down with the principal and asked: 'Why are we turning down girls if that's what the ratio looks like?'" Sethi recounted Monday at a virtual panel centered around women in cybersecurity. "We need more women to enter this field, and I think that's the biggest problem: how do we get more women and girls interested."
After learning that only 9 out of 27 kids in a #STEM elective @KMSCupertino are girls, I met with the principal to discuss how we can make this ratio more equal. After my meeting, I am happy to announce the principal has agreed to balance this out. @CUSDK8 @CityofCupertino
Since cryptocurrency transactions are virtually anonymous, cybercriminals use them in dark markets for illicit trading. Through ransomware attacks like WannaCry, Petya, Locky, and Cerber, hackers receive a lot of money. Moreover, we learn about a cryptocurrency trading hack every so often, in which attackers steal thousands of dollars in Bitcoin. But how do they cash out, converting stolen money into fiat currency?
An example of how much hackers are after cryptocurrencies is the recent news of the "thefts of 2020". Bitcoin is one of the most valuable cryptocurrencies, and about half a billion dollars of it was stolen in total.
After stealing thousands of dollars' worth of cryptocurrency from exchanges and ransomware targets, understandably, cybercriminals will not retain it in electronic form. The next move is to turn cryptocurrency into real-world currency. Several cryptocurrency platforms enable cybercriminals to cash out their bitcoin without being detected, i.e., anonymously.
According to Google researchers, many victims buy bitcoins through Craigslist and Localbitcoins. And since 2014, more than 95% of all bitcoin payments received from ransomware targets were cashed out through a Russian bitcoin exchange called BTC-E.
As per a report by Chainalysis, cybercriminals use progressively rigorous techniques to transform illicitly acquired cryptocurrency into real money. Criminal entities sent $2.8 billion in bitcoin via cryptocurrency exchanges in 2019. And attackers use platforms known as "over-the-counter brokers" to turn cryptocurrency into real money.
Researchers at 360Netlab are warning of a cryptocurrency malware campaign targeting unpatched network-attached storage (NAS) devices.
Threat actors are exploiting two unauthorized remote command execution vulnerabilities, tracked as CVE-2020-2506 & CVE-2020-2507, in the Helpdesk app that the vendor fixed in October 2020.
The flaws affect QNAP NAS firmware versions prior to August 2020.
The malware involved in the campaign was dubbed UnityMiner by 360 Netlab experts.
"On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507); upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities," reads the analysis published by 360 Netlab.
Threat actors customized the program to hide the mining process and the real CPU and memory usage, concealing the malicious activity from QNAP owners who might check their system usage via the web management interface.
The mining program is composed of unity_install.sh and Quick.tar.gz. unity_install.sh downloads, sets up and executes the cryptocurrency miner and hijacks the manaRequest.cgi program of the NAS. Quick.tar.gz contains the miner program, the miner configuration file, the miner startup script and the forged manaRequest.cgi. Unity is an XMRig cryptocurrency miner.
360 Netlab shared its findings with the vendor on March 3rd, and given the potentially large impact, the researchers publicly disclosed the attacks.
All NAS devices with QNAP firmware released before August 2020 are currently vulnerable to these attacks.
The experts found 4,297,426 potentially vulnerable QNAP NAS devices exposed online (951,486 unique IP addresses), most of them located in the United States, China and Italy.
If you've ever used the Python programming language, or installed software written in Python, you've probably used PyPI, even if you didn't realize it at the time.
PyPI is short for the Python Package Index, and it currently contains just under 300,000 open source add-on modules (290,614 of them when we checked [2021-03-07T00:10Z]).
You can download and install any of these modules automatically just by issuing a command such as pip install [nameofpackage], or by letting a software installer fetch the missing components for you.
Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner's account, or by helpfully but dishonestly offering to "assist" with a project that the original owner no longer has time to look after.
Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.
Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.
However, Espinosa's hard-earned experience is not simply limited to the boardroom. In his latest book, "The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity", Espinosa shares his decades of experience in the fast-paced world of IT security. The decades of combined experience can practically be felt dripping through the pages as the chapters outline the essential steps to overcome the biggest adversary in cybersecurity. No, not the cybercriminals, but the toxic culture that many cybersecurity professionals find themselves in. The book takes a holistic approach to self-betterment, discussing the importance of so-called "soft skills" in the world of cybersecurity.