Jan 25 2019

Windows 7 migration warning: Plan now to avoid security worries later | ZDNet

Category: Information Security | DISC @ 9:56 am

Malware can spread much more easily on obsolete platforms, warns security body. With less than a year until the end of Windows 7 support, don’t get caught out.

Source: Windows 7 migration warning: Plan now to avoid security worries later | ZDNet

Tags: Windows 7, windows security


Jan 24 2019

Google Creates Online Phishing Quiz

Category: Phishing | DISC @ 11:59 am

Google Alphabet incubator Jigsaw says knowing how to spot a phish plus two-factor authentication are the best defenses against falling for a phishing email.

Source: Google Creates Online Phishing Quiz


Jan 24 2019

Security is the no. 1 IT barrier to cloud and SaaS adoption

Category: Cloud computing | DISC @ 8:32 am

More than 70% of tech professionals said security spending has increased in the past year, according to a Ping Identity report.

Source: Security is the no. 1 IT barrier to cloud and SaaS adoption

Cloud Security

Tags: cloud security, Cloud Security Alliance


Jan 23 2019

Center for Internet Security releases Microsoft 365 benchmarks

Category: App Security, Information Security | DISC @ 11:01 am

Follow the guidance in this CIS document to configure Microsoft 365 security settings to the level that suits your organization.

Source: Center for Internet Security releases Microsoft 365 benchmarks



Jan 23 2019

Chinese Hacker Publishes PoC for Remote iOS 12 Jailbreak On iPhone X

Category: Jail break | DISC @ 9:24 am

Here we have great news for all iPhone jailbreak lovers, and concerning news for the rest of iPhone users.

A Chinese cybersecurity researcher has today revealed technical details of critical vulnerabilities in the Apple Safari web browser and iOS that could allow a remote attacker to jailbreak and compromise a victim’s iPhone X running iOS 12.1.2 or earlier.

Source: Chinese Hacker Publishes PoC for Remote iOS 12 Jailbreak On iPhone X

Tags: Jail Break


Jan 22 2019

Did you win at online casinos? Your data might have been exposed online

Category: Security Breach | DISC @ 1:47 pm

Data belonging to online casinos was found exposed online on an unprotected Elasticsearch instance; it includes information on 108 million bets and user details.

Source: Did you win at online casinos? Your data might have been exposed online

More on Data Security

Jan 22 2019

Businesses can safely delay patching most vulnerabilities

Category: Information Security, Security patching | DISC @ 8:38 am

Patching vulnerabilities is often seen as a key element of keeping systems secure. But a new report suggests businesses could be ‘smarter’ in their patching regimes and prioritize the i…

Source: Businesses can safely delay patching most vulnerabilities

🔒 securing the business 🔒

DISC InfoSec



Jan 21 2019

New Rocke Group Malware Turns off Your Cloud Security Tools

Category: Malware | DISC @ 11:09 pm

A new Rocke Group malware sample “captured” and analysed by Palo Alto Networks Unit 42 has adopted code to uninstall five cloud security protection products.

Source: New Rocke Group Malware Turns off Your Cloud Security Tools


Jan 21 2019

Windows Zero-Day Bug That Lets Attackers Read Any File Gets Micropatch

Category: Zero day | DISC @ 1:12 pm

A micropatch is now available for a zero-day vulnerability in Windows that allows unauthorized read access with the highest privileges to any file on the operating system.

Source: Windows Zero-Day Bug That Lets Attackers Read Any File Gets Micropatch



Jan 21 2019

Iranian developer advertised BlackRouter Ransom-as-a-Service

Category: Ransomware | DISC @ 12:53 pm

An Iranian developer is promoting on a Telegram hacking channel the BlackRouter ransomware through a Ransomware-as-a-Service model.

Source: Iranian developer advertised BlackRouter Ransom-as-a-Service



Jan 20 2019

8 Tips for Monitoring Cloud Security

Category: Cloud computing | DISC @ 6:30 pm

Cloud security experts weigh in with the practices and tools they prefer to monitor and measure security metrics in the cloud.

Source: 8 Tips for Monitoring Cloud Security


Jan 19 2019

3 Compelling Reasons To Invest In Cyber Security – Part 3

Category: cyber security | DISC @ 11:40 pm

Cyber security is among the essential subjects to boards, alongside business strategy and leadership. Your compelling case to gain an investment is now here!

Source: 3 Compelling Reasons To Invest In Cyber Security – Part 3


Sep 25 2018

Privacy notice under the GDPR

Category: GDPR | DISC @ 8:58 pm

A privacy notice is a public statement of how your organisation applies data protection principles to processing data. It should be a clear and concise document that is accessible by individuals.

Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects. These are more detailed and specific than in the UK Data Protection Act 1998 (DPA).

The GDPR says that the information you provide must be:

• Concise, transparent, intelligible and easily accessible;
• Written in clear and plain language, particularly if addressed to a child; and
• Free of charge.

Help with creating a privacy notice template

The privacy notice should address the following to sufficiently inform the data subject:

• Who is collecting the data?
• What data is being collected?
• What is the legal basis for processing the data?
• Will the data be shared with any third parties?
• How will the information be used?
• How long will the data be stored for?
• What rights does the data subject have?
• How can the data subject raise a complaint?

Below is an example of a customisable privacy notice template, available from IT Governance here.

[Image: GDPR Privacy Notice Template, an example from the EU GDPR Documentation Toolkit, available to purchase from IT Governance]

If you are looking for a complete set of GDPR templates to help with your compliance project, you may be interested in the market-leading EU GDPR Documentation Toolkit. This toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:

• A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
• Helpful dashboards and project tools to ensure complete GDPR coverage;
• Direction and guidance from expert GDPR practitioners; and
• Two licences for the GDPR Staff Awareness E-learning Course.

Tags: GDPR Privacy, GDPR Privacy Notice


Sep 24 2018

Why your organisation should consider outsourcing its DPO

Category: GDPR | DISC @ 2:47 pm

By Laura Downes

Since the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, demand for DPOs (data protection officers) has increased. The Regulation stipulates that certain organisations must appoint a DPO to support their GDPR compliance. DPOs also have an essential role as intermediaries between relevant stakeholders, such as supervisory authorities, data subjects, and business units within an organisation.

Your organisation will need to appoint a DPO if it:

• Is a public authority or body;
• Regularly and systematically monitors data subjects; or
• Processes special categories of data on a large scale.

The GDPR does not stipulate the level of experience a DPO must have, meaning some organisations might appoint an internal team member who does not have the experience or qualifications required, leaving them wide open to error.

Why you should consider outsourcing your DPO

Suitably skilled and experienced DPO candidates are hard to find. Outsourcing the role not only satisfies the requirements of the GDPR but also ensures your organisation is employing proper data handling and privacy policies. Furthermore, there is no conflict of interest between the DPO and other business activities.

An external DPO can work for your organisation on a fixed-fee or a per-hour basis. Signing up to a DPO service also means you can rely on several experienced DPOs rather than just one, which means more hands on deck should you ever suffer a breach.

DPO as a service (GDPR)

IT Governance’s annual subscription DPO service offers you hands-on support from one of our qualified DPOs, who will serve as an independent data protection expert to your organisation. Your appointed DPO will:

Find out more >>



Sep 21 2018

PCI DSS policies address the weakest link – people

Category: pci dss | DISC @ 9:38 am

By Nick Calver @ITG

Drafting detailed data protection policies and documentation is vital for improving security for your customers, stakeholders and brand because it shows your understanding of and commitment to the PCI DSS (Payment Card Industry Data Security Standard). From policy, to procedure, to configuration standard, a significant proportion of PCI DSS compliance begins with documentation.

Deploying security technologies can only go so far in protecting an organisation and helping maintain compliance.

Nearly 1 in 5 data breaches caused by human error

Verizon’s 2018 Data Breach Investigations Report identified that almost 1 in 5 data breaches (17%) were the result of human error.

Policies are needed to address the weak link in security – people. If your employees don’t know or understand what’s expected of them, they can put cardholder data at risk, regardless of the other security measures you have in place. Policies play an important role in securing data. They are the foundation for everything else, as they provide direction and instruction, and assign responsibility.

What’s in a PCI policy set?

PCI DSS compliance requires that all merchants and service providers document the processes and procedures they put in place. These policies and procedures can then serve as a guide, following the 12 requirements of the PCI DSS, from which you and your QSA (Qualified Security Assessor) can work during your assessment.

The policies might address:

Information security: This details the organisation’s security strategy in relation to the storage, processing and transmission of credit card data. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE (cardholder data environment).

Formal security awareness: This identifies the organisation’s responsibilities when implementing a PCI security awareness training programme and is intended for anyone who has access to the CDE. Staff should take this programme during their induction and repeat it at least annually or whenever there is a security incident.

Incident response: This is a set of instructions for detecting, responding to and limiting the effects of an information security event. Without a plan in place, organisations might not detect an attack, or might fail to follow proper protocol to contain it and recover.

Nothing here should surprise an experienced security professional. The policy requirements are basic information security best practices. Therefore, when structuring your PCI policy set we advise doing so alongside the development of your core information security policy.

PCI DSS Staff Awareness

Increase your employees’ knowledge of the Payment Card Industry Data Security Standard (PCI DSS) and how it affects your organization with the expertise at IT Governance USA Inc.



Sep 20 2018

Equifax fined by ICO over data breach that hit Britons

Category: Cyber Insurance, data security, GDPR, Security Breach | DISC @ 10:02 am

Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

The compromised systems were also US-based.

But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

A further 14.5 million British records exposed would not have put people at risk, the company added last October.

The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

• 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
• 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
• Up to 15 million UK data subjects had names and dates of birth exposed

Guard let down

Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

And appropriate steps to fix the vulnerability were not taken, according to the ICO.

Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

And the fine of £500,000 is the highest possible under that law.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

“This is compounded when the company is a global firm whose business relies on personal data.”

An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

By BBC.com



Sep 19 2018

CISOs and the Quest for Cybersecurity Metrics Fit for Business

Category: CISO, Metrics | DISC @ 12:52 pm

By Kevin Townsend

Never-ending breaches, ever-increasing regulations, and the potential effect of brand damage on profits have made cybersecurity a mainstream board-level issue. It has never been more important for cybersecurity controls and processes to be in line with business priorities.

Reporting Security Metrics to the Board

A recent survey by security firm Varonis highlights that business and security are not fully aligned; and while security teams feel they are being heard, business leaders admit they aren’t listening.

The problem is well-known: security and business speak different languages. Since security is the poor relation of the two, the onus is absolutely on security to drive the conversation in business terms. When both sides are speaking the same language, aligning security controls with business priorities will be much easier.

Well-presented metrics are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is that this isn’t always happening.

Using metrics to align Security and Business: Information security metrics

SecurityWeek spoke to several past and present CISOs to better understand the use of metrics to communicate with business leaders: why metrics are necessary; how they can be improved; what are the problems; and what is the prize?

Demolishing the Tower of Babel

“While some Board members may be aware of what firewalls are,” comments John Masserini, CISO at Millicom Telecommunications, “the vast majority have no understanding what IDS/IPS, SIEMs, Proxies, or any other solution you have actually do. They only care about the level of risk in the company.”

CISOs, on the other hand, understand risk but do not necessarily understand which parts of the business are at most risk at any time. Similarly, business leaders do not understand how changing cybersecurity threats impact specific business risks.

The initial onus is on the security lead to better understand the business side of the organization, to be able to deliver meaningful risk management metrics that business leaders understand. This can be used to start the process for each side to learn more about the other. Business will begin to see how security reduces risk, and will begin to specify other areas that need more specific protection.

The key and most common difficulty is in finding and presenting the initial metrics to get the ball rolling. This is where the different ‘languages’ get in the way. “The IT department led by the CIO typically must maintain uptime for critical systems and support transformation initiatives that improve the technology used by the business to complete its mission,” explains Keyaan Williams, CEO at CLASS-LLC. “The Security department led by the CISO typically must maintain confidentiality, integrity, and availability of data and information stored, processed, or transmitted by the organization. These departments and these leaders tend to provide metrics that focus on their tactical duties rather than business drivers that concern the board/C-suite.”

Drew Koenig, consultant and host of the Security in Five podcast, sees the same basic problem. “In security there tends to be a focus on the technical metrics. Logins, blocked traffic, transaction counts, etc… but most do not map back to business objectives or are explained in a format business leaders can understand or care about. Good metrics need to be tied to dollars, business efficiency shown through time improvements, and able to show trending patterns of security effectiveness as it relates to the business. That’s the real challenge.”

Williams sees the problem emanating from a lack of basic business training in the academic curriculum that supports IT and security degrees. “The top management tool in 2017 was strategic planning,” he said. “Strategic planning is often listed as one of the top-five tools of business leaders. How many security leaders understand strategic planning and execution enough to ensure their metrics contribute to the strategic initiatives of the organization?”

It is not up to the business leaders to learn about security. “The downfall for many CISOs in the past is believing that business needs to understand security,” adds Candy Alexander, a virtual CISO and president-elect of ISSA. “That is a mistake, because security is our job. We need to better understand the business, so that we can articulate the impact of not applying appropriate safeguards. The key to this whole approach is for the CISO to understand the business, and to understand the mission and goals of the business.”

For more on this article: CISOs and the Quest for Cybersecurity Metrics Fit for Business

Tags: CISO, infosec metrics


Sep 19 2018

US lawmakers introduce bill to fight cybersecurity workforce shortage

Category: cyber security, Information Security | DISC @ 10:04 am

Report claims US public and private sectors had over 300,000 cybersecurity-related job openings between April 2017 and March 2018.

By Catalin Cimpanu for Zero Day

US lawmakers have introduced a bipartisan bill in the House of Representatives meant to address the cybersecurity workforce shortage crisis.

The bill, named the Cyber Ready Workforce Act (H.R.6791), would establish a grant program within the Department of Labor.

According to the bill’s proposed text, the Secretary of Labor will be able to award grants to workforce intermediaries to support the creation, implementation, and expansion of apprenticeship programs in cybersecurity.

These apprenticeship programs may include career counseling, mentorship, and assistance with transportation, housing, and child care costs.

The Cyber Ready Workforce Act is meant to address a growing problem in the US workforce landscape where companies, across all sectors, are having a hard time filling cybersecurity jobs with trained personnel.

According to a CompTIA report based on data from CyberSeek, a free cybersecurity career and workforce resource, there were 301,873 cybersecurity-related job openings in the private and public sectors between April 2017 and March 2018.

Also: Bill that would have the White House create a database of APT groups passes House vote

Congresswoman Jacky Rosen (Dem., NV-03) introduced the bill last week. The bill is based on the state of Nevada’s recently introduced cybersecurity apprenticeship program.

The bill was also co-sponsored by Congressman Seth Moulton (Dem., MA-06), Congresswoman Elise Stefanik (Rep., NY-21), and Congressman Dan Donovan (Rep., NY-11).

The bill, which doesn’t yet have mirroring legislation in the Senate, has also gained the support of trade and workforce organizations such as CompTIA and The Learning Center.

“Cybersecurity threats will continue to present national security challenges for America in the 21st century,” said Congressman Dan Donovan. “With these threats and the changing economic and technological landscape, America needs a workforce that can adequately advance our cybersecurity defense priorities.”

“Investing in and expanding our cybersecurity workforce doesn’t only fuel our economy, it keeps us safe,” said Congressman Seth Moulton. “While I was fighting on the ground in Iraq, Al-Qaeda was fighting us on the internet — and they were beating us online! And while we focused on Russia’s military in 2016, they attacked us through the internet. This bill is an important first step towards making sure we don’t get ourselves into such a vulnerable position again.”

Tags: cybersecurity workforce shortage


Sep 16 2018

Download ISO27k standards

Category: ISO 27k | DISC @ 7:23 pm

Download the ISO27000 family of information security standards today!

• ISO27001 2013 ISMS Requirement (Download now)

• ISO27002 2013 Code of Practice for ISM (Download now)

ISO 27001 Do It Yourself Package (Download)

ISO 27001 Training Courses – Browse the ISO 27001 training courses

Tags: ISO 27001 2013, ISO 27001 2013 Toolkit


Sep 14 2018

CISO’s Library

Category: CISO | DISC @ 4:38 pm

CISO’s personal library on managing risk for their organization.

Tags: Chief Information Security Officer, CISO, ISO

