Mar 02 2021

Pwn20wnd released the unc0ver v6.0 jailbreaking tool

Category: Jail break | DISC @ 4:40 pm

The popular jailbreaking tool called “unc0ver” now supports iOS 14.3 and earlier releases, and is able to unlock almost every iPhone device.

Pwn20wnd, the author of the jailbreaking tool “unc0ver,” has updated the software to support iOS 14.3 and earlier releases. The latest release, unc0ver v6.0.0, now includes exploit code for the CVE-2021-1782 vulnerability, which Apple said in January was being actively exploited by threat actors.

By jailbreaking an iOS mobile device it is possible to remove the restrictions imposed by Apple’s operating system. Jailbreaking gives users root access to the iOS file system and manager, which allows them to download and install applications and themes from third-party stores.

Apple did not disclose info about the attacks in the wild exploiting this vulnerability.

The CVE-2021-1782 flaw is a race condition issue that resides in the iOS operating system kernel.

“A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory. “A race condition was addressed with improved locking.”

unc0ver v6.0.0 can be used to unlock any device running iOS 11.0 through iOS 14.3. Below is the announcement Pwn20wnd made on Twitter.

Tags: Jail Break, Pwn20wnd


Mar 02 2021

Cybersecurity Best Practices for 2021

Category: cyber security, Information Security | DISC @ 2:02 pm
CYBERSECURITY: It’s not just a good idea. Register to learn more.


Tags: Cyber Security Webinar


Mar 02 2021

Search crimes – how the Gootkit gang poisons Google searches

Category: Cybercrime | DISC @ 1:06 pm

Ransomware gets the big headlines, because of the enormous blackmail demands that typically arrive at the end of ransomware attacks.

Indeed, the word “ransom” only expresses half the drama these days, because modern ransomware attacks usually involve the crooks making copies of all your data first before scrambling it.

The crooks then demand a combination payout, part ransom and part hush-money.

You’re not only paying to get the local copies of your data unscrambled, but also paying for a promise from the crooks that they’ll delete all the data they just stole instead of releasing it to the public.

But what about the very start of a ransomware attack?

Technically, that’s often a lot more interesting – and often more important, too, given that many ransomware attacks are merely the final blow to your network at the end of what may well have been an extended attack lasting days, weeks or even months.

Given the danger that arises as soon as the crooks sneak into your network, it’s as important to learn how malware gets delivered in the first place as it is to know what happens to your files when ransomware finally scrambles them.

With this in mind, SophosLabs has just published an intriguing report on a malware delivery ecosystem dubbed Gootloader.

You may have heard reference to Gootkit, a name given to the malware family of which Gootloader forms a part, because it’s been around for several years already.

But SophosLabs decided to give the initial delivery mechanism a name of its own and study it in its own right:

The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft. In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.

In the past, Sophos and other security experts have bundled the discussion of the malware itself with analysis of the delivery mechanism, but as this method has been adopted to deliver a wider range of malicious code, we assert that this mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we’ve decided to call it Gootloader.

The report goes into the sort of detail that is well worth knowing if you’re interested in how modern malware embeds and extends itself inside a network, including a discussion of so-called “fileless” attacks.

Search crimes – how the Gootkit gang poisons Google searches

Tags: Gootkit gang, poisons Google searches


Mar 01 2021

Cybersecurity Best Practices for 2021

Category: Information Security | DISC @ 6:50 pm

CYBERSECURITY: It’s not just a good idea. Register to learn more.

Please join Mary Ellen Seale, Founder/CEO of NCSS, Peter Levett, Chief of Staff from the cybersecurity firm SecureCircle, and Phil Bandy, CISO Sharevault from the safety of your desk on Thursday, March 4th at 9am PST as our experts explore this ongoing threat and offer best practices for mitigation.

If cybersecurity is part of your strategic plan for 2021, and it should be, then you might want to check out the National Cybersecurity Society (NCSS).

The National Cybersecurity Society is a community of participating technology professionals focused on helping small businesses stay safe online. The NCSS is a non-profit organization that provides cybersecurity education, awareness and advocacy to its small business members, specifically cybersecurity education tailored to the needs of the small business owner. The NCSS assists its small business members in assessing their cybersecurity risk, distributes threat information to members so that they will be more knowledgeable about the threats facing their business, and provides advice on the type of services needed to stay safe online. You know cybersecurity is important, but where do you start? What organizational assets do you need to protect? Is it only your IT assets? Is it your IP?

The NCSS website provides several helpful guides to get you started on your cybersecurity journey. At the top of the list is simply understanding and identifying what is vital to protect. It starts with employing a risk assessment methodology. This involves identifying your organizational assets (people, information, technology, facilities) and assigning responsibility for those assets in order to protect them appropriately.

Once organizational assets are defined, the next step is to define the relationship between those assets and the high-value services they support. This requires a process that examines and validates this relationship through periodic reviews. Lastly, it requires your organization to maintain and sustain an inventory of these assets and high-value services. It’s important to keep this information up to date and modified when circumstances or events change.

STEP 1: INVENTORY

Create an inventory of your people – not just your employees, but your suppliers and partners, the data you need to run your business, the technology assets you need (computers, servers – the entire infrastructure), and the facilities needed to house and operate your business.

STEP 2: HIGH-VALUE SERVICES

Create a list of high-value services that keep your business functioning – logistics, financial, service delivery, assembly, manufacturing. Define what are the key services you need – those services that if lost, delayed or compromised would impact your business.

STEP 3: MAPPING

Create a mapping of people, data, technology and facilities to the high-value services they support. Define the relationship between these assets and the high-value services. Validate the relationship through periodic reviews. As an example, if the supplier for your medical equipment changes, and this supplier has been identified as key personnel, have you updated your mapping relationships? Did you review the contract with the new medical supplier to determine if anything has changed that would affect your service delivery? Leveraging your people to take responsibility for certain high-value services and keeping the critical information current is key to protecting your assets.

STEP 4: INVENTORY PLAN

A plan is only useful if it is kept current and up-to-date. Schedule an annual inventory and mapping exercise to ensure that the protection mechanisms you employ support valid assets. A good rule of thumb: Once a year.

STEP 5: CONTINUITY PLAN

A sound business strategy includes continuity plans. For all your high-value services that depend on critical people, data, technology and facilities, you will need a contingency plan in place in the event any of these assets is compromised. The NCSS also has helpful resources on how to develop a Continuity Plan.

If you’d like to learn more about The NCSS and best practices for cybersecurity for your business, please join ShareVault for our upcoming webinar on cybersecurity. For this webinar we’ve assembled a panel of cybersecurity experts (including the founder of The National Cybersecurity Society) to discuss the current cyberthreat landscape, the bad actors, and best practices for preventing a devastating breach that could cost your company millions.

The panel includes Mary Ellen Seale, Founder/CEO of NCSS, Peter Levett, Chief of Staff from the cybersecurity firm SecureCircle, and Phil Bandy, ShareVault’s Chief Information Security Officer who formerly provided information security to NASA.

Source: Cybersecurity Best Practices for 2021


Mar 01 2021

5 Top Cybersecurity Career Paths & Certifications

Category: Security Awareness, Security training | DISC @ 1:05 pm

We are living in a world of innovations. Now imagine those innovative technologies with zero security: a real nightmare. Cybersecurity comes to the rescue. Cybersecurity is an immense ocean of many fields, and many skilled practitioners live in this ocean, each with their own expertise. Cybersecurity is what keeps organizations sane and safe. For that reason, I will discuss the fields that are currently growing fastest and the certifications that help in those fields.

Before diving into the ocean of cybersecurity, let us understand why to choose cybersecurity. Imagine being the CEO of a company that makes digital children’s toys, promising every parent that the information the toys collect about their children will stay safe. Then the organization suffers a cyber-attack that leaks all of that information. That is a huge blow to the organization’s reputation.

Cybersecurity promises to secure the organization’s systems from cyberattacks and to keep user information safe. Cybersecurity professionals put all their effort into creating a secure and protected environment, not only for organizations but also for all the users connected to the network/internet.

The world is becoming digital day by day, and the growth in cybersecurity is not slowing down. The rate of cybercrime is also increasing, which in turn brings many job opportunities in cybersecurity.

According to the New York Times, 3.5 million cybersecurity jobs are available this year. The United States Bureau of Labor Statistics (BLS) projects that over the next ten years cybersecurity jobs will increase by 30% compared to other computing jobs.

Job performance is another category where cybersecurity staff performs well. The (ISC)2 Cybersecurity Workforce Report in 2019 showed that 71% of cybersecurity professionals in the United States are happy with their employment.

Now, the question that arises is where to kick-start a career in cybersecurity.

Breaking IN: A Practical Guide to Starting a Career in Information Security by Ayman Elsawah

Tags: Cybersecurity Career


Mar 01 2021

Intern caused ‘solarwinds123’ password leak

Category: Password Security | DISC @ 11:19 am

Initial investigation suggested that the password “solarwinds123” was publicly accessible via a misconfigured GitHub repository since June 17, 2018. The issue was addressed on November 22, 2019.

New details emerged about the security breach in a hearing before the House Committees on Oversight and Reform and Homeland Security, where CEO Sudhakar Ramakrishna confirmed that the password had been in use as early as 2017.

A preliminary investigation revealed that the threat actors behind the SolarWinds attack compromised the SolarWinds Orion supply chain as early as October 2019, but CrowdStrike’s researchers later dated the initial compromise to September 4, 2019.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”

“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” Ramakrishna said in response to Porter.

Intern caused ‘solarwinds123’ password

Tags: solarwinds123


Feb 28 2021

Npower shuts down app after hackers steal customer bank info

Category: Cyber Threats, Cybercrime, Hacking | DISC @ 11:03 pm

Tags: Npower


Feb 28 2021

Why enterprises need rugged devices with integrated endpoint management systems

Paired longevity solutions in hardware and software

There is a solution to both these issues – durability and security.

Rugged devices are designed specifically for your hardworking enterprise operations. They integrate seamlessly into UEM and MDM platforms, can be trained to only engage with secure networks, and can be geofenced to turn themselves into expensive paperweights if taken off-property.

Rugged devices are not only trusted for their durability and performance, but their security capabilities are also unparalleled when it comes to providing your IT security team with top-down controls over device management and data security.

Their sturdy construction, replaceable shift batteries, and stable software platform ensure that your investment will last for years and will eliminate “down-time” (if used correctly).

What’s more, a survey conducted by Samsung found that employees were not only open to using ruggedized devices: over 90% of respondents currently using rugged tech – and over half of non-user respondents – wanted management to invest more in such devices.

Why enterprises need rugged devices with integrated endpoint management systems

Tags: MDM, UEM


Feb 28 2021

EU leaders aim at boosting defense and security, including cybersecurity

Category: cyber security | DISC @ 12:21 pm

During the recent video conference of the members of the European Council (25-26 February 2021), NATO chief Jens Stoltenberg highlighted the importance of defining a strategy to boost defense and security.

“We want to act more strategically, to defend our interests and to promote our values.” said Charles Michel, President of the European Council. “We will step up our cooperation and our coordination to combat hybrid threats and disinformation.”

Member states highlighted the importance of close cooperation with NATO and strengthening partnerships with the UN and key regional partners. The EU leaders emphasized that they looked forward to cooperating with the new US administration on a strong and ambitious transatlantic agenda that included a close dialogue on security and defence.

Participants are committed to providing secure European access to space, cyberspace and the high seas.

“In light of the growing number and complexity of cyber threats, we aim to strengthen European cyber resilience and responsiveness and to improve the cybersecurity crisis management framework. Following the Cybersecurity Strategy presented in December 2020, we invite the Commission and the High Representative to report on implementation by June 2021.” reads a statement from EU leaders. “In addition, we invite the co-legislators to swiftly take work forward, particularly on the revised Directive on security of network and information systems (NIS 2 Directive). We also call for greater cooperation and coordination to prevent and respond to hybrid threats, including disinformation, inter alia by involving the private sector and relevant international actors.”

EU leaders invited the Commission and the High Representative, Josep Borrell, to work on the implementation of the Cybersecurity Strategy by June 2021.

Tags: boosting defense and security, EU leaders


Feb 26 2021

The M.D. Anderson Case and the Future of HIPAA Enforcement

Category: hipaa | DISC @ 11:09 am

The U.S. Court of Appeals for the 5th Circuit just issued a blistering attack on HIPAA enforcement by the U.S. Department of Health and Human Services (HHS). In University of Texas M.D. Anderson Cancer v. Department of Health and Human Services (No. 19-60226, Jan. 14, 2001), the 5th Circuit struck down a fine and enforcement action by HHS as arbitrary and capricious. This case has significant implications for HHS enforcement — and for agency enforcement more generally.

My reactions to the case are mixed. The court makes a number of good points, and it identifies flaws with HHS’s interpretation of HIPAA and with its enforcement approach. But there are parts of the opinion that overreach and that are unrealistic.

The case arises out of an HHS civil monetary penalty (CMP) against the University of Texas M.D. Anderson Cancer Center for $4,348,000 for a series of incidents involving unencrypted portable electronic devices being lost or stolen. In 2012, a faculty member had ePHI of 29,021 people on an unencrypted laptop that was stolen. Subsequently, in 2013, a trainee and visiting researcher lost unencrypted USB drives with ePHI of thousands of patients on them. HHS imposed a fine of $1.348 million for violating the HIPAA Encryption Rule for the 2012 incident and $1.5 million for each of the 2013 incidents, adding up to a total of $4.348 million.

Applying the Administrative Procedure Act (APA), the Fifth Circuit concluded that HHS’s enforcement was “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2). There are several parts of the court’s decision that are worth discussing.

(1) Interpretation of the Encryption Rule

The court held that HHS misinterpreted the HIPAA Encryption Rule. The rule states that covered entities must “implement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv). HHS contended that the rule was violated because the devices weren’t encrypted. The court, however, emphasized that the rule uses the words “implement a mechanism to encrypt” rather than requiring that devices actually be encrypted:

Source: The M.D. Anderson Case and the Future of HIPAA Enforcement

Tags: M.D. Anderson Case


Feb 26 2021

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Microsoft announced the release of the open-source CodeQL queries that its experts used during its investigation into the SolarWinds supply-chain attack.

In early 2021, the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.

The four agencies were part of the Cyber Unified Coordination Group (UCG), the task force charged with coordinating the investigation and remediation of the SolarWinds hack, which had a significant impact on federal government networks.

The UCG said the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.

According to the security experts, Russia-linked threat actors hacked into SolarWinds in 2019 and used the Sundrop malware to insert the Sunburst backdoor into the supply chain of the SolarWinds Orion monitoring product.

Microsoft, which was hit by the attack, published continuous updates on its investigation and has now released the source code of the CodeQL queries its experts used to identify indicators of compromise (IoCs) associated with Solorigate.

“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.” reads the blog post published by Microsoft. “We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality.”

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Tags: CodeQL, Solorigate compromise


Feb 25 2021

U.S. municipalities are the perfect target for cybercriminals in 2021

Category: Cybercrime | DISC @ 6:50 pm

Tags: U.S. municipalities


Feb 25 2021

A Cryptomining botnet abuses Bitcoin blockchain transactions as C2 backup mechanism

Category: Crypto, Cybercrime | DISC @ 2:42 pm

Tags: Cryptomining botnet


Feb 25 2021

How FAIR & ISO 27001 Work Together

Category: ISO 27k, Security Risk Assessment | DISC @ 11:43 am

We are often asked whether FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.

The answer is yes — by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.

The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.

Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.
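As an added illustration of the decomposition just described (this is example code written for this page, not RiskLens or FAIR Institute software), the simulation below builds risk from FAIR's top-level factors: loss event frequency (threat event frequency multiplied by vulnerability, the probability a threat event becomes a loss event) and loss magnitude (primary plus secondary loss). Each factor is given as a calibrated minimum / most-likely / maximum estimate; the three numbers in the sample scenario are constructed, and the choice of a beta-PERT distribution for the estimates and a Poisson count for yearly loss events are this example's assumptions, not something the post specifies. The output is what the paragraph promises: a range of probable annual loss in dollars rather than a colour.

```python
import math
import random
import statistics

# Constructed scenario: a ransomware-style loss event against a file server.
# Every factor is a calibrated (min, most_likely, max) estimate.
EXAMPLE_SCENARIO = {
    "tef": (2.0, 6.0, 20.0),            # threat events per year
    "vuln": (0.10, 0.30, 0.60),         # P(threat event becomes a loss event)
    "primary_loss": (20_000, 80_000, 400_000),   # dollars per loss event
    "secondary_loss": (0, 30_000, 250_000),      # fines, churn, legal, per event
}


def pert_sample(rng, low, likely, high, lam=4.0):
    """Draw one value from a beta-PERT distribution over [low, high]
    whose mode is `likely` (the usual shape for calibrated estimates)."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (likely - low) / (high - low)
    beta = 1.0 + lam * (high - likely) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, mean):
    """Number of loss events in one year, Poisson(mean) via Knuth's method
    (fine for the small per-year rates a FAIR scenario produces)."""
    threshold = math.exp(-mean)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Monte Carlo over the FAIR factors; returns one total loss per simulated year."""
    rng = random.Random(seed)
    yearly_losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        lef = tef * vuln                      # loss event frequency, events / year
        n_events = poisson_sample(rng, lef)
        total = 0.0
        for _ in range(n_events):             # loss magnitude is drawn per event
            total += pert_sample(rng, *scenario["primary_loss"])
            total += pert_sample(rng, *scenario["secondary_loss"])
        yearly_losses.append(total)
    return yearly_losses


def summarize(losses):
    """Express the simulated years as a loss-exposure range in dollars."""
    ordered = sorted(losses)

    def pct(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {
        "mean": statistics.mean(ordered),     # annualized loss expectancy
        "p10": pct(0.10),
        "p50": statistics.median(ordered),
        "p90": pct(0.90),
        "max": ordered[-1],
        "p_no_loss": sum(1 for x in ordered if x == 0) / len(ordered),
    }


if __name__ == "__main__":
    report = summarize(simulate_annual_loss(EXAMPLE_SCENARIO))
    print("Annual loss exposure (constructed scenario):")
    for key, value in report.items():
        if key == "p_no_loss":
            print(f"  chance of a loss-free year: {value:.1%}")
        else:
            print(f"  {key:>5}: ${value:,.0f}")
```

The useful output is the p10 to p90 band and the mean, which is what a business decision maker can compare against the cost of a control: re-run the simulation with the vulnerability or loss-magnitude estimates a proposed control would justify, and the difference in loss exposure is the control's value in the same currency as its price.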

Source: How FAIR & ISO 27001 Work Together

Measuring and Managing Information Risk: A FAIR Approach

Tags: FAIR, Quantitative Cyber Risk Management


Feb 25 2021

Proven Use Cases to Start Quantitative Cyber Risk Management

Category: Risk Assessment, Security Risk Assessment | DISC @ 11:05 am

With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management – but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be…

…a slow, evolutionary process.

Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms. And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.

Proven Use Cases to Start Quantitative Cyber Risk Management

Tags: Quantitative Cyber Risk Management


Feb 25 2021

Third-party risk management programs still largely a checkbox exercise

Category: Vendor Assessment | DISC @ 9:19 am

Recent data indicates that third-party risk management (TPRM) programs are inconsistent (at best) when it comes to digging deep enough for clues of security issues lurking in the enterprise’s vendor and partner ecosystem. Even more troubling? Very few TPRM security assessments result in remediation action.

So TPRM programs are nominally jumping through hoops to ask vendors about or observe their security controls. But few of them are actually doing much to work with their vendors to bolster the security of these third-party IT environments.

This was one of the key findings of a recent report compiled by Cyentia Institute on behalf of RiskRecon. Conducted among 154 TPRM professionals operating in a range of industries, the study showed that a whopping 81% of respondents admit they rarely require remediation from third parties after an assessment.

And that’s not because everything is fine and dandy with these vendors’ security controls. The survey showed that a slim 14% of these professionals are highly confident that their vendors are performing security requirements. That’s not from an utter lack of investment. At this point some 79% of organizations have a formal TPRM program, with a median of at least two full-time employees. Some of these programs are just getting underway, but many have been established for some time and the average age of these programs is now five to six years.

Obviously, these investments in TPRM programs are not being fully realized through effective risk reduction, so what gives? The survey results indicate that this may be a classic checkbox-compliance scenario. According to respondents, regulatory compliance is the runaway top driver for the development of their company’s TPRM program. Some 62% cited compliance as their number one motive for running a program, in contrast to just 22% who named executive mandates and 16% who cited customer requirements.

This likely explains why so many organizations today still rely so heavily on security questionnaires, as that’s the bare minimum required by most compliance regimes. The survey showed that twice as many organizations regularly utilize questionnaires – 84% – as compared to those (42%) who utilize a more verifiable assessment method like cybersecurity ratings. This is in spite of the fact that only about one in three TPRM professionals actually believe questionnaire responses.

Clearly there’s more work to be done. The good news is that the forces at play within the TPRM world are following a maturity playbook that most cybersecurity and risk professionals know well.

Tags: Third-party risk management, TPRM


Feb 24 2021

How Security Culture Invokes Secure Behavior

Category: Information Security | DISC @ 9:45 pm

Build a security culture

Tags: Build a security culture


Feb 24 2021

6 free cybersecurity tools CISOs need to know about

Category: CISO, vCISO | DISC @ 3:11 pm

6 free cybersecurity tools for 2021

1: Infection Monkey

Infection Monkey is an open source Breach and Attack Simulation tool that lets you test the resilience of private and public cloud environments to post-breach attacks and lateral movement, using a range of RCE exploiters.

Infection Monkey was created by Israeli cybersecurity firm Guardicore to test its own segmentation offering. Developer Mike Salvatore told The Stack: “Infection Monkey was inspired by Netflix’s Chaos Monkey.

“Chaos Monkey randomly disables production instances to incentivize engineers to design services with reliability and resilience in mind. We felt that the same principles that guided Netflix to create a tool to improve fault tolerance could be applied to network security. Infection Monkey can be run continuously so that security-related shortcomings in a network’s architecture can be quickly identified and remediated.”

The company recently added a Zero Trust assessment, as well as reports based on the MITRE ATT&CK framework.

Source: 6 free cybersecurity tools CISOs need to know about

Tags: free cybersecurity tools, Infection Monkey


Feb 24 2021

Cybersecurity Standards

Category: cyber security, ISO 27k | DISC @ 11:29 am
Browse Cyber Security Standards in the leading UK and international cyber security standards bookstore

Tags: Cybersecurity Standards, ISO standards


Feb 24 2021

Nmap Cheat Sheet

Category: Cheat Sheet, Network security, Risk Assessment | DISC @ 9:52 am

Nmap Cheat Sheet – Infographic by SANS Institute

Tags: Nmap, Nmap network scanning

