Jun 01 2024

6 Expert Tips for Your 2024 Security and Compliance Management Planning

Category: Security Compliance | disc7 @ 2:22 pm

Follow these six expert tips to achieve successful security and compliance management planning.

1. Identify the assets you want to protect

Maintaining a list of assets, their business criticality, and who/where they are is the first step to establishing control over your environment. To do this, start with these steps:

  • Identify the systems, data, and people assets that you need to protect.
  • Identify the threats to those assets, and prioritize them.
  • Identify what you want to do to protect your priority assets from their most significant threats. 

2. Identify the activities you need to complete 

It is important to establish a list of security activities and the cadence at which they need to happen in order to meet your compliance requirements. Some activities only need to be done once a year, while others might need to be done quarterly or even monthly. For example, you may only need an annual penetration test, but how often do you need to perform internal vulnerability scans? Establishing the list of compliance management activities you need to complete, and when they need to be completed, is a great starting point for your 2024 compliance program.

DISC llc provides you with a full list of Information Security activities (GRC) required to achieve a successful data security program. This list includes activities such as:

  • Review policies and procedures (including Acceptable Use Policy)
  • Complete a risk assessment – this should be done annually
  • Review security training – to ensure new employees, as well as current employees, are up to date on all their training
  • Test and update your Business Continuity Plan – this should be done on an annual basis to account for any new situations that may occur
  • Review regulatory and legal compliance requirements – especially important for organizations that need to consider regulations such as ISO 27001:2022, SOC2, GDPR, CPRA, etc.
  • Conduct an inventory of your data assets – data assets change over the year so it is important this document is updated regularly.

3. Assign the right people and resources (RACI Matrix)

It is important to ensure you have the right team members in place. This means not only people qualified to be a part of the team but also team members from all departments. You will also need to select the compliance management tools that you will use to support your planning. Selecting a tool that includes risk management as well as data security will help protect your company as you grow.

4. Schedule all your meetings and tasks for the year (Audit/ Assessment planning)

It might seem a little early to schedule a meeting in July, but by planning ahead of time all your key team members will have the time blocked on their calendars and available for your meetings. It will also allow you to run different assessments at different times of the year to avoid inconvenient times for other departments, such as the accounting department.

5. Document, document, (Document Management System)

If it is not documented, then it didn’t happen. Make sure you have policies and procedures in place to document all your business actions. If you are not sure how to write appropriate policies and procedures, seek expert advice. Make sure all the required policies are approved and reviewed on a regular basis.

6. Plan ahead to future-proof your security program

Identify the frameworks you may want to tackle down the road and use a helpful platform that will crosswalk to get it done. This will save you time in the future when you wish to consider multiple frameworks for your organization. If you are unsure where to start, speak to a security expert for advice on the frameworks that best suit your industry and your needs. DISC llc performs Security Risk Assessments based on diverse standards and regulations, aligning them with the standard of your preference.

To learn more about compliance management you should seek expert advice from serious security professionals like the DISC Professional Services team.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Compliance Program


May 31 2024

Hackers Weaponizing MS Office-Cracked Versions to Deliver Malware

Category: Cyberweapon, Malware | disc7 @ 9:36 am

Attackers in South Korea are distributing malware disguised as cracked software, including RATs and crypto miners, and registering themselves with the Task Scheduler to ensure persistence. 

Even after removing the initial malware, the Task Scheduler triggers PowerShell commands to download and install new variants, which persists because the PowerShell commands keep changing, leaving unpatched systems vulnerable to information theft, proxy abuse, and cryptocurrency mining.  

Figure: Attack flow

Malicious actors are leveraging file-sharing platforms to distribute malware disguised as cracked MS Office, which retrieves the download URL and target platform during infection, potentially enabling them to tailor attacks and evade detection.

Cybercriminals are distributing malware disguised as cracked software. The malware, developed in .NET, uses obfuscation to hide its malicious code, and initially, it accessed Telegram to retrieve a download URL.

Newer versions contain two Telegram URLs and a Mastodon URL, each with a string linked to a Google Drive or GitHub URL.

The threat actor hides malicious PowerShell commands within these cloud storage locations, using Base64 encoding for further obfuscation, and once executed, these commands install additional malware strains. 

Figure: Commands encoded in Base64

The updater malware, "software_reporter_tool.exe", leverages a PowerShell script to download and maintain persistence, which creates a malicious executable at "C:\ProgramData\KB5026372.exe" and uses a compromised 7zip installation ("C:\ProgramData\Google\7z.exe") to decompress a password-protected archive from GitHub or Google Drive (password: "x"), mirroring tactics from a previous campaign.

Figure: Malware installation using 7z and PowerShell

Additionally, the updater registers itself with the Task Scheduler to ensure continuous operation after a reboot, and the scheduled task triggers the PowerShell script for further updates and potential malware installation. 

The attackers deployed Orcus RAT and XMRig on the compromised system.

Orcus RAT can steal information through keylogging, webcam, and screenshot capture, while XMRig mines cryptocurrency. 

Figure: 3Proxy’s configuration file

XMRig is configured to stop mining when resource-intensive programs are running and to terminate processes competing for resources, such as security software installers, while 3Proxy is used to turn the infected machine into a proxy server by adding a firewall rule and injecting itself into a legitimate process. 

Figure: A Korean security program unable to operate properly due to the AntiAV malware

According to ASEC, PureCrypter downloads and executes further payloads, and AntiAV malware disrupts security products by modifying their configuration files.  

Attackers are distributing malware disguised as popular Korean software (Windows, MS Office, Hangul) through file-sharing sites, and the malware bypasses file detection with frequent updates and utilizes the Task Scheduler for persistence, leading to repeated infections upon removal.

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware


Tags: Weaponizing MS Office


May 30 2024

Meta says it removed six influence campaigns including those from Israel and China

https://www.theverge.com/2024/5/29/24167164/meta-covert-influence-campaigns-ai-china-israel

Some inauthentic networks used artificial intelligence in their campaigns to push certain political agendas, according to Meta.

Meta says it cracked down on propaganda campaigns on its platforms, including one that used AI to influence political discourse and create the illusion of wider support for certain viewpoints, according to its quarterly threat report published today. Some campaigns pushed political narratives about current events, including campaigns coming from Israel and Iran that posted in support of the Israeli government.

The networks used Facebook and Instagram accounts to try to influence political agendas around the world. The campaigns — some of which also originated in Bangladesh, China, and Croatia — used fake accounts to post in support of political movements, promote fake news outlets, or comment on the posts of legitimate news organizations.

A network originating in China, for example, consisted of several dozen Instagram and Facebook accounts, pages, and groups and was used to target global Sikh communities, Meta says. Another campaign traced to Israel used more than 500 Facebook and Instagram accounts to pose as local Jewish students, African Americans, and "concerned" citizens praising Israeli military actions and discussing campus antisemitism, among other types of content.

Some of the content shared by those two networks was likely created using generative AI tools, Meta writes. Accounts in the China-based campaign shared AI-generated images, and the Israeli campaign posted AI-generated comments, Meta found. The report says that, for now, AI-powered influence campaigns are not sophisticated enough to evade existing systems of detection.

Influence campaigns are regularly discovered on social media platforms. Earlier in May, TikTok said it had uncovered and disrupted a dozen such networks on its platform, including one that it traced to China.

Illustration: Nick Barclay / The Verge

How To Efficiently Fight By Digital Means Fake Political News and Blatant Disinformation: How to make sure that truth prevails.

EU tells Meta to crack down on Israel-Hamas disinfo

The Dozen Ds That Drive Israel’s Propaganda

Iran and Israel Use Media and Propaganda to Try to Shape Post-Attack Reality

Pegasus is listening


Tags: China-based campaign, Fake Political News, israel propaganda campaign


May 29 2024

Microsoft: ‘Moonstone Sleet’ APT Melds Espionage, Financial Goals

Category: APT, Cyber Espionage, TTP, Cyber-Espionage | disc7 @ 3:59 pm
https://www.darkreading.com/threat-intelligence/microsoft-moonlight-sleet-apt-melds-espionage-financial-goals

North Korea’s newest threat actor uses every trick in the nation-state APT playbook, and most of cybercrime’s tricks, too. It also developed a whole video game company to hide malware.

Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.

In the beginning, Microsoft explained in a blog post, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat (APT) Diamond Sleet. The former copped from the latter’s malware — like the Comebacker Trojan — as well as its infrastructure and preferred techniques — such as delivering Trojanized software via social media. Moonstone Sleet has since differentiated itself, though, moving to its own infrastructure and establishing for itself a unique, if rather erratic identity.

For one thing, where some of Kim Jong-Un’s threat groups focus on espionage and others focus on stealing money, Moonstone Sleet does both. Having its hands in every pie is reflected in its tactics, techniques, and procedures (TTPs), too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.

“Moonstone Sleet’s ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming,” says Adam Gavish, co-founder and CEO at DoControl. “Their multifaceted strategies — ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration — showcase a versatility that complicates defensive measures.”

Moonstone Sleet’s Grab Bag of TTPs

To Gavish, “One tactic that stands out is their utilization of trusted platforms, like LinkedIn and Telegram, and developer freelancing websites to target victims. This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”

To add to the realism, Moonstone Sleet uses the common North Korean strategy of engaging with victims from the perspective of a seemingly legitimate company.

From January to April of this year, for example, the group masqueraded as a software development company called “StarGlow Ventures.” With a sleek custom domain, made-up employees, and social media accounts to go along with it all, StarGlow Ventures targeted thousands of organizations in the software and education sectors. In phishing emails, the faux company complimented its victims and offered to collaborate on upcoming projects.

In other cases, the group used another fake company — C.C. Waterfall — to spread an especially creative ruse.

In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game. “DeTankWar” — also called DeFiTankWar, DeTankZone, or TankWarsZone — is marketed as a community-driven, play-to-earn tank combat game. It has its own websites, and X accounts for fake personas used to promote it.

Remarkably, DeTankWar is a fully functional (if atavistic) video game. When users launch it, though, they also download malicious DLLs with a custom loader called “YouieLoad.” YouieLoad loads malicious payloads to memory, and creates services that probe victim machines and collect data, and allow its owners to perform extra hands-on command execution.

Whack-a-Mole Cyber Defense

Fake companies and fake video games are just some of Moonstone Sleet’s tricks. Its members also try to get hired for remote tech jobs with real companies. It spreads malicious npm packages on LinkedIn and freelancer websites. It has its own ransomware, FakePenny, which it uses in conjunction with a ransom note ripped from NotPetya to solicit millions of dollars worth of Bitcoin.

In the face of such varied TTPs and malicious tools, Gavish says, “The answer is fundamentally the same as for any other threat: Defenders must adopt a multi-layered security posture. This involves a combination of endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities early.” Microsoft took a similarly broad stance in its blog, highlighting network and tamper protections, endpoint detection and response (EDR), and more steps organizations can take to layer their cyber defenses.

“Ultimately,” says Gavish, “the dynamic nature of threats like Moonstone Sleet requires a holistic and adaptive approach to cybersecurity — one that balances technical defenses with strategic intelligence and continuous vigilance.”

SOURCE: PJRROCKS VIA ALAMY STOCK PHOTO

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage


Tags: APT, Cyber-Espionage, Moonstone Sleet


May 28 2024

HACKERS’ GUIDE TO ROGUE VM DEPLOYMENT: LESSONS FROM THE MITRE HACK

Category: Attack Matrix | disc7 @ 9:22 am

THE ATTACK: A DETAILED EXAMINATION

The cyber intrusion into MITRE’s environment was a meticulously planned and executed operation, highlighting the attackers’ advanced technical capabilities and understanding of virtualized environments. The attackers exploited specific vulnerabilities in Ivanti Connect Secure (ICS), identified as CVE-2023-46805 and CVE-2024-21887. These vulnerabilities allowed unauthorized access to the VMware infrastructure, providing the attackers with a foothold within the network.

Initial Penetration and Exploitation: The attackers began by identifying and exploiting weaknesses in the Ivanti Connect Secure (ICS) infrastructure. The vulnerabilities in question were zero-day exploits, meaning they were unknown to the vendor and had no existing patches or mitigations at the time of the attack. By exploiting these vulnerabilities, the attackers could bypass authentication mechanisms and gain administrative access to the virtualized environment.

Deployment of Rogue Virtual Machines (VMs): Once inside the network, the attackers created and deployed rogue VMs. These VMs were crafted to mimic legitimate virtual machines, allowing them to blend into the existing infrastructure and evade detection. The deployment of rogue VMs served multiple purposes:

  • Persistence: Rogue VMs provided a stable and resilient presence within the network, ensuring that the attackers could maintain access over an extended period.
  • Evasion: By operating within the virtualized environment, the rogue VMs could bypass traditional security measures that focus on physical or network-based threats.
  • Expansion: The rogue VMs acted as a base for further malicious activities, including data exfiltration, lateral movement within the network, and the deployment of additional malware.

Command and Control (C2) Operations: The attackers established robust C2 channels to maintain control over the rogue VMs. These channels allowed the attackers to issue commands, receive data, and monitor the status of their malicious operations. The C2 infrastructure was designed to be resilient, utilizing techniques such as encryption and redundancy to avoid detection and disruption.

TECHNICAL DEEP DIVE: UNDERSTANDING THE ATTACK

To fully appreciate the sophistication of the attack, it is essential to delve into the technical aspects of the methodologies employed by the attackers.

  1. Vulnerability Exploitation:
    • The vulnerabilities exploited, CVE-2023-46805 and CVE-2024-21887, were critical flaws within the Ivanti Connect Secure (ICS) software. These flaws allowed the attackers to execute arbitrary code and gain administrative privileges within the virtualized environment.
    • The attackers used a combination of social engineering, phishing, and advanced scanning techniques to identify vulnerable systems. Once identified, they deployed custom exploit scripts to gain access.
  2. Rogue VM Deployment:
    • The deployment process involved creating VMs that were virtually identical to legitimate ones, making detection difficult. The attackers leveraged existing VM templates and modified them to include their malicious payloads.
    • These rogue VMs were configured to operate with minimal resource usage, further reducing the likelihood of detection through performance monitoring.
    • Rogue VMs are created and managed through service accounts directly on the hypervisor, rather than through the vCenter administrative console. As a result, these VMs do not appear in the inventory.
    • The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.
    • By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.
  3. Persistence Mechanisms:
    • To ensure persistence, the attackers implemented several techniques within the rogue VMs. These included installing rootkits and other low-level malware that could survive reboots and updates.
    • The attackers also manipulated the VM management tools to hide the presence of the rogue VMs from administrators.
  4. Evasion Tactics:
    • The attackers employed various evasion tactics to avoid detection by security tools. These included using encrypted communication channels, obfuscating malicious code, and leveraging legitimate administrative tools to carry out their activities.
    • They also frequently rotated their command and control servers to avoid being blacklisted or shut down.

IMPLICATIONS FOR CYBERSECURITY

The MITRE cyber intrusion serves as a stark reminder of the evolving tactics used by cybercriminals and the vulnerabilities inherent in virtualized environments. This incident highlights several critical areas for improvement in cybersecurity practices:

Enhanced Vulnerability Management: Organizations must adopt rigorous vulnerability management practices to identify and remediate vulnerabilities promptly. This includes regular patching, conducting vulnerability assessments, and staying informed about emerging threats.

Advanced Detection Mechanisms: Traditional security measures are often inadequate in virtualized environments. Organizations need to implement advanced detection mechanisms that can identify anomalous activities within virtualized infrastructures. This includes behavior-based monitoring, anomaly detection, and machine learning algorithms to identify suspicious activities.

Comprehensive Security Training: Human factors remain a significant vulnerability in cybersecurity. Comprehensive training programs for employees can help reduce the risk of social engineering and phishing attacks, which are often the initial vectors for intrusions.

Robust Incident Response Plans: Having a well-defined incident response plan is crucial for mitigating the impact of cyber intrusions. This plan should include procedures for identifying, containing, and eradicating threats, as well as recovery strategies to restore normal operations.

DETECTING ADVERSARY ACTIVITY IN VMWARE ECOSYSTEM

In VMware’s environment, spotting adversary activity demands meticulous scrutiny. For instance, adversaries might enable SSH on hypervisors and log in by routing traffic through the vCenter Server. This technique underscores the importance of monitoring SSH activity for signs of unauthorized access.

WHAT TO LOOK FOR:
  1. Anomalous SSH Enablement: Keep a close watch for unexpected occurrences of "SSH login enabled" messages. Any activation of SSH outside the normal administrative cycle could indicate malicious activity.
  2. Unusual SSH Sessions: Monitor for deviations from the expected pattern of SSH sessions being opened. Look out for instances where "SSH session was opened for" messages occur unexpectedly or at unusual times.

NOTABLE ATT&CK TECHNIQUES: DEPLOYING ROGUE VMS

Moving forward to January 7, 2024, the adversary accessed VMs and deployed malicious payloads, the BRICKSTORM backdoor and the BEEFLUSH web shell. The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives.

The adversary bypassed detection mechanisms by deploying rogue VMs, as VPXUSER, directly onto hypervisors: it used SFTP to write the VM files and then executed them with /bin/vmx. Because of this, the rogue VMs were not discoverable via vCenter, the ESXi web interface, or even some on-hypervisor command-line utilities that query the API.

These rogue VMs contained the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets within the prototyping network.

LEVERAGING THE VPXUSER ACCOUNT

Adversaries often can leverage the VPXUSER account to perform various administrative tasks, such as enumerating VMs, accessing configuration settings, and interacting with the underlying hypervisor infrastructure. Additionally, adversaries may deploy rogue VMs directly onto hypervisors to evade detection mechanisms and maintain persistence within the environment. Rogue VMs, which are created and operated without proper authorization and management by the hypervisor, provide adversaries with a stealthy foothold for conducting malicious activities. These VMs can bypass visibility controls within VMware management interfaces, making them difficult to detect and mitigate.

DETECTING ROGUE VMS

Safeguarding against rogue VMs and any ensuing persistence demands a vigilant approach. Relying on the hypervisor management interface alone to manage VMs is often insufficient, because rogue VMs operate outside the standard management processes and do not adhere to established security policies, which makes them difficult to detect and manage through the GUI. Instead, special tools or techniques are needed to identify and mitigate the risks associated with rogue VMs effectively.

WHAT TO LOOK FOR:
  1. Command-Line Usage: Utilize the following commands on an ESXi hypervisor to identify unregistered VMs:
    • vim-cmd vmsvc/getallvms
    • esxcli vm process list | grep Display
  2. Comparison of VM Lists: Compare the output of vim-cmd, which checks for VMs via the API, with the list of running VMs that esxcli sees, which directly queries the host hypervisor. Any difference between the two lists indicates a potential problem: a VM that is running on the hypervisor but does not appear in the registered VM data returned by the API warrants further investigation as a possible unregistered/rogue VM.

DETECTING VMWARE PERSISTENCE

To address the persistence of these rogue VMs, it is crucial to scrutinize the hypervisor’s startup scripts.

WHAT TO LOOK FOR:
  1. Persistence Mechanism: Monitor for modification of the legitimate /etc/rc.local.d/local.sh file to include the following line:
    • /bin/vmx -x /vmfs/volumes/<REDACTED_VOLUME>/<REDACTED_VM_NAME>/<REDACTED_VM_NAME>.vmx 2>/dev/null 0>/dev/null &
  2. Persistence Identification: Search for invocations of the /bin/vmx binary within /etc/rc.local.d/ or more specifically by manually reviewing the local.sh startup script with the following commands:
    • grep -r \/bin\/vmx /etc/rc.local.d/
    • cat /etc/rc.local.d/local.sh
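The three checks above (reconciling the API-based VM inventory with the hypervisor's running VM processes, looking for /bin/vmx in the startup script, and the earlier SSH indicators in hostd log lines) can be scripted so that the comparison is done for you rather than by eye. The POSIX shell script below is an added example, not code from the MITRE write-up or from DISC; all SAMPLE_* inputs are constructed to resemble the real command and log formats (the rogue VM "svc-tmp", the planted local.sh line, and the log timestamps are invented), and the log line layout is an approximation rather than a copy of a real hostd.log. On a live ESXi host the functions would be fed the real command outputs, as the usage comment shows.

```shell
#!/bin/sh
# Added example (not part of the MITRE write-up or the DISC post): reconcile the
# VM inventory that the ESXi API reports with the VM processes the hypervisor is
# actually running, check the rc.local.d startup script for /bin/vmx
# invocations, and pull the two SSH indicators out of hostd log lines.
# Every SAMPLE_* value below is CONSTRUCTED to resemble the real command or log
# format; on a live host you would feed the real outputs (see the usage comment).

# Constructed stand-in for: vim-cmd vmsvc/getallvms
SAMPLE_GETALLVMS='Vmid   Name     File                                Guest OS        Version   Annotation
1      web-01   [datastore1] web-01/web-01.vmx      ubuntu64Guest   vmx-19
2      db-01    [datastore1] db-01/db-01.vmx        rhel8_64Guest   vmx-19'

# Constructed stand-in for: esxcli vm process list
# (svc-tmp is the planted "rogue" VM: running, but absent from the API inventory)
SAMPLE_PROCESS_LIST='web-01
   World ID: 2101234
   Process ID: 0
   VMX Cartel ID: 2101233
   Display Name: web-01
   Config File: /vmfs/volumes/datastore1/web-01/web-01.vmx

db-01
   World ID: 2101300
   Process ID: 0
   VMX Cartel ID: 2101299
   Display Name: db-01
   Config File: /vmfs/volumes/datastore1/db-01/db-01.vmx

svc-tmp
   World ID: 2109999
   Process ID: 0
   VMX Cartel ID: 2109998
   Display Name: svc-tmp
   Config File: /vmfs/volumes/datastore1/.cache/svc-tmp.vmx'

# Constructed stand-in for: cat /etc/rc.local.d/local.sh (with a planted persistence line)
SAMPLE_LOCAL_SH='#!/bin/sh
# local configuration options
/bin/vmx -x /vmfs/volumes/datastore1/.cache/svc-tmp.vmx 2>/dev/null 0>/dev/null &
exit 0'

# Constructed stand-in for hostd.log lines (format approximated, not copied from a real host)
SAMPLE_HOSTD_LOG='2024-01-06T09:15:02Z info hostd[2098123] [Originator@6876 sub=Vimsvc] Refresh hardware information
2024-01-07T03:12:44Z info hostd[2098123] [Originator@6876 sub=Hostsvc] SSH login enabled
2024-01-07T03:13:10Z info hostd[2098123] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 812 : SSH session was opened for root@10.0.0.5
2024-01-07T04:40:00Z info hostd[2098123] [Originator@6876 sub=Vimsvc] Task completed'

# registered_vms: VM names (second column) from getallvms output on stdin, skipping the header.
registered_vms() {
    awk 'NR > 1 { print $2 }' | sort
}

# running_vms: Display Names from esxcli process-list output on stdin
# (the same field the post's "| grep Display" filter isolates).
running_vms() {
    sed -n 's/^ *Display Name: //p' | sort
}

# unregistered_vms API_OUTPUT PROCESS_OUTPUT
# Prints each running VM whose name is not in the API-based inventory: the
# candidate rogue VMs that warrant investigation.
unregistered_vms() {
    reg=$(printf '%s\n' "$1" | registered_vms)
    printf '%s\n' "$2" | running_vms | while IFS= read -r name; do
        # exact whole-line match, so web-0 does not shadow web-01
        printf '%s\n' "$reg" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# vmx_in_startup LOCAL_SH_BODY
# Prints startup-script lines that invoke /bin/vmx (the post's grep -r /bin/vmx /etc/rc.local.d/).
vmx_in_startup() {
    printf '%s\n' "$1" | grep -F '/bin/vmx' || true
}

# ssh_events HOSTD_LOG_BODY
# Prints log lines carrying either SSH indicator named in the post.
ssh_events() {
    printf '%s\n' "$1" | grep -E 'SSH login enabled|SSH session was opened for' || true
}

# Run against the constructed samples. On a real ESXi host, replace with:
#   unregistered_vms "$(vim-cmd vmsvc/getallvms)" "$(esxcli vm process list)"
#   vmx_in_startup "$(cat /etc/rc.local.d/local.sh)"
#   ssh_events "$(cat /var/log/hostd.log)"
echo "== running VMs missing from the API inventory =="
unregistered_vms "$SAMPLE_GETALLVMS" "$SAMPLE_PROCESS_LIST"
echo "== /bin/vmx invocations in startup script =="
vmx_in_startup "$SAMPLE_LOCAL_SH"
echo "== SSH indicators in hostd log =="
ssh_events "$SAMPLE_HOSTD_LOG"
```

The name comparison is deliberately an exact whole-line match rather than a substring search, so a short registered name cannot mask a longer rogue one. A hit from unregistered_vms is a lead, not a verdict: a VM mid-registration or a stale process can also show up, so the next step is to locate the .vmx path from the esxcli Config File field and establish who created it.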

The infiltration of MITRE’s network through VMware vulnerabilities underscores the need for heightened vigilance and advanced security measures in virtualized environments. As attackers continue to refine their techniques, organizations must evolve their defenses to protect against these sophisticated threats. By adopting comprehensive security practices, staying informed about emerging vulnerabilities, and fostering a culture of cybersecurity awareness, organizations can better defend against future intrusions.

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security


Tags: MITRE ATT&CK, MITRE Att&CK Framework


May 24 2024

How the FBI built its own smartphone company to hack the criminal underworld

Category: Cyber Spy, Smart Phone, Spyware | disc7 @ 9:07 am
https://www.theverge.com/2024/5/23/24163389/joseph-cox-dark-wire-fbi-phone-startup-anom-criminals-secure-messaging-decoder-interview

Cybersecurity journalist Joseph Cox, author of the new book Dark Wire, tells us the wild, true story behind secure phone startup Anom.

On today’s episode of Decoder, I sat down with Joseph Cox, one of the best cybersecurity reporters around. Joseph spent a long time working at Vice’s tech vertical Motherboard, but last year, after Vice imploded, he and three other journalists co-founded a new site, called 404 Media, where they’re doing some really great work.

Somehow, on top of all that, Joseph also found time to write a new book coming out in June called Dark Wire: The Incredible True Story of the Largest Sting Operation Ever, and I can’t recommend it enough. It’s basically a caper, but with the FBI running a phone network. For real.

Criminals like drug traffickers represent a market for encrypted, secure communications away from the eyes of law enforcement. In the early mobile era, that gave rise to a niche industry of specialized, secured phones criminals used to conduct their business.

Joseph’s done a ton of reporting on this over the years, and the book ends up telling a truly extraordinary story: After breaking into a few of these encrypted smartphone companies, the FBI ended up running one of these secure phone services itself so it could spy on criminals around the world. And that means the FBI had to actually run a company, with all the problems of any other tech startup: cloud services, manufacturing and shipping issues, customer service, expansion, and scale. 

The company was called Anom, and for about three years, it gave law enforcement agencies around the world a crystal-clear window into the criminal underworld. In the end, the feds shut it down in large part because it was too successful — again, a truly wild story. Now, with the rise of apps like Signal, most criminals no longer need specialized hardware, but that, of course, raises a whole new set of issues. 

The book is a great read, but it also touches on a lot of things we talk about a lot here on Decoder. There really are bad people out there using tech to help them do bad things, but the same tools that keep their communications private help give everyone else their privacy, too — whistleblowers, dissenters, ordinary people like you and me.

There’s a deep tension between privacy and security that constantly runs through tech, and you’ll hear us really dig into the way tech companies and governments are forever going back and forth on it. There’s a lot here, and it’s a fun one.

Spy in our Pocket


Tags: criminal underworld


May 23 2024

Spyware App Found Running on Multiple US Hotel Check-In Computers

Category: Cyber Spy, Spyware | disc7 @ 7:12 am

A consumer-grade spyware app named pcTattletale has been discovered running on the check-in systems of at least three Wyndham hotels across the United States.

This alarming discovery was made by TechCrunch, which reported that the app stealthily captured screenshots of hotel booking systems, exposing sensitive guest details and customer information.

Due to a security flaw in the spyware, these screenshots were accessible to anyone on the internet, not just the intended users of the spyware.

Sensitive Guest Information Exposed

The spyware, pcTattletale, allows remote viewing of the target’s Android or Windows device and its data from anywhere in the world.

The app runs invisibly in the background, making it undetectable to the user.

However, a significant bug in the app means that anyone who understands the security flaw can download the screenshots directly from pcTattletale’s servers.

Security researcher Eric Daigle, who discovered the compromised hotel check-in systems, attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed.

Screenshots from two Wyndham hotels revealed the names and reservation details of guests on a web portal provided by travel tech giant Sabre.

Additionally, the screenshots displayed guests’ partial payment card numbers.

Another screenshot showed access to a third Wyndham hotel’s check-in system, logged into Booking.com’s administration portal used to manage guest reservations.

Hotel And Corporate Responses

The discovery has raised serious concerns about the security measures in place at these hotels.

The manager of one affected hotel expressed surprise, stating they were unaware that the spyware was taking screenshots of their check-in computer.

The managers of the other two hotels did not respond to TechCrunch’s calls or emails.

Wyndham spokesperson Rob Myers clarified that Wyndham is a franchise organization, meaning all its U.S. hotels are independently owned and operated.

However, Wyndham did not confirm whether it was aware of pcTattletale’s use on the front-desk computers of its branded hotels or whether such use was approved under Wyndham’s policies.

Booking.com, whose administration portal was accessed by the spyware, stated that its systems were not compromised.

Angela Cavis, a spokesperson for Booking.com, highlighted that this incident seemed to be an example of how cybercriminals target hotel systems through sophisticated phishing tactics.

These tactics often lead to unauthorized access to hotel accounts and attempts to impersonate the hotel or Booking.com to request customer payments.

This incident is the latest example of consumer-grade spyware exposing sensitive information due to security flaws. pcTattletale, marketed for child and employee monitoring, has also been promoted for use against spouses suspected of infidelity.

The app requires physical access to the target’s device for installation and offers a service to help customers install the spyware on the target’s computer.

Despite the serious implications of this security breach, Bryan Fleming, the founder of pcTattletale, did not respond to TechCrunch’s request for comment.

The exposure of sensitive guest information at these hotels underscores the urgent need for more robust cybersecurity measures and regulatory oversight to protect personal data from unauthorized access and misuse.

As investigations continue, the hospitality industry must reassess its security protocols to prevent such breaches in the future.

Spy in our Pocket


Tags: Spyware App


May 20 2024

HOW TO IMPLEMENT PRINCIPLE OF LEAST PRIVILEGE (CLOUD SECURITY) IN AWS, AZURE, AND GCP CLOUD

Category: Least Privilege | disc7 @ 10:19 am

The Principle of Least Privilege (PoLP) is a foundational concept in cybersecurity, aimed at minimizing the risk of security breaches. By granting users and applications the minimum levels of access—or permissions—needed to perform their tasks, organizations can significantly reduce their attack surface. In the context of cloud computing, implementing PoLP is critical. This article explores how to enforce PoLP in the three major cloud platforms (cloud security): Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

AWS (AMAZON WEB SERVICES)

1. Identity and Access Management (IAM)

AWS IAM is the core service for managing permissions. To implement PoLP:

  • Create Fine-Grained Policies: Define granular IAM policies that specify exact actions allowed on specific resources. Use JSON policy documents to customize permissions precisely.
  • Use IAM Roles: Instead of assigning permissions directly to users, create roles with specific permissions and assign these roles to users or services. This reduces the risk of over-permissioning.
  • Adopt IAM Groups: Group users with similar access requirements together. Assign permissions to groups instead of individual users to simplify management.
  • Enable Multi-Factor Authentication (MFA): Require MFA for all users, especially those with elevated privileges, to add an extra layer of security.

2. AWS Organizations and Service Control Policies (SCPs)

  • Centralized Management: Use AWS Organizations to manage multiple AWS accounts. Implement SCPs at the organizational unit (OU) level to enforce PoLP across accounts.
  • Restrict Root Account Usage: Ensure the root account is used sparingly and secure it with strong MFA.

3. AWS Resource Access Manager (RAM)

  • Share Resources Securely: Use RAM to share AWS resources securely across accounts without creating redundant copies, adhering to PoLP.

AZURE (MICROSOFT AZURE)

1. Azure Role-Based Access Control (RBAC)

Azure RBAC enables fine-grained access management:

  • Define Custom Roles: Create custom roles tailored to specific job functions, limiting permissions to only what is necessary.
  • Use Built-in Roles: Start with built-in roles which already follow PoLP principles for common scenarios, then customize as needed.
  • Assign Roles at Appropriate Scope: Assign roles at the narrowest scope possible (management group, subscription, resource group, or resource).

2. Azure Active Directory (Azure AD)

  • Conditional Access Policies: Implement conditional access policies to enforce MFA and restrict access based on conditions like user location or device compliance.
  • Privileged Identity Management (PIM): Use PIM to manage, control, and monitor access to important resources within Azure AD, providing just-in-time privileged access.

3. Azure Policy

  • Policy Definitions: Create and assign policies to enforce organizational standards and PoLP. For example, a policy to restrict VM sizes to specific configurations.
  • Initiative Definitions: Group multiple policies into initiatives to ensure comprehensive compliance across resources.

GCP (GOOGLE CLOUD PLATFORM)

1. Identity and Access Management (IAM)

GCP IAM allows for detailed access control:

  • Custom Roles: Define custom roles to grant only the necessary permissions.
  • Predefined Roles: Use predefined roles which provide granular access and adhere to PoLP.
  • Least Privilege Principle in Service Accounts: Create and use service accounts with specific roles instead of using default or highly privileged accounts.

2. Resource Hierarchy

  • Organization Policies: Use organization policies to enforce constraints on resources across the organization, such as restricting who can create certain resources.
  • Folder and Project Levels: Apply IAM policies at the folder or project level to ensure permissions are inherited appropriately and follow PoLP.

3. Cloud Identity

  • Conditional Access: Implement conditional access using Cloud Identity to enforce MFA and restrict access based on user and device attributes.
  • Context-Aware Access: Use context-aware access to allow access to apps and resources based on a user’s identity and the context of their request.

IMPLEMENTING PRINCIPLE OF LEAST PRIVILEGE IN AWS, AZURE, AND GCP

For a Cloud Security Analyst, ensuring the Principle of Least Privilege (PoLP) is critical to minimizing security risks. This guide provides detailed steps to implement PoLP in AWS, Azure, and GCP.


AWS

STEP 1: REVIEW IAM POLICIES AND ROLES

  1. Access the IAM Console:
    • Navigate to the AWS IAM Console.
    • Review existing policies under the “Policies” section.
    • Look for policies with wildcards (*), which grant broad permissions, and replace them with more specific permissions.
  2. Audit IAM Roles:
    • In the IAM Console, go to “Roles.”
    • Check each role’s attached policies. Ensure that each role has the minimum required permissions.
    • Remove or update roles that are overly permissive.

STEP 2: USE IAM ACCESS ANALYZER

  1. Set Up Access Analyzer:
    • In the IAM Console, select “Access Analyzer.”
    • Create an analyzer and let it run. It will provide findings on resources shared with external entities.
    • Review the findings and take action to refine overly broad permissions.

STEP 3: TEST POLICIES WITH IAM POLICY SIMULATOR

  1. Simulate Policies:
    • Go to the IAM Policy Simulator.
    • Simulate the policies attached to your users, groups, and roles to understand what permissions they actually grant.
    • Adjust policies based on the simulation results to ensure they provide only the necessary permissions.

STEP 4: MONITOR AND AUDIT

  1. Enable AWS CloudTrail:
    • In the AWS Management Console, go to “CloudTrail.”
    • Create a new trail to log API calls across your AWS account.
    • Enable logging and monitor the CloudTrail logs regularly to detect any unauthorized or suspicious activity.
  2. Use AWS Config:
    • Navigate to the AWS Config Console.
    • Set up AWS Config to monitor and evaluate the configurations of your AWS resources.
    • Implement AWS Config Rules to check for compliance with your least privilege policies.
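As an added example of what to look for in the CloudTrail logs from Step 4, and of the root-account usage the article says to restrict, the following Python script (written for this article, not taken from it) scans CloudTrail records for root activity and for IAM calls that widen permissions. The records are constructed in CloudTrail's JSON shape; the account id, user and role names and ARNs are placeholders, and the inline policy is assumed to appear as a JSON string.

```python
"""Scan CloudTrail records for activity that undermines least privilege.

Added example, not from the original article. SAMPLE_RECORDS is constructed
to mimic CloudTrail's JSON layout (trimmed to the fields used); account id,
names and ARNs are placeholders.
"""
import json

INLINE_STAR = json.dumps({"Version": "2012-10-17",
                          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})

SAMPLE_RECORDS = json.dumps({"Records": [
    {   # Root credentials used for a console login
        "eventTime": "2024-05-20T09:01:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "requestParameters": None},
    {   # An IAM user granted the AWS-managed AdministratorAccess policy
        "eventTime": "2024-05-20T09:05:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
        "requestParameters": {"userName": "contractor",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {   # Routine, in-scope activity that must not be flagged
        "eventTime": "2024-05-20T09:07:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/app-reader/i-0abc"},
        "requestParameters": {"bucketName": "example-bucket", "key": "uploads/a.txt"}},
    {   # A new inline policy with Action "*" written to a role
        "eventTime": "2024-05-20T09:10:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "PutRolePolicy",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
        "requestParameters": {"roleName": "app-reader", "policyName": "temp",
                              "policyDocument": INLINE_STAR}},
]})

# IAM API calls that change who can do what; each deserves review.
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "CreatePolicyVersion", "AddUserToGroup", "UpdateAssumeRolePolicy",
}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _inline_policy_allows_star(params):
    """True if an inline policy in requestParameters allows Action '*'."""
    doc = (params or {}).get("policyDocument")
    if not doc:
        return False
    statements = json.loads(doc).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") == "Allow" and "*" in actions:
            return True
    return False


def scan_cloudtrail(records_json):
    """Return (eventTime, eventName, reason) for each record worth an alert."""
    alerts = []
    for rec in json.loads(records_json)["Records"]:
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        when = rec.get("eventTime", "")
        if rec.get("userIdentity", {}).get("type") == "Root":
            alerts.append((when, name, "root account activity"))
        if name in PRIVILEGE_CHANGE_EVENTS:
            if params.get("policyArn") == ADMIN_POLICY_ARN:
                alerts.append((when, name, "AdministratorAccess attached"))
            elif _inline_policy_allows_star(params):
                alerts.append((when, name, "inline policy allows Action '*'"))
            else:
                alerts.append((when, name, "privilege change, review"))
    return alerts


if __name__ == "__main__":
    for alert in scan_cloudtrail(SAMPLE_RECORDS):
        print(*alert)
```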

STEP 5: UTILIZE AUTOMATED TOOLS

  1. AWS Trusted Advisor:
    • Access Trusted Advisor from the AWS Management Console.
    • Review the “Security” section for recommendations on IAM security best practices.
  2. AWS Security Hub:
    • Enable Security Hub from the Security Hub Console.
    • Use Security Hub to get a comprehensive view of your security posture, including IAM-related findings.

AZURE

STEP 1: REVIEW AZURE AD ROLES AND PERMISSIONS

  1. Azure AD Roles:
    • Navigate to the Azure Active Directory.
    • Under “Roles and administrators,” review each role and its assignments.
    • Ensure users are assigned only to roles with necessary permissions.
  2. Role-Based Access Control (RBAC):
    • Go to the “Resource groups” or individual resources in the Azure portal.
    • Under “Access control (IAM),” review role assignments.
    • Remove or modify roles that provide excessive permissions.

STEP 2: CHECK RESOURCE-LEVEL PERMISSIONS

  1. Review Resource Policies:
    • For each resource (e.g., storage accounts, VMs), review the access policies to ensure they grant only necessary permissions.
  2. Network Security Groups (NSGs):
    • Navigate to “Network security groups” in the Azure portal.
    • Review inbound and outbound rules to ensure they allow only necessary traffic.

STEP 3: MONITOR AND AUDIT

  1. Azure Activity Logs:
    • Access the Activity Logs.
    • Monitor logs for changes in role assignments and access patterns.
  2. Azure Security Center:
    • Open Azure Security Center.
    • Regularly review security recommendations and alerts, especially those related to IAM.

STEP 4: UTILIZE AUTOMATED TOOLS

  1. Azure Policy:
    • Create and assign policies using the Azure Policy portal.
    • Enforce policies that require the use of least privilege access.
  2. Azure Blueprints:
    • Use Azure Blueprints to define and deploy resource configurations that comply with organizational standards.
  3. Privileged Identity Management (PIM):
    • In Azure AD, go to “Privileged Identity Management” under “Manage.”
    • Enable PIM to manage, control, and monitor privileged access.

GCP

STEP 1: REVIEW IAM POLICIES AND ROLES

  1. Review IAM Policies:
    • Access the IAM & admin console.
    • Review each policy and role for overly permissive permissions.
    • Avoid using predefined roles with broad permissions; prefer custom roles with specific permissions.
  2. Create Custom Roles:
    • In the IAM console, navigate to “Roles.”
    • Create custom roles that provide the minimum necessary permissions for specific job functions.

STEP 2: CHECK RESOURCE-BASED POLICIES

  1. Service Accounts:
    • In the IAM & admin console, go to “Service accounts.”
    • Review the permissions granted to each service account and ensure they are scoped to the least privilege.
  2. VPC Firewall Rules:
    • Navigate to the VPC network section and select “Firewall rules.”
    • Review and restrict firewall rules to allow only essential traffic.
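An added Python example (not from the article) that applies the GCP policy review from Step 1 and the service-account review from Step 2 to a project IAM policy, flagging the basic roles, default service accounts and public principals the GCP IAM section above advises against. The policy is constructed in the JSON shape `gcloud projects get-iam-policy` returns; the project number, project id and e-mail addresses are placeholders.

```python
"""Audit a GCP project IAM policy for bindings that break least privilege.

Added example, not from the original article. SAMPLE_POLICY is constructed
in the shape of `gcloud projects get-iam-policy PROJECT --format=json`; the
project number, project id and addresses are placeholders.
"""
import json

SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "placeholder-etag",
    "bindings": [
        # A basic role on two human principals: far more than either needs.
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "group:platform-admins@example.com"]},
        # The default Compute Engine service account holding Editor.
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        # A dedicated service account with a narrow predefined role: fine.
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reports-reader@example-project.iam.gserviceaccount.com"]},
        # Viewer for everyone on the internet.
        {"role": "roles/viewer", "members": ["allUsers"]},
    ],
})

# Basic roles span every service in the project; the article recommends
# predefined or custom roles in their place.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals that make a grant public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def is_default_service_account(member):
    """True for the automatically created Compute Engine / App Engine default
    service accounts, which the article says to replace with dedicated ones."""
    if not member.startswith("serviceAccount:"):
        return False
    email = member.split(":", 1)[1].lower()
    return (email.endswith("-compute@developer.gserviceaccount.com")
            or email.endswith("@appspot.gserviceaccount.com"))


def audit_iam_policy(policy_json):
    """Return findings as (role, member, reason) tuples, one per problem."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "granted to a public principal"))
            if role in BASIC_ROLES:
                findings.append((role, member, "basic role; use a predefined or custom role"))
            if is_default_service_account(member):
                findings.append((role, member, "default service account; use a dedicated one"))
    return findings


if __name__ == "__main__":
    for role, member, reason in audit_iam_policy(SAMPLE_POLICY):
        print(f"{role:30} {member:75} {reason}")
```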

STEP 3: MONITOR AND AUDIT

  1. Cloud Audit Logs:
    • Enable and configure Cloud Audit Logs for all services.
    • Regularly review logs to monitor access and detect unusual activities.
  2. IAM Recommender:
    • In the IAM console, use the IAM Recommender to get suggestions for refining IAM policies based on actual usage patterns.
  3. Access Transparency:
    • Enable Access Transparency to get logs of Google Cloud administrator accesses.

STEP 4: UTILIZE AUTOMATED TOOLS

  1. Security Command Center:
    • Access the Security Command Center for a centralized view of your security posture.
    • Use it to monitor and manage security findings and recommendations.
  2. Forseti Security:
    • Deploy Forseti Security for continuous monitoring and auditing of your GCP environment.
  3. Policy Intelligence:
    • Use tools like Policy Troubleshooter to debug access issues and Policy Analyzer to compare policies.

STEP 5: CONDUCT REGULAR REVIEWS

  1. Schedule Periodic Reviews:
    • Regularly review IAM roles, policies, and access patterns across your GCP projects.
    • Use the Resource Manager to organize resources and apply IAM policies efficiently.

By following these detailed steps, you can ensure that the Principle of Least Privilege is effectively implemented across AWS, Azure, and GCP, thus maintaining a secure and compliant cloud environment.

Implementing the Principle of Least Privilege in AWS, Azure, and GCP requires a strategic approach to access management. By leveraging the built-in tools and services provided by these cloud platforms, organizations can enhance their security posture, minimize risks, and ensure compliance with security policies. Regular reviews, continuous monitoring, and automation are key to maintaining an effective PoLP strategy in the dynamic cloud environment.

Securing DevOps: Security in the Cloud


Tags: cloud security, least privilege, Security in the Cloud


May 16 2024

ISO 27001 Standard, Risk Assessment and Gap Assessment

Category: ISO 27k | disc7 @ 10:45 am

The core section of the standard retains its 11 clauses with minor modifications, while significant structural revisions have been implemented in the Annex A controls. Control categories have been rearranged, resulting in a reduction in the total number of controls. Broadly speaking, 11 new controls have been added, 57 controls have been consolidated, 23 controls have been rebranded, and three controls have been eliminated. The introduction of these 11 new controls underscores the heightened significance of Cloud, DevOps, and Personal Information, which have evolved over the past decade.

  • A.5.7 Threat intelligence 
  • A.5.23 Information security for the use of cloud services 
  • A.5.30 ICT readiness for business continuity 
  • A.7.4 Physical security monitoring 
  • A.8.9 Configuration management 
  • A.8.10 Information deletion 
  • A.8.11 Data masking 
  • A.8.12 Data leakage prevention 
  • A.14.1.4 Secure development policy 
  • A.16.2.4 Security of supplier services 
  • A.18.2.3 Protection of personal information in public clouds 

ISO 27002:2022 has three control types: #Preventive, #Corrective and #Detective, and some controls carry more than one type. In the latest ISO 27002:2022 guidance there are 12 Detective, 13 Corrective and 83 Preventive controls; because 15 controls share more than one control type, the total is 93 (12 + 13 + 83 = 108; 108 − 15 = 93). If you would like to know more about how and when to start complying with the new control guidance, please contact us to book an appointment to discuss the details and how DISC llc can assist your organization with ISO 27001 compliance or certification plans.

For more details: iso-27001-assessment

To download and review the standard: COPYRIGHT PROTECTED DOCUMENT

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks


Tags: ISO 27001 2022


May 14 2024

Free & Downloadable Access Control Policy Template

Category: Access Control, Information Security | disc7 @ 7:18 am
https://heimdalsecurity.com/blog/access-control-policy-template/

Ensuring the security of your organization’s information systems is crucial in today’s digital landscape.

Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.

Download the templates

  1. Access Control Policy Template – PDF
  2. Access Control Policy Template – Word
  3. Access Control Policy Template – Google Docs.

What does the Access Control Policy template include?

Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organization’s information systems.

Here are some of the key components included in the template:

  • Document Control;
  • Purpose and Scope;
  • Policy Statement;
  • Roles & Responsibilities;
  • Access Control Principles;
  • Access Control Measures;
  • Access Control Technologies;
  • Monitoring and Auditing;
  • Incident Management;
  • Policy Compliance;
  • Policy Review.

Benefits of using our Access Control Policy template

Implementing an effective access control policy offers several key benefits:

  • Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
  • Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
  • Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
  • Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.

To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download them. The download will start automatically.

You can then customize the template to fit the specific needs and context of your organization.

By doing so, you’ll be taking a significant step towards securing your information systems and safeguarding your valuable data.

Feel free to check out our other cybersecurity templates, such as patch management templates, incident response plan templates, email security policy templates, threat and vulnerability management templates, and more.

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.

RELATED ARTICLES

Free and Downloadable Account Management Policy Template [2024]

Free and Downloadable Email Security Policy Template [2024]

[Free & Downloadable] Cybersecurity Incident Response Plan Templates – 2024

[Free & Downloadable] Cybersecurity Risk Assessment Templates – 2024

[Free & Downloadable] Threat & Vulnerability Management Templates – 2024

[Free & Downloadable] Patch Management Templates – 2024

Privacy Policy Template

Employee policy handbook template

The Complete Company Policies



May 13 2024

Tycoon 2FA Attacking Microsoft 365 AND Google Users To Bypass MFA

Category: 2FA | disc7 @ 8:22 am

Tycoon 2FA, a recently emerged Phishing-as-a-Service (PhaaS) platform, targets Microsoft 365 and Gmail accounts. It leverages an Adversary-in-the-Middle (AitM) technique to steal user session cookies, bypassing multi-factor authentication (MFA) protections.

By acting as an intermediary between the user and the legitimate login page, Tycoon 2FA captures cookies that grant attackers unauthorized access to compromised accounts and cloud services, even if additional security measures are implemented. 

The Tycoon 2FA phishing kit received an update in March 2024 specifically designed to bypass security defenses; the update enhanced the kit’s evasion capabilities through obfuscated JavaScript and HTML code, making the code unreadable and hindering analysis.

Figure: Tycoon 2FA facilitating MFA token theft and bypass.

On Telegram, it sells pre-made phishing pages targeting Microsoft 365 and Gmail credentials, which lowers the technical barrier for attackers by offering easy-to-use templates.

Figure: Proofpoint TAP Dashboard campaign snapshot from December campaigns.

The attack works through a reverse proxy, capturing login credentials and relaying them to the real service to bypass the login page, as the attackers steal the session cookies returned during successful logins, granting unauthorized access even with MFA enabled. 

It facilitates credential theft by bypassing multi-factor authentication (MFA), and attackers use various lures such as emails with fake authentication links, voicemail-themed threats, and PDFs with QR codes leading to phishing pages. 

Figure: QR code and voicemail lure examples for the Tycoon 2FA threats seen in late 2023.

The pages often include CAPTCHAs to appear legitimate and steal login credentials and MFA tokens. Security researchers at Proofpoint identified rules to detect Tycoon landing pages based on these tactics.

AI-powered behavioral analytics and a URL sandbox, which combine threat intelligence with machine learning to recognize suspicious behaviors, are used to identify and block malicious landing pages and phishing activity associated with Tycoon 2FA and similar threats.

Global threat intelligence feeds provide information about malicious infrastructure, which helps defenders stop known and new threats before they succeed: the feeds make such infrastructure easier to find, speed up remediation, and support managing the human risk that comes with new phishing techniques.

The Beginner’s Guide to Cybersecurity: Master the Art of Online Safety – From Passwords to Privacy, Everything You Need to Know for a Secure Digital


Tags: 2FA Attacking


May 11 2024

Unlock The Power of 1000+ ChatGPT Prompts!

Category: ChatGPT | disc7 @ 12:02 pm
https://www.darksideops.com/1000-chatgpt-prompts/

Get the Most Out of Your Content Creation, Lead Generation, and Innovation Efforts!

Awesome ChatGPT Prompts

OpenAI Cookbook – Code and example prompts for accomplishing common tasks with the OpenAI API

Linus on Twitter

Barsee – ChatGPT Full Course

Rohit Ghumare on Twitter – ChatGPT for DevOps Engineers

Pratham Kumar on Github – ChatGPT Prompts

Kavir Kaycee – ChatGPT prompts for product Managers

Bink.ai – ChatGPT Copywriting Prompts

Pascio – Copywriting ChatGPT prompts

Hasan – The Ultimate ChatGPT Guide

GarryFlix – ChatGPT Business Crash Course Playbook

donbader – The Ultimate ChatGPT Business Course

Abhishek – ChatGPT All-In-One Resources

Fatih Kadir – The Art of ChatGPT Prompting: A Guide to Crafting Clear and Effective Prompts

Sushant Lakhyani – 333+ Mind-Bending ChatGPT Prompts

Martin Slaney – The Product Manager’s Prompt Book

BONUS: Awesome Innovations using ChatGPT

Curated by: Rohit Ghumare

ChatGPT jailbreak prompts proliferate on hacker forums

ChatGPT FOR CYBERSECURITY: The Ultimate Weapon Against Hackers

ChatGPT Hacking (in Portuguese)

PROMPTLY SPEAKING A COMPREHENSIVE GUIDE TO CHATGPT PROMPTS: From Basics to Brilliance, Unravel the Secrets of Effective AI Communication


Tags: ChatGPT, ChatGPT Prompts


May 09 2024

Polish Government Under Sophisticated Cyber Attack From APT28 Hacker Group

Category: APT, Cyber Attack | disc7 @ 8:55 am

The Polish computer emergency response team CERT.pl has issued a warning about an ongoing cyberattack campaign by the notorious APT28 hacking group, also known as Fancy Bear or Sofacy. The campaign is targeting various Polish government institutions with a new strain of malware.

According to the CERT.pl analysis, the attack begins with spear-phishing emails containing malicious attachments or links.

The malware is deployed once the victim opens the attachment or clicks the link, establishing a foothold in the targeted network.

Subject: I solved your problem

Hello Paweł!
I did a little research and found this mysterious Ukrainian woman.
Now she is in Warsaw.
She runs a rather unusual company that sells used underwear.
also has clients from senior authorities in Poland and Ukraine.
All information on this subject is available at this link - ALINA-BOKLAN (Link)

Threat actors are increasingly using free, commonly-used services like run.mocky.io and webhook.site to deliver malware while evading detection.

This technique involves redirecting through these services to obfuscate the final malicious payload. The link first goes to run.mocky.io, a free API testing service, which then redirects to webhook.site for logging requests.

A ZIP archive disguised as an image file (e.g. IMG-238279780.zip) is downloaded from webhook.site.

With default Windows settings hiding extensions and hidden files, the victim sees the ZIP as an image, potentially leading them to open the malicious payload.

Figure: entire attack flow

Using free services reduces costs and makes malicious links harder to flag as they blend in with legitimate developer traffic. This stealthy approach is becoming a trend across many APT groups.
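An added detection example, not part of the CERT.pl report or this post, showing how the redirect chain and the image-named ZIP download described above could be spotted in web proxy logs. The log format (timestamp, client IP, method, URL, status, content type) and every log line are constructed; the URL path segments are placeholders, not real indicators.

```python
"""Flag the run.mocky.io -> webhook.site redirect chain and the image-named
ZIP download from the CERT.pl report in web proxy logs.

Added example, not part of the original post. SAMPLE_LOG and its format are
constructed; URL paths are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# The two free developer services the campaign chains together. Each is
# legitimate on its own, so a lone hit on either is not flagged.
FIRST_HOP = "run.mocky.io"
SECOND_HOP = "webhook.site"
# Archive named like a camera photo, e.g. IMG-238279780.zip from the report.
IMAGE_NAMED_ARCHIVE = re.compile(r"/IMG-\d+\.zip$", re.IGNORECASE)

# Constructed sample proxy log lines: one client follows the full chain, one
# touches webhook.site alone (benign developer use), one does neither.
SAMPLE_LOG = """\
2024-05-08T10:00:01Z 10.1.2.3 GET https://run.mocky.io/v3/placeholder-id 302 text/html
2024-05-08T10:00:02Z 10.1.2.3 GET https://webhook.site/placeholder-id 200 text/html
2024-05-08T10:00:05Z 10.1.2.3 GET https://webhook.site/placeholder-id/IMG-238279780.zip 200 application/zip
2024-05-08T10:03:00Z 10.1.2.4 GET https://webhook.site/other-placeholder 200 text/html
2024-05-08T10:04:00Z 10.1.2.5 GET https://example.com/index.html 200 text/html
"""


def parse_line(line):
    """Split one constructed log line into the fields the checks need."""
    ts, client, _method, url, _status, ctype = line.split()
    parsed = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "host": (parsed.hostname or "").lower(),
        "path": parsed.path,
        "ctype": ctype,
    }


def find_redirect_chains(log_text, window_seconds=60):
    """Return [(client, [reasons])] for clients whose traffic matches the
    pattern: run.mocky.io followed within window_seconds by webhook.site,
    and/or an image-named ZIP fetched from either service."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["host"] in (FIRST_HOP, SECOND_HOP):
            by_client[ev["client"]].append(ev)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        reasons = []
        first_hops = [e["ts"] for e in events if e["host"] == FIRST_HOP]
        chained = any(
            e["host"] == SECOND_HOP
            and any(0 <= (e["ts"] - t).total_seconds() <= window_seconds for t in first_hops)
            for e in events)
        if chained:
            reasons.append(f"{FIRST_HOP} -> {SECOND_HOP} within {window_seconds}s")
        if any(IMAGE_NAMED_ARCHIVE.search(e["path"]) for e in events):
            reasons.append("image-named ZIP archive fetched from a staging service")
        if reasons:
            alerts.append((client, reasons))
    return alerts


if __name__ == "__main__":
    for client, reasons in find_redirect_chains(SAMPLE_LOG):
        print(client, "; ".join(reasons))
```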

“The malware used in this campaign is a new variant of the X-Agent backdoor, which allows the attackers to execute arbitrary commands, exfiltrate data, and move laterally within the compromised network,” explained CERT.pl in their report.

CERT.plĀ urgesĀ all Polish government agencies and critical infrastructure operators to remain vigilant and implement security measures.

APT28 is a highly sophisticated cyber-espionage group believed to be associated with the Russian military intelligence agency GRU.

The group has been active since at least 2007 and has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee email leak and the 2017 NotPetya ransomware outbreak.

This latest campaign highlights the persistent threat posed by state-sponsored hacking groups and the importance of maintaining robust cybersecurity measures, especially for critical government and infrastructure systems.

The report details the attack flow, providing indicators of compromise (IOCs) and recommendations for detecting and mitigating the threat.

The Bear Roars: Russia’s Cyber Spies And Global Threat To Security


Tags: APT28, Hacker Group


May 07 2024

Hackers Use Custom Backdoor & Powershell Scripts To Attack Windows Machines

Category: Information Security | disc7 @ 7:45 am

The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively utilizing custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.

These backdoors are primarily delivered through spear-phishing campaigns, marking a significant escalation in the capabilities and focus of this Iranian state-sponsored hacking group.

Sophisticated Tools For Stealthy Operations

The NiceCurl and TameCat backdoors represent a sophisticated toolkit in Damselfly’s arsenal, enabling threat actors to gain initial access to targeted environments discreetly.

NiceCurl, a VBScript-based malware, is designed to download and execute additional malicious modules, enhancing the attackers’ control over compromised systems.

On the other hand, the TameCat backdoor facilitates the execution of PowerShell and C# scripts, allowing for further exploitation by downloading additional arbitrary content.

These tools are part of a broader strategy employed by Damselfly to conduct espionage and potentially disrupt operations at targeted facilities.

According to a Broadcom report, the group’s activities have been primarily directed at energy companies and other critical infrastructure sectors across the U.S., Europe, and the Middle East.

The sophistication of their methods and the critical nature of their targets underscore the high level of threat they pose.

Protections against these backdoors include adaptive, behavior-based, file-based, and network-based detection mechanisms, ensuring robust defense against Damselfly’s tactics.

The security firm’s efforts are crucial in mitigating the risks posed by such state-sponsored cyber activities, characterized by their complexity and stealth.

The operations of the Damselfly group highlight the ongoing challenges in cybersecurity, where state-sponsored actors employ advanced techniques and malware to achieve their objectives.

Using custom backdoors like NiceCurl and TameCat, coupled with spear-phishing campaigns, enables these actors to maintain persistence in their target networks and carry out their missions with a high degree of secrecy and efficiency.

Ethical Hacking Module 6 – Trojans and Backdoors



May 06 2024

How to prepare for the CISSP exam: Tips from industry leaders

Category: CISSP | disc7 @ 9:14 am

The Certified Information Systems Security Professional (CISSP) is the most widely recognized certification in the information security industry. CISSP certifies that an information security professional possesses extensive technical and managerial expertise for designing, engineering, and managing an organization’s security stance.

In this article, CISSP-certified cybersecurity leaders provide practical tips and strategies to help candidates navigate the extensive study requirements and effectively manage their CISSP exam prep time. Whether you’re just starting your study journey or in the final stages of preparation, these guidelines will help ensure you are well-equipped to tackle the CISSP certification exam.

Biljana Cerin, CEO, Ostendo Consulting

My preparation for the CISSP exam took exactly 10 sunny afternoons while working on a project in Palo Alto. Every day after work, I took “Shon Harris,” at that time the so-called “CISSP exam prep Bible.” I remember studying by the pool, swimming in between the chapters, so overall, it was a fun way to spend these afternoons without feeling like I was missing the sunny California weather.

I divided the contents of the book in a way that allowed me to read it all in eight days, while I dedicated the last two entire days to practicing exam questions and revisiting domains where my answers were incorrect, studying them a bit deeper. I remember that at that time (2013), there was a very popular site where colleagues from the profession would discuss questions or topics they struggled with, and “talking” to colleagues on that platform was of huge help.

The exam itself, I think, took about an hour and a half, and I passed on the first attempt. Now, this may all sound easy, but the truth is that by the time I decided to pursue the CISSP, I already had 13 years of experience, numerous other industry certifications, and had been deeply involved in the cybersecurity field since the day I graduated; my Master’s thesis was also in cybersecurity.

Looking back at the exam itself, I believe that having a strong knowledge foundation, coupled with real-life experience, and a network of colleagues you can always turn to and discuss certain topics you are less familiar with, is the key to success in passing the CISSP exam.

Shannon Brewster, Executive Director, General Manager, AT&T Cybersecurity

Passing the CISSP exam is an ambitious goal, especially if you hope to pass on your first attempt. I recommend a 90-day preparation plan tailored to reinforce key cybersecurity concepts and identify weaker areas through regular practice.

Being intentional with your time is crucial; consider mapping out each domain as a “sprint” and mapping core concepts to learn each week. Schedule daily dedicated study time and regular practice exams. Testing with approved sample questions helps gauge your readiness and pinpoint specific topics you need to shore up on.

Most security professionals will find themselves very strong in the domains they work in most often, and weak in others. Cryptology is the Achilles’ heel for many.

I incorporated tools like handwritten index cards for constant review to boost memory retention. This method of repetition embeds critical information, making it more readily recalled.

An important element of my preparation was participating in a 6-day bootcamp. The bootcamp was a source of confidence because I had the benefit of a thorough review of all the content that was necessary to understand. It also helped me build a new network of peers who supported each other as accountability partners and encouragement.

Make sure you take the exam within two weeks of a bootcamp to maximize the “cone of learning” on memory retention.

Lastly, don’t forget about the physical dimension, staying focused on your health and wellness throughout your preparation. Deep sleep is required for memory retention and recall, so avoiding alcohol and practicing sleep hygiene will improve your score. I brought a jump rope to my test and stepped out regularly to infuse fresh blood to my brain, vastly improving my focus.

This strategy worked for me to pass on my first attempt; I hope these ideas might work for you.

Ryan Williams Sr., IT Security Analyst, Buddobot

Here’s how I effectively studied for the CISSP certification, relying solely on comprehensive study materials rather than quick-fix dumps or quizlets. This method ensured a deep understanding of the content required to pass the CISSP exam:

1. Bootcamp: I started my preparation with a rigorous week-long bootcamp (40 hours). This intensive course helped establish a solid foundation and highlighted areas where I needed further study. Even though I had over five years of experience in cybersecurity and over ten years in IT, my practical knowledge was only in specific domains (i.e. Security and Risk Management, Asset Security, Communications and Network Security, etc.). A good bootcamp will expose your weak areas and help you to hone in on where you need to obtain more knowledge.

2. Targeted reading: After identifying my weak spots during the bootcamp, I skimmed the Official ISC2 CISSP Common Body of Knowledge (CBK) specifically focusing on those areas.

3. In-depth study guides: I read the ISC2 CISSP Official Study Guide from cover to cover to ensure a comprehensive grasp of all domains. Additionally, I went through the Eleventh Hour CISSP: Study Guide twice, which is excellent for refreshing your memory due to its concise format.

4. Video courses and webinars:

  • I watched Kelly Henderhan’s Cybrary CISSP course twice. Her engaging teaching style and clear explanations helped reinforce the key concepts.
  • Larry Greenblatt’s series, “CISSP Practice Question with Spock & Kirk”, was instrumental in applying theoretical knowledge practically through scenario-based questions.
  • Pearson VUE’s Complete CISSP Video Course was another resource I used, which also included domain challenge questions that tested my understanding as I progressed.

5. Motivational prep: Before the exam, I watched Kelly Henderhan’s motivational video, “Why you WILL pass the CISSP”. This not only boosted my confidence but also put me in the right mindset to tackle the exam.

This structured approach to studying for the CISSP took approximately 6 months and, using a mix of reading, practical exercises, and motivational content, equipped me with the knowledge and confidence to successfully pass the exam.

Stein A. J. Mollerhaug, Senior Cybersecurity Advisor

For most people, passing the CISSP exam is the main obstacle. In addition to passing the exam, you must also document at least five years of experience in two or more of the eight CISSP knowledge domains. But don’t worry, if you miss that experience, you can get an associate status while you work on gaining the needed experience. Once the experience is documented, you will get upgraded without the need for a new exam.

You don’t need to follow any official course to sit for the CISSP exam and get CISSP certified, but the feedback from almost all students is that following an official course with an official instructor helps – a lot.

In my experience, there are three critical success factors for passing the exam:

1. Understand the basics of cybersecurity and information technology.
2. Understand how management systems work for the key processes in information security.
3. Be able to apply that knowledge to real-life situations or imagined scenarios.

If you are unable to explain how the encryption in AES actually works, you are still fine with regards to the exam. If you don’t know that AES is a symmetrical algorithm and what it can be used for, you have some learning to do before sitting for the exam. This is just one example. CISSP is not a technical course, but as a cyber- or information security leader, you must know the basic technology you are going to use.

Management systems ensure the quality of the security implementations. Standards like ISO/IEC 27001 contain some of the framework for having measurability and the ability to improve your cybersecurity. There are such standards in almost all areas of cybersecurity. Knowledge of them is key to passing the exam.

The exam itself often asks for “best”, “most” or “not”. The key here is that you are to apply your knowledge and experience to find the right answer. Even if you don’t know a specific answer, you should be able to apply your knowledge to find the right answer through the process of elimination. That means you have to think and not just recall from memory when you sit for the exam.

This is also why many find the exam to be very exhausting. For each question, you need to read the answer alternatives and the question, think – and then answer. The good news is that for almost all questions, there will be two answer alternatives that you can easily eliminate – if you know your cybersecurity – and have read the question properly. Then you spend your time to choose between the two remaining.

And another piece of good news: You don’t need to be 100% right, 70% is the requirement for passing. And to destroy a myth: Time is not a key issue. Exhaustion is. Take breaks, even if the clock is not stopping during the breaks.

Andrea Szeiler-Zengo, President of the Women4Cyber Hungarian Chapter

When I decided to get CISSP certified, I signed up for local training, but honestly, I learned more independently than in class.

The CISSP is unlike other exams where you can memorize the answers. You must understand the security domains. When I took the CISSP exam, the cloud and third-party risk sections were a big focus. However, these topics were not discussed in detail in the study materials.

You absolutely need to plan how you will prepare for it.

I gave myself a deadline, registered for the exam, and spent six months studying. I read all the study materials and did practice questions, but I also kept up with news and new technologies.

I tried to set aside 30 minutes each day to review materials. I read on public transport, at the beach, and pretty much everywhere else. The most significant help arrived via my network. They helped me out with questions and motivated me during these challenging days.

You might be asking yourself – why bother getting the CISSP certification in the first place? It makes you more recognizable to employers who trust people holding the certification. And let’s be honest, they’re more likely to pay you more. So, go for it, good luck!

Edwin Covert, Head of Cyber Risk Engineering, Bowhead Specialty

Earning my CISSP in 1999 was a different experience from today’s process. Back then, comprehensive study guides and boot camps weren’t a thing. We had a two-week course delivered in segments—a week-long session followed by three weeks off, then another week to wrap up. We relied heavily on ISC2’s list of recommended books.

Sitting in that George Mason University classroom in Virginia, I was surrounded by a wealth of information security knowledge, a term not yet replaced by cybersecurity. I wanted to absorb everything. The discussions were phenomenal – a constant back-and-forth exchange of ideas among experienced professionals. I mostly listened, soaking it all in, occasionally contributing my thoughts. This became my learning model throughout my career.

The saying goes, “If you’re the smartest person in the room, you’re in the wrong room.” This held true for me. I actively sought out those more experienced in cybersecurity.

My advice is to start small, find mentors, and become a knowledge sponge. Don’t limit yourself to books—seek practical knowledge as well. Talk to veterans in the field, learn from their experiences, and integrate your ideas as you grow.

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: CISSP Certified Information Systems Security Professional Official Study Guide


May 05 2024

68% of Data Breaches Occur Due to Social Engineering Attacks

Category: social engineering | disc7 @ 9:40 am

The latest edition of Verizon’s Data Breach Investigations Report (DBIR), for 2024, highlights a concerning trend: a significant 68% of data breaches are now occurring due to social engineering attacks.

This revelation underscores the increasing sophistication and prevalence of these tactics in the cyber threat landscape.

Social engineering exploits the human factor, manipulating individuals into breaking normal security procedures.

The DBIR’s findings suggest that despite advancements in technology, human vulnerabilities remain a critical weak point.

The report indicates that phishing, pretexting, and other forms of social engineering are not only prevalent but are also becoming more sophisticated.

[Figure: Breakdown of breaches by attack type]

Verizon’s 2024 DBIR has revised its methodology to provide clearer insights into breaches involving the human element.

It excludes cases of malicious privilege misuse to focus on incidents that could potentially be mitigated through improved security awareness and training.

The Role Of Ransomware And Extortion

The report also sheds light on the role of ransomware and extortion in the cybersecurity threat landscape.

Approximately one-third of all breaches involved these tactics, with pure extortion attacks marking a significant rise over the past year.

This shift indicates a strategic evolution among cybercriminals, who are increasingly leveraging ransomware and extortion to capitalize on their attacks.

[Figure: Breakdown of breaches by attack type]

The combination of ransomware and other forms of extortion has been particularly impactful, affecting 32% of breaches and being a top threat across 92% of industries surveyed.

This highlights the critical need for organizations to enhance their defensive strategies against these forms of cyberattacks.

Third-Party Vulnerabilities And Preventive Measures

An expanded concept of breaches involving third-party entities was introduced in this year’s report.

This includes incidents where partner infrastructure is compromised or where indirect software supply chain issues occur.

The report notes a 68% increase in such breaches, primarily fueled by zero-day exploits used in ransomware and extortion attacks.

[Figure: 68% increase in such breaches]

This finding emphasizes the importance of diligent vendor selection and the need for organizations to prioritize security in their supply chains.

By choosing partners with robust security measures, companies can significantly mitigate the risk of being compromised through third-party vulnerabilities.

Verizon’s 2024 DBIR provides a stark reminder of the persistent and evolving threats in the digital world.

With a significant portion of breaches attributable to social engineering, the human element continues to be a critical battleground in cybersecurity.

Organizations must prioritize comprehensive security training and robust protocols to safeguard against these insidious attacks.

Meanwhile, the rise of ransomware and extortion, along with the vulnerabilities in third-party partnerships, calls for an urgent reassessment of current security strategies and vendor management practices.

Social Engineering: The Science of Human Hacking


Tags: Social Engineering Attacks, Social Engineering: The Science of Human Hacking


May 03 2024

Work from Home: Precautions, Risks, and Potential Outcomes

Category: WFH | disc7 @ 3:26 pm

Did you know that working from home carries additional security risks? Fortunately, there are simple — yet critical — steps your employees can take to ensure they can work remotely from home as securely as possible. Moreover, these tips will help make a far safer and more secure home for your employees and their families moving forward.

Via SANS Security Awareness:

The Future of the Office: Work from Home, Remote Work, and the Hard Choices We All Face


Tags: work from home


May 03 2024

What is Smishing?

Category: Information Security, Phishing | disc7 @ 10:21 am
https://www.sans.org/blog/a-tale-of-the-three-ishings-part-02-what-is-smishing/?

What is Smishing and Why?

Smishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks their victim into doing something they should not do, such as giving money, their password, or access to their computer. Cyber attackers have learned that the easiest way to get something is simply to ask for it. This concept is not new; con artists and scammers have existed for thousands of years. The Internet just makes it very simple for any cyber attacker to pretend to be anyone they want and target anyone they want.

Phishing is one of the most common forms of social engineering: it is one of the simplest and most effective, and an attack method we are all familiar with. However, both organizations and individuals are becoming not only far more aware of how phishing attacks work, but much better at spotting and stopping them. Phishing is still an effective attack method, but it is getting harder and harder for cyber criminals to succeed with it. This is where smishing comes in.

Smishing vs Phishing

Smishing is very similar to phishing, but instead of sending emails trying to trick people, cyber attackers send text messages. The term smishing is a combination of the words SMS messaging and phishing. You may have noticed a rise in random text messages that are trying to get you to click on links or respond to text messages. That’s smishing.

Why the Increase in Smishing Attacks?

  1. It is harder for organizations to secure mobile devices. Security teams often have neither the visibility nor control of employees’ mobile devices like they do for workstations. This means it’s harder to both secure and monitor mobile devices.
  2. There are far fewer security controls that effectively identify and filter smishing attacks. This means when a cyber attacker sends a smishing text message to victims, that message is far more likely to make it and not be filtered.
  3. A text message tends to be much shorter than an email, so there is far less context or information, making it harder to determine whether the message is legitimate. In other words, people are more likely to fall victim.
  4. Texting tends to be far more informal than email, so people tend to trust and act on text messages more readily. Again, people are more likely to fall victim.

The Smishing Attacks

So, what type of text messaging attacks are there? While these attacks are always evolving, some of the most common are detailed below.

Links

The text message entices you to click on a link, often through a sense of urgency, something too good to be true, or simple curiosity. Once you click on the link, the goal is usually to harvest your personal information (by getting you to fill out a survey) or your login and password (to your bank or email account, for example). Notice how, in the link in the message below, the cyber attacker uses HTTPS, an encrypted connection to make the link look more legitimate.

Scams

In these attacks, the cyber attacker will attempt to start a conversation with you, build trust, and ultimately scam you. Romance scams are one common example where cyber criminals randomly text millions of people to find those who are lonely or emotionally vulnerable, build a pretend romance, and then take advantage of them.

Call-Back

Like some phishing emails, the text message contains a phone number and urges the victim to call. Once the victim calls the phone number, they are scammed.

What to Do About Smishing Attacks?

While many security training programs focus on phishing, they far too often neglect text-based smishing attacks. In fact, this can create a situation where your workforce is highly aware of phishing attacks but may mistakenly think that cyber attackers only use email. From a training perspective, we recommend you teach people that cyber attackers can use a variety of different methods to trick people, including both email phishing and text-based smishing. For smishing, we do not recommend that you try to teach people about every possible type of attack. Not only will this likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, as in phishing training, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. Of note, the indicators below are the same indicators as for an email phishing attack.

  • Urgency: Any message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail.
  • Pressure: Any message that pressures an employee to ignore or bypass company policies and procedures. Gift card scams are often started with a simple text message.
  • Curiosity: Any message that generates a tremendous amount of curiosity or is too good to be true such as notice of an undelivered UPS package or receiving an Amazon refund.
  • Sensitive: Any message that requests (or requires) highly sensitive information such as your password or unique codes.
  • Tone: Any message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone is wrong.
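The indicator list above lends itself to a first-pass automated triage of incoming texts. The following is an added example, not part of the SANS article or the original post: a small Python scorer that checks constructed sample messages for the urgency, pressure, curiosity and sensitive-data indicators and identifies the lure type (link, call-back or neither). The indicator patterns, the scoring threshold and the sample messages are all assumptions made for illustration; the “tone” indicator needs a human baseline and is left out.

```python
import re
from dataclasses import dataclass

# Indicator categories mirror the SANS list above. "Tone" (a message that does
# not sound like the coworker it claims to come from) needs a human baseline
# and is deliberately left out; the rest are case-insensitive patterns that
# are assumptions for this example, not a vetted ruleset.
INDICATORS = {
    "urgency": [
        r"\burgent\b", r"\bimmediately\b", r"\bright away\b",
        r"\bwithin \d+ (?:hours?|minutes?)\b", r"\bsuspended\b",
        r"\boverdue\b", r"\bfinal notice\b", r"\bjail\b",
    ],
    "pressure": [
        r"\bgift ?cards?\b", r"\bdon'?t tell\b", r"\bkeep this between us\b",
        r"\bskip (?:the )?approval\b", r"\bbypass\b",
    ],
    "curiosity": [
        r"\brefund\b", r"\bundelivered\b", r"\bcould not be delivered\b",
        r"\bpackage\b", r"\byou(?:'ve| have) won\b", r"\bprize\b",
    ],
    "sensitive": [
        r"\bpassword\b", r"\bverification code\b",
        r"\bone[- ]time (?:code|passcode)\b", r"\bsocial security\b", r"\bpin\b",
    ],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in INDICATORS.items()}

# The lure types described above: a link, a call-back number, or a bare
# conversation starter. HTTPS is not treated as a trust signal; the article
# points out that attackers use it precisely to look legitimate.
URL_RE = re.compile(r"https?://\S+", re.I)
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")


@dataclass
class Assessment:
    indicators: list   # indicator categories that fired, in INDICATORS order
    lure: str          # "link", "call-back" or "none"
    score: int         # one point per category plus one for a lure
    suspicious: bool   # score reached the triage threshold


def assess(message: str, threshold: int = 2) -> Assessment:
    """Score one text message against the smishing indicators above."""
    hits = [name for name, pats in COMPILED.items()
            if any(p.search(message) for p in pats)]
    if URL_RE.search(message):
        lure = "link"
    elif PHONE_RE.search(message):
        lure = "call-back"
    else:
        lure = "none"
    score = len(hits) + (1 if lure != "none" else 0)
    return Assessment(hits, lure, score, score >= threshold)


# Constructed sample messages for the demonstration; none are real smishing
# texts and the domains are placeholders.
SAMPLES = [
    "URGENT: Your bank account has been suspended. Verify your password "
    "within 24 hours at https://secure-login.example/verify",
    "Hi, this is the CEO. I'm stuck in a meeting and need 5 gift cards "
    "right away. Don't tell anyone, just text me the codes.",
    "Your package could not be delivered. Reschedule here: "
    "https://track-redelivery.example/p/8813",
    "Hey, are we still on for lunch at noon?",
    "A charge of $499 was placed on your card. Call 555-123-4567 "
    "immediately to dispute it.",
]


def triage(messages):
    """Assess a batch of messages; returns one Assessment per message."""
    return [assess(m) for m in messages]


if __name__ == "__main__":
    for msg, a in zip(SAMPLES, triage(SAMPLES)):
        flag = "SUSPICIOUS" if a.suspicious else "ok"
        print(f"{flag:10} score={a.score} lure={a.lure:9} {a.indicators} | {msg[:55]}")
```

The scorer is a training aid for showing staff how the indicators combine, not a substitute for carrier-side filtering.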

Smishing Minefield: Defusing Text Message Threats


Tags: Smishing


May 03 2024

2024 Data Breach Investigations Report: Most breaches involve a non-malicious human element

Category: Data Breach | disc7 @ 7:19 am

This spike was driven primarily by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (zero-day vulnerabilities) by ransomware actors. The MOVEit software breach was one of the largest drivers of these cyberattacks, first in the education sector and later spreading to finance and insurance industries.

“The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,” said Chris Novak, Sr. Director of Cybersecurity Consulting, Verizon Business.

In a possible relief to some anxieties, the rise of AI was less of a culprit than challenges in large-scale vulnerability management. “While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” Novak said.

Analysis of the CISA Known Exploited Vulnerabilities (KEV) catalog revealed that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities following the availability of patches. Meanwhile, the median time for detecting the mass exploitations of the CISA KEV on the internet is five days.

“This year’s DBIR findings reflect the evolving landscape that today’s CISOs must navigate – balancing the need to address vulnerabilities quicker than ever before while investing in the continued employee education as it relates to ransomware and cybersecurity hygiene,” said Craig Robinson, Research VP, Security Services at IDC. “The breadth and depth of the incidents examined in this report provide a window into how breaches are occurring, and despite the low level of complexity are still proving to be incredibly costly for enterprises.”

Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. This metric — new for the 2024 DBIR — shows a 68% increase from the previous period described in the 2023 DBIR.

The human factor remains the primary entry point for cybercriminals

68% of breaches, whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack. This percentage is about the same as last year. One potential countervailing force is the improvement of reporting practices: 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it.

“The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce,” Novak added.

Other key findings from this year’s report include:

  • 32% of all breaches involved some type of extortion technique, including ransomware
  • Over the past two years, roughly a quarter (between 24% and 25%) of financially motivated incidents involved pretexting
  • Over the past 10 years, the use of stolen credentials has appeared in almost one-third (31%) of all breaches
  • Half of the breaches in EMEA are internal
  • Espionage attacks continue to dominate in the APAC region

“The Verizon 2024 Data Breach Investigations Report shows it’s still the basic security errors putting organizations at risk, such as long windows between discovering and patching vulnerabilities, and employees being inadequately trained to identify scams. This needs to change as a priority because no business can afford to gamble or take chances with cyber hygiene. Just look at Change Healthcare: the breach was executed via an unsecured employee credential and the organization is now facing over a billion in losses. No other organisation wants to find itself in this position,” William Wright, CEO of Closed Door Security, told Help Net Security.

Big Breaches: Cybersecurity Lessons for Everyone


Tags: 2024 DBIR, data breaches, Verizon data breach report


May 02 2024

VNC Is The Hacker’s New Remote Desktop Tool For Cyber Attacks

Category: Hacking, Security Tools | disc7 @ 7:26 am

While facilitating remote work, remote desktop software presents security challenges for IT teams due to the use of various tools and ports.

The multitude of ports makes it difficult to monitor for malicious traffic. 

Weak credentials and software vulnerabilities are exploited to gain access to user systems.

Hackers may also use technical support scams to trick users into granting access.  

The Most Targeted Remote Desktop Tools In The Last 12 Months

Researchers identified VNC, a platform-independent remote desktop tool using the RFB protocol, as the most targeted remote desktop application (98% of traffic).

The attacks leveraged weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, allowing authentication bypass. 

Over 99% of attacks targeted unsecured HTTP ports rather than TCP ports used for application data exchange, which suggests attackers exploit the inherent lack of authentication on HTTP for unauthorized access.

The security of VNC varies with the specific software: some implementations impose only weak password limits, while others rely on SSH or VPN tunnelling for encryption.

VNC uses a base port (5800 for TCP, 5900 for HTTP) with an additive display number, making it difficult to secure with firewalls compared to single-port remote desktop solutions. 

Additionally, pinpointing the origin of VNC attacks is challenging due to attackers using proxies and VPNs, but a significant portion seems to originate from China. 

Attackers target RDP, a remote desktop protocol, for credential-based attacks and exploit vulnerabilities to execute malicious code, as RDP is more likely to be involved in large attacks compared to VNC. 

Flaws Exploited

In one study, 15% of RDP attacks leveraged obsolete cookies, possibly to target older, more vulnerable RDP software. RDP vulnerabilities such as CVE-2018-0886 (targeting credential security), CVE-2019-0708 (with worm potential), and CVE-2019-0887 (hypervisor access) have been reported by Barracuda.

Attackers exploit vulnerabilities in RDP to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks. 

In social engineering scams, attackers convince users to grant RDP access to fix fake technical problems, and vulnerable RDP instances are sold on the black market for further attacks.

North America is a leading source of RDP attacks, but location tracking is difficult due to anonymizing techniques. 

TeamViewer, a remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication. 

Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions and may use ports beyond the primary port 5938, making malicious traffic detection more challenging for security teams. 

Citrix created ICA as an alternative to RDP. It uses ports 1494 and 2598, while older ICA clients and the ICA Proxy have had RCE vulnerabilities. 

AnyDesk, another RDP solution, uses port 6568 and has been abused in tech support scams and malware, while Splashtop Remote, using port 6783, has been involved in support scams and can be compromised through weak credentials.
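The article notes that the spread of ports across these tools makes remote desktop traffic hard to monitor. As an added example (not from the article or from Barracuda), the Python below maps the ports named above to their tools, treats VNC as a base port plus display number, and summarises which tools accepted connections from outside in a constructed firewall flow log. The log format, the internal address range and RDP’s standard port 3389 (not mentioned in the article) are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Listener ports of the tools discussed above. VNC is the odd one out: it
# uses a base port plus the display number, so it occupies two ranges
# (5800+N and 5900+N) instead of a single port. RDP's default 3389 is not
# named in the article; it is the protocol's standard port.
SINGLE_PORT_TOOLS = {
    3389: "RDP",
    5938: "TeamViewer",
    1494: "Citrix ICA",
    2598: "Citrix ICA",
    6568: "AnyDesk",
    6783: "Splashtop",
}
VNC_BASES = (5800, 5900)
MAX_DISPLAY = 99  # assumption: display numbers 0-99 cover realistic deployments


def classify_port(port: int):
    """Map a destination port to (tool, vnc_display); None if not a remote-desktop port."""
    if port in SINGLE_PORT_TOOLS:
        return SINGLE_PORT_TOOLS[port], None
    for base in VNC_BASES:
        if base <= port <= base + MAX_DISPLAY:
            return "VNC", port - base
    return None


# Constructed flow-log format (key=value pairs) and internal range; both are
# assumptions for this example, not any vendor's real schema.
KV_RE = re.compile(r"(\w+)=(\S+)")
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line: str) -> dict:
    """Parse one flow record; converts the port and source address to typed values."""
    rec = dict(KV_RE.findall(line))
    rec["dpt"] = int(rec["dpt"])
    rec["src_ip"] = ipaddress.ip_address(rec["src"])
    return rec


def is_external(ip) -> bool:
    return not any(ip in net for net in INTERNAL_NETS)


def exposure_summary(lines) -> Counter:
    """Count ALLOWed connections from external sources, per remote-desktop tool."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        hit = classify_port(rec["dpt"])
        if hit and rec["action"].upper() == "ALLOW" and is_external(rec["src_ip"]):
            counts[hit[0]] += 1
    return counts


def vnc_displays(lines, external_only: bool = True):
    """Return the VNC display numbers that accepted connections, sorted."""
    displays = set()
    for line in lines:
        rec = parse_line(line)
        hit = classify_port(rec["dpt"])
        if hit and hit[0] == "VNC" and rec["action"].upper() == "ALLOW":
            if not external_only or is_external(rec["src_ip"]):
                displays.add(hit[1])
    return sorted(displays)


# Constructed sample log; 203.0.113.0/24 plays the role of the Internet.
SAMPLE_LOG = [
    "2024-05-02T07:26:01Z action=ALLOW proto=tcp src=203.0.113.5 spt=51822 dst=192.0.2.10 dpt=5901",
    "2024-05-02T07:26:03Z action=ALLOW proto=tcp src=203.0.113.9 spt=40211 dst=192.0.2.10 dpt=5800",
    "2024-05-02T07:26:07Z action=ALLOW proto=tcp src=203.0.113.5 spt=51830 dst=192.0.2.21 dpt=3389",
    "2024-05-02T07:26:09Z action=DENY proto=tcp src=203.0.113.44 spt=60001 dst=192.0.2.21 dpt=5938",
    "2024-05-02T07:26:12Z action=ALLOW proto=tcp src=203.0.113.77 spt=33812 dst=192.0.2.30 dpt=6568",
    "2024-05-02T07:26:15Z action=ALLOW proto=tcp src=203.0.113.5 spt=51840 dst=192.0.2.10 dpt=443",
    "2024-05-02T07:26:18Z action=ALLOW proto=tcp src=203.0.113.12 spt=45500 dst=192.0.2.40 dpt=2598",
    "2024-05-02T07:26:20Z action=ALLOW proto=tcp src=192.0.2.7 spt=52010 dst=192.0.2.10 dpt=5905",
    "2024-05-02T07:26:25Z action=ALLOW proto=tcp src=203.0.113.88 spt=41000 dst=192.0.2.50 dpt=6783",
]

if __name__ == "__main__":
    for tool, n in exposure_summary(SAMPLE_LOG).most_common():
        print(f"{tool:12} {n} external connection(s) allowed")
    print("VNC displays reachable from outside:", vnc_displays(SAMPLE_LOG))
    print("VNC displays reachable from anywhere:", vnc_displays(SAMPLE_LOG, external_only=False))
```

Any tool that appears in the summary with a non-zero count is reachable from the Internet and should be behind a VPN or SSH tunnel, as the article recommends for VNC.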


