InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
A critical vulnerability in Facebook could have allowed threat actors to hijack any Facebook account, researcher warns.
Meta addressed a critical Facebook vulnerability that could have allowed attackers to take control of any account.
The Nepalese researcher Samip Aryal described the flaw as a rate-limiting issue in a specific endpoint of Facebook’s password reset flow. An attacker could have exploited the flaw to take over any Facebook account by brute-forcing a particular type of nonce.
Meta awarded the researcher for reporting the security issue as part of Facebook’s bug bounty program.
The researcher discovered that the issue affects Facebook’s password reset procedure when the user selects “Send Code via Facebook Notification.”
Analyzing the vulnerable endpoint, the researcher found that three conditions opened the door to a brute-force attack:
The nonce sent to the user is active for longer than I expected (≈ 2 hrs)
The same nonce code was sent every time for the period.
I didn’t see any sort of code invalidation after entering the correct code but with multiple previous invalid tries (unlike in the SMS reset functionality).
Choosing the option “Send Code via Facebook Notification” will send a POST request to:
POST /ajax/recover/initiate/ HTTP/1.1
with the parameter recover_method=send_push_to_session_login
The researcher then submitted the 6-digit code ‘000000’ to analyze the POST request sent to the vulnerable endpoint:
POST /recover/code/rm=send_push_to_session_login&spc=0&fl=default_recover&wsr=0 HTTP/1.1
where the “n” parameter holds the nonce.
At this stage, brute-forcing this 6-digit value had become a trivial task for the researcher.
“there was no rate limiting on this endpoint, thus the matching code was responded back with a 302 status code. Use this code to log in/reset the FB account password for the user account.” reads the analysis published by Aryal.
The researcher noticed that upon exploiting this vulnerability, Facebook would notify the targeted user. The notification would either display the six-digit code directly or prompt the user to tap the notification to reveal the code.
The researcher reported the flaw to Meta on January 30, 2024, and the company addressed the issue on February 2, 2024. The vulnerability had a huge impact: Meta recognized it as a zero-click account takeover exploit. Aryal is currently ranked in first place in Facebook’s Hall of Fame 2024.
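Each of the three conditions Aryal listed (a nonce that stays valid for about two hours, the same nonce re-sent on every request, and no invalidation after repeated wrong guesses) is a missing control on the server side, and the missing rate limit is a fourth. The following Python sketch is an added example, not code from Aryal’s write-up or from Meta: it models a generic “send code” reset flow with a ResetCodeService class (a name chosen here), an injectable clock so the expiry logic can be exercised without waiting, and constructed limits (10-minute lifetime, five failed attempts, ten verification calls per minute per account) to show how a verifier closes all four gaps.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed limits for this example; production values are a policy decision.
CODE_TTL_SECONDS = 10 * 60       # short lifetime instead of a roughly two-hour window
MAX_FAILED_ATTEMPTS = 5          # burn the code after this many wrong guesses
MAX_VERIFY_PER_WINDOW = 10       # per-account cap on verification calls per window
RATE_WINDOW_SECONDS = 60


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False


@dataclass
class ResetCodeService:
    """In-memory stand-in for the server side of a 'send code' password reset."""
    clock: Callable[[], float] = time.time
    challenges: Dict[str, ResetChallenge] = field(default_factory=dict)
    verify_log: Dict[str, List[float]] = field(default_factory=dict)

    def issue(self, account: str) -> str:
        """Mint a fresh, unpredictable 6-digit code. Re-requesting replaces the old
        one instead of re-sending it, so a code never stays valid across requests."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.challenges[account] = ResetChallenge(code=code, issued_at=self.clock())
        return code

    def _over_rate_limit(self, account: str) -> bool:
        """Sliding-window count of verification calls per account."""
        now = self.clock()
        recent = [t for t in self.verify_log.get(account, []) if now - t < RATE_WINDOW_SECONDS]
        recent.append(now)
        self.verify_log[account] = recent
        return len(recent) > MAX_VERIFY_PER_WINDOW

    def verify(self, account: str, submitted: str) -> str:
        """Return one of 'ok', 'rate_limited', 'expired' or 'invalid'."""
        if self._over_rate_limit(account):
            return "rate_limited"          # counted before any lookup, so guessing is throttled
        challenge = self.challenges.get(account)
        if challenge is None or challenge.consumed:
            return "invalid"
        if self.clock() - challenge.issued_at > CODE_TTL_SECONDS:
            del self.challenges[account]
            return "expired"
        well_formed = len(submitted) == 6 and submitted.isdigit()
        if not well_formed or not hmac.compare_digest(challenge.code, submitted):
            challenge.failed_attempts += 1
            if challenge.failed_attempts >= MAX_FAILED_ATTEMPTS:
                # Invalidate after repeated misses: even the right code is rejected
                # until the user requests a new one.
                del self.challenges[account]
            return "invalid"
        challenge.consumed = True          # single use
        return "ok"


if __name__ == "__main__":
    svc = ResetCodeService()
    issued = svc.issue("demo-account")
    wrong = "000000" if issued != "000000" else "111111"
    print("wrong guess ->", svc.verify("demo-account", wrong))
    print("right code  ->", svc.verify("demo-account", issued))
    print("replay      ->", svc.verify("demo-account", issued))
```

The order of checks matters: the rate-limit counter is charged before the challenge is even looked up, so an attacker cannot probe for the existence of a pending reset without spending budget, and the failed-attempt counter lives on the challenge itself, so it is reset only by issuing a new code, which a real service would also pace.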
🔹Nipe – Script to redirect all traffic from the machine to the Tor network. 🔗https://lnkd.in/grhEtqdr
🔹OnionScan – Tool for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators. 🔗https://onionscan.org/
🔹Tails – Live operating system aiming to preserve your privacy and anonymity. 🔗https://tails.boum.org/
🔹Tor – Free software and onion routed overlay network that helps you defend against traffic analysis. 🔗https://lnkd.in/g8Uc8nB2
🔹dos-over-tor – Proof of concept denial of service over Tor stress test tool. 🔗https://lnkd.in/gAEQPvbd
76% of enterprises lack sufficient voice and messaging fraud protection as AI-powered vishing and smishing skyrocket following the launch of ChatGPT, according to Enea.
Enterprises report significant losses from mobile fraud
61% of enterprises still suffer significant losses to mobile fraud, with smishing (SMS phishing) and vishing (voice phishing) being the most prevalent and costly.
Enterprises account for a significant share of communication service provider (CSP) subscribers and an even greater share of their revenues. They depend on their CSP to protect them from telecom-related fraud, with 85% saying security is important or extremely important for their telecoms buying decisions.
Since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have increased by a staggering 1,265%.
61% of enterprise respondents said their mobile messaging fraud costs were significant, yet more than three-quarters don’t invest in SMS spam or voice scam/fraud protection.
51% said they expect their telecom operator to protect them from voice and mobile messaging fraud, citing their role as more important than that of cloud providers, managed IT providers, systems integrators or direct software vendors.
85% of enterprises say that security is important or extremely important for their telecoms purchasing decisions.
Only 59% of CSPs say they have implemented a messaging firewall, and just 51% said they have implemented a signaling firewall. 46% report adopting some threat intelligence service, essentially leaving a majority blind to new or morphing threats.
CSPs that prioritize security are better positioned to win enterprise business
Security leaders, characterized by better capabilities, better funding, and a higher prioritization of security, are less than half as likely as the followers to have a security breach go undetected or unmitigated (12% vs 25%). CSP security leaders are more likely to see security as an opportunity to generate revenues (31% vs 19%).
“We’ve observed the rapidly evolving threat landscape with growing concern, particularly as AI-powered techniques become more accessible to cybercriminals,” commented John Hughes, SVP and Head of Network Security at Enea.
“The stark increase in mobile fraud, particularly following the advent of advanced technologies like ChatGPT, underscores a critical need for enhanced network security measures. This survey highlights a significant disconnect between enterprise expectations and the current capabilities of many CSPs, and our ongoing mission is to help the sector bridge that gap and safeguard networks and users,” concluded Hughes.
Maintaining and enhancing mobile network security is a never-ending challenge for CSPs. Mobile networks are constantly evolving – and continually being threatened by a range of threat actors who may have different objectives, but all of whom can exploit vulnerabilities and execute breaches that impact millions of subscribers and enterprises and can be highly costly to remediate.
To bridge this gap, CSPs must overcome challenges such as a lack of skilled staff to handle potential security breaches, a lack of budget to invest in adequate security tools, and internal organizational complexity preventing them from prioritising security.
France’s National Cybersecurity Agency (ANSSI) observed a significant rise in cyber espionage campaigns targeting strategic organizations in 2023.
These operations are increasingly focused on individuals and non-governmental structures that create, host or transmit sensitive data, ANSSI observed in its 2023 Cyber Threat Landscape report, published on February 27, 2024.
Besides public administration, the primary targets of cyber espionage activity included organizations associated with the French government, such as technology and defense contractors, research institutes and think tanks.
Overall, cyber espionage remained the top cyber threat ANSSI’s teams dealt with in 2023.
ANSSI has also noted an increase in attacks against business and personal mobile phones aimed at targeted individuals.
There has also been an upsurge in attacks that have used methods publicly associated with the Russian government.
“These attacks are not limited to mainland French territory: in 2023, ANSSI dealt with the compromise of an IT network located in a French overseas territory using an attack modus operandi publicly associated with China,” reads the report.
30% Rise in Ransomware
Meanwhile, financially motivated attacks were also on the rise, with an observed 30% increase in ransomware attacks compared to 2022.
Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI
Small and medium enterprises (SMEs) and mid-sized businesses were the most targeted organizations, representing 34% of all cyber-attacks observed by ANSSI in 2023. Local administration came second, suffering 24% of all attacks in 2023.
In total in 2023, ANSSI recorded 3703 cyber events, 1112 of which were labeled as cyber incidents. In 2022, it recorded 3018 cyber events, including 832 cyber incidents.
The latest version of the LockBit ransomware, LockBit 3.0 (aka LockBit Black), was the most used malware in financially motivated cyber-attacks in 2023, taking over previous ransomware versions from the same threat group that dominated the ransomware landscape in 2022.
Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI
Overall, 2023 has seen significant changes in the structure and methods of attackers. They are perfecting their techniques in order to avoid being detected, tracked, or even identified.
“Despite efforts to improve security in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting ‘zero-day’ vulnerabilities remains a prime entry point for attackers, who all too often still take advantage of poor administration practices, delays in applying patches and the absence of encryption mechanisms,” reads the report, translated from French to English by Infosecurity.
The top five vulnerabilities exploited by threat actors to compromise French organizations’ IT systems in 2023 include flaws in VMWare, Cisco, Citrix, Atlassian and Progress Software products.
Pre-Positioning Activities on ANSSI’s Radar for 2024
Finally, in a tense geopolitical context, ANSSI noted new destabilization operations aimed mainly at promoting a political discourse, hindering access to online content or damaging an organization’s image.
“While distributed denial of service (DDoS) attacks by pro-Russian hacktivists, often with limited impact, were the most common, pre-positioning activities targeting several critical infrastructures in Europe, North America and Asia were also detected.
“These more discreet activities may nevertheless be aimed at larger-scale operations carried out by state actors waiting for the right moment to act,” the report explained.
Vincent Strubel, ANSSI’s director general, commented: “While financially motivated attacks and destabilization operations saw a clear upturn in 2023, it was once again the less noisy threat, which remains the most worrying, that of strategic and industrial espionage and pre-positioning for sabotage purposes, which mobilised the ANSSI teams the most.”
These geopolitically driven threats will particularly be on ANSSI’s radar in 2024, as Paris prepares to host the 2024 Olympic and Paralympic Games.
How to learn it… As a cybersecurity professional you learn something new every day, as this is an evolving field. Happy Learning!
Learning cybersecurity involves a combination of formal education, self-study, hands-on practice, and staying updated with the latest developments in the field. Here’s a step-by-step guide to help you get started:
Understand the Basics: Familiarize yourself with the fundamentals of computer science, networking, and operating systems. This will provide you with a strong foundation for understanding cybersecurity concepts.
Choose a Learning Path: Cybersecurity is a broad field with various specializations such as network security, ethical hacking, digital forensics, and cloud security. Decide which area interests you the most and focus your learning efforts accordingly.
Take Online Courses: There are numerous online platforms offering cybersecurity courses for beginners to advanced learners. Some popular ones include Coursera, Udemy, Pluralsight, and Cybrary. Look for courses that cover topics like cryptography, malware analysis, penetration testing, etc.
Earn Certifications: Certifications can validate your skills and knowledge in specific areas of cybersecurity. Some widely recognized certifications include CompTIA Security+, Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), and Offensive Security Certified Professional (OSCP).
Practice with Hands-on Labs: Hands-on experience is crucial in cybersecurity. Set up a lab environment using virtualization software like VirtualBox or VMware, and practice implementing security measures, performing penetration tests, and analyzing malware.
Read Books and Whitepapers: Supplement your online learning with books and whitepapers written by cybersecurity experts. These resources provide in-depth insights into advanced topics and real-world case studies.
Join Cybersecurity Communities: Engage with cybersecurity communities and forums to connect with fellow enthusiasts and professionals. Websites like Reddit’s r/netsec and Stack Exchange’s Information Security offer valuable discussions and resources.
Participate in Capture The Flag (CTF) Competitions: CTF competitions are cybersecurity challenges where participants solve various tasks related to hacking, reverse engineering, cryptography, etc. Participating in CTFs is an excellent way to sharpen your skills and learn new techniques.
Stay Updated: Cyber threats evolve rapidly, so it’s essential to stay updated with the latest news, trends, and vulnerabilities. Follow cybersecurity blogs, subscribe to industry newsletters, and attend conferences and webinars.
Consider Formal Education: If you’re serious about pursuing a career in cybersecurity, consider enrolling in a degree program or bootcamp specializing in cybersecurity. A formal education can provide you with structured learning and access to industry experts.
Remember that cybersecurity is a continuously evolving field, so be prepared to adapt and keep learning throughout your career. Good luck on your learning journey!
Web Check offers thorough open-source intelligence and enables users to understand a website’s infrastructure and security posture, equipping them with the knowledge to understand, optimize, and secure their online presence.
Unlike similar services, Web Check is free. There’s no signup, tracking, logging, or ads. Anyone can deploy their instance easily.
Web Check features
Web Check provides insight into the inner workings of any specified website, enabling users to identify possible security vulnerabilities, scrutinize the underlying server architecture, inspect security settings, and discover the various technologies employed by the site.
Currently, the dashboard will show IP info, SSL chain, DNS records, cookies, headers, domain info, search crawl rules, page map, server location, redirect ledger, open ports, traceroute, DNS security extensions, site performance, trackers, associated hostnames, carbon footprint.
“When you’re looking into any website or server, either as part of an OSINT investigation or just out of curiosity, there’s a couple of checks that you always start with. Think domain registrar records, SSL chain, server info, page list, tech stack, etc. None of these are hard to find individually, usually with a combination of bash commands and online tools. However, fetching, collating, and analyzing all this data is time-consuming. I created Web Check to automate this process. It locates, processes, and visualizes everything you need to provide a good starting point for your investigation. It takes just seconds to generate a full report, with no fluff,” Alicia Sykes, the creator of Web Check, told Help Net Security.
Future plans
“I’m always looking for ways to increase and improve the data returned. The web scene is constantly changing, so there are always new and interesting insights you can glean from sites. I’m working on some new checks to include this data. I’m also working on a public API to be used programmatically or integrated into researchers’ existing workflows. Due to it being free to use, I must also improve performance to keep compute costs down continuously,” Sykes concluded.
HackerGPT is a cutting-edge AI tool designed explicitly for the cybersecurity sector, particularly beneficial for individuals involved in ethical hacking, such as bug bounty hunters.
This advanced assistant is at the cutting edge of cyber intelligence, offering a vast repository of hacking methods, tools, and tactics. More than a mere repository of information, HackerGPT actively engages with users, aiding them through the complexities of cybersecurity.
There are several ChatGPT-powered tools, such as OSINVGPT, PentestGPT, WormGPT, and BurpGPT, that have already been developed for the cyber security community, and HackerGPT is writing a new chapter for the same.
What is the Purpose of HackerGPT:
It leverages the capabilities of ChatGPT, enhanced with specialized training data, to assist in various cybersecurity tasks, including network and mobile hacking, and understand different hacking tactics without resorting to unethical practices like jailbreaking.
HackerGPT generates responses to user queries in real-time, adhering to ethical guidelines. It supports both GPT-3 and GPT-4 models, providing users with access to a wide range of hacking techniques and methodologies.
The tool is available for use via a web browser, with plans to develop an app version in the future. It offers a 14-day trial with unlimited messages and faster response times.
HackerGPT aims to streamline the hacking process, making it significantly easier for cybersecurity professionals to generate payloads, understand attack vectors, and communicate complex technical results effectively.
This AI-powered assistant is seen as a valuable resource for enhancing security evaluations and facilitating the understanding of potential risks and countermeasures among both technical and non-technical stakeholders.
Recently, HackerGPT released 2.0, and the beta is now available here.
Upon posing a query to HackerGPT, the process begins with authentication of the user and management of query allowances, which differ for free and premium users.
The system then probes its extensive database to find the most relevant information to the query. For non-English inquiries, translation is employed to ensure the database search is effective.
If a suitable match is discovered, it is integrated into the AI’s response mechanism. The query is securely transmitted to OpenAI or OpenRouter for processing, ensuring no personal data is included. The response you receive depends on the module in use:
HackerGPT Module: A customized version of Mixtral 8x7B with semantic search capabilities tailored to our database.
GPT-4 Turbo: The most recent innovation from OpenAI, enhanced with our specialized prompts.
Guidelines for Issues: The “Issues” section is strictly for problems directly related to the codebase. We’ve noticed an influx of non-codebase-related issues, such as feature requests or cloud provider problems. Please consult the “Help” section under the “Discussions” tab for setup-related queries. Issues not pertinent to the codebase are typically closed promptly.
Engagement in Discussions: We strongly encourage active participation in the “Discussions” tab! It’s an excellent platform for asking questions, exchanging ideas, and seeking assistance. Chances are, others might have the same question if you have a question.
Updating Process: To update your local Chatbot UI repository, navigate to the root directory in your terminal and execute:
npm run update
For hosted instances, you’ll also need to run:
npm run db-push
This will apply the latest migrations to your live database.
Setting Up Locally: To set up your own instance of Chatbot UI locally, follow these steps:
Navigate to the root directory of your local Chatbot UI repository and run:
npm install
Install Supabase & Run Locally:
Supabase is chosen for its ease of use, open-source nature, and free tier for hosted instances. It replaces local browser storage, addressing security concerns, storage limitations, and enabling multi-modal use cases.
Install Docker: Necessary for running Supabase locally. Download it for free from the official site.
Install Supabase CLI: Use Homebrew for macOS/Linux or Scoop for Windows.
Start Supabase: Execute supabase start in your terminal at the root of the Chatbot UI repository.
Fill in Secrets: Copy the .env.local.example file to .env.local and populate it with values obtained from supabase status.
Optional Local Model Installation:
For local models, follow the instructions provided for Ollama installation.
Run the App Locally:
Finally, run npm run chat in your terminal. Your local instance should now be accessible at http://localhost:3000.
Setting Up a Hosted Instance:
To deploy your Chatbot UI instance in the cloud, follow the local setup steps here. Then, create a separate repository for your hosted instance and push your code to GitHub.
Set up the backend with Supabase by creating a new project and configuring authentication. Connect to the hosted database and configure the frontend with Vercel, adding necessary environment variables. Deploy, and your hosted Chatbot UI instance should be live and accessible through the Vercel-provided URL. You can read the complete GitHub repository here.
In 2023, cybercriminals saw more opportunities to “log in” versus hack into corporate networks through valid accounts – making this tactic a preferred weapon for threat actors, according to IBM’s 2024 X-Force Threat Intelligence Index.
Attacks on critical infrastructure reveal industry faux pas
In nearly 85% of attacks on critical sectors, compromise could have been mitigated with patching, MFA, or least-privilege principles – indicating that what the security industry historically described as “basic security” may be harder to achieve than portrayed.
Ransomware attacks on enterprises saw a nearly 12% drop last year, as larger organizations opt against paying and decrypting, in favor of rebuilding their infrastructure. With this growing pushback likely to impact adversaries’ revenue expectations from encryption-based extortion, groups that previously specialized in ransomware were observed pivoting to infostealers.
X-Force analysis projects that when a single generative AI technology approaches 50% market share, or when the market consolidates to three or fewer technologies, it could trigger at-scale attacks against these platforms.
“While ‘security fundamentals’ doesn’t get as many head turns as ‘AI-engineered attacks,’ it remains that enterprises’ biggest security problem boils down to the basic and known – not the novel and unknown,” said Charles Henderson, Global Managing Partner, IBM Consulting, and Head of IBM X-Force. “Identity is being used against enterprises time and time again, a problem that will worsen as adversaries invest in AI to optimize the tactic.”
A global identity crisis poised to worsen
Exploiting valid accounts has become the path of least resistance for cybercriminals, with billions of compromised credentials accessible on the dark web today. In 2023, X-Force saw attackers increasingly invest in operations to obtain users’ identities – with a 266% uptick in infostealing malware, designed to steal personal identifiable information like emails, social media and messaging app credentials, banking details, crypto wallet data and more.
This “easy entry” for attackers is one that’s harder to detect, eliciting a costly response from enterprises. According to X-Force, major incidents caused by attackers using valid accounts were associated with nearly 200% more complex response measures by security teams than the average incident – with defenders needing to distinguish between legitimate and malicious user activity on the network.
In fact, IBM’s 2023 Cost of a Data Breach Report found that breaches caused by stolen or compromised credentials required roughly 11 months to detect and recover from – the longest response lifecycle of any infection vector.
This wide reach into users’ online activity was evident in the FBI and European law enforcement’s April 2023 takedown of a global cybercrime forum that collected the login details of more than 80 million user accounts. Identity-based threats will likely continue to grow as adversaries leverage generative AI to optimize their attacks. Already in 2023, X-Force observed over 800,000 posts on AI and GPT across dark web forums, reaffirming that these innovations have caught cybercriminals’ attention and interest.
Worldwide, nearly 70% of attacks that X-Force responded to were against critical infrastructure organizations, an alarming finding highlighting that cybercriminals are wagering on these high value targets’ need for uptime to advance their objectives.
Nearly 85% of attacks that X-Force responded to on this sector were caused by exploiting public-facing applications, phishing emails, and the use of valid accounts. The latter poses an increased risk to the sector, with DHS CISA stating that the majority of successful attacks on government agencies, critical infrastructure organizations and state-level government bodies in 2022 involved the use of valid accounts. This highlights the need for these organizations to frequently stress test their environments for potential exposures and develop incident response plans.
For cybercriminals to see ROI from their campaigns, the technologies they target must be ubiquitous across most organizations worldwide. Just as past technological enablers fostered cybercriminal activities – as observed with ransomware and Windows Server’s market dominance, BEC scams and Microsoft 365 dominance or cryptojacking and the Infrastructure-as-a-Service market consolidation – this pattern will most likely extend across AI.
X-Force assesses that once generative AI market dominance is established – where a single technology approaches 50% market share or the market consolidates to three or fewer technologies – it could trigger the maturity of AI as an attack surface, mobilizing further investment in new tools from cybercriminals.
Although generative AI is currently in its pre-mass market stage, it’s paramount that enterprises secure their AI models before cybercriminals scale their activity. Enterprises should also recognize that their existing underlying infrastructure is a gateway to their AI models that doesn’t require novel tactics from attackers to target – highlighting the need for a holistic approach to security in the age of generative AI.
Where did all the phish go?
Nearly one in three attacks observed worldwide targeted Europe, with the region also experiencing the most ransomware attacks globally (26%).
Despite remaining a top infection vector, phishing attacks saw a 44% decrease in volume from 2022. But with AI poised to optimize this attack and X-Force research indicating that AI can speed up attacks by nearly two days, the infection vector will remain a preferred choice for cybercriminals.
Red Hat Insights found that 92% of customers have at least one CVE with known exploits unaddressed in their environment at the time of scanning, while 80% of the top ten vulnerabilities detected across systems in 2023 were given a ‘high’ or ‘critical’ CVSS base severity score.
X-Force observed a 100% increase in “kerberoasting” attacks, wherein attackers attempt to impersonate users to escalate privileges by abusing Microsoft Active Directory tickets.
X-Force Red penetration testing engagements indicate that security misconfigurations accounted for 30% of total exposures identified, observing more than 140 ways that attackers can exploit misconfigurations.
Ransomware attacks against manufacturers, utilities and other industrial companies were up 50% last year.
The pace and sophistication of cyberattacks against industrial companies are escalating rapidly, as administration officials warn that nation-states are heavily targeting U.S. critical infrastructure sectors.
Ransomware attacks against industrial companies increased by around 50% last year, according to an annual report from cybersecurity company Dragos published Tuesday, which tracked 905 strikes.
The Hanover, Md.-based company, which specializes in protecting systems used by heavy industries such as electric grids and wastewater plants, said it tracked 28% more groups specifically targeting “operational technology” last year than the year before. The term refers to the heavy machinery and industrial control systems used by manufacturing plants, water utilities and similar organizations, as opposed to information technology, which generally comprises software such as accounting and human resources systems. Among industrial companies, manufacturers were targeted most, said Rob Lee, chief executive of Dragos.
“It’s not so much that they’re OT experts, it’s just they know that they’re impacting the revenue-generating portions of those companies,” Lee said, “so the companies are willing to pay, and pay faster.”
Even when ransomware attacks target manufacturers’ corporate technology systems and not their operational technology machinery, there can be collateral damage for production, said Mark Orsi, president of the Manufacturing Information Sharing and Analysis Center, a nonprofit that coordinates the sharing of threat data among manufacturers.
“The vast majority of ransomware variants only target the IT infrastructure of an organization, but all too often the manufacturing plant floor operations are disrupted as a result of compromise to IT systems,” he said.
But ransomware is just the tip of the iceberg, say industry observers. The tools used by hackers to specifically target operations have become more sophisticated in recent years.
The emergence of Pipedream, for instance, a tool believed to have been authored by a nation-state team, has many concerned. Pipedream is able to target industrial systems across industries, and doesn’t rely on common attack methods, such as exploiting vulnerabilities in software.
“When Pipedream or Pipedream-like capabilities leak out into the community, they will be the Cobalt Strikes of OT. That’s the stuff that worries me,” Lee said during a call with reporters on Jan. 30, referring to a suite of cybersecurity tools, Cobalt Strike, developed for network defenders, which gave rise to a slew of malicious hacking tools when it was leaked.
U.S. officials have also ratcheted up warnings of attempts to infiltrate U.S. critical infrastructure. Christopher Wray, director of the Federal Bureau of Investigation, on Sunday said Chinese efforts to secure footholds in critical infrastructure networks are occurring at an unprecedented scale.
While Beijing routinely denies involvement in hacking, Wray’s comments follow a series of similar remarks made by Rob Joyce, cybersecurity director of the National Security Agency. Last month, Joyce told an FBI-sponsored conference that Chinese hackers are positioning themselves within those networks so as to be able to strike at U.S. infrastructure in the event of a conflict. The U.S. government in January said it disrupted one such operation, without specifying the types of infrastructure targeted.
“It’s not just an electric company issue, it’s not just a water issue or a manufacturing issue. I think it’s an issue that affects all of us,” said Jason Nations, director of enterprise security at Oklahoma City-based
Critical infrastructure operators also face supply-chain security threats common to companies in many industries. German company PSI Software, which said last week it had been the victim of a cyberattack, specified on Monday that it had been hit by ransomware, and took its systems offline to prevent further intrusions. PSI Software supplies software specialized for energy providers and other industrial processes. PSI didn’t respond to a request for comment.
One difficulty critical-infrastructure companies struggle with is finding cybersecurity experts to defend their networks. While there is a shortage of around 4 million corporate cyber professionals globally, according to trade association ISC2, some companies say it is especially difficult to hire people with both cyber skills and expertise in heavy machinery and industrial technology.
A wastewater treatment plant in Fountain Valley, Calif. U.S. officials have said Chinese hackers have been trying to position themselves inside critical infrastructure to be able to impede operations in the event of a conflict. PHOTO: MARIO TAMA/GETTY IMAGES
7 Cyberattacks faced by small businesses and how to prepare to counter them:
1. Phishing Attacks 🎣 Phishing attacks trick employees into revealing sensitive information.
• Train staff to recognize suspicious emails.
• Use email filtering tools to block malicious messages.
2. Ransomware 🔒💵 Ransomware encrypts your data and demands payment for the key.
• Back up data regularly and keep copies offline or otherwise out of reach of the network.
• Run strong anti-malware software and keep it updated.
3. DDoS Attacks 🌐💥 Distributed Denial of Service (DDoS) attacks overwhelm your servers with traffic.
• Invest in DDoS protection services.
• Have a response plan ready to limit downtime.
4. Insider Threats 👥🔪 Employees or partners can misuse their access to harm your business.
• Implement strict access controls.
• Monitor user activity for unusual behavior.
5. Zero-Day Exploits ⚙️❗ Attackers exploit software vulnerabilities for which no patch yet exists.
• Keep all software and systems updated.
• Use intrusion detection systems to spot suspicious activity.
6. Man-in-the-Middle Attacks 🕵️ Attackers intercept communications between two parties.
• Use encryption for all communications.
• Use a secure VPN for remote access.
7. SQL Injection 💾🐛 Attackers smuggle SQL of their own into your database queries.
• Regularly update and patch your database systems.
• Use parameterized queries to prevent SQL injection.
Being prepared can save your small business from disaster. 💼💥
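To make item 7 concrete, here is an added example (not from the original post) that puts the string-built query it warns about next to the parameterized form it recommends, exercised against a constructed in-memory SQLite table; the table, rows and function names are assumptions.

```python
"""Vulnerable versus parameterized login query, run on constructed SQLite data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; real systems store salted password hashes, these are stand-ins."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_of_alice_pw"), ("bob", "hash_of_bob_pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Deliberately defective: untrusted input is spliced into the SQL text,
    so whatever the caller types is parsed as part of the statement."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Hardened form: the statement is fixed and the driver binds the values
    separately, so the same input is compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


def demo() -> dict:
    """Run both forms with a normal login and with a tampered username (the textbook
    SQL comment that cuts off the password check) and report who gets in."""
    conn = make_db()
    tampered = "alice' --"  # closes the quote, then comments out the rest of the WHERE clause
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hash_of_alice_pw"),
        "legit_parameterized": login_parameterized(conn, "alice", "hash_of_alice_pw"),
        "tampered_vulnerable": login_vulnerable(conn, tampered, "wrong"),
        "tampered_parameterized": login_parameterized(conn, tampered, "wrong"),
    }


if __name__ == "__main__":
    for case, users in demo().items():
        print(f"{case}: {users}")
```

The vulnerable form lets the tampered username log in as alice with a wrong password; the parameterized form returns nothing for it, because the quote and comment are just characters in a bound string.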
Top UK universities have had their services impacted by a DDoS attack, which has been claimed by the Anonymous Sudan hacktivist group.
The University of Cambridge’s Clinical School Computing Service revealed the incident in a post on its X (formerly Twitter) account on February 19, stating that internet access will be intermittent.
It said that the attack started at 15.00 GMT on February 19, with “multiple universities” impacted.
In an update on the morning of February 20, the service said that disruption to the network appears largely over, although some systems remain impacted.
Varsity, the independent newspaper for the University of Cambridge, reported that the attack had affected access to student IT services such as CamSIS and Moodle.
The attackers targeted the Janet Network, a high-speed data-sharing network used by researchers, according to the Varsity report. This service is used by a number of UK universities.
The Janet network is managed by Jisc, a UK not-for-profit provider of network and IT services to the higher education sector.
The University of Manchester also reported connectivity issues as a result of the DDoS attack, stating on its X account on February 19 that the availability of IT services off campus was impacted.
Anonymous Sudan Claims Responsibility for University DDoS Attacks
Hacktivist group Anonymous Sudan claimed responsibility for the attack on the universities.
Hacktivist tracker X account CyberKnow shared a screenshot of a post by the gang, in which they cited the UK government’s support for Israel’s military action in Gaza and the bombing of the Houthi movement in Yemen as the reason for the attack.
Anonymous Sudan has frequently been linked to politically motivated DDoS attacks. It claimed to have launched numerous cyber-attacks against the Israeli government and media organizations in the wake of Hamas’ assault on Israel on October 7, 2023, which started the conflict in Gaza.
UK Institutions Targeted by Hackers
Renowned UK institutions appear to be a growing target for cyber-threat actors.
The British Library is still in the process of recovering its digital services as a result of a ransomware attack in October 2023.
Gerasim Hovhannisyan, CEO and co-founder of EasyDMARC, noted that the University of Cambridge’s Library itself is in the process of restoring systems following the British Library attack.
He said that well-known institutions like universities must be particularly vigilant at this time.
“While DDoS attacks themselves usually don’t result in data loss, they can be used to mask the real malicious intentions of cybercriminals.
“With AI lowering the bar of who can develop and carry out cyber-attacks and the ransomware-as-a-service industry further expanding that demographic to anyone with sufficient funds, universities must look at the state of their cybersecurity postures seriously,” he commented.
Research published by KnowBe4 on February 19 found an “exponential” increase in cyber-attacks against UK higher education institutions. The report cited research showing that only half of higher education institutions have a cybersecurity strategy.
Keiron Holyome, VP UKI & Emerging Markets, BlackBerry Cybersecurity, noted that universities are seen as a soft target by threat actors. This has been exacerbated by the expanded threat environment following the shift to remote learning, connected learning technologies and more connections to often-unsecured devices owned by the students.
“IT support is often limited, budgets tight, and many use standard software provided to the education sector. If a vulnerability is found in that software, it won’t take long for the criminals to find it and exploit it,” explained Holyome.
As organizations shift their applications and operations to the cloud and increasingly drive revenues through software, cloud-native applications and APIs have emerged among the greatest areas of modern security risk.
According to publicly available data, eight of the top 10 data breaches of 2023 were related to application attack surfaces. These eight breaches alone exposed almost 1.7 billion records, illustrating the potential for tremendous data loss if applications are poorly configured and lack effective protection.
Application security has quickly become one of the most essential forms of security for the modern enterprise. That’s why we set out to understand how organizations are securing their applications today and the challenges they face in doing so. Our research team surveyed 400 application security professionals in the United States to learn how they are securing applications, the tools and processes they are using and how effective their work is.
Two flights bound for Israel over the past week have suffered attempts to hijack their communications and divert the aircraft, according to local reports.
The El Al flights were both travelling from Thailand to Israel’s Ben Gurion international airport and apparently encountered “hostile elements” while flying over the Middle East.
Citing a report from national broadcaster Kan Reshet B, The Jerusalem Post claimed that hackers attempted to hijack the planes’ communications networks in order to divert them from their pre-programmed route.
No group has claimed responsibility. Although the aircraft were flying over an area in which Iranian-backed Houthis are active, sources have claimed it could be the work of a group operating from Somaliland – an unrecognized state in the Horn of Africa.
Fortunately, the pilots reportedly became suspicious about the sudden change in instructions and ignored them, switching to another communications channel and double-checking their route with air traffic controllers.
An El Al source revealed that pilots are trained to spot and mitigate such threats whilst in the air.
“The disruption did not affect the normal course of the flight thanks to the professionalism of the pilots who used the alternative means of communication and allowed the flight to continue on the planned route.”
The EU’s aviation safety agency EASA recently revamped its cybersecurity regulations for the sector with the release of the first Easy Access Rules (EAR) for Information Security (Part IS).
They’re designed to enforce best practice security across the industry, covering an exhaustive range of suppliers as well as airlines, airports, communication infrastructure providers and air towers.
A novel, very sophisticated mobile Trojan dubbed GoldPickaxe.iOS that targets iOS users exclusively was discovered to collect facial recognition data, intercept SMS, and gather identity documents.
Most of those impacted by this activity are in the Asia-Pacific region; two APAC countries, Vietnam and Thailand, account for the bulk of the targeting and deserve particular attention.
The GoldPickaxe family, which comes in iOS and Android variants, is based on the GoldDigger Android Trojan (discovered in October 2023) and receives frequent modifications to improve its functionality and avoid detection.
“To exploit the stolen biometric data from iOS and Android users, the threat actor creates deepfakes using AI face-swapping services to replace their faces with those of the victims. This method could be used by cybercriminals to gain unauthorized access to victims’ bank accounts”, Group-IB researchers shared with Cyber Security News.
Timeline Of GoldFactory’s Trojans
Group-IB has linked the entire threat cluster to a single threat actor known as GoldFactory, which has created an advanced collection of mobile banking malware.
GoldDigger, a conventional Android banking Trojan, abuses the Accessibility Service to give the attackers control of the device. GoldDiggerPlus is a further Android variant that extends GoldDigger’s capabilities.
GoldDiggerPlus embeds a Trojan called GoldKefu, which carries web fakes and allows real-time voice conversations with victims. GoldPickaxe, built for both iOS and Android, is used to capture and exfiltrate biometric data and personal information from victims.
GoldPickaxe.IOS Employs A Notable Distribution Scheme
Thai financial institutions extensively utilize facial recognition for login authentication and transaction verification. Because of this, GoldPickaxe’s facial recognition video capture and unique features give attackers the chance to access bank accounts without authorization.
GoldPickaxe Trojans extract money from victims’ devices
The attackers install the banking apps on their own Android smartphones and use the captured face scans to bypass the apps’ facial recognition checks and gain unauthorized access to victims’ accounts.
Screenshots displaying how GoldPickaxe for Android captures a facial biometric profile
Cybercriminals pose as government officials in Thailand and convince victims to utilize LINE, one of the nation’s most widely used chat services. The LINE user needs to add another as a friend to initiate a chat.
“Malicious links are distributed through messengers to encourage the installation of the app. Victims are then lured into a fraudulent application posing as a ‘Digital Pension’ app, purportedly enabling them to receive their pension digitally”, according to Thailand Banking Sector CERT (TB-CERT).
Researchers pointed to a precedent, the CryptoRAM campaigns, in which fraudsters distributed fake cryptocurrency applications through Apple’s TestFlight platform.
Another technique is manipulating Apple devices using Mobile Device Management (MDM). MDM is an all-inclusive and centralized approach to controlling and safeguarding mobile devices inside an organization, including tablets and smartphones.
A proactive and comprehensive cybersecurity strategy must therefore combine user education with up-to-date, integrated security controls that can identify newly introduced Trojans early and alert end users.
The U.S. government offers rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders.
The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.
This additional reward targets the affiliates and initial access brokers who facilitated the group’s attacks.
On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.
On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.
On December 10th, the primary domain of the group went offline and administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site was taken offline as a result of law enforcement’s operation. The group always denied this circumstance, but today the domain displayed the following message to the visitors.
The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Australia, Spain, Austria and Europol.
“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Göttingen.” reads the message published by law enforcement on the seized websites.
“The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.” reads the press release published by DoJ.
The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation and amassed hundreds of millions of dollars in ransom payments.
The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.
“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”
According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.
People who have information eligible for the reward can access the following Tor website set up by the US Department of State: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion.
Digital forensics plays a crucial role in analyzing and addressing cyberattacks, and it’s a key component of incident response. Additionally, digital forensics provides vital information for auditors, legal teams, and law enforcement agencies in the aftermath of an attack.
Many cutting-edge digital forensics tools are on the market, but for those who cannot afford them, here’s a list of great free solutions to get you started.
Autopsy is a digital forensics platform widely employed by law enforcement agencies, military personnel, and corporate investigators to examine and understand activities on a computer. Although Autopsy is designed to be cross-platform, the latest version is fully functional and tested only on Windows.
bulk_extractor is a high-speed tool for digital forensics analysis. It scans various inputs, including disk images, files, and directories, extracting organized information like email addresses, credit card numbers, JPEG images, and JSON fragments. This is achieved without the need to parse file systems or their structures. The extracted data is saved in text files, which can be examined, searched, or utilized as inputs for further forensic investigations.
NetworkMiner, an open-source network forensics tool, specializes in extracting artifacts like files, images, emails, and passwords from network traffic captured in PCAP files. Additionally, it can capture live network traffic by sniffing a network interface.
Velociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities. At the press of a (few) buttons, perform targeted collection of digital forensic evidence simultaneously across your endpoints, with speed and precision.
WinHex is a versatile hexadecimal editor, proving especially useful in the areas of computer forensics, data recovery, low-level data processing, and IT security. It allows users to inspect and modify various file types, as well as recover deleted files or retrieve lost data from hard drives with damaged file systems or digital camera cards.
An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.
Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.
Some documents that have been weaponized have embedded links to “View document,” which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commit financial fraud.
Attackers Targeting Wide Range Of Individuals
Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.
“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,” Proofpoint researchers shared with Cyber Security News.
“Individuals holding executive positions such as “Vice President, Operations,” “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted.”
The variety of positions targeted shows a pragmatic approach: the attackers aim to compromise accounts with varying degrees of access to important resources and responsibilities across organizational activities.
In this campaign, researchers observed the usage of a particular Linux user agent that attackers employed during the attack chain’s access phase.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
The ‘OfficeHome’ sign-in application is primarily accessed by attackers using this user-agent, along with other native Microsoft365 apps, like:
‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications)
‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation)
‘My Signins’ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog)
‘My Apps’
‘My Profile’
Attackers register their own MFA methods to retain persistent access. They choose various authentication methods, such as registering additional phone numbers to authenticate via SMS or phone calls.
MFA manipulation events executed by attackers in a compromised cloud tenant
Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.
Mailbox access is also used to target individual user accounts with phishing threats and to move laterally across compromised organizations.
Internal emails are sent to the impacted companies’ finance and human resources departments to commit financial fraud.
Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.
Obfuscation mailbox rules created by attackers following successful account takeover
“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,” researchers said.
In your own cloud environment, therefore, watch for account takeover (ATO) and for unauthorized access to key resources. Security tooling must identify both the initial account compromise and post-compromise actions promptly and precisely, with visibility into which services and applications have been misused.
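As an added example (not Proofpoint’s code or tooling), the following Python hunts the pattern described above in constructed sign-in records: the Linux user agent combined with the listed sign-in applications, escalating when ‘My Signins’ or Exchange Online access follows. The log layout, field names and sample accounts are assumptions.

```python
"""Hunt for the campaign's sign-in pattern in constructed Entra ID-style sign-in records."""
import csv
from collections import defaultdict
from io import StringIO

# User agent Proofpoint reported for the campaign's access phase (quoted in the text above)
CAMPAIGN_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Sign-in applications the text lists as accessed with that user agent
CAMPAIGN_APPS = {"OfficeHome", "Office365 Shell WCSS-Client", "Office 365 Exchange Online",
                 "My Signins", "My Apps", "My Profile"}
MFA_APP = "My Signins"                      # tied to MFA manipulation in the text
MAILBOX_APP = "Office 365 Exchange Online"  # tied to post-compromise mailbox abuse

# A benign Windows browser UA for contrast (constructed)
WINDOWS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Constructed sample sign-in log (assumed layout), pipe-separated because the UA strings contain commas
SAMPLE_LOG = "\n".join([
    "timestamp|user|app|user_agent|result",
    f"2024-02-12T08:01:00Z|alice@example.com|OfficeHome|{WINDOWS_UA}|success",
    f"2024-02-12T08:05:00Z|bob@example.com|OfficeHome|{CAMPAIGN_UA}|success",
    f"2024-02-12T08:06:00Z|bob@example.com|My Signins|{CAMPAIGN_UA}|success",
    f"2024-02-12T08:09:00Z|bob@example.com|Office 365 Exchange Online|{CAMPAIGN_UA}|success",
    f"2024-02-12T09:00:00Z|carol@example.com|My Apps|{CAMPAIGN_UA}|failure",
    f"2024-02-12T09:30:00Z|dave@example.com|Internal Dev Portal|{CAMPAIGN_UA}|success",
])

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_signins(text: str) -> list:
    """Parse the pipe-separated records into dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text), delimiter="|"))


def campaign_indicators(events: list) -> dict:
    """Map each user to the set of campaign indicators seen in their sign-ins.

    A Linux browser UA on its own is common and not an indicator; it is the
    combination with the campaign's sign-in applications that narrows the match,
    so dave's sign-in to an unrelated app is ignored."""
    found = defaultdict(set)
    for e in events:
        if e["user_agent"] != CAMPAIGN_UA or e["app"] not in CAMPAIGN_APPS:
            continue
        if e["result"] != "success":
            found[e["user"]].add("campaign_ua_attempt")   # failed try, still worth a look
            continue
        found[e["user"]].add("campaign_ua_signin")
        if e["app"] == MFA_APP:
            found[e["user"]].add("mfa_manipulation_access")
        if e["app"] == MAILBOX_APP:
            found[e["user"]].add("mailbox_access")
    return dict(found)


def triage(events: list) -> list:
    """Return (user, severity) pairs, most urgent first.

    high:   successful campaign sign-in followed by MFA-settings or mailbox access
    medium: successful campaign sign-in only
    low:    failed attempts with the campaign UA on a campaign application"""
    out = []
    for user, inds in campaign_indicators(events).items():
        if "mfa_manipulation_access" in inds or "mailbox_access" in inds:
            sev = "high"
        elif "campaign_ua_signin" in inds:
            sev = "medium"
        else:
            sev = "low"
        out.append((user, sev))
    return sorted(out, key=lambda pair: (SEVERITY_RANK[pair[1]], pair[0]))


if __name__ == "__main__":
    for user, sev in triage(parse_signins(SAMPLE_LOG)):
        print(f"{sev:6} {user}")
```

In the constructed data only bob shows the full chain (campaign UA on OfficeHome, then ‘My Signins’, then Exchange Online) and is rated high; carol’s failed attempt rates low, and alice and dave are not flagged at all.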
In this Help Net Security interview, Yaron Edan, CISO at REE Automotive, discusses the cybersecurity landscape of the automotive industry, mainly focusing on electric and connected vehicles.
Edan highlights the challenges of technological advancements and outlines strategies for automakers to address cyber threats effectively. Additionally, he emphasizes the importance of consumer awareness in ensuring vehicle security.
Can you describe the state of cybersecurity in the automotive industry, especially in the context of electric and connected vehicles?
The automotive industry is experiencing a digital breakthrough transforming how vehicles are designed, manufactured, and used, primarily driven by the introduction and popularity of electric and autonomous vehicles. Technological advancements have been introduced and integrated throughout the vehicle life cycle. This brings numerous benefits like enhanced safety and improved efficiency to the cars we drive daily, but it also brings new and pressing cybersecurity challenges.
Now that our vehicles are becoming increasingly connected to the internet, can receive Over-the-Air (OTA) updates, use remote management, contain Advanced Driver Assistance Systems (ADAS), and employ AI, the potential avenues for cyberattacks have expanded for threat actors to exploit in a significant way.
What steps are automakers taking to address cybersecurity challenges in their latest vehicle models?
We use different forms and increasing amounts of software in our vehicles. The first challenge is in the supply chain, not just in terms of who provides the software; the issue penetrates each layer. Automakers need to understand this from a risk management perspective to pinpoint the onset and location of each specific risk. Suppliers must be involved in this process and continue to follow guidelines put in place by the automaker.
The second challenge involves software updating. As technology continues to evolve and more features are added, cybercriminals find new ways to exploit flaws and gaps in systems that we may not have been aware of because of the newness of the technology. Regular software updates must be administered to products to patch holes in systems, improve existing vulnerabilities and improve product performance.
In order to address these challenges, automakers need to conduct an initial risk assessment to understand what kind of threats and the type of threat actors are active within each layer of the product and supply chain in the automotive industry. From the experience gained from the initial risk assessment, a procedure must be put in place to ensure each internal and external employee and supplier knows their role in maintaining security at the company.
The procedure determines which types of threat actors are active within the automotive industry, where they are located, and each threat’s severity. This is complicated because threat actors reside worldwide in large numbers, and each group uses various forms of attacks to various degrees. Automakers use the information collected daily to help protect their assets. Additionally, audits must be conducted regularly to evaluate each supplier and employee to verify the procedures are followed correctly, don’t need to be updated, etc.
Can you explain how vehicle manufacturers integrate cybersecurity into the design and development process?
Once you have a factory line running, the first step to integrate cybersecurity into the manufacturing process is to secure the operational technology (OT) policy by understanding the risk and how to close the gaps. Manufacturers must deal with OT threats, which involve thousands of unique threats coming from the product lines, sensors, and other equipment involved in the manufacturing process, instead of systems like computers.
These threats can be especially dangerous if left ignored because of the simplicity of the equipment used in this stage. Suppose you are a threat actor and you want to damage an automaker. In that case, it is much more difficult to conduct a cyberattack on the cloud or the employees of an automaker. Still, the factory line is easier to attack because it uses equipment that is easier to breach and actions are less detected. This is a very common area for threat actors to target.
What key strategies are you recommending for protecting connected and electric vehicles against cyber threats?
Automotive companies must take a proactive approach to addressing cybersecurity threats instead of being reactive. This allows security teams to avoid threats instead of responding later once the damage has already been done. A few proactive strategies I’d recommend for companies are the following.
Conduct a risk assessment to understand and prioritize current and future risks.
Develop company-wide security policies and procedures so all employees know their roles in maintaining security.
Hold regular security training and awareness programs to educate employees.
Implement strong network security measures, including firewalls, detection systems, and encryption, to monitor your network traffic for any anomalies regularly.
Regularly backup critical data and store it in secure locations.
Develop a comprehensive incident response plan outlining steps to be taken during a cyberattack.
Conduct periodic security audits to evaluate the effectiveness of security measures and identify improvement areas.
Cybersecurity is an ongoing process that requires constant vigilance and adaptation – current strategies will likely become outdated and need to be reworked as new threats emerge.
What role do regulatory bodies play in shaping cybersecurity standards for electric and connected vehicles?
Regulatory bodies play a role in shaping cybersecurity standards, but they do not help you secure your products directly – that is up to each individual player in the automotive supply chain. The goal of regulatory bodies is to provide automakers with best practices on steps to take in the event of a cyber hack, what players to communicate with, and how deep to reach depending on the severity of the threat.
Once an automaker is compliant with certain regulatory rules, they will then ask the regulatory bodies to come to conduct an onsite visit, where they conduct an audit for months at a time, trying to hack each layer they can and look for any areas of weakness, to identify what needs to be patched up. This process needs to be repeated until the automaker is fully compliant.
What are the best practices that consumers should be aware of to ensure the cybersecurity of their electric or connected vehicles?
Consumers need to make sure the data collected in the vehicle stays private. For example, if you have an electric vehicle (EV) and you need to charge it, you might visit a public charging station. Not many people know this, but your vehicle data can be easy to hack at public charging stations because you are not only transferring electricity but also data.
To prevent this from happening, vehicle owners need to ask the right questions. Owning an EV is no different than when a homeowner goes to buy a large kitchen appliance, for example. The right questions need to be asked, including – who made it, whether the company has a cybersecurity procedure in place, whether it is currently compliant with regulatory body requirements, etc. Making sure that all software is regularly up to date is also essential. EV users must download official software from trusted brands using a secure network.
Along with automakers, consumers are partially responsible for their own security, which needs to be stressed to the general public more. Without this knowledge, consumers are left highly vulnerable to hacks from cybercriminals.
In this Help Net Security interview, Robin Long, founder of Kiowa Security, shares insights on how best to approach the implementation of the ISO/IEC 27001 information security standard.
Long advises organizations to establish a detailed project roadmap and to book certification audits at an early stage. He also recommends selecting an internal team that includes a leader with the ISO 27001 Lead Implementer qualification and suggests that in some cases, the best approach to the standard may be to start by prioritizing a limited number of “security wins” before embarking on full implementation.
A few general points about ISO 27001, before getting onto the questions:
1. The documentation behind ISO/IEC 27001:2022 (“ISO 27001”) is broken into two main parts: ISO/IEC 27001 itself, which contains the primary guidance, and a ‘guidance document’ called ISO/IEC 27002, which lists suggested information security controls that may be determined and implemented based on the risk analysis that is carried out according to the requirements of the primary document.
ISO 27001 is also supported by the other standards ISO/IEC 27000:2018 (IT security techniques) and ISO/IEC 27005:2022 (Information security, cybersecurity, and privacy protection), among others.
All these are developed and maintained by the International Organization for Standardization (ISO), which is based in Geneva, Switzerland.
2. Although there are a number of things that you are obliged to do if you’re seeking certified conformity to the standard, it is actually quite flexible about the details. Even the “requirements” – the obligatory clauses in the 27001 document – generally allow a fairly broad range of interpretation. This makes sense when you think that ISO 27001 has been developed as a one-size-fits-all system for all types and sizes of organization that handle sensitive information.
When you look at it like that, it immediately becomes less intimidating.
3. If you decide to go ahead and implement ISO 27001, it’s highly recommended to put together a detailed road map that defines targets of what should be achieved by what date in the timeline of the project (Gantt charts are good for this – look them up!). This helps to keep the project under control and reduces the risk of time and budget overrun. Breaking the project up into weekly components also makes it less daunting.
4. You’ll also need to define a (small) group of people to carry out, maintain and be accountable for implementation of the standard. You might call this the ‘ISMS Team’ (where ISMS means Information Security Management System, another way to describe ISO 27001). This team should ideally incorporate expertise and experience in IT, business development and data protection, and have a channel to senior management.
How do you recommend organizations approach understanding and implementing ISO 27001’s wide range of controls and requirements, especially those new to information security management?
As a consultant myself, I’m aware of the conflict of interest, but I have to say that I do think it makes sense to hire external advice for assistance with implementation of ISO 27001, for internal audit, and interaction with certification auditors.
One of the main responsibilities of such an advisor is to assist with understanding of the standard and information security management generally, at both high and low levels. The range of ISO27002 controls – for example – is wide indeed, but a competent consultant will break them down into manageable portions that are taken on one by one, in a carefully planned order.
Whether or not you decide to hire a consultant, it’s a pretty good idea also to send the leader of the ISMS Team on an ISO 27001 Lead Implementer (LI) course. These courses typically run for about three days, and they are helpful. Note that ISO 27001 requires the organisation to provide evidence of the competence of key participants in the project, and the LI qualification for a team member indicates a reasonable degree of knowledge and commitment regarding the standard.
Of course, there are also a number of helpful online resources including the ISO27k Forum.
Implementing ISO 27001 can be resource-intensive. What advice do you have for organizations, particularly SMEs, in effectively allocating resources and budget for ISO 27001 implementation?
It’s true that implementation of ISO 27001 necessarily consumes resources, in terms of money and other assets – particularly people’s time. The critical question is whether the resource cost is offset by perceived gains, and this is largely about efficiency of allocation. Among other methods that we can use to attempt to optimise this are:
1. Use of a roadmap – as mentioned above – that takes the organisation all the way through to the two-stage certification audit process at a granular (weekly) level.
2. Early selection of the certification auditor and agreement of tentative dates for the certification audits. The benefits of doing this include the psychological one of getting an end date in the diary to help define the project roadmap. The cost of certification audits is also an important part of the overall budget, and the certification body will provide quotes for these at this stage.
Note that along with the two initial certification audits, there are a couple of (roughly annual) surveillance audits and a recertification audit after three years. These audits all cost money, of course, and require budgeting.
3. Watching out for some of the less obvious costs, including the potential charges associated with:
Legal work on modifications/additions to employment contracts, NDAs etc.
Software that you choose to install e.g., anti-malware, IDS, etc.
What strategies can be employed to convince top management of the necessity and benefits of ISO 27001 compliance?
Consultancy companies love to answer this question – on their websites – with a list of bullet points.
However, I can tell you that in nearly all cases there is just a single key factor at play, and it is a commercial one: Potential important clients or partners have been identified that require certification to the standard. Organisations that operate in sensitive sectors (finance, critical infrastructure, healthcare…) have already learned this or are in the process of learning it, and don’t need to be told about it. If they don’t know, then by all means tell them!
Other reasons that I consider completely valid and credible include:
Perceived improvement in the level of an organisation’s information security provides assurance to other stakeholders apart from clients – investors, senior management, regulators, suppliers and so on – regarding information security risks to the organisation.
Implementation of ISO 27001 can help smaller companies with their expansion. For example, it can help with the development of sound HR policies, with procedures around business continuity, disaster recovery and change management, and several other areas.
Note that ISO 27001 isn’t by any means just about personal data but is also concerned with other types of sensitive information, in particular intellectual property or “IP” (including trade secrets and source code). For many tech start-ups, these are the main assets of the business, and need to be well protected.
Risk management and performance evaluation are critical yet challenging aspects of ISO 27001. How should organizations approach these elements to ensure an effective Information Security Management System (ISMS)?
These are indeed arguably the core areas of ISO 27001. Among the critical things to remember regarding risk assessments are:
You should really at least try to come up with all the possible information security risks (internal and external) that are or might be faced by your organisation. This is best done by brainstorming in a group based around the ISMS Team.
ISO 27001 fundamentally breaks down to: “What information security risks do we face? How should we best manage them?”
Just as the chicken may come before the egg, note that what should happen in this case is that you identify the risks first and then select the controls that help to manage those risks.
You definitely don’t have to apply all of the controls, and nearly all organisations treat some, validly, as non-applicable in their Statement of Applicability. For example, businesses where all employees work remotely simply don’t have the full range of risks that can benefit from mitigation by the physical controls.
When it comes to performance evaluation, it’s largely a case of working through the relevant clauses and controls and agreeing how good a job the organisation is doing trying to meet the associated requirements. The ones that are selected for monitoring, measurement and evaluation will depend on the type and size of the organisation and its business objectives. These are basically key performance indicators (KPIs) for information security and might include supplier evaluations and documented events, incidents, and vulnerabilities.
Specifically for cloud solutions like Microsoft 365, what unique challenges do organizations face in implementing ISO 27001, and how can they be addressed?
The switch towards remote working and use of cloud resources has been quite disruptive for ISO 27001. The 2022 version has been somewhat adapted (via modifications to the controls) to reflect the change in working conditions. However, it still gives a lot of attention to traditional physical places of work, networks, and pre-SaaS style suppliers.
The big switch away from locally downloaded software to cloud services means that we need to take advantage of the flexibility of ISO 27001 to interpret the 27002 controls in a corresponding way, for example:
Thinking less about networks and more about secure configuration of cloud resources.
Focusing on aspects of the ‘supplier relationships’ controls that are relevant to SaaS suppliers.
Remembering that if cloud resources are very important for handling and storage of sensitive data in your business, then the new control 5.23 (Information security for use of cloud services) is correspondingly important for your business and must be tackled carefully and rigorously. It almost definitely applies to you – and there’s a lot there.
Note that business continuity/disaster recovery for an organisation with employees that work remotely using cloud services becomes largely a question of how the relevant cloud provider(s) manage backups, redundancy of storage/compute etc.
ISO 27001 requires a commitment to continuous improvement. How should organizations approach this, particularly regarding incident management and response?
This is an enigmatic section of clause 10 (Improvement) that organisations tend to struggle with (the second part is about dealing with non-conformities and is much clearer regarding what needs to be done).
It seems to me that the best approach is to raise the question of ‘how can we make the ISMS better?’ at the periodic ISMS management meetings, come up with some examples whereby this may be achieved and then provide any observed progress in the right direction. That means that by the time of the first follow-up (surveillance) audit you should be able to present a list of several potential improvements along with how they are being achieved.
I’d like to finish up by mentioning that nothing stops your organisation implementing ISO 27001 without getting the certification, or even doing a partial implementation. Many businesses like the concept of ISO 27001 but aren’t quite ready to commit fully. In that case, I highly recommend the following implementation model:
1. Decide which areas of information security are priorities for your organisation in terms of incremental increase in security, resources (money, time, personnel) required and ease of implementation. You can call these your ‘lowest-hanging security fruit’ if you must. Possible examples include access control, HR security or endpoint security.
2. Work through these one by one according to the relevant 27002 controls.
3. Once you have the highest priority areas covered off, start working on lower levels of priority.
4. After a few months of this, you may feel that ISO 27001 isn’t quite so formidable, and that you are ready to tackle it. Go for it!