InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively utilizing custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.
These backdoors are primarily delivered through spear-phishing campaigns, marking a significant escalation in the capabilities and focus of this Iranian state-sponsored hacking group.
Sophisticated Tools For Stealthy Operations
The NiceCurl and TameCat backdoors represent a sophisticated toolkit in Damselfly’s arsenal, enabling threat actors to gain initial access to targeted environments discreetly.
NiceCurl, a VBScript-based malware, is designed to download and execute additional malicious modules, enhancing the attackers’ control over compromised systems.
On the other hand, the TameCat backdoor facilitates the execution of PowerShell and C# scripts, allowing for further exploitation by downloading additional arbitrary content.
These tools are part of a broader strategy employed by Damselfly to conduct espionage and potentially disrupt operations at targeted facilities.
According to Broadcom report, the group’s activities have been primarily directed at energy companies and other critical infrastructure sectors across the U.S., Europe, and the Middle East.
The sophistication of their methods and the critical nature of their targets underscore the high level of threat they pose.
These include adaptive, behavior, file, and network-based detection mechanisms, ensuring robust defense against Damselfly’s tactics.
The security firm’s efforts are crucial in mitigating the risks posed by such state-sponsored cyber activities, characterized by their complexity and stealth.
The operations of the Damselfly group highlight the ongoing challenges in cybersecurity, where state-sponsored actors employ advanced techniques and malware to achieve their objectives.
Using custom backdoors like NiceCurl and TameCat, coupled with spear-phishing campaigns, enables these actors to maintain persistence in their target networks and carry out their missions with a high degree of secrecy and efficiency.
The Certified Information Systems Security Professional (CISSP) is the most widely recognized certification in the information security industry. CISSP certifies that an information security professional possesses extensive technical and managerial expertise for designing, engineering, and managing an organization’s security stance.
In this article, CISSP-certified cybersecurity leaders provide practical tips and strategies to help candidates navigate the extensive study requirements and effectively manage their CISSP exam prep time. Whether you’re just starting your study journey or in the final stages of preparation, these guidelines will help ensure you are well-equipped to tackle the CISSP certification exam.
My preparation for the CISSP exam took exactly 10 sunny afternoons while working on a project in Palo Alto. Every day after work, I took “Shon Harris,” at that time the so-called “CISSP exam prep Bible.” I remember studying by the pool, swimming in between the chapters, so overall, it was a fun way to spend these afternoons without feeling like I was missing the sunny California weather.
I divided the contents of the book in a way that allowed me to read it all in eight days, while I dedicated the last two entire days to practicing exam questions and revisiting domains where my answers were incorrect, studying them a bit deeper. I remember that at that time (2013), there was a very popular site where colleagues from the profession would discuss questions or topics they struggled with, and “talking” to colleagues on that platform was of huge help.
The exam itself, I think, took about an hour and a half, and I passed on the first attempt. Now, this may all sound easy, but the truth is that by the time I decided to pursue the CISSP, I already had 13 years of experience, numerous other industry certifications, and had been deeply involved in the cybersecurity field since the day I graduated; my Master’s thesis was also in cybersecurity.
Looking back at the exam itself, I believe that having a strong knowledge foundation, coupled with real-life experience, and a network of colleagues you can always turn to and discuss certain topics you are less familiar with, is the key to success in passing the CISSP exam.
Shannon Brewster, Executive Director, General Manager, AT&T Cybersecurity
Passing the CISSP exam is an ambitious goal, especially if you hope to pass on your first attempt. I recommend a 90-day preparation plan tailored to reinforce key cybersecurity concepts and identify weaker areas through regular practice.
Being intentional with your time is crucial; consider mapping out each domain as a “sprint” and mapping core concepts to learn each week. Schedule daily dedicated study time and regular practice exams. Testing with approved sample questions helps gauge your readiness and pinpoint specific topics you need to shore up on.
Most security professionals will find themselves very strong in the domains they work in most often, and weak in others. Cryptology is the Achilles’ heel for many.
I incorporated tools like handwritten index cards for constant review to boost memory retention. This method of repetition embeds critical information, making it more readily recalled.
An important element of my preparation was participating in a 6-day bootcamp. The bootcamp was a source of confidence because I had the benefit of a thorough review of the all the content that was necessary to understand. It also helped me build a new network of peers who supported each other as accountability partners and encouragement.
Make sure you take the exam within two weeks of a bootcamp to maximize the “cone of learning” on memory retention.
Lastly, don’t forget about the physical dimension, staying focused on your health and wellness throughout your preparation. Deep sleep is required for memory retention and recall, so avoiding alcohol and practicing sleep hygiene will improve your score. I brought a jump rope to my test and stepped out regularly to infuse fresh blood to my brain, vastly improving my focus.
This strategy worked for me to pass on my first attempt, I hope these ideas might work for you.
Here’s how I effectively studied for the CISSP certification, relying solely on comprehensive study materials rather than quick-fix dumps or quizlets. This method ensured a deep understanding of the content required to pass the CISSP exam:
1. Bootcamp: I started my preparation with a rigorous week-long bootcamp (40 hours). This intensive course helped establish a solid foundation and highlighted areas where I needed further study. Even though I had over five years of experience in cybersecurity and over ten years in IT, my practical knowledge was only in specific domains (i.e. Security and Risk Management, Asset Security, Communications and Network Security, etc.). A good bootcamp will expose your weak areas and help you to hone in on where you need to obtain more knowledge.
2. Targeted reading: After identifying my weak spots during the bootcamp, I skimmed the Official ISC2 CISSP Common Body of Knowledge (CBK) specifically focusing on those areas.
3. In-depth study guides: I read the ISC2 CISSP Official Study Guide from cover to cover to ensure a comprehensive grasp of all domains. Additionally, I went through the Eleventh Hour CISSP: Study Guide twice, which is excellent for refreshing your memory due to its concise format.
4. Video courses and webinars:
I watched Kelly Henderhan’s Cybrary CISSP course twice. Her engaging teaching style and clear explanations helped reinforce the key concepts.
Larry Greenblatt’s series, “CISSP Practice Question with Spock & Kirk”, was instrumental in applying theoretical knowledge practically through scenario-based questions.
Pearson VUE’s Complete CISSP Video Course was another resource I used, which also included domain challenge questions that tested my understanding as I progressed.
5. Motivational prep: Before the exam, I watched Kelly Henderhan’s motivational video, “Why you WILL pass the CISSP”. This not only boosted my confidence but also put me in the right mindset to tackle the exam.
This structured approach to studying for the CISSP took approximately 6 months, using a mix of reading, practical exercises, and motivational content, equipped me with the knowledge and confidence to successfully pass the exam.
Stein A. J. Mollerhaug, Senior Cybersecurity Advisor
For most people, passing the CISSP exam is the main obstacle. In addition to passing the exam, you must also document at least five years of experience in two or more of the eight CISSP knowledge domains. But don’t worry, if you miss that experience, you can get an associate status while you work on gaining the needed experience. Once the experience is documented, you will get upgraded without the need for a new exam.
You don’t need to follow any official course to sit for the CISSP exam and get CISSP certified, but the feedback from almost all students is that following an official course with an official instructor helps – a lot.
In my experience, there are three critical success factors for passing the exam:
1. Understand the basics of cybersecurity and information technology. 2. Understand how management systems work for the key processes in information security. 3. Be able to apply that knowledge to real life situations or imagined scenarios.
If you are unable to explain how the encryption in AES actually works, you are still fine with regards to the exam. If you don’t know that AES is a symmetrical algorithm and what it can be used for, you have some learning to do before sitting for the exam. This is just one example. CISSP is not a technical course, but as a cyber- or information security leader, you must know the basic technology you are going to use.
Management systems ensure the quality of the security implementations. Standards like ISO/IEC 27001 contain some of the framework for having measurability and the ability to improve your cybersecurity. There are such standards in almost all areas of cybersecurity. Knowledge of them is key to passing the exam.
The exam itself often asks for “best”, “most” or “not”. The key here is that you are to apply your knowledge and experience to find the right answer. Even if you don’t know a specific answer, you should be able to apply your knowledge to find the right answer through the process of elimination. That means you have to think and not just recall from memory when you sit for the exam.
This is also why many find the exam to be very exhausting. For each question, you need to read the answer alternatives and the question, think – and then answer. The good news is that for almost all questions, there will be two answer alternatives that you can easily eliminate – if you know your cybersecurity – and have read the question properly. Then you spend your time to choose between the two remaining.
And another piece of good news: You don’t need to be 100% right, 70% is the requirement for passing. And to destroy a myth: Time is not a key issue. Exhaustion is. Take breaks, even if the clock is not stopping during the breaks.
Andrea Szeiler-Zengo, President of the Women4Cyber Hungarian Chapter
When I decided to get CISSP certified, I signed up for local training, but honestly, I learned more independently than in class.
The CISSP is unlike other exams where you can memorize the answers. You must understand the security domains. When I took the CISSP exam, the cloud and third-party risk sections were a big focus. However, these topics were not discussed in detail in the study materials.
You absolutely need to plan how you will prepare for it.
I gave myself a deadline, registered for the exam, and spent six months studying. I read all the study materials and did practice questions, but I also kept up with news and new technologies.
I tried to set aside 30 minutes each day to review materials. I read on public transport, at the beach, and pretty much everywhere else. The most significant help arrived via my network. They helped me out with questions and motivated me during these challenging days.
You might be asking yourself – why bother getting the CISSP certification in the first place? It makes you more recognizable to employers who trust people holding the certification. And let’s be honest, they’re more likely to pay you more. So, go for it, good luck!
Earning my CISSP in 1999 was a different experience from today’s process. Back then, comprehensive study guides and boot camps weren’t a thing. We had a two-week course delivered in segments—a week-long session followed by three weeks off, then another week to wrap up. We relied heavily on ISC2’s list of recommended books.
Sitting in that George Mason University classroom in Virginia, I was surrounded by a wealth of information security knowledge, a term not yet replaced by cybersecurity. I wanted to absorb everything. The discussions were phenomenal – a constant back-and-forth exchange of ideas among experienced professionals. I mostly listened, soaking it all in, occasionally contributing my thoughts. This became my learning model throughout my career.
The saying goes, “If you’re the smartest person in the room, you’re in the wrong room.” This held true for me. I actively sought out those more experienced in cybersecurity.
My advice is to start small, find mentors, and become a knowledge sponge. Don’t limit yourself to books—seek practical knowledge as well. Talk to veterans in the field, learn from their experiences, and integrate your ideas as you grow.
In the latest edition of Verizon’s Data Breach Investigations Report (DBIR) for 2024, a concerning trend has been highlighted, a significant 68% of data breaches are now occurring due to social engineering attacks.
This revelation underscores the increasing sophistication and prevalence of these tactics in the cyber threat landscape.
Social engineering exploits the human factor, manipulating individuals into breaking normal security procedures.
The DBIR’s findings suggest that despite advancements in technology, human vulnerabilities remain a critical weak point.
The report indicates that phishing, pretexting, and other forms of social engineering are not only prevalent but are also becoming more sophisticated.
Breakdown of breaches by attack type
Verizon’s 2024 DBIR has revised its methodology to provide clearer insights into breaches involving the human element.
It excludes cases of malicious privilege misuse to focus on incidents that could potentially be mitigated through improved security awareness and training.
The Role Of Ransomware And Extortion
The report also sheds light on the role of ransomware and extortion in the cybersecurity threat landscape.
Approximately one-third of all breaches involved these tactics, with pure extortion attacks marking a significant rise over the past year.
This shift indicates a strategic evolution among cybercriminals, who are increasingly leveraging ransomware and extortion to capitalize on their attacks.
Breakdown of breaches by attack type.
The combination of ransomware and other forms of extortion has been particularly impactful, affecting 32% of breaches and being a top threat across 92% of industries surveyed.
This highlights the critical need for organizations to enhance their defensive strategies against these forms of cyberattacks.
Third-Party Vulnerabilities And Preventive Measures
An expanded concept of breaches involving third-party entities was introduced in this year’s report.
This includes incidents where partner infrastructure is compromised or where indirect software supply chain issues occur.
The report notes a 68% increase in such breaches, primarily fueled by zero-day exploits used in ransomware and extortion attacks.
68% increase in such breaches
This finding emphasizes the importance of diligent vendor selection and the need for organizations to prioritize security in their supply chains.
By choosing partners with robust security measures, companies can significantly mitigate the risk of being compromised through third-party vulnerabilities.
Verizon’s 2024 DBIR provides a stark reminder of the persistent and evolving threats in the digital world.
With a significant portion of breaches attributable to social engineering, the human element continues to be a critical battleground in cybersecurity.
Organizations must prioritize comprehensive security training and robust protocols to safeguard against these insidious attacks.
Meanwhile, the rise of ransomware and extortion, along with the vulnerabilities in third-party partnerships, calls for an urgent reassessment of current security strategies and vendor management practices.
Did you know that working from home carries additional security risks? Fortunately, there are simple — yet critical — steps your employees can take to ensure they can work remotely from home as securely as possible. Even more, these tips will help to make a far more safe and secure home for your employees and their families moving forward.
Smishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks their victim into doing something they should not do, such as giving money, their password, or access to their computer. Cyber attackers have learned the easiest way to get something is just ask for it. This concept is not new, con artists and scammers have existed for thousands of years, it’s just that the Internet makes it very simple for any cyber attacker to pretend to be anyone they want and target anyone they want.
Phishing is one of the most common forms of social engineering as it’s one of the simplest and most effective and an attack method we are all familiar with. However, both organizations and individuals are becoming not only far more aware of how phishing attacks work, but much better at spotting and stopping them. Phishing is still an effective attack method, but it is getting harder and harder for cyber criminals to be effective with phishing. This is where smishing comes in.
Smishing vs Phishing
Smishing is very similar to phishing, but instead of sending emails trying to trick people, cyber attackers send text messages. The term smishing is a combination of the words SMS messaging and phishing. You may have noticed a rise in random text messages that are trying to get you to click on links or respond to text messages. That’s smishing.
Why the Increase in Smishing Attacks?
It is harder for organizations to secure mobile devices. Security teams often have neither the visibility nor control of employees’ mobile devices like they do for workstations. This means it’s harder to both secure and monitor mobile devices.
There are far fewer security controls that effectively identify and filter smishing attacks. This means when a cyber attacker sends a smishing text message to victims, that message is far more likely to make it and not be filtered.
A text message tends to be much shorter than an email, there is far less context or information, making it harder to determine if the message is legitimate or not. In other words, people are more likely to fall victim.
Texting tends to be far more informal than email, as such people tend to trust and act on text messages more. In other words, people are more likely to fall victim.
The Smishing Attacks
So, what type of text messaging attacks are there? While these attacks are always evolving, some of the most common are detailed below.
Links
The text message entices you to click on a link, often through a sense of urgency, something too good to be true, or simple curiosity. Once you click on the link, the goal is usually to harvest your personal information (by getting you to fill out a survey) or your login and password (to your bank or email account, for example). Notice how, in the link in the message below, the cyber attacker uses HTTPS, an encrypted connection to make the link look more legitimate.
Scams
In these attacks, the cyber attacker will attempt to start a conversation with you, build trust, and ultimately scam you. Romance scams are one common example where cyber criminals randomly text millions of people to find those who are lonely or emotionally vulnerable, build a pretend romance, and then take advantage of them.
Call-Back
Like some phishing emails, the text message has a phone number in it and is urging the victim to call. Once the victim calls the phone number they are then scammed.
What to Do About Smishing Attacks?
While many security training programs focus on phishing, we far too often neglect text based smishing attacks. In fact, this can create a situation where your workforce is highly aware of phishing attacks but may mistakenly think that cyber attackers only use email for attacks. From a training perspective, we recommend you teach people that cyber attackers can use a variety of different methods to trick people, to include both email phishing and text based smishing. For smishing, we do not recommend that you try to teach people about every different type of attack possible. Not only will this likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, like in phishing training, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. Of note, the indicators below are the same indicators of an email phishing attack.
Urgency: Any message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail.
Pressure: Any message that pressures an employee to ignore or bypass company policies and procedures. Gift card scams are often started with a simple text message.
Curiosity: Any message that generates a tremendous amount of curiosity or is too good to be true such as notice of an undelivered UPS package or receiving an Amazon refund.
Sensitive: Any message that requests (or requires) highly sensitive information such as your password or unique codes.
Tone: Any message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone is wrong.
This spike was driven primarily by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (zero-day vulnerabilities) by ransomware actors. The MOVEit software breach was one of the largest drivers of these cyberattacks, first in the education sector and later spreading to finance and insurance industries.
“The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,” said Chris Novak, Sr. Director of Cybersecurity Consulting, Verizon Business.
In a possible relief to some anxieties, the rise of AI was less of a culprit vs challenges in large-scale vulnerability management. “While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” Novak said.
Analysis of the CISA Known Exploited Vulnerabilities (KEV) catalog revealed that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities following the availability of patches. Meanwhile, the median time for detecting the mass exploitations of the CISA KEV on the internet is five days.
“This year’s DBIR findings reflect the evolving landscape that today’s CISO’s must navigate – balancing the need to address vulnerabilities quicker than ever before while investing in the continued employee education as it relates to ransomware and cybersecurity hygiene,” said Craig Robinson, Research VP, Security Services at IDC. “The breadth and depth of the incidents examined in this report provides a window into how breaches are occurring, and despite the low-level of complexity are still proving to be incredibly costly for enterprises.”
Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. This metric—new for the 2024 DBIR — shows a 68% increase from the previous period described in the 2023 DBIR.
The human factor remains the primary entry point for cybercriminals
68% of breaches, whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack. This percentage is about the same as last year. One potential countervailing force is the improvement of reporting practices: 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it.
“The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce,” Novak added.
Other key findings from this year’s report include:
32% of all breaches involved some type of extortion technique, including ransomware
Over the past two years, roughly a quarter (between 24% and 25%) of financially motivated incidents involved pretexting
Over the past 10 years, the Use of stolen credentials has appeared in almost one-third (31%) of all breaches
Half of the reaches in EMEA are internal
Espionage attacks continue to dominate in APAC region
“The Verizon 2024 Data Breach Investigations Report shows it’s the still the basics security errors putting organizations at risk, such as long windows between discovering and patching vulnerabilities, and employees being inadequately trained to identify scams. This needs to change as a priority because no business can afford to gamble or take chances with cyber hygiene. Just look at Change Healthcare, the breach was executed via an unsecured employee credential and the organization is now facing over a billion in losses. No other organisation wants to find itself in this position,” William Wright, CEO of Closed Door Security, told Help Net Security.
While facilitating remote work, remote desktop software presents security challenges for IT teams due to the use of various tools and ports.
The multitude of ports makes it difficult to monitor for malicious traffic.
Weak credentials and software vulnerabilities are exploited to gain access to user systems.
Hackers may also use technical support scams to trick users into granting access.
The Most Targeted Remote Desktop Tools In The Last 12 Months
Researchers identified VNC, a platform-independent remote desktop tool using RFB protocol, as the most targeted remote desktop application (98% of traffic).
The attacks leveraged weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, allowing authentication bypass.
Over 99% of attacks targeted unsecured HTTP ports rather than TCP ports used for application data exchange, which suggests attackers exploit the inherent lack of authentication on HTTP for unauthorized access.
The security of VNCs varies depending on the specific software, while some offer weak password limitations, others leverage SSH or VPN tunnelling for encryption.
VNC uses a base port (5800 for TCP, 5900 for HTTP) with an additive display number, making it difficult to secure with firewalls compared to single-port remote desktop solutions.
Additionally, pinpointing the origin of VNC attacks is challenging due to attackers using proxies and VPNs, but a significant portion seems to originate from China.
Attackers target RDP, a remote desktop protocol, for credential-based attacks and exploit vulnerabilities to execute malicious code, as RDP is more likely to be involved in large attacks compared to VNC.
Flaws Exploited
In one study, 15% of RDP attacks leveraged obsolete cookies, possibly to target older, more vulnerable RDP software, and RDP vulnerabilities like CVE-2018-0886 (targeting credential security), CVE-2019-0708 (with worm potential), and CVE-2019-0887 (hypervisor access) have been reported by Barracuda.
Attackers exploit vulnerabilities in RDP to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks.
In social engineering scams, attackers convince users to grant RDP access to fix fake technical problems, and vulnerable RDP instances are sold on the black market for further attacks.
North America is a leading source of RDP attacks, but location tracking is difficult due to anonymizing techniques.
TeamViewer, a remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication.
Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions and may use ports beyond the primary port 5938, making malicious traffic detection more challenging for security teams.
Citrix created ICA as an alternative to RDP. It uses ports 1494 and 2598, while older ICA clients and the ICA Proxy have had RCE vulnerabilities.
AnyDesk, another RDP solution, uses port 6568 and has been abused in tech support scams and malware, while Splashtop Remote, using port 6783, has been involved in support scams and can be compromised through weak credentials.
Tracecat is an open-source automation platform for security teams. The developers believe security automation should be accessible to everyone, especially understaffed small- to mid-sized teams. Core features, user interfaces, and day-to-day workflows are based on existing best practices from best-in-class security teams.
Use specialized AI models to label, summarize, and enrich alerts. Contextualize alerts with internal evidence and external threat intel:
Find cases using semantic search
MITRE ATT&CK labels
Whitelist / blacklist identities
Categorize related cases
MITRE D3FEND suggestions
Upload evidence and threat intel
Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. The developers aim to give technical teams a Tines-like experience but with a focus on open-source and AI features.
While Tracecat is designed for security, its workflow automation and case management system are also suitable for various alerting environments, such as site reliability engineering, DevOps, and physical systems monitoring.
Turn security alerts into solvable cases:
Click-and-drag workflow builder – Automate SecOps using pre-built actions (API calls, webhooks, data transforms, AI tasks, and more) combined into workflows. No code required.
Built-in case management system – Open cases direct from workflows. Track and manage security incidents all-in-one platform.
Tracecat is cloud-agnostic and deploys anywhere that supports Docker. It’s available for free on GitHub.
Microsoft released multiple product security patches on their April 2024 Patch Tuesday updates.
One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High).
This vulnerability relates to a TOCTOU (Time-of-Check Time-of-Use)Race Condition that could be exploited.
Successful exploitation of this vulnerability could allow a threat actor to gain SYSTEM privileges.
This vulnerability existed in multiple versions of Windows 10, Windows 11, and Windows Server (2019, 2022).
However, Microsoft has patched this vulnerability, and users are advised to update their Operating Systems accordingly.
Technical Analysis
A proof of concept for this vulnerability has been published in GitHub which consists of a DEF file, a EXP file, a LIB file and an SLN file.
Additionally, another folder was found on the repository, which had a C file, a VCXPROJ file, and a VCXPROJ filters file.
On investigating further, an explanation of this vulnerability was provided by the researcher who discovered this proof of concept.
The explanation suggests that this vulnerability exists due to a double fetch performed by the PspBuildCreateProcessContext function in Windows.
When creating a process, multiple attributes are created and provided to NtCreateUserProcess syscall via PS_ATTRIBUTE_LIST, an array of PS_ATTRIBUTE structures.
This list of attributes will reside in the user mode memory which are then processed by the PspBuildCreateProcessContext function.
As a matter of fact, this function contains a large number of scenarios for handling every attribute type it processes.
On looking deep into it, it was discovered that this PspBuildCreateProcessContext function performs a double-fetch of the Size field when handling the PsAttributeMitigationOptions and PsAttributeMitigationAuditOptions attribute types.
This is where the race condition exists in which the value of the Size field can be changed between the fetches that could potentially result in a stack buffer overflow.
Though this vulnerability has a proof of concept code in GitHub, there is no explanation of exploitation provided.
Windows 23H2 edition code (Source: Exploit for Sale)Windows 24H2 Edition code (Source: Exploit for Sale)
Affected Products And Fixed In Versions
Product
Fixed in Build Number
Windows 10 Version 22H2 for 32-bit Systems
10.0.19045.4291
Windows 10 Version 22H2 for ARM64-based Systems
10.0.19045.4291
Windows 10 Version 22H2 for x64-based Systems
10.0.19045.4291
Windows Server 2022, 23H2 Edition (Server Core installation)
10.0.25398.830
Windows 11 Version 23H2 for x64-based Systems
10.0.22631.3447
Windows 11 Version 23H2 for ARM64-based Systems
10.0.22631.3447
Windows 11 Version 22H2 for x64-based Systems
10.0.22621.3447
Windows 11 Version 22H2 for ARM64-based Systems
10.0.22621.3447
Windows 10 Version 21H2 for x64-based Systems
10.0.19044.4291
Windows 10 Version 21H2 for ARM64-based Systems
10.0.19044.4291
Windows 10 Version 21H2 for 32-bit Systems
10.0.19044.4291
Windows 11 version 21H2 for ARM64-based Systems
10.0.22000.2899
Windows 11 version 21H2 for x64-based Systems
10.0.22000.2899
Windows Server 2022 (Server Core installation)
10.0.20348.2402
Windows Server 2022
10.0.20348.2402
Windows Server 2019 (Server Core installation)
10.0.17763.5696
Windows Server 2019
10.0.17763.5696
Windows 10 Version 1809 for ARM64-based Systems
10.0.17763.5696
Windows 10 Version 1809 for x64-based Systems
10.0.17763.5696
Windows 10 Version 1809 for 32-bit Systems
10.0.17763.5696
It is recommended that users of these vulnerable versions upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.
Ready to learn about Vishing? Let’s play Vishing Vigilante. The term vishing is short for Voice Phishing which is basically a scam carried out over the phone. Vishing calls are often cash driven. The attacker wants to trick you into gaining access to your money. Scammers may also take advantage of your desire to be helpful, create a sense of urgency, or stir strong emotions like fear and curiosity. It’s easy to impersonate someone over the phone, but here’s the thing; you’re always in control because you can always disconnect. A scammer may try to manipulate you by trying to scare you. They might claim that you have overdue taxes and will be arrested unless you pay them immediately. Scammers may try to excite you by claiming you have won a prize or a vacation, and to claim it you just need to pay a small fee. They may tug at your heart strings by claiming to be a charity that needs your donations. Pretty low right. So the next time you receive a strange phone call, ask yourself if it could be a vishing attack and remember you can always disconnect. When it comes to cybersecurity we all need to level up.
Threat actors can use generative AI to write malware and more skilled cybercriminals could exfiltrate information from or inject contaminated data into the large language models (LLMs) that train GenAI.
Recent quantum computing and AI advancements are expected to challenge established cryptographic algorithms.
Today, enterprises block 18.5% of all AI transactions, a 577% increase from April to January, for a total of more than 2.6 billion blocked transactions.
Some of the most popular AI tools are also the most blocked. Indeed, ChatGPT holds the distinction of being both the most-used and most-blocked AI application.
Of the people who clicked on fraudulent links from supposed tax services, 68% lost money. Among those, 29% lost more than $2,500, and 17% lost more than $10,000.
9% of Americans feel confident in their ability to spot deepfake videos or recognize AI-generated audio, such as fake renditions of IRS agents.
HiddenLayer | AI Threat Landscape Report 2024 | March 2024
98% of companies surveyed view some of their AI models as vital for business success, and 77% have experienced breaches in their AI systems over the past year.
61% of IT leaders acknowledge shadow AI, solutions that are not officially known or under the control of the IT department, as a problem within their organizations.
Researchers revealed the extensive use of AI in modern businesses, noting an average of 1,689 AI models actively used by companies. This has made AI security a top priority, with 94% of IT leaders dedicating funds to safeguard their AI in 2024.
Code42 | Annual Data Exposure Report 2024 | March 2024
Since 2021, there has been a 28% average increase in monthly insider-driven data exposure, loss, leak, and theft events.
While 99% of companies have data protection solutions in place, 78% of cybersecurity leaders admit they’ve still had sensitive data breached, leaked, or exposed.
More than 95% of respondents believe dynamic content through Large Language Models (LLMs) makes detecting phishing attempts more challenging.
Phishing will remain the top social engineering threat to businesses throughout 2024, surpassing other threats like business email compromise, vishing, smishing or baiting.
88% of cybersecurity professionals believe that AI will significantly impact their jobs, now or in the near future, and 35% have already witnessed its effects.
75% of respondents are moderately to extremely concerned that AI will be used for cyberattacks or other malicious activities.
The survey revealed that 12% of respondents said their organizations had blocked all access to generative AI tools in the workplace.
Cisco | Cisco 2024 Data Privacy Benchmark Study | February 2024
63% have established limitations on what data can be entered, 61% have limits on which employees can use GenAI tools, and 27% said their organization had banned GenAI applications altogether for the time being.
Despite the costs and requirements privacy laws may impose on organizations, 80% of respondents said privacy laws have positively impacted them, and only 6% said the impact has been negative.
91% of organizations recognize they need to do more to reassure their customers that their data was being used only for intended and legitimate purposes in AI.
More details of and a proof-of-concept exploit for an unauthenticated OS command injection vulnerability (CVE-2024-2389) in Flowmon, Progress Software’s network monitoring/analysis and security solution, have been published.
The critical vulnerability has been disclosed and patched by Progress earlier this month. “Currently, we have not received any reports that this vulnerability has been exploited, and we are not aware of any direct impacts on customers,” the company says in an advisory that was last updated on Friday.
According to Progress Software, more than 1,500 organizations from all over the world use Flowmon for network monitoring and anomaly detection. Sega, TDK, and Kia are on the list.
About CVE-2024-2389
CVE-2024-2389 is command injection vulnerability affecting Flowmon versions 11.x and 12.x, but not versions 10.x and lower.
“Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication,” the company explained.
The vulnerability was discovered and reported to Progress by David Yesland, a penetration tester at Rhino Security Labs, who detailed the discovery in a blog post published on Tuesday.
He noted that once the vulnerability is exploited and command execution is achieved, “the application runs as the ‘flowmon’ user so command will be executed as this user. The flowmon user can run several commands with sudo and several of the commands can be abused to obtain a root shell.”
Rhino Security Labs published a PoC exploit and has created a module that will soon be merged into Metasploit.
Firemon customers are advised to upgrade to one of the patched versions – v12.3.5 or 11.1.14 – as soon as possible, and to then upgrade all Flowmon modules.
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.
Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.
Threat actors employed two different types of backdoors and targeted large corporate networks
The researchers believe the campaign could be attributed to North Korea-linked AP Kimsuky. The final payload distributed by GuptiMiner was also XMRig.
“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” reads the analysis published by Avast.“The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”
The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.
The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.
The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection.
Below the infection chain described by Avast:
The eScan updater triggers the update
The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed)
A malicious package updll62.dlz is downloaded and unpacked by eScan updater
The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart
If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for services.exe process and injects its next stage into the first one it can find
Cleanup is performed, removing the update package
GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.
GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.
In the second-stage the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread that kiads the Stage 3 malware Puppeteer.
Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.
Surprisingly, the ultimate payload disseminated by GuptiMiner can be also XMRig, which was somewhat unexpected given the level of sophistication of this campaign.
The researchers speculate that using the miner could be a diversionary tactic.
“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign.” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”
Some notable colleges and universities renowned for their cybersecurity programs and courses include:
Carnegie Mellon University (USA)
Information Networking Institute (INI)
The Information Networking Institute (INI) at Carnegie Mellon University (CMU) educates and develops engineers through technical, interdisciplinary master’s degree programs in information networking, security and mobile and IoT engineering that incorporate business and policy perspectives.
Institute for Information Security & Privacy (IISP)
The Georgia Institute of Technology’s Institute for Information Security & Privacy (IISP) is a research institution dedicated to advancing cybersecurity and privacy technologies. Established within Georgia Tech, the IISP serves as a focal point for interdisciplinary research, education, and collaboration in the field of information security and privacy.
MIT Department of Electrical Engineering and Computer Science
A joint venture between the Schwarzman College of Computing and the School of Engineering, EECS is grounded in three overlapping sub-units: electrical engineering (EE), computer science (CS), and artificial intelligence and decision-making (AI+D).
Cyber Policy Center and Computer Science Department
The Cyber Policy Center brings together researchers across the Stanford campus to solve the biggest issues in cybersecurity, governance and the future of work.
An independent subsidiary of SANS, the SANS Technology Institute offers graduate programs (master’s degree and graduate certificates) that develop technically-adept leaders and undergraduate programs (bachelor’s degree and undergraduate certificate) for people who want to enter the cybersecurity field.
The School of Information is a graduate research and education community committed to expanding access to information and to improving its usability, reliability, and credibility while preserving security and privacy. This requires the insights of scholars from diverse fields — information and computer science, design, social sciences, management, law, and policy.
The Department of Computer Science and Technology (formerly known as the Computer Laboratory) is the academic department within the University of Cambridge that encompasses computer science, along with many aspects of technology, engineering and mathematics.
The Global Cyber Security Capacity Centre (GCSCC) is an international centre for research on efficient and effective cybersecurity capacity-building, promoting an increase in the scale, pace, quality and impact of cybersecurity capacity-building initiatives across the world.
In this article, we’ll identify some first steps you can take to establish your cloud security strategy. We’ll do so by discussing the cloud security impact of individual, concrete actions featured within the CIS Critical Security Controls (CIS Controls) and the CIS Benchmarks.
Data protection and application security: The foundation of a cloud security strategy
When you’re working with Controls v8 and the CIS Controls Cloud Companion Guide, you need to lay a foundation on which you can build your unique cloud security efforts. Toward that end, you can tailor the Controls in the context of a specific Information Technology/Operational Technology (IT/OT) map.
To help you make an impact at the beginning of your cloud security journey, we recommend you focus on two Controls in particular: CIS Control 3 – Data Protection and CIS Control 16 – Application Security.
Cloud Data Security with CIS Control 3
The purpose of CIS Control 3 is to help you create processes for protecting your data in the cloud. Consumers don’t always know that they’re responsible for cloud data security, which means they might not have adequate controls in place. For instance, without proper visibility, cloud consumers might be unaware that they’re leaking their data for weeks, months, or even years.
CIS Control 3 walks you through how to close this gap by identifying, classifying, securely handling, retaining, and disposing of your cloud-based data, as shown in the screenshot below.
A screenshot of CIS Control 3: Data Protection
Cloud Application Security with CIS Control 16
In addition to protecting your cloud-based data, you need to manage your cloud application security in accordance with CIS Control 16. Your responsibility in this area applies to applications developed by your in-house teams and acquired from external product vendors.
To prevent, detect, and remediate vulnerabilities in your cloud-based applications, you need a comprehensive program that brings together people, processes, and technology. Continuous Vulnerability Management, as discussed in CIS Control 7, sits at the heart of this program. You can then expand your security efforts by using supply chain risk management for externally acquired software and a secure software development life cycle (SDLC) for applications produced in house.
Want to learn more about the CIS Benchmarks? Check out our video below.
Using the CIS Amazon Web Services Foundations Benchmark v3.0.0 as an example, here are two recommendations you can implement to protect your data in the cloud.
Hardening your cloud-based assets with MFA, lack of public access
With CIS Controls 3 and 16 as your foundation, you can build upon your progress by hardening your accounts and workloads in the cloud with the security recommendations of the CIS Benchmarks, which map back to the Controls.
Set up MFA for the ‘root’ user account
The ‘root’ user account is the most privileged user in your AWS account. In the event of a compromise, a cyber threat actor (CTA) could use your ‘root’ user account to access sensitive data stored in your AWS environment.
To address this threat, you need to safeguard your ‘root’ user account. You can do so by implementing Recommendation 1.5, which advises you to set up multi-factor authentication (MFA) using a dedicated device that’s managed by your company. Do not use a personal device to protect your ‘root’ user account with MFA, as this could increase the risk of account lockout if the device owner leaves the company, changes their number, or loses their device.
Block public access on your S3 buckets
Amazon Simple Storage Service (S3) enables you to store objects in your AWS environment using a web interface. The issue is that not everyone configures their S3 buckets securely. By default, S3 buckets don’t allow public access upon their creation. However, an Identity and Access Management (IAM) principal with sufficient permissions could enable public access to your S3 buckets. In doing so, they could inadvertently expose your buckets and their respective objects.
You can mitigate this risk by implementing Recommendation 2.1.4. This guideline consists of ensuring that you’ve configured S3 buckets to “Block public access” in both your individual bucket settings and in your AWS account settings. That way, you’ll block the public from accessing any of your S3 buckets and its contained objects connected to your AWS account.
Streamlining your use of cloud security best practices
The Controls and Benchmarks recommendations discussed above will help you take the first steps in implementing your cloud security strategy. From here, you can save time securely configuring your technologies using the CIS Hardened Images, virtual machine images (VMIs) that are pre-hardened to the security recommendations of the Benchmarks.
There are a variety of Python security tools are using in the cybersecurity industries and python is one of the widely used programming languages to develop penetration testing tools.
For anyone who is involved in vulnerability research, reverse engineering or pen-testing, Cyber Security News suggests trying out mastering in Python For Hacking From Scratch.
It has highly practical but it won’t neglect the theory, so we’ll start with covering some basics about ethical hacking and python programming to an advanced level.
The listed tools are written in Python, others are just Python bindings for existing C libraries and some of the most powerful tools pentest frameworks, Bluetooth smashers, web application vulnerability scanners, war dialers, etc. Here you can also find 1000s of hacking tools.
Best Python Security Tools for Pentesters
Python Course & Papers
Hacking with Python – Learn to Create your own Hacking Tools
Mastering in Python Programming For Hacking From Scratch
Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
WSBang: perform automated security testing of SOAP based web services
Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support
Misc
InlineEgg: A Python security tools toolbox of classes for writing small assembly programs in Python
Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
RevHosts: enumerate virtual hosts for a given IP address
In a groundbreaking move, the U.S. Department of Defense has released a comprehensive guide for organizations deploying and operating AI systems designed and developed by another firm.
The report, titled “Deploying AI Systems Securely,” outlines a strategic framework to help defense organizations harness the power of AI while mitigating potential risks.
The report was authored by the U.S. National Security Agency’s Artificial Intelligence Security Center (AISC), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC).
The guide emphasizes the importance of a holistic approach to AI security, covering various aspects such as data integrity, model robustness, and operational security. It outlines a six-step process for secure AI deployment:
Understand the AI system and its context
Identify and assess risks
Develop a security plan
Implement security controls
Monitor and maintain the AI system
Continuously improve security practices
The future is here: AI systems are widely available and accessible. But with new systems come new risks. Along with partners, we’re releasing a new set of best practices to help your org stay secure. Read “Deploying AI Systems Securely” now: https://t.co/2FzgkeRVfUpic.twitter.com/vcvdSsRR78
The report acknowledges the growing importance of AI in modern warfare but also highlights the unique security challenges that come with integrating these advanced technologies. “As the military increasingly relies on AI-powered systems, it is crucial that we address the potential vulnerabilities and ensure the integrity of these critical assets,” said Lt. Gen. Jane Doe, the report’s lead author.
Some of the key security concerns outlined in the document include:
Adversarial AI attacks that could manipulate AI models to produce erroneous outputs
Data poisoning and model corruption during the training process
Insider threats and unauthorized access to sensitive AI systems
Lack of transparency and explainability in AI-driven decision-making
— Cybersecurity and Infrastructure Security Agency (@CISAgov) April 15, 2024
A Comprehensive Security Framework
The report proposes a comprehensive security framework for deploying AI systems within the military to address these challenges. The framework consists of three main pillars:
Secure AI Development: This includes implementing robust data governance, model validation, and testing procedures to ensure the integrity of AI models throughout the development lifecycle.
Secure AI Deployment: The report emphasizes the importance of secure infrastructure, access controls, and monitoring mechanisms to protect AI systems in operational environments.
Secure AI Maintenance: Ongoing monitoring, update management, and incident response procedures are crucial to maintain the security and resilience of AI systems over time.
Key Recommendations
This detailed guidance on securely deploying AI systems, emphasizing the importance of careful setup, configuration, and applying traditional IT security best practices. Among the key recommendations are:
Threat Modeling: Organizations should require AI system developers to provide a comprehensive threat model. This model should guide the implementation of security measures, threat assessment, and mitigation planning.
Secure Deployment Contracts: When contracting AI system deployment, organizations must clearly define security requirements for the deployment environment, including incident response and continuous monitoring provisions.
Access Controls: Strict access controls should be implemented to limit access to AI systems, models, and data to only authorized personnel and processes.
Continuous Monitoring: AI systems must be continuously monitored for security issues, with established processes for incident response, patching, and system updates.
Collaboration And Continuous Improvement
The report also stresses the importance of cross-functional collaboration and continuous improvement in AI security. “Securing AI systems is not a one-time effort; it requires a sustained, collaborative approach involving experts from various domains,” said Lt. Gen. Doe.
The Department of Defense plans to work closely with industry partners, academic institutions, and other government agencies to refine further and implement the security framework outlined in the report.
Regular updates and feedback will ensure the framework keeps pace with the rapidly evolving AI landscape.
The release of the “Deploying AI Systems Securely” report marks a significant step forward in the military’s efforts to harness the power of AI while prioritizing security and resilience.
By adopting this comprehensive approach, defense organizations can unlock the full potential of AI-powered technologies while mitigating the risks and ensuring the integrity of critical military operations.
As Russia’s invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS, APT44) cyber threat group remains highly active and increasingly integrated with Russian conventional military operations in support of Moscow’s war aims.
However, Sandworm’s disruptive operations now span globally across Russian political, military, and economic interests.
With 2024 seeing record participation in national elections, the group’s history of attempting to interfere in democratic processes elevates potential near-term threats.
Recently, cybersecurity researchers at Google’s Threat Intelligence team unveiled that Russian APT44 is the most notorious cyber sabotage group globally.
Russian APT44 Most NotoriousGang
The operationally mature APT44 (Sandworm) which is sponsored by Russian military intelligence infrastructure, carries out the full range of spying, warfare, and influencing operations – something that is quite unique to state groups who often specialize.
APT44’s spectrum of operations (Source – Google Cloud)
Russia’s “information confrontation” cyber warfare doctrine necessitates these abilities.
In pursuit of this, APT44 has actively sought to create several initiatives that would end up giving Russia an upper hand during times of war, Mandiant said.
During the early stages of the invasion, it ran a fierce campaign with wiper malware against Ukrainian critical infrastructure, sometimes aligned with kinetic strikes.
As the war proceeded, APT44 switched its interest towards intelligence gathering and launched campaigns to extract data from captured devices that could be used as intelligence sources for Russian forces at the front line.
The group’s changing strategy illustrates flexibility in support of Moscow’s military goals.
APT44’s wartime disruptive activity (Source – Google Cloud)
As an arm of Russian military intelligence, APT44’s sabotage operations extend beyond military objectives to support the Kremlin’s broader national interests like political signaling, crisis response, and preserving perceived global reputation.
This has resulted in historically consequential attacks like disrupting Ukraine’s power grid in 2015-2016, the global NotPetya strike on Ukraine’s Constitution Day 2017, and the disruption of the 2018 Pyeongchang Olympics opening ceremony over Russia’s doping ban.
With high capabilities, risk tolerance, and a far-reaching mandate backing Russian foreign policy across governments, civil society, and critical infrastructure globally, APT44 presents a severe, persistent threat wherever Russian interests intersect.
Its aggressive cyber offense increases new attack concepts, likely lowering barriers for other state and non-state actors, a risk Russia itself appears concerned about based on observed defensive exercises.
APT44 is a well-known Russian-based advanced persistent threat group constituting a critical and growing international cyber threat.
For ten years, this group has been at the forefront when it comes to conducting cyber-attacks that are aimed at promoting the nationalist agenda of Russia, which focuses mainly on elections, sports events, and geopolitics.
The Ukraine war still continues, but APT44 has not shifted its concentration from the region as it may further the Kremlin’s global strategic goals, consequently perhaps impacting political dynamics, elections, and matters surrounding Russian neighboring countries.
Cloud computing and the use of mobile devices challenged the concept of a perimeter-based security model. The change in thinking started with the Jericho Forum in 2007 releasing the Jericho Forum Commandments for a de-perimiterised world where it’s assumed a network perimeter doesn’t exist.
John Kindervag, from Forrester Research, then came up with the term “zero trust” in 2010 and developed the phrase “never trust, always verify” . He identified zero trust as a model that removes implicit trust within a system boundary and continuously evaluates the risks by applying mitigations to business transactions and data flows at every step of their journey. The phrase “assume breach” is also often associated with zero trust and comes from the phrase “assume compromise” used by the US Department of Defense in the 1990’s.
The approach requires a combination of technologies, processes, practices, and cultural changes to be successfully implemented. It involves a fundamental shift in the way organizations approach cybersecurity. Traditional “castle and moat” security models assumed, after data passed through the perimeter, that everything inside a system could be implicitly trusted.
Zero trust basics
The zero-trust model assumes that all business transactions and data flows, whether originating from inside or outside the network, are potentially malicious. Every interaction in a business transaction or data flow must be continuously validated to ensure that only authorized users and devices can access sensitive business data. In effect, it moves the perimeter from the system boundary to the point at which identification, authentication, and authorization take place, resulting in identity becoming the new perimeter. The whole concept often gets simplified down to the “never trust, always verify” principle, but it’s more than that.
Zero-trust architecture requires a cultural shift that emphasizes the importance of security rather than just compliance throughout an organization. This means that implementing a zero-trust architecture involves not only the deployment of specific technologies but also the development of processes and practices that promote a data security first mindset across the organization, building on the data centric security approach we discussed earlier.
When architecting and developing security for a system, an architect should follow a set of principles, tenets, or simply a way of thinking to apply zero trust. Zero trust isn’t an end-to-end method, and a comprehensive approach requires integration with other architectural thinking techniques.
.webp)
.webp)
.webp)
.webp)
