How can a business ensure the security of their supply chain?

10 best practices to evaluate a supplier’s risk

While there are no guarantees that a business can detect a supply chain attack before it happens, there are 10 best practices that a business can consider to help mitigate risk and validate the security of its supply chain.

1. Evaluate the impact each supplier can have on your business if the supplier’s IT infrastructure is compromised. While a full risk assessment is preferred, smaller organizations might not have the resources to conduct one. At a minimum, however, they should analyze the worst-case scenarios and ask questions such as:

  • How would a ransomware attack on this supplier’s systems impact my business?
  • How would my business be affected if the supplier’s source code was compromised by a Trojan virus?
  • If the supplier’s databases are compromised and data is stolen, how would that impact my business?

2. Evaluate internal IT resources and competencies for each supplier. Do they have a dedicated cybersecurity team led by a security manager or a CISO? It is important to identify the supplier’s security leadership because that is who can answer your questions. If the team is non-existent or poorly staffed with no real leadership, you may want to reconsider engaging with this supplier.

3. Meet with the supplier’s security manager or CISO to discover how they protect their systems and data. This can be a short meeting, phone call, or even an email conversation, depending on the risks identified in step 1.

4. Request evidence to verify what the supplier is claiming. Penetration test reports are a useful way to do this. Be sure the scope of the test is appropriate and, whenever possible, request the reports of two consecutive tests to verify that the supplier is acting on the findings.

5. If your supplier is a software provider, ask for an independent source code review. In some cases, the supplier may require an NDA to share the full report or may choose not to share it. When this happens, ask for an executive summary.

6. If your supplier is a cloud provider, you can scan the supplier’s networks, perform a Shodan search, or ask the supplier for a report of their own scans. If you plan to scan yourself, obtain written permission from the supplier first and ask them to separate customer address ranges from their own so you are not scanning something irrelevant.

7. If the supplier is a software or cloud provider, find out if the supplier is running a bug bounty reward program. These programs help an organization find and fix vulnerabilities before attackers have a chance to exploit them.

8. Ask your suppliers how they are prioritizing their risks. For example, the Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities and assigning them severity scores, so the supplier can prioritize its risk responses.

9. Request the supplier’s patching reports. The fact that they have a report demonstrates their commitment to security and managing vulnerabilities. If possible, try to get a report that is produced by an independent entity.

10. Steps 1 through 9 should be repeated annually, depending on the risk to and impact on your business. For a low-impact supplier, this may be performed less often. For a supplier that is mission-critical to the business’s success and is high risk, the business may want to develop a permanent evaluation process. However, large SaaS and IaaS providers may not be willing to participate in ongoing evaluations.


Study reveals top 200 most common passwords

Nordpass has published its annual report, titled “Top 200 most common passwords,” on the use of passwords. The report shows that we are still using weak passwords.

The list of passwords was compiled with the support of independent researchers specializing in data breach analysis; the study is based on the analysis of a 4TB database containing passwords from 50 countries.

The most used passwords are still 123456, 123456789, 12345, qwerty, and “password”. Businesses fail to enforce strong passwords, and rarely require employees to enable multi-factor authentication (MFA).

The report revealed that the most common passwords in 2021 were:

  1. 123456 (103,170,552 hits)
  2. 123456789 (46,027,530 hits)
  3. 12345 (32,955,431 hits)
  4. qwerty (22,317,280 hits)
  5. password (20,958,297 hits)
  6. 12345678 (14,745,771 hits)
  7. 111111 (13,354,149 hits)
  8. 123123 (10,244,398 hits)
  9. 1234567890 (9,646,621 hits)
  10. 1234567 (9,396,813 hits)
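Enforcing strong passwords, as the post says businesses fail to do, means rejecting this list and the families it belongs to. The screening check below is an added example, not code from Nordpass or the original post: its blocklist is the ten passwords listed above, while the pattern checks (keyboard and digit walks, repeated blocks, a blocklisted value with a digit suffix), thresholds and helper names are assumptions of the example that generalize the list.

```python
"""Weak-password screening built around the Nordpass top-10 list quoted above.

Added example for this post; it is not code from Nordpass or the original
article. The blocklist entries are the ten passwords listed on the page; the
pattern checks, thresholds and helper names are assumptions of this example and
generalize the list to the families those entries belong to (keyboard and digit
walks, repeated characters or blocks, a common password with a trailing suffix).
"""
from typing import List

# The ten most common passwords of 2021 as quoted on the page.
NORDPASS_2021_TOP10 = [
    "123456", "123456789", "12345", "qwerty", "password",
    "12345678", "111111", "123123", "1234567890", "1234567",
]
BLOCKLIST = {p.lower() for p in NORDPASS_2021_TOP10}

# Keyboard rows (QWERTY layout) and the digit row; walks along them, in either
# direction, are what "qwerty" and "123456" have in common.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 8      # assumption: NIST SP 800-63B minimum for user-chosen secrets
MIN_WALK_LEN = 4    # assumption: shorter fragments occur in ordinary words


def is_keyboard_walk(s: str) -> bool:
    """True if the whole string is a contiguous run along one keyboard row."""
    if len(s) < MIN_WALK_LEN:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def is_repeated_block(s: str) -> bool:
    """True if the string is one short block repeated, e.g. 111111 or 123123."""
    for block in range(1, len(s) // 2 + 1):
        if len(s) % block == 0 and s == s[:block] * (len(s) // block):
            return True
    return False


def password_weaknesses(password: str) -> List[str]:
    """Return the reasons a candidate password should be rejected (empty = ok).

    All checks run on the lowercased form so that capitalisation alone
    (Password, QWERTY) does not turn a blocklisted value into an accepted one.
    """
    low = password.lower()
    reasons = []
    if low in BLOCKLIST:
        reasons.append("in breach top list")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if is_repeated_block(low):
        reasons.append("repeated character or block")
    if is_keyboard_walk(low):
        reasons.append("keyboard or digit sequence")
    # "password1", "qwerty123!": a blocklisted value with a trailing decoration.
    stem = low.rstrip("0123456789!@#$%^&*.")
    if stem != low and stem in BLOCKLIST:
        reasons.append("breach-list entry with a suffix")
    return reasons


def screen(passwords: List[str]) -> dict:
    """Map each candidate to its list of weaknesses, e.g. over a password audit
    export or at registration time."""
    return {p: password_weaknesses(p) for p in passwords}


if __name__ == "__main__":
    # Constructed sample: the page's list plus a few decorated and strong ones.
    sample = NORDPASS_2021_TOP10 + ["Password123", "QWERTY!", "xK9#vbQ2!mLp"]
    for pw, why in screen(sample).items():
        print("%-14s %s" % (pw, "; ".join(why) or "ok"))
```

In production the blocklist would be the full breach corpus rather than ten entries, but the pattern checks stay the same.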

Below is the map showing password leaks per capita (image not reproduced here).


DuckDuckGo Wants to Stop Apps From Tracking You on Android

At the end of April, Apple’s introduction of App Tracking Transparency tools shook the advertising industry to its core. iPhone and iPad owners could now stop apps from tracking their behavior and using their data for personalized advertising. Since the new privacy controls launched, almost $10 billion has been wiped from the revenues of Snap, Meta Platforms’ Facebook, Twitter, and YouTube.

Now, a similar tool is coming to Google’s Android operating system—although not from Google itself. Privacy-focused tech company DuckDuckGo, which started life as a private search engine, is adding the ability to block hidden trackers to its Android app. The feature, dubbed “App Tracking Protection for Android,” is rolling out in beta from today and aims to mimic Apple’s iOS controls. “The idea is we block this data collection from happening from the apps the trackers don’t own,” says Peter Dolanjski, a director of product at DuckDuckGo. “You should see far fewer creepy ads following you around online.”

The vast majority of apps have third-party trackers tucked away in their code. These trackers monitor your behavior across different apps and help create profiles about you that can include what you buy, demographic data, and other information that can be used to serve you personalized ads. DuckDuckGo says its analysis of popular free Android apps shows more than 96 percent of them contain trackers. Blocking these trackers means Facebook and Google, whose trackers are some of the most prominent, can’t send data back to the mothership—neither will the dozens of advertising networks you’ve never heard of.

From a user perspective, blocking trackers with DuckDuckGo’s tool is straightforward. App Tracking Protection appears as an option in the settings menu of its Android app. For now, you’ll see the option to get on a waitlist to access it. But once turned on, the feature shows the total number of trackers blocked in the last week and gives a breakdown of what’s been blocked in each app recently. Open up the app of the Daily Mail, one of the world’s largest news websites, and DuckDuckGo will instantly register that it is blocking trackers from Google, Amazon, WarnerMedia, Adobe, and advertising company Taboola. An example from DuckDuckGo showed more than 60 apps had tracked a test phone thousands of times in the last seven days.

My own experience bore that out. Using a box-fresh Google Pixel 6 Pro, I installed 36 popular free apps—some estimates claim people install around 40 apps on their phones—and logged into around half of them. These included the McDonald’s app, LinkedIn, Facebook, Amazon, and BBC Sounds. Then, with a preview of DuckDuckGo’s Android tracker blocking turned on, I left the phone alone for four days and didn’t use it at all. In 96 hours, 23 of these apps had made more than 630 tracking attempts in the background.

Using your phone on a daily basis—opening and interacting with apps—sees a lot more attempted tracking. When I opened the McDonald’s app, trackers from Adobe, cloud software firm New Relic, Google, emotion-tracking firm Apptentive, and mobile analytics company Kochava tried to collect data about me. Opening the eBay and Uber apps—but not logging into them—was enough to trigger Google trackers.

At the moment, the tracker blocker doesn’t show what data each tracker is trying to send, but Dolanjski says a future version will show what broad categories of information each commonly tries to access. He adds that in testing the company has found some trackers collecting exact GPS coordinates and email addresses.


The six most common threats against the device that knows you best

I specialize in cybersecurity, not mental health, so I can’t comment on how this intimacy with a device affects our well-being. But I can say that we must secure any platform that’s always connected, always on, and almost always within inches of our bodies.

Let’s take a look at the six threats F-Secure’s Tactical Defense Unit sees most often as we continually analyze the mobile landscape.


How Virtualization Helps Secure Connected Cars

Connected cars create opportunities to deliver enhanced customer experiences. At the same time, they also have the potential to provide significant cost and revenue benefits. This is true for connected car companies, OEMs, suppliers and insurers (and much, much more).

However, car companies haven’t really explored the opportunities to monetize customer data adequately. We can probably attribute this to cybersecurity threats and a mad rush to market. But as the industry evolves and accelerates adoption, we must address these concerns now.

According to Allied Market Research, experts forecast the worldwide connected car market to be worth $225.16 billion by 2027. As we strive to achieve continuous connectivity, what’s the best approach to secure it? How do we keep drivers and their data safe from threat actors?

Before we dive into the solution, let’s look at some of the connected car challenges.

What Are the Threats to Connected Car Security?


CISA releases incident response plans for federal agencies

The Cybersecurity and Infrastructure Security Agency (CISA) has released new cybersecurity response plans for federal civilian executive branch (FCEB) agencies (“Federal Government Cybersecurity Incident and Vulnerability Response Playbooks”).

The documents aim at developing a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity for federal civilian agency information systems.

“The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.” reads the announcement.

The definition and adoption of standardized IR procedures allows impacted organizations to drastically reduce the associated risks.

The document released by CISA presents two playbooks, one for incident response and one for vulnerability response, both developed for FCEB agencies. CISA plans to extend these playbooks for organizations outside of the FCEB to promote a process of standardization of the incident response practices.

The Vulnerability Response Playbook applies to any flaw that is observed to be exploited by threat actors to compromise the computer networks of the agencies. The playbook builds on CISA’s Binding Operational Directive 22-01 and standardizes the high-level process to address these vulnerabilities.

The playbooks will facilitate better coordination and effective response and enable tracking of cross-organizational successful actions.

“FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.” concludes CISA. “Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.”

The incident response playbook is to be used in incidents that involve confirmed malicious cyber activity for which a major incident has been declared or has not yet been reasonably ruled out (i.e., incidents involving lateral movement, credential access, exfiltration of data, and compromised administrator accounts).

While aimed at federal agencies, CISA also encourages public and private sector partners, including critical infrastructure entities and state, local, tribal, and territorial (SLTT) government organizations, to review them to improve their incident and vulnerability response practices.

Combating cybercrime: Lessons from a CIO and Marine veteran

Combating cybercrime is exponentially more difficult than combating traditional criminal activities, as technologies and techniques make it very easy for cybercriminals to hide their true identities, locations, and allegiances. It’s a sobering situation, one that has resulted in extensive intellectual property theft, enormous financial losses, and the disruption of supply chains that deliver essential goods.

As a Marine veteran and CIO of a global software company, my approach to cybersecurity mirrors many of the principles I practiced in the military. Much like the corporate world, the Marines emphasized expertise, accountability, results, and leadership. With skilled teams, strong leaders, and tangible goals, it is much easier to deal with the daily uncertainty that is inherent in managing the cybersecurity of a large enterprise.

So, how does the United States better position itself to combat this growing threat? Through a more visible, coordinated, and concerted effort with measurable goals that involves the government, the private sector, educational institutions, and everyday citizens. Some of the highest priorities requiring action are below.


Hackers Compromised Middle East Eye News Website to Hack Visitors, Researchers Say

Cybersecurity researchers tracked a hacking campaign spanning more than a year that hit around 20 websites. Israeli spyware vendor Candiru, recently blacklisted by the US, waged “watering hole” attacks on UK and Middle East websites critical of Saudi Arabia and others.

A group of hackers compromised a popular London-based news website that focuses on the Middle East with the goal of hacking its visitors, according to researchers.

On Tuesday, cybersecurity firm ESET published a report detailing the hacking campaign, which spanned from March 2020 until August of this year. During this time, according to the report, hackers compromised around 20 websites, including Middle East Eye, a popular independent news site that covers the Middle East and Africa and is based in the UK.

The hackers compromised these websites in what are technically known as watering hole attacks, a type of cyberattack where hackers use legitimate websites to target people who visit them. In this case, the hackers did not target all visitors of the websites, but only specific ones, according to ESET.

“We were never able to get the final payload. So it shows that attackers are very careful in the selection of the targets,” Matthieu Faou, a researcher at ESET, told Motherboard in a phone call.

Because the researchers could not retrieve the malware, “we don’t know who are the final targets,” Faou said.

ESET researchers explained in the report that the hackers also compromised several government websites in Iran, Syria, and Yemen, as well as the sites of an Italian aerospace company and a South African government-owned defense conglomerate, all websites with links to the Middle East. The hackers, according to ESET, may have been customers of the Israeli spyware vendor Candiru, a company that was recently put on a denylist by the US Government.

Candiru is one of the most mysterious spyware providers out there. The company has no website, and it has allegedly changed names several times. Candiru offers a “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets,” according to a document seen by Haaretz. The Israeli newspaper was the first one to report Candiru’s existence in 2019. Since then, several cybersecurity companies and groups, such as Kaspersky Lab, Microsoft, Google, and Citizen Lab, have tracked its malware.

Cloudflare mitigated 2 Tbps DDoS attack, the largest attack it has seen to date

Cloudflare, Inc. is an American web infrastructure and website security company that provides content delivery network and DDoS mitigation services. The company announced that it had mitigated a distributed denial-of-service (DDoS) attack that peaked just below 2 terabytes per second (Tbps), the largest attack Cloudflare has seen to date.

The attack was launched by a Mirai botnet variant composed of roughly 15,000 bots and combined DNS amplification attacks with UDP floods. The botnet included Internet of Things (IoT) devices and unpatched GitLab instances.

“This was a multi-vector attack combining DNS amplification attacks and UDP floods. The entire attack lasted just one minute. The attack was launched from approximately 15,000 bots running a variant of the original Mirai code on IoT devices and unpatched GitLab instances.” reads the post published by Cloudflare.

Experts warn that terabit-scale attacks are becoming common, confirming the trend of increasing intensity in distributed denial-of-service attacks.

Cloudflare Q3 DDoS Trends report also revealed that network-layer DDoS attacks increased by 44% quarter-over-quarter.

In August, the company announced that it had mitigated the largest volumetric HTTP distributed denial-of-service attack seen to date. The malicious traffic reached a record high of 17.2 million requests per second (rps), three times the volume of previously reported HTTP DDoS attacks.

In October, Microsoft announced that its Azure cloud service had mitigated a 2.4 terabytes per second (Tbps) DDoS attack at the end of August, the largest DDoS attack recorded to date. The attack was aimed at an Azure customer in Europe, but Microsoft did not disclose the name of the victim. It surpasses the previous largest attack against Azure customers, a 1 Tbps attack observed in August 2020.

ENISA – The need for Incident Response Capabilities in the health sector

The European Union Agency for Cybersecurity (ENISA) published an analysis of the current state of development of sectoral CSIRT capabilities in the health sector since the implementation of the NIS Directive.

An attack against a hospital can lead to physical damage and put the lives of patients at risk. The Agency stresses the need to set up solid Incident Response Capabilities (IRC) in the health sector. The document aims at offering insights on current incident response (IR) trends and providing recommendations about the development of IR capabilities in the health sector.

In 2020, the number of reports sent to ENISA about cybersecurity incidents saw an increase of 47% compared to the previous year.

The level of exposure to cyber threats is increasing due to the adoption of emerging technologies such as the Internet of Things (IoT), Artificial Intelligence (AI), big data, and cloud computing.

Computer Security Incident Response Teams (CSIRTs) are tasked to develop the capabilities needed to address cyber threats and implement the provisions of the Directive on security of network and information systems (NIS Directive).

“Although dedicated health sector CSIRTs are still the exception in the Member States, sector specific CSIRT cooperation is developing.” reads the report. “The lack of sector-specific knowledge or capacity of national CSIRTs, lessons learned from past incidents and the implementation of the NIS Directive appear to be the main drivers of the creation of sector-specific incident response capabilities in the health sector.”

While the lifetime of healthcare equipment is about 15 years on average, vendor updates do not keep pace with it, and in many cases healthcare devices remain unpatched for long periods. Another challenge the healthcare sector faces is the complexity of its systems: the growing number of connected devices enlarges the attack surface.

Below is the list of recommendations included in the report:

  1. Enhance and facilitate the creation of health sector CSIRTs by allowing easy access to funding, promoting capacity building activities, etc.
  2. Capitalise on the expertise of the health CSIRTs for helping Operators of Essential Services (OES) develop their incident response capabilities by establishing sector-specific regulations, cooperation agreements, communication channels with OES, public-private partnerships, etc.
  3. Empower health CSIRTs to develop information sharing activities using threat intelligence, exchange of good practices and lessons learned, etc.

“The key force driving the development of incident response capabilities of CSIRTs is the information related to security requirements and responsibilities of organisations for each sector.” concludes the report. “Shared frameworks for incident classification and threat modelling, education activities and a network allowing communication between incident response actors constitute the main resources and tools currently supporting the development of incident response capabilities.”

https://www.enisa.europa.eu/publications/csirt-capabilities-in-healthcare-sector


Implementing and auditing an Information Security Management System in small and medium-sized businesses

ISO 27001 Handbook

If you want to understand ISO 27001, this handbook is all you need. It not only explains in a clear way what to do, but also the reasons why.

This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard.

An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an ‘information security management system’ must be set up. A what?

This handbook is intended to help small and medium-sized businesses establish, implement, maintain and continually improve an information security management system in accordance with the requirements of the international standard ISO/IEC 27001. At the same time, this handbook is also intended to provide information to auditors who must investigate whether an information security management system meets all requirements and has been effectively implemented.

This handbook assumes that you ultimately want your information security management system to be certified by an accredited certification body. The moment you invite a certification body to perform a certification audit, you must be ready to demonstrate that your management system meets all the requirements of the Standard. In this book, you will find detailed explanations, more than a hundred examples, and sixty-one common pitfalls. It also contains information about the rules of the game and the course of a certification audit.

ISO 27001 Certification

ISO 27001 Gap Assessment

DISC InfoSec vCISO as a Service


How to Hide Shellcode Behind Closed Port?

The Shellcoder’s Handbook


macOS Zero-Day exploited in watering hole attacks on users in Hong Kong

Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was unpatched in macOS Catalina.

The watering hole campaign targeted the websites of a media outlet and a prominent pro-democracy labor and political group. The researchers found that the compromised sites hosted two iframes that were used to serve iOS and macOS exploits to visitors.

The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.

The attack was discovered in late August; the nature of the targets and the level of sophistication of the attack suggest the involvement of a China-linked threat actor.

“To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.” reads the analysis published by Google. “As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.”


vCISO as a service

Virtual CISO

Ransomware's Silver Bullet - The Virtual CISO Publication Series: Cybersecurity: Publication #1 Ransomware by [Virtual CISO]


Most CIOs and CISOs underestimate the risk of an OT breach

“Not only do enterprises rely on OT, the public at large relies on this technology for vital services including energy and water. Unfortunately, cybercriminals are all too aware that critical infrastructure security is generally weak. As a result, threat actors believe ransomware attacks on OT are highly likely to pay off,” said Skybox Security CEO Gidi Cohen. “Just as evil thrives on apathy, ransomware attacks will continue to exploit OT vulnerabilities as long as inaction persists.”

The research unearths the uphill battle that OT security faces – comprised of network complexity, functional silos, supply chain risk, and limited vulnerability remediation options. Threat actors take advantage of these OT weaknesses in ways that don’t just imperil individual companies – but threaten public health, safety, and the economy.

Key takeaways

Organizations underestimate the risk of a cyberattack

Fifty-six percent of all respondents were “highly confident” their organization will not experience an OT breach in the next year. Yet, 83% also said they had at least one OT security breach in the prior 36 months. Despite the criticality of these facilities, the security practices in place are often weak or nonexistent.

CISO disconnect between perception and reality

Seventy-three percent of CIOs and CISOs are highly confident their OT security system will not be breached in the next year, compared to only 37% of plant managers, who have more firsthand experience with the repercussions of attacks. While some refuse to believe their OT systems are vulnerable, others say the next breach is around the corner.

Compliance does not equal security

To date, compliance standards have proven insufficient in preventing security incidents. Maintaining compliance with regulations and requirements was the most common top concern of all respondents. Regulatory compliance requirements will continue to increase in light of recent attacks on critical infrastructure.

Complexity increases security risk

Seventy-eight percent said complexity due to multivendor technologies is a challenge in securing their OT environment. In addition, 39% of all respondents said that a top barrier to improving security programs is that decisions are made in individual business units with no central oversight.

Cyber liability insurance is considered sufficient by some

Thirty-four percent of respondents said that cyber liability insurance is considered a sufficient solution. However, cyber liability insurance does not cover costly “lost business” that results from a ransomware attack, which is one of the top three concerns of the survey respondents.

Exposure and path analysis are top cybersecurity priorities

Forty-five percent of CISOs and CIOs say the inability to conduct path analysis across the environment to understand actual exposure is one of their top three security concerns. Further, CISOs and CIOs said disjointed architecture across OT and IT environments (48%) and the convergence of IT technologies (40%) are two of their top three greatest security risks.

Functional silos lead to process gaps and technology complexity

CIOs, CISOs, Architects, Engineers, and Plant Managers all list functional silos among their top challenges in securing OT infrastructure. Managing OT security is a team sport. If the team members are using different playbooks, they are unlikely to win together.

Supply chain and third-party risk is a major threat

Forty percent of respondents said that supply chain/third-party access to the network is one of the top three highest security risks. Yet only 46% said their organization has a third-party access policy that applies to OT.

Healthcare – Patient or Perpetrator? – The Cybercriminals Within

With copious amounts of data collected by healthcare facilities, cybercriminals often target such entities. Moreover, the healthcare industry collects unique data, known as Protected Health Information (PHI), which is extremely valuable. Our PHI is ingrained within us; medical history cannot be changed. As such, this information can sell for three times as much as Personally Identifiable Information (PII) on the dark web and can be used in much more nefarious ways. Identity theft takes on a whole new meaning when a bad actor gets ahold of your PHI.

A Silent Sickness

Cybercriminals are turning to hardware-based attacks to carry out their harmful activities. What makes such attacks so perilous is their clandestine nature; Rogue Devices can inject malware, cause data breaches, and more, all while operating covertly. Traditional security software, such as NAC, EPS, IDS, or IoT Network Security, fails to provide the Layer 1 visibility required to detect and accurately identify all hardware assets. As a result of this blind spot, Rogue Devices, which operate on Layer 1, go undetected. By hiding or spoofing their identity through Layer 1 manipulation, Rogue Devices bypass existing security efforts, even those as stringent as Zero Trust. All it takes is a few seconds to attach the Rogue Device to an endpoint, and the attack is underway.

An Open Wound

In addition to visibility challenges, several weaknesses within the healthcare industry enable hardware-based attacks. Malicious insiders pose a significant threat to healthcare providers because of their physical access to the organization, a prerequisite for hardware-based attacks. Gaining physical access to a healthcare facility is also fairly easy for outsiders; many healthcare entities, such as hospitals, are open to the public, with hundreds of people walking in and out each day. A malicious actor can walk in freely, disguised as a visitor or even posing as a patient, and carry out a hardware attack. Further, the interconnected environment typically found within healthcare facilities only makes life easier for these external perpetrators. Interconnectedness creates a larger attack surface because there are more entry points into the organization; an outside attacker needs access to just one device to infiltrate the target’s network.

Worryingly, the large number of devices used within medical facilities amplifies the hardware threat. The industry is undergoing a digital transformation and is becoming increasingly reliant on technology and, in particular, on Internet of Medical Things (IoMT) devices. Not only do IoMT devices act as entry points, but the devices themselves are often the target of an attack. Firstly, IoMT devices collect significant amounts of valuable data, and the ease with which they can be accessed makes them appealing targets. Additionally, an attack on IoMT devices can have a physical impact with dire consequences; some of them, such as heart-rate monitors and insulin pumps, perform life-saving functions. Should malicious actors gain control over such devices, the outcome can be fatal.

Cyberattacks on healthcare providers are a very serious matter as patients’ lives are at risk, as is the country’s national security. To protect against dangerous hardware-based attacks – and strengthen existing security measures – healthcare entities should invest in hardware security. With Layer 1 visibility, there is protection on the first line of defense.

About the author:

Jessica Amado – Head of Cyber Research – Sepio Systems

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

MITRE ATT&CK Update Covers Insider Threat Attack Techniques

Unmasking/Uncovering the Real Insider Threat

According to the Verizon 2021 Data Breach Investigations Report, insiders are responsible for around 22% of security incidents. That is clearly a significant number, and insider threats are quickly becoming one of the most common cybersecurity threats organizations face today. The persistent challenge with insider threats is that, unlike external threats, the user already has access to the environment, so it is difficult to differentiate between normal and abnormal behavior for any given user. This makes a strong case for correlating content, threat and behavior to predict an insider threat accurately.

The significance of insider threats can be seen in MITRE’s latest update, in which ATT&CK for Enterprise contains 14 Tactics, 185 Techniques, and 367 Sub-techniques, among them those used in insider threat attacks. In this analysis, we’ll look at a selection of the techniques published in the update and examine how they are used, the motivations behind them, and the types of attacks they are used for.

What is Considered an Insider Threat?

An insider threat is a security threat that originates from within an organization. It’s usually someone who uses their authorized access, intentionally or unintentionally, to compromise an organization’s network, data or devices. Because the access is already authorized, the attacker doesn’t need to request access or steal credentials to gain it. There are three common categories of insider attacker:

  • Malicious Insider – As the name suggests, the malicious insider is an employee or contractor who conducts nefarious activities, which may or may not be financially motivated, to gain or steal information.
  • Compromised Insider – In this scenario, a user’s credentials are compromised and the attacker uses the compromised account to gain or steal information. In most cases the main targets of these attacks are employees, who are easily targeted via phishing.
  • Negligent Insider – Negligent insiders are people who make errors and disregard policies, placing their organizations at risk. There is a huge uptick in this type of attack as we see more and more configuration errors that expose an organization’s internal data to the public.

Let’s take a look at some of the recent insider attacks to understand the magnitude of the impact.  – Updated MITRE ATT&CK TTPs Used in Insider Threat Attacks
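The correlation of behavior, timing and content that the excerpt above calls for, shown as an added example that is not from the original article or from MITRE: a small Python scorer that builds a per-user baseline from earlier days of a constructed access log and flags users on a scored day when several independent signals fire together. The log format, the business-hours window and the signal thresholds are assumptions made for this illustration; a real deployment would take them from the organization’s own telemetry and policy.

```python
"""Toy insider-threat scoring over constructed access-log lines (added example)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample log (not from the original article). Fields per line:
# ISO timestamp, user, resource, data classification.
# alice (HR) accesses HR files every day; bob (engineering) touches only
# internal repos until the scored day, when he pulls confidential HR and
# finance files at 02:00.
SAMPLE_LOG = """\
2021-11-01T09:05:00 alice share://hr/payroll.xlsx confidential
2021-11-01T10:20:00 alice share://hr/benefits.docx confidential
2021-11-01T14:40:00 alice share://hr/handbook.pdf internal
2021-11-02T09:15:00 alice share://hr/payroll.xlsx confidential
2021-11-02T11:00:00 alice share://hr/onboarding.docx confidential
2021-11-02T15:10:00 alice share://hr/handbook.pdf internal
2021-11-03T09:30:00 alice share://hr/payroll.xlsx confidential
2021-11-03T13:00:00 alice share://hr/benefits.docx confidential
2021-11-03T16:20:00 alice share://hr/handbook.pdf internal
2021-11-04T09:10:00 alice share://hr/payroll.xlsx confidential
2021-11-04T12:00:00 alice share://hr/benefits.docx confidential
2021-11-04T15:30:00 alice share://hr/handbook.pdf internal
2021-11-01T10:00:00 bob git://eng/service-a internal
2021-11-01T16:00:00 bob git://eng/service-b internal
2021-11-02T10:30:00 bob git://eng/service-a internal
2021-11-02T17:00:00 bob git://eng/service-c internal
2021-11-03T09:45:00 bob git://eng/service-a internal
2021-11-03T15:15:00 bob git://eng/service-b internal
2021-11-04T02:05:00 bob share://hr/payroll.xlsx confidential
2021-11-04T02:07:00 bob share://hr/benefits.docx confidential
2021-11-04T02:09:00 bob share://hr/salaries-2021.xlsx confidential
2021-11-04T02:11:00 bob share://finance/q3-forecast.xlsx confidential
2021-11-04T02:14:00 bob share://finance/board-deck.pptx confidential
2021-11-04T02:16:00 bob share://legal/contracts.zip confidential
2021-11-04T02:20:00 bob share://hr/handbook.pdf internal
2021-11-04T02:22:00 bob git://eng/service-a internal
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time; an assumption for this example
ALERT_THRESHOLD = 2            # correlated signals needed before raising an alert


def parse_log(text):
    """Parse whitespace-separated lines into (datetime, user, resource, classification)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, classification = line.split()
        events.append((datetime.fromisoformat(ts), user, resource, classification))
    return events


def daily_profiles(events):
    """Group events as {user: {calendar_day: [events]}}."""
    profiles = defaultdict(lambda: defaultdict(list))
    for ev in events:
        profiles[ev[1]][ev[0].date()].append(ev)
    return profiles


def score_user_day(baseline_days, day_events):
    """Return the signals that fired for one user on the scored day.

    Three independent signals are correlated (behavior, timing, content):
      volume   - access count far above the user's own baseline
      offhours - any access outside business hours
      content  - confidential access where the baseline had none
    """
    signals = []
    counts = [len(evs) for evs in baseline_days.values()]
    base_mean, base_std = mean(counts), pstdev(counts)
    # A flat baseline has std 0, so fall back to a multiple of the mean.
    limit = base_mean + 3 * base_std if base_std > 0 else 3 * base_mean
    if len(day_events) > limit:
        signals.append("volume")
    if any(ev[0].hour not in BUSINESS_HOURS for ev in day_events):
        signals.append("offhours")
    saw_confidential = any(ev[3] == "confidential"
                           for evs in baseline_days.values() for ev in evs)
    if not saw_confidential and any(ev[3] == "confidential" for ev in day_events):
        signals.append("content")
    return signals


def detect(text, scored_day):
    """Score every user on `scored_day` (ISO date string) against their earlier days."""
    day = date.fromisoformat(scored_day)
    results = {}
    for user, days in daily_profiles(parse_log(text)).items():
        baseline = {d: evs for d, evs in days.items() if d < day}
        today = days.get(day, [])
        if baseline and today:            # skip users with no history or no activity
            results[user] = score_user_day(baseline, today)
    return results


def alerts(text, scored_day):
    """Users whose number of correlated signals meets ALERT_THRESHOLD."""
    return {u: s for u, s in detect(text, scored_day).items() if len(s) >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for user, sigs in alerts(SAMPLE_LOG, "2021-11-04").items():
        print(f"ALERT {user}: {', '.join(sigs)}")
```

On the constructed log, alice’s scored day matches her own baseline and produces no signals, while bob trips all three (volume, offhours, content) and is the only alert. Requiring several signals to coincide is what keeps a single late-night commit or a one-off spike in file access from paging an analyst; the per-user baseline is what lets an HR employee’s routine confidential access stay quiet while the same access by an engineer stands out.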

ATT&CK™ Framework and open source tools

Pakistan government approves new cybersecurity policy, cybercrime agency

The Pakistan Ministry of Information Technology has announced that a new cybersecurity policy and an accompanying cybersecurity agency have been approved for the South Asian nation.

The new policy aims to support both public and private institutions, including national information systems and critical infrastructure, replacing a system whereby government institutions have separate security operations.

It comes at a delicate time for Pakistan, which recently accused India of using the Israeli spyware Pegasus to spy on Prime Minister Imran Khan. The policy designates cyber-attacks on any Pakistani institution as an attack on national sovereignty.

“The IT ministry and all relevant public and private institutions will be provided all possible assistance and support to ensure that their data, services, ICT products and systems are in line with the requirements of cybersecurity,” said IT minister Syed Aminul Haq, as quoted in local press.

CISA recommends vendors to fix BrakTooth issues after the release of PoC tool

US CISA is urging vendors to address the BrakTooth flaws after security researchers released public exploit code and a proof-of-concept tool to test Bluetooth devices against potential Bluetooth exploits.

“On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution,” reads CISA’s advisory.

“CISA encourages manufacturers, vendors, and developers to review BRAKTOOTH: Causing Havoc on Bluetooth Link Manager and update vulnerable Bluetooth System-on-a-Chip (SoC) applications or apply appropriate workarounds.”

BrakTooth is a set of 16 security flaws in commercial Bluetooth stacks that threat actors can exploit to execute arbitrary code or to crash devices via DoS attacks.

Security Threats and Countermeasures in Bluetooth-Enabled Systems
