InfoSec Compliance & AI Governance For over 20 years, DISC InfoSec has been a trusted voice for cybersecurity professionals—sharing practical insights, compliance strategies, and AI governance guidance to help you stay informed, connected, and secure in a rapidly evolving landscape.
If you don’t fix your security vulnerabilities, attackers will exploit them. It’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too.
Whether you’re a technology executive, developer, or security professional, you are responsible for securing your application. However, you may be uncertain about what works, what doesn’t, how hackers exploit applications, or how much to spend. Or maybe you think you do know, but don’t realize what you’re doing wrong.
To defend against attackers, you must think like them. As a leader of ethical hackers, Ted Harrington helps the world’s foremost companies secure their technology. Hackable teaches you exactly how. You’ll learn how to eradicate security vulnerabilities, establish a threat model, and build security into the development process. You’ll build better, more secure products. You’ll gain a competitive edge, earn trust, and win sales.
Researchers at cybersecurity company GRIMM recently published an interesting trio of bugs they found in the Linux kernel…
…in code that had been sitting there inconspicuously for some 15 years.
Fortunately, it seemed that no one else had looked at the code for all that time, at least not diligently enough to spot the bugs, so they’re now patched and the three CVEs they found are now fixed:
CVE-2021-27365.Exploitable heap buffer overflow due to the use of sprintf().
CVE-2021-27363.Kernel address leak due to pointer used as unique ID.
CVE-2021-27364.Buffer overread leading to data leakage or denial of service (kernel panic).
The bugs were found in the kernel code that implements iSCSI, a component that implements the venerable SCSI data interface over the network, so you can talk to SCSI devices such as tape and disk drives that aren’t connected directly to your own computer.
Of course, if you don’t use SCSI or iSCSI anywhere in your network any more, you’re probably shrugging right now and thinking, “No worries for me, I don’t have any of the iSCSI kernel drivers loaded because I’m simply not using them.”
After all, buggy kernel code can’t be exploited if it’s just sitting around on disk – it has to get loaded into memory and actively used before it can cause any trouble.
Except, of course, that most (or at least many) Linux systems not only come with hundreds or even thousands of kernel modules in the /lib/modules directory tree, ready to use in case they are ever needed, but also come configured to allow suitably authorised apps to trigger the automatic loading of modules on demand.
Today’s world uses the information for a variety of purposes. City officials install traffic signals with traffic movement information, and accounting professionals use revenue and expenditure information to calculate annual earnings. So, experts established different domains intending to secures information. Such domains are Information security, Cybersecurity, and Ethical hacking.
In its 10th annual Risk Barometer, Allianz found that cyber incidents ranked third in a list of the most important global business risks for the upcoming year, coming in second behind risks stemming from the pandemic itself. We can expect cyber incidents to increase in frequency and sophistication as cyber criminals continue to leverage the various security lapses that accompany remote workforces.
However, something that has changed recently is how business leaders and boards of directors are viewing cyber risk. While previously seen as an issue solely for security and technology leaders to manage, executives are now pressuring security departments to financially quantify cyber risks facing their organizations.
In fact, a recent survey of 100 senior security professionals found that 70% of respondents have received pressure to produce cyber risk quantification for their business. Further, half of the respondents reported they have a lack of confidence in their ability to communicate and report the financial impacts of cyber risks, with a quarter saying they do not have a cyber risk quantification technology deployed at their company.
Why are executives pressuring CISOs to start financially quantifying cyber risk for their business? This process allows CISOs to identify and rank risk scenarios that are most critical to their enterprise, based on factors such as which attacks would have the biggest financial impact, and how equipped the company is to defend itself against any given attack.
Automated risk quantification makes this process even easier, removing the guesswork out of these decisions and streamlining the process of getting to actionable information. The potential for human error and subjectivity are removed completely from the equation.
Previously, security leaders have relied on theoretical models of risk like the Common Vulnerability Scoring System (CVSS). Even with this system, it can be difficult to prioritize the vulnerabilities that rank highest in terms of severity. This is even more challenging for leaders across the enterprise who may be unfamiliar with this system. Cyber risk quantification provides security leaders with a way to communicate the most pressing cyber threats facing a company that do not rely on a scoring system that is incomprehensible to anyone outside of the security department.
By assigning a dollar value to potential cyber incidents, business leaders have better visibility into the most pressing – and costly – threats facing the enterprise. With this information, the business and security teams can align their efforts and prioritize the largest risks, rather than dedicating resources to lower priority risks.
Teams can focus their efforts on ensuring the business has adequate controls and processes in place to defend against the costlier risks and make additional investments accordingly. It can also make it easier for leaders and boards to justify spending more time or money to proactively defend against certain risks.
For CISOs, cyber risk quantification also provides an easier way to communicate the value of their work to leadership. Security leaders can calculate the return on investment of their tools and teams in the context of risk reduction for the enterprise. This gives leaders better visibility into the risks facing their organizations in terms that are understandable and actionable. Conversely, cyber risk quantification can help to identify any issues with an organization’s existing cybersecurity program and measure improvement over time.
Overall, shifting to this type of risk-led approach for cybersecurity will result in data-driven and actionable insights that will allow leaders across all business departments to understand and act on the most critical cyber risks facing their enterprise.
We know that attacks are going to continue, whether they’re state-sponsored or cyber criminals, and it is critical for an enterprise to have a comprehensive view into your risk landscape. Now is the time for security leaders to adopt cyber risk quantification and more easily demonstrate how cybersecurity organizations are protecting their business operations from disruption and catastrophic harm.
A Chinese cyber-espionage group has shifted operations from targeting Vatican officials and Catholic organizations to telecom providers across Asia, Europe, and the US.
The group, known in the cybersecurity community as Mustang Panda or RedDelta, has been targeting employees of telecom companies since last fall, as a gateway inside organizations, with the end goal of stealing 5G-related information.
Chinese group targeted telco employees with job offers
According to a technical report published today by security firm McAfee and titled “Operation Diànxùn” [PDF], the Mustang Panda group primarily relied on luring telco employees to a malicious site masquerading as Huawei’s careers page.
The phishing site would ask users to install a Flash software update hosted on a malicious site, and this file would later download and install a .NET backdoor, which would communicate with the attacker’s remote infrastructure via a Cobalt Strike beacon.
McAfee said the point of these attacks was to gain a foothold on a telcos’ internal networks.
“We believe that this espionage campaign is aimed at stealing sensitive or secret information in relation to 5G technology,” the company said today.
Attacks were observed against telcos in Southeast Asia, Europe, and the US; however, McAfee said it observed the group also showing “strong interest in German, Vietnamese, and India telecommunication companies.”
Another gem in Mr. Mechler’s report is in Section 7.1, in which he reveals that acceptance testing of voting systems is done by the vendor, not by the customer. Acceptance testing is the process by which a customer checks a delivered product to make sure it satisfies requirements. To have the vendor do acceptance testing pretty much defeats the purpose.
Last year, the number of active phishing websites increased 350% from January to March alone. Now that employees are connecting to the office from their own remote networks and not through their office’s secure network, the chance of a security breach is higher than ever. While risk managers know this already, securing company data is essential to customer trust and longevity. To prioritize risk during remote work, risk managers need to involve executives and keep them updated and educated on potential problems and solutions. Prioritizing risk now will pay dividends in the long run.
Executive teams need to buy in — simply relegating all risk-related work to risk managers isn’t enough in the end. Investing time and money to form a risk-aware culture will better educate all employees on how to avoid common scams and prepare for larger-scale problems. Without prioritization and investment in risk, companies may not make it through the next major disruption and risk major security breaches.
A risk-aware culture can’t be created overnight. Risk managers and executives must first identify the risks and find out where the company stands, aligning risk culture with the existing company culture. Then, they can implement new risk management strategies that may require drastic changes, such as new software, revised policies and educational tutorials on risk. IT teams need to be on top of their game for virtual risks, educating employees and preparing them to ask the right questions. With phishing on the rise and data at a very vulnerable point, employees must be able to assess risk on their own.
Crooks devised a new method to hide credit card data siphoned from compromised e-stores, experts observed hackers hiding data in JPG files.
Cybercriminals have devised a new method to hide credit card data siphoned from compromised online stores, experts from Sucuri observed Magecart hackers hiding data in JPG files to avoid detection and storing them on the infected site.
The new exfiltration technique was uncovered while investigating a Magecart attack against an e-store running the e-commerce CMS Magento 2.
“A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file.” reads the post published by Sucuri.
The researchers discovered a PHP code that was found injected to the file ./vendor/magento/module-customer/Model/Session.php. The attackers use the getAuthenticates function to load the rest of the malicious code onto the compromised environment.
The code stored the siphoned data in the image file “pub/media/tmp/design/file/default_luma_logo.jpg,” in this way it is easy to hide, access, and download the stolen information without rising suspicious.
The PHP code injected into the site leverages the Magento function getPostValue to capture the POST data within the checkout page, then the captured POST data is encoded with base64 before the PHP operator ^ is used to XOR the stolen data.
“To successfully capture the POST data, the PHP code needs to use the Magento code framework. It relies on the Magento function getPostValue to capture the checkout page data within the Customer_POST parameter.” continues the post.
“Using the Magento function isLoggedIn, the PHP code also checks whether the victim that sent the POST request data is logged in as a user. If they do happen to be logged in, it captures the user’s email address.”
Customer_ parameter contains almost all of the information submitted by the victim on the checkout page, including full names and addresses, payment card details, telephone numbers, and user agent details.
Sucuri experts pointed out that captured data could be used for credit card fraud, spam campaigns, or spear-phishing attacks.
“Bad actors are always actively searching for new methods to prevent any detection of their malicious behavior on compromised websites.” concludes the post. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details for future use without gaining too much attention from the website owner.”
A network penetration test, or pen test, is a method of assessing a network’s security and identifying vulnerabilities in the network by the intentional use of malicious penetration techniques. In simple terms, an ethical hacker tries to hack your organization’s network, with your permission, to reveal underlying security risks to your network.
You may ask, “I have conducted a vulnerability assessment. Do I need to conduct a network penetration test, as well?”
Vulnerability assessment makes use of automated tools that only help pinpoint common security vulnerabilities. In contrast, during penetration testing, security experts act as hackers and simulate a potential cyberattack. They observe how your system will react to a cyberattack by a cybercriminal. They identify security weaknesses, and may provide remediation advice applicable to software, hardware, or even human management of the system.
Although some high-quality vulnerability assessment tools categorize security risks, assign risk levels and offer remediation suggestions, the need for pen testing can not be fulfilled by vulnerability assessment alone.
So, the answer is yes. For a complete picture of your network’s security, network penetration testing is a must.
AI and ML technologies have made great strides in helping organizations with cybersecurity, as well as with other tasks like chatbots that help with customer service.
Cybercriminals have also made great strides in using AI and ML for fraud.
“Today, fraud can happen without stealing someone else’s identity because fraudsters can create ‘synthetic identities’ with fake, personally identifiable information (PII),” explained Rick Song, co-founder and CEO of Persona, in an email interview. And fraudsters are leveraging new tricks, using the latest technologies, that allow them to slip past security systems and do things like open accounts where they rack up untraceable debt, steal Bitcoin holdings without detection, or simply redirect authentic purchases to a new address.
Some increasingly popular fraud tricks using AI and ML include:
Deepfakes that mimic live selfies in an attempt to circumvent security systems
Replicating a template across a dozen or more accounts to create fake IDs (these often use celebrity photos and their public data)
Mimicking the voice of high-level officials and corporate executives to extort personal information and money
“With this pace of evolution, companies are left at risk of holding the bag — they are not only losing money directly through things like loans and fees they can’t recoup and any restitution to impacted customers, but they’re also losing trust and credibility. Fraud costs the global economy over $5 trillion every year, but the reputational costs are hard to quantify,” said Song.
The exercise/event is called “Cyber Polygon” and it will take place this July. It is being sponsored by the WEF (World Economic Forum) and this is what they will focus on during the simulated cyber attack. This is from their website.
“Cyber Polygon 2021 will draw together leading global experts to discuss the key risks posed by digitalisation and share best practices in developing secure ecosystems. During the technical exercise, the participants will practise mitigating a targeted supply chain attack on a corporate ecosystem.”
Also from Technocracy news: Last year, the World Economic Forum teamed up with the Russian government and global banks to run a high-profile cyberattack simulation that targeted the financial industry, an actual event that would pave the way for a “reset” of the global economy. The simulation, named Cyber Polygon, may have been more than a typical planning exercise and bears similarities to the WEF-sponsored pandemic simulation Event 201 that briefly preceded the COVID-19 crisis.
There are four forms of password reuse and they all are bad
The first and easiest to prevent is the use of the same password on the same account. For example, if my username is michael.schenck, my password is Football123, and the system prompts me to change my password but lets me use Football123 again – then I’m reusing an old password. This is a problem because old password databases may have been stolen and cracked, in which case the Football123 password could be compromised. In this scenario, the credentials (which a hacker now has access to) will still work today. Remember, the internet never forgets.
The most common form of password reuse is the use of the same password and email/account name for multiple sites and services (e.g., using Football123 as the password for your email, Netflix, bank, and personal Microsoft account). If one account is hacked, you must assume all are hacked. This can be especially messy since the average business employee must keep track of 191 passwords and changing all 191 would take several days.
A related form of password reuse blends the last two together – reusing the same password across accounts with different usernames. Most workplace IT configurations won’t let users reuse passwords. However, when an employee changes companies, their former employer’s password history controls no longer apply. This allows older passwords to be used at a new job. This, too, is a bad practice. As the databases of passwords on the dark web and open-source intelligence sources continue to grow, it becomes easier for a hacker to link a password to a person – regardless of the account username or the company they work for.
The last form of password reuse is the use of a common password. Every year numerous publications list the top 10, 20, 100 passwords used in the previous year. For example, in 2020 more than 2.5 million people used the password “123456.” Lists of popular passwords are used by hackers to script – or brute-force – logins to gain access. If you use any of these common passwords, it won’t be long until you get hacked.
A security researcher has released a new proof-of-concept exploit that could be adapted to install web shells on Microsoft Exchange servers vulnerable ProxyLogon issues.
Since the disclosure of the flaw, security experts observed a surge in the attacks against Microsoft Exchange mailservers worldwide.
Check Point Research team reported that that in a time span of 24 hours the exploitation attempts are doubling every two hours.
“CPR has seen hundreds of exploit attempts against organizations worldwide” reads the post published by CheckPoint. “In the past 24 hours alone, CPR has observed that the number exploitation attempts on organizations it tracks doubled every two to three hours.”
Most of exploit attempts targeted organizations in Turkey (19%), followed by United States (18%) and Italy (10%). Most targeted sectors have been Government/Military (17% of all exploit attempts), followed by Manufacturing (14%), and then Banking (11%).
Security experts pointed out that the flaws are actively exploited to deliver web shells, and more recently ransomware such as the DearCry ransomware.
Last week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.
The availability of the proof-of-concept code was first reported by The Record.
“Exploitation and Sanitization of Hidden Data in PDF Files”
Abstract: Organizations publish and share more and more electronic documents like PDF files. Unfortunately, most organizations are unaware that these documents can compromise sensitive information like authors names, details on the information system and architecture. All these information can be exploited easily by attackers to footprint and later attack an organization. In this paper, we analyze hidden data found in the PDF files published by an organization. We gathered a corpus of 39664 PDF files published by 75 security agencies from 47 countries. We have been able to measure the quality and quantity of information exposed in these PDF files. It can be effectively used to find weak links in an organization: employees who are running outdated software. We have also measured the adoption of PDF files sanitization by security agencies. We identified only 7 security agencies which sanitize few of their PDF files before publishing. Unfortunately, we were still able to find sensitive information within 65% of these sanitized PDF files. Some agencies are using weak sanitization techniques: it requires to remove all the hidden sensitive information from the file and not just to remove the data at the surface. Security agencies need to change their sanitization methods.
Metadata (The MIT Press Essential Knowledge series)
Using an opt-in approach will help curb the excesses of Big Tech.
Americans have become inured to the relentless collection of their personal information online. Imagine, for example, if getting your suit pressed at the dry cleaner’s automatically and permanently signed you up to have scores of inferences about you — measurements, gender, race, language, fabric preferences, credit card type — shared with retailers, cleaning product advertisers and hundreds of other dry cleaners, who themselves had arrangements to share that data with others. It might give you pause.
But that’s the daily reality on the internet. Every minute a person spends online helps countless companies build a thicker dossier about that person.
Despite what corporations profess, much of this personal data is used not to improve products themselves, but to make those products more attractive to advertisers.
One straightforward solution is to let people opt in to data collection on apps and websites. Today, with few exceptions, loads of personal data are collected automatically by default unless consumers take action to opt out of the practice — which, in most cases, requires dropping the service entirely.
Virginia recently had the opportunity to extend firmer data protection rights to its residents. But the state’s Consumer Data Protection Act, signed into law this month, is a business-friendly package, supported by Amazon and Microsoft, that puts the onus on consumers to opt out of most data collection, except for the most sensitive personal details. Washington State lawmakers are advancing similar legislation.
China’s RedEcho sent a clear signal to India that, while China may engage in fisticuffs along the line of control, they were willing to escalate the low-intensity conflict into the cyber domain targeting India’s infrastructure.
We talked with Recorded Future’s Insikt Group about the RedEcho activity to learn if neighboring nations, or those involved with the Chinese Belt and Road Initiative, were similarly engaged by RedEcho, and learned that the attacks have “been exclusively focused on Indian targets.” With the publication of the report on March 1, the Insikt Group noted that activity “gradually ceased and the last communication identified between the victim organizations and the RedEcho infrastructure was on March 2, 2021.”
The Insikt Group added that the RedEcho team “parked large amounts of their infrastructure, likely in response to the public reporting and incident response efforts.” They opined, “It remains to be seen how the group’s longer term M.O. will evolve following publication, but we believe it is likely that they will attempt to use other methods to attempt to maintain persistent access to the targeted organizations. This highlights the need for a full incident response effort for affected organizations to ensure the group does not maintain other means of network access.”
National Infrastructure
Cyberattacks against national infrastructure are neither unique nor new in a global context.
Dr. Christopher Ahlberg, CEO and co-founder, Recorded Future, tells us, “The impact of a cyberattack targeting the critical infrastructure of a country, whether for espionage or malicious activity, has the potential to be catastrophic with long-term repercussions. We have long seen cyber efforts from China aimed around strategic policies and initiatives, and this campaign from RedEcho is no exception. Accurate and actionable intelligence is vital for preempting such attacks and proactively disrupting adversaries both within an organization and across a nation.”
Chris Blask, global director, applied innovation at Unisys, said, “The findings about RedEcho are another indication that the trend towards using cyber means against national infrastructure for political ends continues to follow its multi-decade curve.”
“Nation-states should continue to develop processes, such as seen in the NERC CIP series of regulations, for lessons,” Blask said. “The timing of NERC CIP 13 last October requiring supply chain strategies for critical electrical operators, the SolarWinds attack, and the Feb. 24, 2021 executive order from U.S. president Joe Biden creating a 100-day window for federal departments to develop supply chain security strategies can be seen as an indication of areas for those working on national defense systems to focus.”
We strongly suggest that customers using Signal Sciences Next-Gen WAF in front of their Microsoft Exchange servers enable this rule as soon as possible and configure it to block requests if the signal is observed. Additionally, follow all guidance from Microsoft to patch affected systems. The vulnerabilities in question are actively being exploited globally and have severe impact.
Patching Microsoft Exchange systems
We are seeing a large uptick in exploitation attempts in the wild. This is an evolving story and our teams are working continuously to ensure the rules are catching the latest attacks, but this should not be your only line of defense. We strongly recommend that you patch affected systems, perform incident response, and follow recommendations from Microsoft.
Exploit chain
The observed attacks on Microsoft Exchange systems chain together multiple CVEs (Common Vulnerabilities and Exposures) to carry out the attack. The impact of these attacks range from full system takeover through Remote Code Execution (RCE), as well as email inbox exfiltration and compromise. At a high level, the exploit chain is carried out as follows:
A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server identified as CVE-2021-26855 allows attackers to send HTTP requests to the exposed Exchange server and access other endpoints as the Exchange server itself. This is an unauthenticated step of the attack which makes the vulnerability exceptionally easy to exploit.
An insecure deserialization vulnerability identified by CVE-2021-26857 leverages the SYSTEM-level authentication obtained by the above SSRF attack to send specially-crafted SOAP payloads which are insecurely deserialized by the Unified Messaging Service. This gives the attacker the ability to run code as SYSTEM on the Exchange server.
After CVE-2021-26855 is successfully exploited, attackers can then utilize CVE-2021-27065 and CVE-2021-26858 to write arbitrary files to the Exchange server itself on any path. This code that is uploaded by the attacker is run as SYSTEM on the server. Lateral movement, malware implanting, data loss, escalation, and more can be carried out through these vulnerabilities.
By enabling the Signal Sciences Next-Gen WAF templated rule, the first step in the exploit chain cannot be carried out. If you would like to dig deeper into the technical details of this chain of attacks please see this post by the folks at Praetorian. To enable the templated rule, please refer to our documentation for details on how to enable templated rules.
The secret to resolving compliance and security issues before they escalate into costly audit penalties is to proactively add an automated compliance and security management system in the cloud environment. This way your company can take advantage of all the security benefits offered by the cloud provider while also managing other security aspects critical to your company’s operations while also providing an audit trail that can be used to help verify compliance.
In short, your company needs the means to detect specific issues and correct them prior to an official compliance certification audit. The top areas that auditors check are all centered on data access. That’s understandable given that Gartner predicts that “by 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.”
Cloud security automation can scale along with your workloads in cloud environments and correct compliance issues and security vulnerabilities as they occur. Your company should consider the following when selecting an Identity Access Management (IAM) product to use in cloud environments to automate corrections and ensure compliance.
More easily visualize the current IAM posture and get alerts about excessive permissions
Get proof of regulatory compliance and data hygiene along with verification that relevant assets can only be accessed from specific areas in the application
Monitor any changes in the application that require updates in its security policy
If needed, create a new security policy that reflects the needs of each cloud-based asset
Ease of deployment in the pre-production and production environments
If you are a business looking to comply with various data privacy laws, look no further. We can help with Privacy as a Service. 👍
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly * Remain one step ahead of legislative developments with affordable advice and support * Reduce privacy risks with one simple subscription service * Enjoy peace of mind with your own dedicated data privacy manager
![Cybersecurity for Executives in the Age of Cloud by [Teri Radichel]](https://m.media-amazon.com/images/I/51yWmk6hKiL.jpg)
