Second Course Exam for Free – ISO 9001, ISO 14001, ISO 27001 & EU GDPR

I just wanted to inform you that, at the end of September, Advisera launched the “Second Course Exam for Free” promotional campaign. The campaign will start on September 22, and end on September 29, 2022.

Take the ISO 9001 course exam and get the ISO 14001, ISO 13485, or 45001 course exam for free


In this promotion the second course exam is completely FREE OF CHARGE.

The bundles are displayed on two landing pages, one with bundles related to ISO 9001 and another with bundles related to ISO 27001.

Take the ISO 27001 course exam and get the EU GDPR course exam for free

1/ ISO 9001-related bundles:

Foundations course exam bundles:

  • ISO 9001 Foundations exam + ISO 14001 Foundations exam
  • ISO 9001 Foundations exam + ISO 27001 Foundations exam
  • ISO 9001 Foundations exam + ISO 13485 Foundations exam
  • ISO 9001 Foundations exam + ISO 45001 Foundations exam
  • ISO 14001 Foundations exam + ISO 45001 Foundations exam

Internal Auditor course exam bundles:

  • ISO 9001 Internal Auditor exam + ISO 14001 Internal Auditor exam
  • ISO 9001 Internal Auditor exam + ISO 27001 Internal Auditor exam
  • ISO 9001 Internal Auditor exam + ISO 13485 Internal Auditor exam
  • ISO 9001 Internal Auditor exam + ISO 45001 Internal Auditor exam
  • ISO 14001 Internal Auditor exam + ISO 45001 Internal Auditor exam

Lead Auditor course exam bundles:

  • ISO 9001 Lead Auditor exam + ISO 14001 Lead Auditor exam
  • ISO 9001 Lead Auditor exam + ISO 13485 Lead Auditor exam
  • ISO 9001 Lead Auditor exam + ISO 45001 Lead Auditor exam
  • ISO 14001 Lead Auditor exam + ISO 45001 Lead Auditor exam

Lead Implementer course exam bundles:

  • ISO 9001 Lead Implementer exam + ISO 14001 Lead Implementer exam
  • ISO 9001 Lead Implementer exam + ISO 13485 Lead Implementer exam
  • ISO 9001 Lead Implementer exam + ISO 45001 Lead Implementer exam
  • ISO 14001 Lead Implementer exam + ISO 45001 Lead Implementer exam

2/ ISO 27001/EU GDPR-related bundles:

  • ISO 27001 Foundations exam + EU GDPR Foundations exam
  • ISO 27001 Foundations exam + ISO 9001 Foundations exam
  • ISO 27001 Internal Auditor exam + EU GDPR Data Protection Officer exam
  • ISO 27001 Internal Auditor exam + ISO 9001 Internal Auditor exam
  • ISO 27001 Lead Auditor exam + ISO 9001 Lead Auditor exam
  • ISO 27001 Lead Implementer exam + ISO 9001 Lead Implementer exam


How to Spot Your Biggest Security Threat? Just Look out for the Humans

As it turns out, it’s not some AI-powered machine learning super virus or pernicious and anonymous cybercrime syndicate. It’s not the latest and greatest in botnets, malware, or spyware either.

Sure, these can be scary, and they are worth protecting against. The headlines report the increased volume and velocity of security threats every other day. The risk is real, and companies need to take cybersecurity seriously.


But the greatest threat of all? Well, that would be humans. Look no further if you’re trying to identify your biggest cyber threats.

Humans: The Biggest Cyber Security Threats

When we say “humans,” you may assume we are talking about hackers and cybercriminals. After all, they are humans, too, right?

But no, we are talking about employees in your organization, not necessarily disgruntled or vengeful ones.

Verizon’s latest 2022 Data Breach Investigations Report showed that 82% of breaches involved the human element, including social attacks, errors, and misuse.

This is the 80/20 Rule (also known as the Pareto Principle) at work. In cybersecurity, 80% of your problems come from 20% of sources – in this case, human beings.

Whether using a weak, compromised password, clicking on a link in a phishing email, or accidentally setting sensitive cloud-based databases to “public,” your team is the weakest link in the chain.

Here’s a breakdown of the leading issues:

  • Credential problems account for nearly 50% of non-error, non-misuse breaches
  • Phishing accounts for nearly 20% of breaches
  • Nearly 20% of breaches are the result of misconfigured cloud accounts or emailing sensitive data to the wrong people
  • Vulnerability exploits account for less than 10% of attacks

The biggest cyber threats, therefore, cannot be prevented with a robust security technology infrastructure alone. Technology is critical but cannot always account for the human element.

3 Types of Internal Threats

The biggest security threat is humans, who make up your team. The majority are innocent, or at the very least well-meaning. But there are also those with malicious intent. Identifying the different types of internal threats is critical to your security plans.

These are the three types of internal threats to be aware of:

  1. Unintentional. Employees with poor cybersecurity training and habits can unintentionally compromise an organization’s security by clicking on a malicious link, trusting a spoofed website with their credentials, offering sensitive data to the wrong person, or otherwise. Proper cybersecurity training is key to mitigating risk.
  2. Malicious. This is the occasional disgruntled employee whose primary interest is personal or financial gain. Advanced technologies can help prevent internal threats such as these, but there is no way to read the minds of your employees, so as with cybersecurity in general, an ounce of prevention is worth a pound of cure.
  3. Accomplice. Employees can also collude with cybercriminals or other external parties to steal information from your company for personal gain. Limiting access to key data is critical to preventing scenarios like the “Wolf of Manchester,” who made thousands by selling customer data from an insurance company.

How To Prevent the Biggest Cyber Security Attacks

It’s critical to understand that the same hackers exploiting software vulnerabilities also exploit human vulnerabilities. Cybercriminals have grown wiser about human psychology and are waiting at every turn to seize upon the unsuspecting.

So, you can’t simply reallocate your resources from vulnerability management to in-house training programs. The key is finding a meaningful balance where good cybersecurity practices are baked into your IT security infrastructure.

Preventing the biggest security threat will mean developing a cybersecurity culture in your organization. Blanket policies and procedures are helpful, but they can fall short. Creating an entire culture of cybersecurity will ensure that best practices and good habits are adopted by all.

Naturally, this will mean investing in training. These are the key topics that should be addressed:

  • Password management
  • Phishing attacks, how they work, how to avoid them
  • Encryption and digital signing
  • Authentication
  • Creating backups
  • Best practices in sending personal or sensitive information
  • Account access and privileges as well as oversight and management

Note that if you don’t have all the resources and personnel necessary to handle the training internally, you can hire an outside party to lead it.

Cyber Security Threats and Challenges Facing Human Life

InfoSec Threats


Vendor Security Assessment

Assessing the security of network equipment.


This document provides guidance on how operators should assess the security of a vendor’s security processes and network equipment, and is referenced in the Telecom Security Act Code of Practice.

The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.

NCSC-Vendor-Security-Assessment

https://www.ncsc.gov.uk/report/vendor-security-assessment


Deep Insert – An ATM Skimmer Let Hackers Clone ATM Card & Steal 4-Digit PIN

It has been reported that a number of financial institutions in New York City are facing a surge of super-thin skimming devices known as “deep inserts”. This type of skimming device is inserted deep into the mouth of the slot on the ATM that accepts cards.

As a clever disguise, the card skimmers are paired with pinhole cameras hidden within the cash machine so that they appear to be part of it.

The insert skimmer is approximately 0.68 millimeters tall. That is thin enough to leave room for the ATM to accept and return the customer’s credit or debit card without disrupting the machine’s ability to retrieve the card.

Chip-card data or transactions are not snatched by these skimmers. However, most payment cards issued to American citizens still contain plain text cardholder data stored on the magnetic stripe.

Threat Actors’ Goal

In designing this skimmer, the thieves specifically sought the data stored on the magnetic stripe and the 4-digit PIN of the customer. 

According to the Krebs investigation report, with those two pieces of data the crooks can clone payment cards and use them to siphon money from victim accounts at other ATMs. The threat actors installed these skimming devices on ATMs made by NCR, the SelfServ 84 Walk-Up model.

Skimmer thieves sometimes embed pinhole spy cameras in fake panels above the PIN pads. Since financial institutions began incorporating NCR’s insert kit into their ATMs, most insert skimmer attacks have so far been successfully stopped.

The insert kit is a solution that NCR developed to mitigate such attacks. NCR is also field-testing a “smart detect kit”, which adds a USB camera to monitor the interior of the card reader, giving detection a photographic component.

As long as cardholder data continues to be stored in plain text on the magnetic stripe of payment cards, skimming devices will keep getting smaller and stealthier.

Whenever you are at a cash machine, avoid ATMs that look tampered with or are poorly lit, and cover the PIN pad with your hand while entering your PIN to defeat hidden cameras.


Imperva blocked a record DDoS attack with 25.3 billion requests

Cybersecurity company Imperva announced to have mitigated a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests.

Cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests on June 27, 2022. According to the experts, the attack marks a new record for Imperva’s application DDoS mitigation solution.

The attack targeted an unnamed Chinese telecommunications company and stands out for its duration: it lasted more than four hours and peaked at 3.9 million RPS.

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”


The Chinese telecommunications company was already targeted by large attacks in the past, and experts added that two days later a new DDoS attack hit its website, although the attack was shorter in duration.

The average rate for this record-breaking attack was 1.8 million RPS. Threat actors used HTTP/2 multiplexing, which packs multiple requests into a single connection, to send many requests at once over each individual connection.

The technique employed by the attackers is difficult to detect and can bring down targets using a limited number of resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This specific attack was launched from a botnet composed of almost 170,000 different IPs, including routers, security cameras and compromised servers. The compromised devices are located in over 180 countries, most of them in the US, Indonesia, and Brazil.
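The article notes that the multiplexing technique is hard to detect because each connection carries far more requests than a normal client would send. The following is an added example, not Imperva’s code or any real detection product, that aggregates a constructed access log per second and flags seconds where the request rate is high and a single connection is doing an unusual share of the work. The log format (timestamp, client IP, connection id, method, path) and the thresholds are assumptions sized for the toy data.

```python
"""Flagging HTTP/2 request-multiplexing floods in an access log (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed log lines, not real Imperva data. The format is an assumption
# for this example: "<timestamp> <client_ip> <connection_id> <method> <path>".
SAMPLE_LOG: List[str] = []
# Baseline traffic: three clients, one request each per second, one connection each.
for sec in range(1, 6):
    for i in range(3):
        SAMPLE_LOG.append(f"2022-06-27T10:00:0{sec} 198.51.100.{i} conn-{i}-{sec} GET /")
# Flood during second 3: four sources each push 25 requests down a single
# connection, the multiplexing pattern described above, scaled down to toy size.
for src in range(4):
    for n in range(25):
        SAMPLE_LOG.append(f"2022-06-27T10:00:03 203.0.113.{src} flood-{src} GET /api/item/{n}")


@dataclass
class SecondStats:
    requests: int                     # total requests seen in that second
    distinct_ips: int                 # distinct client addresses
    max_requests_per_connection: int  # busiest single connection


def summarize(lines: Iterable[str]) -> Dict[str, SecondStats]:
    """Aggregate per-second request rate, source diversity and per-connection fan-out."""
    per_sec_req: Counter = Counter()
    per_sec_ips = defaultdict(set)
    per_sec_conn = defaultdict(Counter)
    for line in lines:
        ts, ip, conn, _method, _path = line.split()
        per_sec_req[ts] += 1
        per_sec_ips[ts].add(ip)
        per_sec_conn[ts][conn] += 1
    return {
        ts: SecondStats(per_sec_req[ts], len(per_sec_ips[ts]), max(per_sec_conn[ts].values()))
        for ts in per_sec_req
    }


def flag_multiplexing_flood(stats: Dict[str, SecondStats],
                            rps_threshold: int = 20,
                            per_conn_threshold: int = 10) -> List[str]:
    """Return the seconds where the aggregate rate is high AND at least one
    connection carries far more requests than a browser would issue in one
    second. Thresholds are sized for the toy log; in production derive them
    from a per-endpoint baseline rather than hard-coding them."""
    return sorted(
        ts for ts, s in stats.items()
        if s.requests >= rps_threshold and s.max_requests_per_connection >= per_conn_threshold
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ts in flag_multiplexing_flood(stats):
        s = stats[ts]
        print(f"{ts}: {s.requests} req/s from {s.distinct_ips} IPs, "
              f"busiest connection {s.max_requests_per_connection} req")
```

Rate alone is a weak signal, since a legitimate traffic spike also raises it; combining it with the per-connection fan-out is what separates a multiplexing flood from ordinary load, and the distinct-IP count tells you whether you are looking at a botnet or a handful of misbehaving clients.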

On Monday, September 12, 2022, Akamai mitigated the largest DDoS attack ever that hit one of its European customers. The malicious traffic peaked at 704.8 Mpps and appears to originate from the same threat actor behind the previous record that Akamai blocked in July and that hit the same customer.

AWS Best Practices for DDoS Resiliency (AWS Whitepaper) 


What do SOC analysts need to be successful?

Gurucul announced the results of a survey of security professionals conducted at Black Hat USA 2022. Respondents indicated that insider threats were the most difficult type of attack for SOC analysts to detect, and that behavioral analytics was the technology they most often felt was missing and planned to add to the SOC in the near future.

The survey also found that a strong majority of respondents feel their SOC programs are improving, but that they needed more training, high-level talent in the SOC, better compensation, and more time off.

“Taken as a whole, these survey results suggest that organizations and security professionals understand that insider threats are a serious security risk and are working to improve their defenses by adding technologies like behavioral analytics and network traffic analysis,” said Saryu Nayyar, Gurucul’s CEO.

Other key findings from the survey include:

  • 27% of respondents identified insider threats as the most difficult attack to detect – the highest percentage across types.
  • More than 36% of respondents chose behavioral analytics as the technology they are currently missing that would most improve their SOC and more than 24% plan to invest budget into behavioral analytics solutions in the next year.
  • More than 17% of respondents plan to invest in Network Traffic Analysis technology in the next year.
  • 82% of security professionals feel their SOC programs are improving. Less than 5% said it was actively getting worse.
  • Tier 3 SOC analysts / threat hunters are the most in-demand role in the SOC (chosen by 31% of respondents), followed by Tier 2 Analysts (20%) and threat content creators (16%).
  • 39% of respondents feel that their organization is investing in enough training for the SOC, but 31% said they are not and 30% were undecided.
  • 35% of analysts need more than two weeks of time off to feel rejuvenated and 28% feel like they deserved a 20% raise.

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career


Netgear Router Models With FunJSQ Let Attackers Execute Arbitrary Code

The European security and compliance assessment company Onekey recently discovered that the FunJSQ module shipped in multiple Netgear router models allows an attacker to inject arbitrary code.

FunJSQ is a third-party gaming module developed by Xiamen Xunwang Network Technology to accelerate online games.

Along with routers, some Orbi WiFi Systems are also affected. The vulnerability is exploitable by an attacker who knows your WiFi password or whose computer is connected to the router by Ethernet cable.

Affected Routers and WiFi Systems

Below are all the affected router models and WiFi systems, together with the firmware versions in which each is fixed:

Routers:

  • R6230 fixed in firmware version 1.1.0.112
  • R6260 fixed in firmware version 1.1.0.88
  • R7000 fixed in firmware version 1.0.11.134
  • R8900 fixed in firmware version 1.0.5.42
  • R9000 fixed in firmware version 1.0.5.42
  • RAX120 fixed in firmware version 1.2.8.40
  • RAX120v2 fixed in firmware version 1.2.8.40
  • XR300 fixed in firmware version 1.0.3.72

Orbi WiFi Systems:

  • RBR20 fixed in firmware version 2.7.2.26
  • RBR50 fixed in firmware version 2.7.4.26
  • RBS20 fixed in firmware version 2.7.2.26
  • RBS50 fixed in firmware version 2.7.4.26

Illicit Actions

The FunJSQ gaming module does not have a secure update process. Update packages sent from the server to the FunJSQ module are only superficially checked.

Because the packages are unsigned, the device validates them only with a hash checksum.

There are a number of actions that an attacker can take to exploit the insecure communication channel, such as:

  • The data returned from the server can be tampered with.
  • Package contents are extracted with elevated privileges and placed in the root folder.
  • By taking control of the update package, it is possible to overwrite anything on the device.

Combined, these factors allow arbitrary code to be executed from the WAN interface.

CVE-2022-40620 has been assigned to the insecure update mechanism, and CVE-2022-40619 to the unauthenticated command injection flaw.
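The core defect above is that an unkeyed hash gives integrity but no authenticity: whoever can swap the package on the wire can recompute the hash too. The following is an added example, not FunJSQ’s or Netgear’s code, and the package bytes, metadata field names and update format are all constructed for illustration. It contrasts a hash-only check with a keyed check that an on-path attacker cannot satisfy. It uses an HMAC with a device-held secret because that is available in the Python standard library; a production firmware updater would instead verify an asymmetric signature against a vendor public key baked into the firmware, which gives the same property without sharing a secret with every device.

```python
"""Integrity-only vs. authenticated update verification (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample: an update package body. The name and contents are
# assumptions for this example, not a real FunJSQ package.
PACKAGE = b"funjsq-update-1.2.3\n# hypothetical payload bytes\n"


def serve_update(package: bytes, key: Optional[bytes] = None) -> Dict[str, object]:
    """Build what the server ships: the package, a sha256 digest and, when a
    key is supplied, a keyed tag binding the package to that key."""
    meta: Dict[str, object] = {"package": package,
                               "sha256": hashlib.sha256(package).hexdigest()}
    if key is not None:
        meta["tag"] = hmac.new(key, package, hashlib.sha256).hexdigest()
    return meta


def verify_hash_only(meta: Dict[str, object]) -> bool:
    """The weak check: recompute the digest over whatever arrived. Anyone who
    can alter the package can also recompute this digest, so it proves nothing
    about who produced the package."""
    expected = hashlib.sha256(meta["package"]).hexdigest()
    return hmac.compare_digest(expected, meta["sha256"])


def verify_authenticated(meta: Dict[str, object], key: bytes) -> bool:
    """The stronger check: the tag is only computable with the key the device
    trusts, so an on-path attacker cannot forge a package that passes."""
    tag = meta.get("tag")
    if tag is None:
        return False
    expected = hmac.new(key, meta["package"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def tamper(meta: Dict[str, object], replacement: bytes) -> Dict[str, object]:
    """Simulate an on-path attacker who swaps the package and refreshes the
    unkeyed digest so that an integrity-only check still passes."""
    forged = dict(meta)
    forged["package"] = replacement
    forged["sha256"] = hashlib.sha256(replacement).hexdigest()
    return forged


def demo() -> Dict[str, bool]:
    """Run both checks against a genuine and a tampered package."""
    key = secrets.token_bytes(32)  # stand-in for a secret the device trusts
    genuine = serve_update(PACKAGE, key)
    forged = tamper(genuine, b"funjsq-update-1.2.3\n# attacker-modified payload\n")
    return {
        "hash_only_accepts_genuine": verify_hash_only(genuine),
        "hash_only_accepts_forged": verify_hash_only(forged),
        "authenticated_accepts_genuine": verify_authenticated(genuine, key),
        "authenticated_accepts_forged": verify_authenticated(forged, key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged package sails through the hash-only check and is rejected by the keyed check, which is exactly the gap the advisory describes. Note also that `tamper` leaves the old tag in place; a real verifier should treat a missing or stale tag as a failure, as `verify_authenticated` does, rather than falling back to the hash.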

Download the Latest Firmware

  • To begin with, you will need to visit the NETGEAR Support page.
  • In the search box, you will need to enter your model number.
  • Once the drop-down menu appears, you can select the model you are looking for from it.
  • After that, click on the Downloads tab.
  • If the title of your first download starts with the firmware version under Current Versions, then pick that one.
  • The next thing you need to do is click the Release Notes button.
  • For instructions on downloading and installing the new firmware, please refer to the firmware release notes.

Netgear has not yet published a workaround for this vulnerability, and strongly recommends downloading the latest firmware as soon as possible.

ISO 27001 Internal Audit

DISC LLC presents a phase approach to deliver ISO 27001 Internal Audit services to SaaS businesses. 


The Engagement:

We understand that your core business is your SaaS application and you desire an audit.  The audit is to be an independent assessment of the company’s ISMS, to measure the maturity of the program, to identify if the program is ready to pass the certification audit for ISO 27001:2013 certification, and provide strategic guidance for achieving the certification.  Our focus will be your application which is hosted at AWS/Azure and you have xxx employees who create, maintain, and manage the application.

The audit will be conducted remotely and we will have a dedicated contact person assigned to our audit team to facilitate access to documentation, records, and select staff for interviews.  We will complete your standard audit process documentation according to the ISO 27001 standard. 

The Plan:

Below is our high-level audit plan for your ISO 27001 internal audit.  We propose a staged and flexible approach so we may progressively tune our audit process to deliver maximum business value to you.

Phase 1: This phase starts within one week of signing an engagement contract.  The first step is a kickoff meeting to discuss the overall audit engagement, to finalize the formal audit plan, and to establish access to the documents to be reviewed. We will review the available documents against the ISO 27001 standard. At the end of this phase we will present our findings in a briefing session.

Phase 2: The Phase 2 kickoff will build on the document review and coordinate the scheduling of interviews that focus on critical processes, to establish the degree to which the various control procedures have been activated. This is a critical part of the audit process. We will measure the maturity of the required controls that have been implemented and present the findings in another review session (schedule subject to availability for interviews). 

Phase 3: Recommendations will be the focus of this phase.  This will also start with a kickoff meeting to establish a coordinated plan for what measures are already planned and what new measures are required to actually pass (to-be state) the certification audit.  This final step can save you a lot of effort as we can help you navigate to the end goal of passing the audit and also create the precise measures that have maximum business value.  The closing meeting of this phase will present our collective recommendations.

All of the efforts outlined above are aligned to a compliant internal audit process with a few enhancements that are value-add.  These audit records will likely be a primary target of the certification audit so they need to be well executed.  Your controls also have to be tailored to your business. We can help get you certified but that doesn’t mean you are actually secure.  We can help you do both.  Missing the secure part would be devastating to you and to all of your customers. This is our value-add. 

Check out our latest articles on ISO 27001/2

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

email: Info@DeuraInfoSec.com


Critical Flaws in Airplanes WiFi Access Point Let Attackers Gain Root Access

Two critical vulnerabilities have been found recently in the wireless LAN devices of Contec. These critical vulnerabilities were discovered by the cybersecurity analysts, Samy Younsi and Thomas Knudsen of Necrum Security Lab.

The FLEXLAN FXA2000 and FXA3000 series from CONTEC are primarily used as WiFi access points in airplane installations.

These devices offer high-speed connectivity during flights for purposes such as:

  • Movies
  • Music
  • Buying food
  • Buying goodies

SMBs are hardest-hit by ransomware

Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealing that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid.

During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021.

“Across industries, we continue to see high-profile attacks targeting organizations with weak or exposed infrastructure — which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Catherine Lyle, Coalition’s Head of Claims.

“Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential, and they must understand that Active Insurance is accessible.”

The good news: both Coalition and the broader insurance industry observed a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37M in H2 2021 to $896,000 in H1 2022. Of the incidents that resulted in a payment, Coalition negotiated down to roughly 20% of the initial demand.

More good news: Coalition policyholders experienced 50% fewer claims compared to the broader market. The severity of these claims has also declined, with 45% of incidents resolved at no cost. The substantial decrease in overall claims stems from Coalition’s combination of cybersecurity tools, including active monitoring and alerting, access to digital forensics and incident response, and broad insurance coverage.

“Organizations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means,” said Chris Hendricks, Coalition’s Head of Incident Response. “As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed – and only continues to grow.”

Other key findings:

  • Phishing triggers the majority of cyber incidents, accounting for 57.9% of reported claims
  • Cyber gangs have built a thriving business
  • Funds transfer fraud (FTF) claims have held steady thanks to phishing, and
  • Microsoft Exchange has become the vulnerability that persists.


Cybersecurity for Small and Midsize Businesses


scanless – A Pentesting Tool to Perform Anonymous open Port Scan on Target Websites

Network penetration testing assesses the network’s security posture by discovering open ports, probing live systems and services, and grabbing system banners.

A port scanner is an application used to find open ports on a server or host. Open ports are a common entry point for attackers to get in and install malicious backdoors.

scanless is a command-line utility that uses public port-scanning websites to perform open-port scans on your behalf. In the early stages of a penetration test it lets you run an open port scan against a set of hosts without the scan traffic originating from your own IP address.

Port Scanners Supported

  • yougetsignal
  • viewdns
  • hackertarget
  • ipfingerprints
  • pingeu
  • spiderip
  • portcheckers
  • t1shopper

Open Port Scanner

The tool is simple and easy to use, returns results in minutes, and keeps your own address out of the scan. You can download it from GitHub.

To install scanless and show its help:

sudo pip install scanless
scanless --help

To list all the supported scanners

scanless -l


To Run Scan 

scanless -s yougetsignal -t domain.com


scanless -s pingeu -t domain.com


Author : Austin Jackson


Uber Downplays Data Breach Impact, Claims No Sensitive Data Stolen

Uber is downplaying a data breach that occurred on Thursday, saying that no sensitive data was exposed.

Tool for defining the ISO 27001 ISMS scope


Free tool | *Tool for defining the ISO 27001 ISMS scope*

What is ISO 27001 Information Classification?

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

What is ISO 27001 Information Classification?

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

The challenges of achieving ISO 27001

Risk Management document templates


Critical Vulnerabilities Found in Devices That Provide WiFi on Airplanes

The Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE-2022-36158 and CVE-2022-36159.

Necrum Security Labs’ researchers Samy Younsi and Thomas Knudsen have discovered two critical vulnerabilities in the wireless LAN devices manufactured by Contec. The company specializes in industrial automation, computing, and IoT communication technology.

Research Details

Reportedly, the Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE-2022-36158 and CVE-2022-36159.

For your information, these devices are used in airplanes to offer internet connectivity. The abovementioned series of devices offer WiFi access points in airplanes to ensure uninterrupted high-speed internet communication so that passengers could enjoy music, movies, and even purchased goodies during the flight. Hence, these vulnerabilities can allow an adversary to hack the inflight entertainment system and more.

FXA2000 (left) and FXA3000 (right)

Researchers discovered the first vulnerability (CVE-2022-36158) while reverse engineering the firmware. They identified a hidden page that is not listed in the Wireless LAN Manager interface. This page allows Linux commands to be executed on the device with root privileges. They could then access all system files and open the telnet port to gain complete access to the device.

The second vulnerability (CVE-2022-36159) entailed the use of hard-coded, weak cryptographic keys and backdoor accounts. While investigating, they also found that the shadow file contained the hashes of two users, root and user, and within a few minutes they recovered the passwords through a brute-force attack.

How to Fix the Issues?

In their blog post, the researchers explained that the device owner can only change the user account’s password from the web admin interface, which is the primary reason these flaws matter. The root account is reserved for Contec for maintenance purposes.

Therefore, an attacker armed with the root hard-coded password can conveniently access all FXA2000 and FXA3000 series devices.

In order to fix the first issue, the hidden engineering web page must be removed from the under-production devices because the default password is weak and makes it easy for an attacker to inject a backdoor into the device using this page.

Furthermore, the company needs to generate a unique password for each device during the production phase for the second issue.

As pointed out by Eduard Kovacs of SecurityWeek, Contec explained in its advisory that the vulnerabilities are connected to a private webpage created for developers to execute system commands, and that the page is not linked from other pages available to users. These vulnerabilities have been addressed in version 1.16.00 for the FXA3000 series and 1.39.00 for FXA2000 series devices.
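The recommended fix above, a unique password per device generated at production time, is something a firmware security reviewer can check for directly: if the same account hash appears in every extracted image, the credential is hard-coded. The following is an added example, not Contec’s or the researchers’ code, that audits shadow-file entries pulled from several firmware images and reports shared hashes, empty password fields, and fast legacy hash schemes that make brute force cheap. The image names and every hash string are constructed placeholders, not values from the devices in the article.

```python
"""Auditing extracted firmware /etc/shadow entries for shared or weak credentials (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: shadow lines "extracted" from three hypothetical firmware
# images. Every hash below is a made-up placeholder, not real device data.
FIRMWARE_SHADOW: Dict[str, List[str]] = {
    "image-A": [
        "root:$1$abcdefgh$FAKEHASHFAKEHASHFAKEHASHF:19000:0:99999:7:::",
        "user:$1$ijklmnop$FAKEHASHFAKEHASHFAKEHASHG:19000:0:99999:7:::",
        "daemon:*:19000:0:99999:7:::",
    ],
    "image-B": [
        "root:$1$abcdefgh$FAKEHASHFAKEHASHFAKEHASHF:19000:0:99999:7:::",  # same as image-A
        "user:$6$uniqueSalt$DIFFERENTFAKEHASHPERDEVICE:19000:0:99999:7:::",
        "svc::19000:0:99999:7:::",                                        # empty password field
    ],
    "image-C": [
        "root:$1$abcdefgh$FAKEHASHFAKEHASHFAKEHASHF:19000:0:99999:7:::",  # same again
        "user:$6$otherSalt$ANOTHERFAKEHASHPERDEVICE:19000:0:99999:7:::",
    ],
}

# Schemes cheap enough that a few minutes of brute force is realistic.
FAST_SCHEMES = {"md5crypt", "descrypt"}


def classify_hash(field: str) -> str:
    """Name the crypt(3) scheme from the password field's prefix."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if field.startswith(("$y$", "$7$")):
        return "yescrypt"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if "$" not in field and len(field) == 13:
        return "descrypt"
    return "unknown"


def audit(images: Dict[str, List[str]]) -> Dict[str, object]:
    """Report hashes shared across images (hard-coded credentials), accounts
    with no password, and accounts protected by a fast legacy scheme."""
    hash_owners: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    empty: List[Tuple[str, str]] = []
    weak: List[Tuple[str, str, str]] = []
    for image, lines in images.items():
        for line in lines:
            account, field = line.split(":", 2)[:2]
            scheme = classify_hash(field)
            if scheme == "empty":
                empty.append((image, account))
            elif scheme in FAST_SCHEMES:
                weak.append((image, account, scheme))
            if scheme not in ("empty", "locked"):
                hash_owners[(account, field)].append(image)
    # An identical salted hash in more than one image means the same password
    # was baked into all of them, the opposite of a per-device secret.
    shared = {acct: imgs for (acct, _h), imgs in hash_owners.items() if len(imgs) > 1}
    return {"shared": shared, "empty": empty, "weak_scheme": weak}


if __name__ == "__main__":
    report = audit(FIRMWARE_SHADOW)
    print("shared across images:", report["shared"])
    print("empty password:", report["empty"])
    print("fast hash scheme:", report["weak_scheme"])
```

Because crypt-style hashes are salted, two images only produce the same hash string when the same salt and password were copied into both, so a match across images is a reliable hard-coded-credential indicator without ever cracking anything. The `user` account here illustrates the fixed state: a per-device salt and hash under a slower scheme.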

WiFi 6: Protocol and Network


Akamai Mitigated Record-Breaking DDoS Attack Against European Customer

On Monday, 12th September 2022, cybersecurity firm Akamai mitigated a distributed denial of service attack (DDoS Attack), which has been declared a record-breaking attack in terms of packets-per-second compared to the attack Akamai recorded in July.

For your information, in a DDoS attack cybercriminals bombard servers with fake requests and traffic to prevent legitimate visitors from accessing their services.

The primary targets of the attack Akamai recorded recently were European companies. It peaked at 704.8 million packets per second, marking the second attack on such a massive scale against the same customer within a short span of three months.

According to Akamai’s Craig Sparling, prior to June 2022, this customer only saw attack traffic against its primary data center. However, unexpectedly, the attack campaign expanded, hitting six different global locations, from Europe to North America.

“Akamai Prolexic’s DDoS specialization culture, focus on customer infrastructure designs, and history are rooted in defending the most complex, multifaceted attacks, and our platform is equipped with purpose-built tooling for rapid threat mitigation, even in the ‘fog of war.’”

Sean Lyons, Senior Vice President and General Manager of Infrastructure Security

The attack was thwarted on the same day it was identified. Though not the largest DDoS attack ever, this one raised eyebrows because it was the largest attack against European organizations. The attackers used UDP as their primary DDoS vector, alongside ICMP, SYN and RESET floods, TCP anomalies, and PUSH floods.

Attackers managed to target more than 1,800 IP addresses of a single organization, and the attack was dispersed at six different locations. Akamai noted that this attack originated from the same threat actor that targeted it previously, while the target is also the same unnamed customer based in Eastern Europe.

Previously, the attacker had targeted the company’s primary data center; this time, they were able to hit six data center locations in North America and Europe.

Akamai Mitigated a Massive DDoS Attack Against its European Customer

As shown above, Akamai recorded a massive 659.6 million packets per second (Mpps) DDoS attack back in July; the latest attack was 7% larger. The company received 74 DDoS attacks before July and around 200 afterward. Akamai stated that this campaign shows attackers continuously improving their techniques to evade detection.
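Every vector named above (UDP, ICMP, SYN, RESET and PUSH floods) is distinguishable from protocol and TCP flags alone, which is why per-vector packet-rate counting is the usual first step in triaging this kind of attack. The following is an added example, not Akamai's or Prolexic's code: it counts packets per second, per destination and per vector, over a constructed packet sample and flags any rate at or above an illustrative threshold. The record format, the 200 pps threshold and the 203.0.113.10 target address are assumptions made for the example; real deployments baseline rates per customer and per service.

```python
"""Packet-rate flood detection, per vector, over a constructed packet sample.

Added example (not Akamai code). A packet record is a whitespace-separated
line: '<epoch_second> <proto> <tcp_flags_or_-> <dst_ip>'.
"""
from collections import Counter

# Illustrative alert threshold in packets per second (an assumption).
PPS_THRESHOLD = 200


def vector_of(proto: str, flags: str) -> str:
    """Map protocol and TCP flags onto the vector names used in the post."""
    if proto == "UDP":
        return "UDP"
    if proto == "ICMP":
        return "ICMP"
    if proto == "TCP":
        if flags == "S":          # bare SYN, no ACK: connection-request flood
            return "SYN"
        if "R" in flags:          # RST-bearing segments
            return "RST"
        if "P" in flags:          # PSH-bearing segments
            return "PSH"
        return "TCP-other"
    return "other"


def parse_record(line: str):
    """Split one record into (second, proto, flags, dst)."""
    ts, proto, flags, dst = line.split()
    return int(ts), proto, flags, dst


def detect_floods(lines, threshold: int = PPS_THRESHOLD):
    """Count packets per (second, destination, vector) and flag rates >= threshold.

    Returns (alerts, peak_pps). alerts is a sorted list of
    (second, dst, vector, packets); peak_pps is the largest number of packets
    seen in any single second, the unit the post sizes the attack in.
    """
    per_vector = Counter()
    per_second = Counter()
    for line in lines:
        ts, proto, flags, dst = parse_record(line)
        per_vector[(ts, dst, vector_of(proto, flags))] += 1
        per_second[ts] += 1
    alerts = sorted(
        (ts, dst, vec, n)
        for (ts, dst, vec), n in per_vector.items()
        if n >= threshold
    )
    peak_pps = max(per_second.values(), default=0)
    return alerts, peak_pps


def constructed_sample():
    """Synthetic capture (constructed, not real telemetry): normal traffic
    plus a SYN flood in second 1 and a UDP flood in second 2."""
    target = "203.0.113.10"      # documentation-range address, an assumption
    lines = []
    lines += [f"1 TCP A {target}"] * 50     # ordinary ACKs
    lines += [f"1 TCP S {target}"] * 300    # SYN flood
    lines += [f"2 UDP - {target}"] * 400    # UDP flood
    lines += [f"2 TCP PA {target}"] * 30    # ordinary data segments
    lines += [f"3 ICMP - {target}"] * 5     # a few pings, below threshold
    return lines


if __name__ == "__main__":
    found, peak = detect_floods(constructed_sample())
    for sec, dst, vec, count in found:
        print(f"t={sec}s dst={dst} {vec} flood: {count} pps")
    print(f"peak total rate: {peak} pps")
```

Keying the counters on destination as well as vector is what lets a single run surface both the "1,800 IP addresses of one organization" spread and the per-vector mix; in a real pipeline the same counters would be fed from flow exports rather than from an in-memory list.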


Browser-in-the-browser attacks

Researchers at threat intelligence company Group-IB just wrote an intriguing real-life story about an annoyingly simple but surprisingly effective phishing trick known as BitB, short for browser-in-the-browser.

You’ve probably heard of several types of X-in-the-Y attack before, notably MitM and MitB, short for manipulator-in-the-middle and manipulator-in-the-browser.

In a MitM attack, the attackers who want to trick you position themselves somewhere “in the middle” of the network, between your computer and the server you’re trying to reach.

(They might not literally be in the middle, either geographically or hop-wise, but MitM attackers are somewhere along the route, not right at either end.)

The idea is that instead of having to break into your computer, or into the server at the other end, they lure you into connecting to them instead (or deliberately manipulate your network path, which you can’t easily control once your packets exit from your own router), and then they pretend to be the other end – a malevolent proxy, if you like.

They pass your packets on to the official destination, snooping on them and perhaps fiddling with them on the way, then receive the official replies, which they can snoop on and tweak for a second time, and pass them back to you as though you’d connected end-to-end just as you expected.

If you’re not using end-to-end encryption such as HTTPS to protect both the confidentiality (no snooping!) and the integrity (no tampering!) of the traffic, you are unlikely to notice, or even to be able to detect, that someone else has been steaming open your digital letters in transit and sealing them up again afterwards.
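The integrity half of that sentence is the part people tend to underrate, so here is an added example (not from the Sophos article or from Group-IB) that makes it concrete: a constructed relay standing in for the manipulator in the middle rewrites a field in a message, and the receiver only notices when the message carries a keyed integrity tag it can check. The relay, the `payee=` message format and the shared key are assumptions for the example; HMAC-SHA256 is used as the smallest possible integrity mechanism, and gives no confidentiality. TLS, as used by HTTPS, provides both properties and negotiates the key for you.

```python
"""Why integrity protection matters against a manipulator in the middle.

Added example, not from the Sophos article. The relay below is a constructed
stand-in for an attacker's proxy; seal/open_sealed use HMAC-SHA256 as a
minimal integrity tag.
"""
import hashlib
import hmac

# Constructed shared secret; a real protocol derives one per session.
SHARED_KEY = b"example-session-key"


def seal(key: bytes, message: bytes) -> bytes:
    """Append a hex HMAC-SHA256 tag so any in-transit edit is detectable."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def open_sealed(key: bytes, frame: bytes):
    """Split frame into (message, verified). verified is False on any mismatch.

    rpartition is safe even if the message itself contains '|' because the
    hex tag never does."""
    message, sep, tag = frame.rpartition(b"|")
    if not sep:
        return frame, False
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message, hmac.compare_digest(expected, tag)


def malicious_relay(frame: bytes) -> bytes:
    """Constructed 'in the middle' proxy: forwards traffic but rewrites the payee.

    It cannot recompute the tag because it does not hold the key."""
    return frame.replace(b"payee=alice", b"payee=mallory")


def unauthenticated_exchange(message: bytes) -> bytes:
    """Plain message through the relay: the receiver gets the edited copy and
    has nothing to check it against."""
    return malicious_relay(message)


def authenticated_exchange(key: bytes, message: bytes):
    """Sealed message through the relay: the edit survives, verification fails."""
    return open_sealed(key, malicious_relay(seal(key, message)))


if __name__ == "__main__":
    msg = b"payee=alice&amount=100"
    print("no integrity tag ->", unauthenticated_exchange(msg))
    got, ok = authenticated_exchange(SHARED_KEY, msg)
    print("with HMAC tag    ->", got, "verified:", ok)
```

Note that `open_sealed` still returns the tampered message; the receiver's job is to act on `verified` and discard it, which is exactly what a TLS stack does for you when a record fails its authentication check.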

More details: Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t!


5 Kali Linux books you should read this year

Advanced Security Testing with Kali Linux

Independently published / Author: Daniel Dieterle


This book covers the more intermediate and advanced uses of the Kali Linux pentesting distribution. You will learn topics like:

  • The MITRE ATT&CK Framework
  • Command & Control (C2) frameworks
  • In-depth network scanning
  • Web app pentesting
  • Advanced techniques like “Living off the Land”
  • AV bypass tools
  • Using IoT devices in security

Kali Linux Penetration Testing Bible

Wiley / Author: Gus Khawaja


This book is the hands-on and methodology guide for pentesting with Kali Linux. You’ll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.

  • Build a modern dockerized environment
  • Discover the fundamentals of the bash language in Linux
  • Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
  • Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation
  • Apply practical and efficient pentesting workflows
  • Learn about modern web application security and the secure SDLC
  • Automate your penetration testing with Python

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali

No Starch Press / Author: OccupyTheWeb


If you’re getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for Hackers is an excellent first step. Using Kali Linux, an advanced penetration testing distribution of Linux, you’ll learn the basics of using the Linux operating system and acquire the tools and techniques you’ll need to take control of a Linux environment.

First, you’ll learn how to install Kali on a virtual machine and get an introduction to basic Linux concepts. Next, you’ll tackle broader Linux topics like manipulating text, controlling file and directory permissions, and managing user environment variables. You’ll then focus in on foundational hacking concepts like security and anonymity and learn scripting skills with bash and Python. Practical tutorials and exercises throughout will reinforce and test your skills as you learn how to:

  • Cover your tracks by changing your network information and manipulating the rsyslog logging utility
  • Write a tool to scan for network connections, and connect and listen to wireless networks
  • Keep your internet activity stealthy using Tor, proxy servers, VPNs, and encrypted email
  • Write a bash script to scan open ports for potential targets
  • Use and abuse services like MySQL, Apache web server, and OpenSSH
  • Build your own hacking tools, such as a remote video spy camera and a password cracker

Mastering Kali Linux for Advanced Penetration Testing, 4th Edition

Packt Publishing / Author: Vijay Kumar Velu


In this book you’ll learn an offensive approach to enhance your penetration testing skills by testing the sophisticated tactics employed by real hackers. You’ll go through laboratory integration to cloud services so that you learn another dimension of exploitation that is typically forgotten during a penetration test. You’ll explore different ways of installing and running Kali Linux in a VM and containerized environment and deploying vulnerable cloud services on AWS using containers, exploiting misconfigured S3 buckets to gain access to EC2 instances.

This book delves into passive and active reconnaissance, from obtaining user information to large-scale port scanning. Building on this, different vulnerability assessments are explored, including threat modeling. See how hackers use lateral movement, privilege escalation, and command and control (C2) on compromised systems. By the end of this book, you’ll have explored many advanced pentesting approaches and hacking techniques employed on networks, IoT, embedded peripheral devices, and radio frequencies.

For more information about this book, we have a video with the author you can watch here.

The Ultimate Kali Linux Book – 2nd Edition

Packt Publishing / Author: Glen D. Singh


This is a comprehensive guide for those who are new to Kali Linux and penetration testing that will have you up to speed in no time. Using real-world scenarios, you’ll understand how to set up a lab and explore core penetration testing concepts.

Throughout this book, you’ll focus on information gathering and even discover different vulnerability assessment tools bundled in Kali Linux. You’ll learn to discover target systems on a network, identify security flaws on devices, exploit security weaknesses and gain access to networks, set up Command and Control (C2) operations, and perform web application penetration testing. In this updated second edition, you’ll be able to compromise Active Directory and exploit enterprise networks.

Finally, this book covers best practices for performing complex web penetration testing techniques in a highly secured environment.


Organizations should fear misconfigurations more than vulnerabilities

Censys launched its State of the Internet Report, a holistic view into internet risks and organizations’ exposure to them.

Through careful examination of which ports, services, and software are most prevalent on the internet and the systems and regions where they run, the research team discovered that misconfigurations and exposures represent 88% of the risks and vulnerabilities across the internet.

“Assessing the state of the internet is crucial in understanding an organization’s own risks and exposures,” said Zakir Durumeric, Chief Scientist of Censys.

Key findings

  • Misconfigurations – including unencrypted services, weak or missing security controls and self-signed certificates – make up roughly 60% of observed risks. When analyzing the risk profile of organizations across industries, missing common security headers accounted for the primary security error.
  • Exposures of services, devices, and information represent 28% of observed risks. This includes everything from accidentally exposed databases to exposed devices.
  • Critical vulnerabilities and advanced exploits only represent 12% of observed risks. When analyzing organizations by industry, the Computer and Information Technology industry had the widest spread of different risks, while Freight Shipment and Postal Services had the second widest.
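Since missing security headers were the single most common error in the Censys data, the check that matters most is also the cheapest to automate. The following is an added example, not Censys's scanner or scoring: it parses a raw HTTP response head, reports which of five widely recommended headers are absent, and flags a few obviously weak values. The set of headers, the one-year HSTS baseline and the three sample responses are this example's own assumptions and constructed data.

```python
"""Audit an HTTP response for commonly recommended security headers.

Added example; the header set and the 'weak value' rules are this example's
own choices, not Censys's methodology.
"""
import re

# Headers checked, with a one-line note on what each one prevents.
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS on later visits (HSTS)",
    "content-security-policy": "limits script/resource origins",
    "x-content-type-options": "stops MIME sniffing",
    "x-frame-options": "blocks clickjacking via framing",
    "referrer-policy": "limits URL leakage in Referer",
}
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds; a common baseline, assumed here


def parse_response_head(raw: str) -> dict:
    """Parse 'status line + header lines' into a dict keyed by lowercase name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> dict:
    """Return {'missing': [...], 'weak': [...]} for one parsed response."""
    missing = sorted(h for h in EXPECTED_HEADERS if h not in headers)
    weak = []
    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            weak.append("strict-transport-security: max-age below one year")
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        weak.append("x-content-type-options: expected 'nosniff'")
    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("x-frame-options: expected DENY or SAMEORIGIN")
    return {"missing": missing, "weak": weak}


# Constructed sample responses (not captured from any real host).
BARE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
"""

HALF_DONE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
"""

if __name__ == "__main__":
    samples = [("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE),
               ("half-done", HALF_DONE_RESPONSE)]
    for label, raw in samples:
        print(label, audit_headers(parse_response_head(raw)))
```

The "half-done" sample is the case worth keeping in a regression suite: a header that is present but set to a value the browser will ignore (an HSTS max-age of five minutes, an unrecognised `X-Frame-Options` value) passes a naive presence check while giving none of the protection.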

Researchers also conducted a holistic assessment of the internet’s response to three major vulnerabilities – Log4j, GitLab and Confluence – to understand mitigation strategies based on how a vulnerability is perceived. From this analysis, Censys learned how the internet responds differently to vulnerability disclosures.

Three distinct types of behavior in response to vulnerability disclosures

  • Near-immediate upgrading: Systems vulnerable to Log4j were patched quickly, driven by the widespread coverage of the vulnerability. By March 2022, Censys observed that only 36% of potentially vulnerable services were left unpatched.
  • Upgrading only once the vulnerability is being actively and widely exploited: While the GitLab vulnerability was being exploited, remediation proceeded more slowly than for the others until researchers discovered a botnet composed of thousands of compromised GitLab servers participating in DDoS campaigns.
  • Near-immediate response by taking the vulnerable instance off the internet entirely: Rather than upgrading, users chose to remove assets from the internet altogether after Confluence’s vulnerability became public, between June 2021 and March 2022.

The internet constantly evolves as new technologies emerge, vulnerabilities are discovered, and organizations expand their operations that interact with the internet. Security teams have the responsibility to protect their organizations’ digital assets and need proper visibility into the entire landscape to do so.

Although vulnerabilities often garner the bigger headlines, it’s undetected misconfigurations and exposures that create the most risk for an organization, making it important to regularly assess any new hosts or services that appear in your infrastructure. Regardless of vulnerability type, providing organizations with the visibility and tools needed to strengthen their security posture introduces a proactive, more vigilant approach to digital risk management.


Risk Management document templates

Risk Assessment and Risk Treatment Methodology

The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

There are 3 appendices related to this document. The appendices are not included in the price of this document and can be purchased separately.

Risk Assessment Table

The purpose of this table is to list all information resources, vulnerabilities and threats, and assess the level of risk. The table includes catalogues of vulnerabilities and threats.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately.

Risk Treatment Table

The purpose of this table is to determine options for the treatment of risks and appropriate controls for unacceptable risks. This table includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately.

Risk Assessment and Treatment Report

The purpose of this document is to give a detailed overview of the process and documents used during risk assessment and treatment.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately.

Statement of Applicability

The purpose of this document is to define which controls are appropriate to be implemented in the organization, what are the objectives of these controls, how they are implemented, as well as to approve residual risks and formally approve the implementation of the said controls.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Risk Treatment Plan

The purpose of this document is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Toolkit below contains all the documents above


Top 3 data security risks facing businesses

There are many ways that data security risks can occur, and it is important to be aware of them in order to protect our information.

Data security issues, continuous data breaches, and advanced cyber-criminal activity make it harder for businesses to stay updated with the latest strategy to keep their accounts and customer data protected.

We continue to see companies, small or large, being targeted by cybercriminals. According to Nexor, the UK experienced a 31% rise in cyber-attacks during the height of the pandemic in May and June 2020.

Cybercrimes, from malware, insider threats and stolen data to hacked systems, will always be a threat, so how can companies ensure they are prepared for security risks as technology and cybercriminals continue to advance? We take a look at the top 3 data security risks businesses are facing.

1) Lack of resources to deter cyber threats

Hackers and companies alike are aware of the weaknesses in IT infrastructures and computer systems, but it is the business’s responsibility to ensure its systems are guarded against unauthorised access and are not exposed to cybercriminal threats through insecure internal networks and software.

A report produced in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office estimates the cost of cybercrime to the UK at £27bn per annum.

As demand for cyber professionals rises, so does anxiety in business, because there is a shortage of IT security professionals with the right IT and cyber security skills. The (ISC)² 2021 Cybersecurity Workforce Study states that the global cybersecurity skills shortage has fallen for the second consecutive year, but the workforce is still 65% below what it needs to be. (ISC)² CEO Clar Rosso shares her thoughts:

“Any increase in the global supply of cybersecurity professionals is encouraging, but let’s be realistic about what we still need and the urgency of the task before us…The study tells us where talent is needed most and that traditional hiring practices are insufficient. We must put people before technology, invest in their development, and embrace remote work as an opportunity. And perhaps most importantly, organizations must adopt meaningful diversity, equity, and inclusion practices to meet employee expectations and close the gap.”

A UK government report published last year found that 48% of organisations lacked the expertise to complete routine cyber security practices, and 30% had skills gaps in more advanced areas such as penetration testing, forensic analysis and security architecture.

With a high demand for security professionals and a shortage in skills, could cyber criminals be a few steps ahead? 

Many businesses, especially small ones, lack the capability and expertise to withstand a cyber security attack. Finding the right talent and investing in skills can be a challenge, but there are consultants who specialise in working with various types of businesses and can add value, help put the right data protection strategies in place and provide businesses with the best tools and training.

Guard Wisely are independent data security specialists trusted by organisations to solve their biggest compliance, security, operations and BAU challenges. They have delivered many successful security projects to a wide variety of enterprise customers globally and over 180,000 employees.

2) Technology continues to accelerate 

The pandemic fast-forwarded the need for digitalisation, and the sudden change to remote working meant that more data was being shared across unsecure cloud environments, kept on networks and employee desktops. This meant an increased risk for businesses as they figured out how to maintain data security in a hybrid work environment.

We have seen that everything and everyone is connecting through the Internet, and wireless capabilities are bringing innovation to all areas of business and general life at unprecedented speed. 

With remote and hybrid working being a part of the future of work, data needs to be regularly monitored and controlled. Large enterprises need to manage their customers’ and employees’ data to remain compliant, to do this they need to understand where that data resides to secure it.  

Across the world, there are now nearly two billion internet users and over five billion mobile phone connections; every day, we send 294 billion emails and five billion SMS messages; every minute, we post 35 hours of video to YouTube, 3,000 photos to Flickr and nearly 35,000 ‘tweets’, according to this report.

Over 91 percent of UK businesses and 73 percent of UK households have internet access and £47.2 billion was spent online in the UK alone in 2009.

The issue arises for data security as the embedded operating system in any device is deployed in its firmware, and these operating systems are rarely designed with security as their prime focus. This means that many systems have flaws and vulnerabilities, which is a gateway for many hackers and cybercriminals. 

3) Weak passwords encourage cyber-attacks and “insider breaches” 

With so many passwords to remember for a variety of devices, sites and networks, passwords will continue to be a security risk. In most cases, hackers do not find it difficult to figure out corporate passwords, and employee passwords tend to be even easier to work out.

Not only that, but once you know the password for one device, you will most likely be able to access other accounts too. People tend to reuse the same password across many of the accounts they hold for ease of remembering, but, as is well known, this is a security issue that needs to be addressed.

Unsecure passwords could increase ‘insider’ breaches at the workplace. Organisations often overlook the threats residing inside their ecosystems which can have devastating effects. These companies, although they are aware of threats don’t usually have an insider threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats.

Having access to anyone’s computers or devices at work means that systems are at a higher risk of attack from insider threats. Hackers are always looking for opportunities to steal passwords and break into private and corporate accounts.

To minimise these risks, companies must evaluate and introduce access controls so that only authorised individuals can reach certain files and folders. They must also make sure individuals have unique passwords for their computers so that other people cannot access or abuse their computer activity.

Tracking which files and folders are being used and accessed on individual machines will also be beneficial in many cases. As a short-term fix, they can also turn on two-factor authentication (2FA), a form of multi-factor authentication, wherever possible for important accounts, as a secondary method of authentication.
