Sep 14 2023

Next-Gen Email Firewalls: Beyond Spam Filters to Secure Inboxes Checklist

Category: Email Security, next generation firewall | disc7 @ 9:56 am

Email communication is still widely used as an attack vector despite the ever-changing nature of cyber threats.

The vast number of people who use it for communication daily, both professionally and personally, makes it a tempting target.

Cybercriminals are becoming more skilled at using malicious email campaigns in line with the growth of advanced technologies and increased security measures taken by businesses.

VIPRE Security found that 85.01% of phishing emails had harmful links inside the message body, and the volume of spam emails increased by 30.0% from the first to the second quarter of 2023.

In addition, phishing attacks against IT companies are now more common (14%) than against financial institutions (9%).

The Limitations of Traditional Spam Filters

Conventional spam filters rely on static rule-based systems with predetermined criteria or known dangerous signatures to identify emails as spam.

Their strict compliance with predetermined policies leaves companies vulnerable to ever-evolving cyberattacks. These filters rely too heavily on signature-based detection, making them vulnerable to zero-day threats and unable to protect against new or modified malware.

They cannot detect hidden risks like spear phishing because they lack advanced behavioral analysis. In addition, without sandboxing capabilities they cannot examine potentially harmful content in isolation.

As a result, the ever-evolving and complicated nature of cyber threats makes their traditional approach ineffective.

You can understand and diagnose email issues using Trustifi’s Email Header Analyzer Tool.

What are Next-Gen Email Firewalls?

Next-Generation Email Firewalls are the latest technologies for protecting against malicious emails. To quickly prevent new threats, such as zero-day vulnerabilities, these systems consume real-time threat intelligence feeds, unlike traditional spam filters, which depend primarily on static rules.

They inspect content in depth, including the email body, embedded URLs, and attachments. Sandboxing is essential since it allows potentially harmful content to be detonated in a secure environment.

Advanced systems use machine learning and behavioral analytics to identify complex phishing attacks such as spear phishing. These firewalls use authentication protocols like DMARC, DKIM, and SPF to prevent spoofing and verify email senders.

In addition, they have measures to prevent sensitive information from being accidentally leaked. These solutions, which are frequently cloud-native, provide a robust, comprehensive approach to email security while scaling efficiently and integrating smoothly with existing security infrastructure.

How do Next-Gen Email Firewalls Protect Your Inbox?

Advanced Threat Intelligence – The use of real-time threat intelligence helps to identify and prevent emerging attacks, such as those that exploit zero-day flaws, as soon as they appear.

Deep Content Inspection – Rather than simply scanning the email’s information, these firewalls read the message in full, including any embedded URLs or files attached, to discover any hidden risks.

Sandboxing – To prevent viruses and malware from reaching their intended recipients, suspicious attachments and URLs are opened in a safe, isolated environment.

Behavioral Analytics – These firewalls can identify spear-phishing campaigns by learning a sender’s typical activity patterns and flagging suspicious emails that appear to be from the same sender but behave differently.

Identity Verification – Using authentication methods like DMARC, DKIM, and SPF, these tools verify that email is genuine and from a known source, protecting users from spoofing and phishing attempts.

Data Loss Prevention (DLP) – Besides inbound threats, they monitor outgoing emails to prevent sensitive material from being transmitted without authorization or violating regulations.

Machine Learning – Many modern firewalls use machine learning to “learn” from the attacks they block and better detect various threats over time.

Next-Gen Email Firewalls vs. Traditional Email Security

Next-Gen Email Firewalls | Traditional email security
Quickly adapts to new threats by using real-time threat intelligence. | Uses a static collection of threats and patterns to make decisions.
Emails, URLs, and attachments all undergo extensive content analysis. | Metadata and simple patterns are the primary areas of security inspection.
Uses content isolation technologies (sandboxes) to investigate potentially harmful data. | Has no sandboxing environment.
Utilizes machine learning and behavioral analytics for real-time threat assessment. | Depends on predetermined rules rather than monitoring user activity.
Designed specifically for the cloud, safeguarding today’s remote workforces. | Less flexible with cloud integrations; works best in local installations.
Sophisticated analysis and learning capabilities result in fewer false positives. | More false positives because of the inflexibility of rule-based systems.

Countering Sophisticated Email Threats with Next-Gen Email Firewalls

The importance of Next-Generation Email Firewalls in preventing modern email threats cannot be overstated.

These modern firewalls utilize real-time threat intelligence to detect and neutralize recent security risks instead of the static rules used by older systems.

They investigate thoroughly, looking at every aspect of the email, from the subject line to the attachments. Sandboxing is a technique to test malicious code in a safe, restricted setting.

Unusual behaviors, such as those used in spear phishing or impersonation, can be detected via machine learning.

In addition, email spoofing may be prevented using sender authentication methods such as DMARC, DKIM, and SPF.

By authenticating the sender’s identity and confirming the accuracy of the received messages, these procedures act as the first line of protection against email-based threats.

SPF aims to improve email security by limiting the possibility that an unauthorized sender

In DKIM, the transmitting server gives each email a unique DKIM signature generated using a private key. The receiving server queries the sender’s DNS records to retrieve the sender’s public key, which is then used to validate the email’s signature.

With DMARC, domain administrators specify how they want receiving mail servers to handle messages from their domain that fail authentication. The record carries a policy with three options: reject, quarantine, or none (do nothing).
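As an added illustration of the SPF, DKIM, and DMARC evaluation described above (example code written for this page, not Trustifi’s or the post’s own), the following Python parses a constructed DMARC record and decides a message’s disposition from the SPF and DKIM verdicts an upstream verifier would supply; the two-label organizational-domain shortcut and the verdict inputs are assumptions.

```python
from dataclasses import dataclass

# Constructed sample record, as it would be published in the _dmarc.example.com TXT record.
SAMPLE_DMARC_TXT = ("v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; "
                    "pct=100; rua=mailto:dmarc@example.com")


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs and apply RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the domain policy
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")      # apply the policy to all failing messages
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption for this example: real evaluators consult the Public Suffix
    List, without which names such as example.co.uk are handled wrongly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    """Verdicts an upstream SPF/DKIM verifier would hand to DMARC (constructed in tests)."""
    from_domain: str    # RFC5322.From domain, the identifier DMARC protects
    spf_pass: bool
    spf_domain: str     # MAIL FROM domain SPF was evaluated for
    dkim_pass: bool
    dkim_domain: str    # d= of a signature that verified, "" if none


def dmarc_disposition(record: dict, result: AuthResult, roll: float = 0.0) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    DMARC passes when SPF or DKIM passed AND that identifier aligns with the
    From domain. Failures are sampled by pct=; roll is a value in [0, 1)
    (0.0 means the policy always applies) so tests stay deterministic.
    """
    dkim_ok = result.dkim_pass and aligned(result.from_domain, result.dkim_domain, record["adkim"])
    spf_ok = result.spf_pass and aligned(result.from_domain, result.spf_domain, record["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    # Simplification: treat any From domain below the org domain as covered by sp=
    is_subdomain = org_domain(result.from_domain) != result.from_domain.lower()
    policy = record["sp"] if is_subdomain else record["p"]
    if roll * 100 >= int(record["pct"]):
        # Outside the sampled share, the next less severe action applies
        return "quarantine" if policy == "reject" else "none"
    return policy


if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_DMARC_TXT)
    spoof = AuthResult("example.com", True, "attacker.net", False, "")
    print(dmarc_disposition(rec, spoof))   # quarantine: SPF passed but is not aligned
```

The spoofed message in the demo passes SPF for the attacker’s own domain yet is still quarantined, which is the alignment check that makes DMARC stronger than SPF or DKIM alone.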

You can analyze and detect SPF issues using Trustifi’s SPF Record Checker Tool.

Why Trustifi? – AI-Powered Protection for Business Email Security

In the long run, next-generation email firewalls will benefit from quantum-resistant algorithms, IoT integration, and adaptive AI for threat prediction.

Trustifi’s advanced protection uses machine learning and AI to quickly find and stop the most sophisticated email-based attacks, such as ransomware, malware, phishing (malicious links), CEO impersonation, BEC, and account compromise, keeping hackers out of inboxes with the following email threat protection solutions.

These firewalls will prioritize cross-platform connectivity, robust data protection measures, and real-time threat sharing in response to the constantly evolving nature of cyber threats.

Trustifi Advanced Email Protection with Trustifi Inbound Shield offers powerful multi-layered scanning technology.

It thoroughly examines, identifies, and categorizes even the most sophisticated forms of phishing, malicious, spam, and gray emails.

Modern machine learning and artificial intelligence provide it with comprehensive, precise threat hunting.

The Inbound Shield inspects messages for harmful content and for various irregularities, including the following.

  • Scammers who send emails from fake domains.
  • Requests for money transfers and other private information.
  • Hyperlinks that lead to malicious sites.
  • Files with potentially malicious content, such as SQL injection strings or other code snippets designed to execute upon download.

These filtering procedures only take milliseconds to complete and can detect previously unidentified zero-day attacks.

The Trustifi Inbound Shield is a cloud-based solution that requires no alterations to your current infrastructure to implement.

Emails can be sent and received safely without any complicated setup or concerns, and it takes minutes, not days, to set up.

The Internet and the Unregulated Space of the Scammers and Hackers: Surf the Internet Safely!

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Next-Gen Email Firewalls


Sep 13 2023

vCISO services solve the CISO talent shortage

Category: vCISO | disc7 @ 9:35 pm

vCISO services solve the CISO talent shortage:

Instead of hiring a full-time CISO, many organizations hire a vCISO on a subscription basis or on retainer to gain access to expert cybersecurity advice, in the form of a virtual CISO, when required. A vCISO offers C-level strategic assistance and tactical guidance in devising and implementing a strategy to build a security program, to assess the security program, to reduce risk, and to prevent or mitigate the impact of attacks.

What may be the primary concern for an organization seeking vCISO services? The primary concern for an organization seeking Information Security (InfoSec) services is the protection of its sensitive data and digital assets. It is deeply concerned about potential cyber threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of its information systems. These concerns often stem from the increasing frequency and sophistication of cyberattacks, as well as the potential legal and reputational consequences of data breaches.

Organizations may also worry about compliance with industry regulations and data protection laws, as failing to meet these requirements can result in severe penalties and reputational damage. Moreover, organizations frequently express concern about the expense of information security services and their ability to integrate these services into their current IT infrastructure without causing disruption. The aim of an organization is to find a balance between security and operational effectiveness while adhering to budget limitations.

A Virtual CISO can effectively address primary concerns for organizations seeking information security services by providing expert guidance and support without the need for a full-time in-house CISO. They assist in identifying and mitigating security risks, ensuring cost-effectiveness, seamless integration into existing IT infrastructure and finding the right balance between security and operational efficiency, all while staying within budget constraints.

In what situations would a vCISO Service be appropriate?


Check out our previous posts on the vCISO topic.


Tags: CISO talent shortage


Sep 13 2023

Understanding DDoS simulation testing in AWS

Category: DDoS | disc7 @ 9:04 am

https://aws.amazon.com/blogs/security/understanding-ddos-simulation-testing-at-aws/

Distributed denial of service (DDoS) events occur when a threat actor sends traffic floods from multiple sources to disrupt the availability of a targeted application. DDoS simulation testing uses a controlled DDoS event to allow the owner of an application to assess the application’s resilience and practice event response. DDoS simulation testing is permitted on Amazon Web Services (AWS), subject to Testing policy terms and conditions. In this blog post, we help you understand when it’s appropriate to perform a DDoS simulation test on an application running on AWS, and what options you have for running the test.

DDoS protection at AWS

Security is the top priority at AWS. AWS services include basic DDoS protection as a standard feature to help protect customers from the most common and frequently occurring infrastructure (layer 3 and 4) DDoS events, such as SYN/UDP floods, reflection attacks, and others. While this protection is designed to protect the availability of AWS infrastructure, your application might require more nuanced protections that consider your traffic patterns and integrate with your internal reporting and incident response processes. If you need more nuanced protection, then you should consider subscribing to AWS Shield Advanced in addition to the native resiliency offered by the AWS services you use.

AWS Shield Advanced is a managed service that helps you protect your application against external threats, like DDoS events, volumetric bots, and vulnerability exploitation attempts. When you subscribe to Shield Advanced and add protection to your resources, Shield Advanced provides expanded DDoS event protection for those resources. With advanced protections enabled on your resources, you get tailored detection based on the traffic patterns of your application, assistance with protecting against Layer 7 DDoS events, access to 24×7 specialized support from the Shield Response Team (SRT), access to centralized management of security policies through AWS Firewall Manager, and cost protections to help safeguard against scaling charges resulting from DDoS-related usage spikes. You can also configure AWS WAF (a web application firewall) to integrate with Shield Advanced to create custom layer 7 firewall rules and enable automatic application layer DDoS mitigation.

Acceptable DDoS simulation use cases on AWS

AWS is constantly learning and innovating by delivering new DDoS protection capabilities, which are explained in the DDoS Best Practices whitepaper. This whitepaper provides an overview of DDoS events and the choices that you can make when building on AWS to help you architect your application to absorb or mitigate volumetric events. If your application is architected according to our best practices, then a DDoS simulation test might not be necessary, because these architectures have been through rigorous internal AWS testing and verified as best practices for customers to use.

Using DDoS simulations to explore the limits of AWS infrastructure isn’t a good use case for these tests. Similarly, validating if AWS is effectively protecting its side of the shared responsibility model isn’t a good test motive. Further, using AWS resources as a source to simulate a DDoS attack on other AWS resources isn’t encouraged. Load tests are performed to gain reliable information on application performance under stress and these are different from DDoS tests. For more information, see the Amazon Elastic Compute Cloud (Amazon EC2) testing policy and penetration testing. Application owners, who have a security compliance requirement from a regulator or who want to test the effectiveness of their DDoS mitigation strategies, typically run DDoS simulation tests.

DDoS simulation tests at AWS

AWS offers two options for running DDoS simulation tests. They are:

  • A simulated DDoS attack in production traffic with an authorized pre-approved AWS Partner.
  • A synthetic simulated DDoS attack with the SRT, also referred to as a firedrill.

The motivation for DDoS testing varies from application to application and these engagements don’t offer the same value to all customers. Establishing clear motives for the test can help you choose the right option. If you want to test your incident response strategy, we recommend scheduling a firedrill with our SRT. If you want to test the Shield Advanced features or test application resiliency, we recommend that you work with an AWS approved partner.

DDoS simulation testing with an AWS Partner

AWS DDoS test partners are authorized to conduct DDoS simulation tests on customers’ behalf without prior approval from AWS. Customers can currently contact the following partners to set up these paid engagements:

Before contacting the partners, customers must agree to the terms and conditions for DDoS simulation tests. The application must be well-architected prior to DDoS simulation testing as described in AWS DDoS Best Practices whitepaper. AWS DDoS test partners that want to perform DDoS simulation tests that don’t comply with the technical restrictions set forth in our public DDoS testing policy, or other DDoS test vendors that aren’t approved, can request approval to perform DDoS simulation tests by submitting the DDoS Simulation Testing form at least 14 days before the proposed test date. For questions, please send an email to aws-ddos-testing@amazon.com.

After choosing a test partner, customers go through various phases of testing. Typically, the first phase involves a discovery discussion, where the customer defines clear goals, assembles technical details, and defines the test schedule with the partner. In the next phase, partners run multiple simulations based on agreed attack vectors, duration, diversity of the attack vectors, and other factors. These tests are usually carried out by slowly ramping up traffic levels from low levels to desired high levels with an ability for an emergency stop. The final stage involves reporting, discussing observed gaps, identifying actionable tasks, and driving those tasks to completion.

These engagements are typically long-term, paid contracts that are planned over months and carried out over weeks, with results analyzed over time. These tests and reports are beneficial to customers who need to evaluate detection and mitigation capabilities on a large scale. If you’re an application owner and want to evaluate the DDoS resiliency of your application, practice event response with real traffic, or have a DDoS compliance or regulation requirement, we recommend this type of engagement. These tests aren’t recommended if you want to learn the volumetric breaking points of the AWS network or understand when AWS starts to throttle requests. AWS services are designed to scale, and when certain dynamic volume thresholds are exceeded, AWS detection systems will be invoked to block traffic. Lastly, it’s critical to distinguish between these tests and stress tests, in which meaningful packets are sent to the application to assess its behavior.

DDoS firedrill testing with the Shield Response Team

The Shield Advanced service offers additional assistance through the SRT, which can also help with testing incident response workflows. Customers can contact the SRT and request firedrill testing. Firedrill testing is a type of synthetic test that doesn’t generate real volumetric traffic but does post a Shield event to the requesting customer’s account.

These tests are available for customers who are already on-boarded to Shield Advanced and want to test their Amazon CloudWatch alarms by invoking a DDoSDetected metric, or test their proactive engagement setup or their custom incident response strategy. Because this event isn’t based on real traffic, the customer won’t see traffic generated on their account or see logs that drive helpful reports.

These tests are intended to generate associated Shield Advanced metrics and post a DDoS event for a customer resource. For example, SRT can post a 14 Gbps UDP mock attack on a protected resource for about 15 minutes and customers can test their response capability during such an event.

Note: Not all attack vectors and AWS resource types are supported for a firedrill. Shield Advanced onboarded customers can contact AWS Support teams to request assistance with running a firedrill or understand more about them.

Conclusion

DDoS simulations and incident response testing on AWS through the SRT or an AWS Partner are useful in improving application security controls, identifying Shield Advanced misconfigurations, optimizing existing detection systems, and improving incident readiness. The goal of these engagements is to help you build a DDoS resilient architecture to protect your application’s availability. However, these engagements don’t offer the same value to all customers. Most customers can obtain similar benefits by following AWS Best Practices for DDoS Resiliency. AWS recommends architecting your application according to DDoS best practices and fine tuning AWS Shield Advanced out-of-the-box offerings to your application needs to improve security posture.

DDoS Protection Second Edition

The 2023-2028 World Outlook for DDoS Protection and Mitigation


Tags: AWS, DDoS Protection, DDoS simulation testing


Sep 13 2023

Windows Arbitrary File Deletion Vulnerability Leads to Full System Compromise

Category: Security vulnerabilities, Windows Security | disc7 @ 8:02 am

Threat actors have been using Windows arbitrary file deletion to perform denial-of-service attacks on systems affected by this vulnerability. However, recent reports indicate that this Windows arbitrary file deletion flaw can be used for a full compromise.

This attack relies on combining the CVE-2023-27470 arbitrary file deletion vulnerability with a Time-of-Check to Time-of-Use (TOCTOU) race condition, which enables the deletion of files on a Windows system and subsequently the creation of an elevated Command Prompt.

CVE-2023-27470 & TOCTOU – Technical Analysis

CVE-2023-27470 is an arbitrary file deletion vulnerability in N-able’s Take Control Agent. This vulnerability analysis was done using Microsoft’s Process Monitor, often called ProcMon.

This vulnerability exists due to insecure file operations conducted by NT AUTHORITY\SYSTEM processes that were detected with the help of ProcMon filters.

The process that was analyzed during this vulnerability was BASupSrvcUpdater.exe, belonging to Take Control Agent 7.0.41.1141.

Race Condition

BASupSrvcUpdater.exe, running as an NT AUTHORITY\SYSTEM process, attempts every 30 seconds to access a non-existent folder, C:\ProgramData\GetSupportService_N-Central\PushUpdates. For further research, this PushUpdates folder and a dummy file aaa.txt were created.

BASupSrvcUpdater.exe made an attempt to read the contents of the folder and performed a deletion, which was logged in the C:\ProgramData\GetSupportService_N-Central\Logs\BASupSrvcUpdater_[DATE].log log file. 

This sequence gives rise to a race condition: a threat actor can exploit the window between the deletion and the logging.

To exploit this condition and perform a full system compromise, an attacker must replace a file in the PushUpdates folder with a pseudo-symlink.

A complete report about this attack has been published, providing detailed information about the exploitation techniques, process, and method of complete system compromise.

To prevent this attack, organizations using N-able Take Control Agent should upgrade to version 7.0.43, which fixes this vulnerability.

Mastering Windows Security and Hardening: Secure and protect your Windows environment from cyber threats using zero-trust security principles


Tags: Full System Compromise, Mastering Windows Security and Hardening


Sep 12 2023

Top 10 SaaS Security Checklist in 2023

Category: Cloud computing | disc7 @ 10:21 am

Software as a Service (SaaS) security refers to the measures and practices employed to protect SaaS solutions’ data, applications, and infrastructure.

SaaS is a cloud computing model where software applications are hosted and delivered over the internet, rather than installed and run on individual devices or servers.

While SaaS offers numerous benefits, such as scalability and accessibility, it also introduces security challenges that organizations must address to safeguard their data and maintain compliance with regulatory requirements.

The software under this architecture is hosted centrally, with the service provider responsible for everything from database management to network administration to availability checks and infrastructure maintenance.

Data is often kept on centralized servers spread across numerous data centers and accessed by users via a web interface.

SaaS typically employs multi-tenancy, a deployment model in which a single software instance serves numerous customers whose data and settings are isolated.

Virtualization, load balancing, and backup storage are all part of this architecture’s strategy for delivering scalable, dependable, and readily available software solutions on demand.

Following the SaaS security checklist helps you understand the blind spots and focus on securing your SaaS apps and data.

Why is SaaS Security important?

Software as a service (SaaS) applications frequently deal with sensitive data, ranging from personal information to confidential corporate details, making SaaS security essential. 

Due to their internet-based nature, these apps are vulnerable to data theft and denial-of-service attacks.

Data loss, financial consequences, legal issues, and reputational harm are all possible outcomes of a hacked SaaS service.

In addition, due to the shared nature of SaaS’s basic infrastructure, a single vulnerability might affect several users.

Moreover, while centralized data storage is convenient, it also gives attackers a single point to target. Robust security for SaaS protects users and inspires confidence in the digital economy overall.

It’s also a legal requirement for many businesses. Therefore, SaaS providers must place a premium on security to preserve credibility, safeguard customers, and guarantee the smooth running of operations.

To Protect Your SaaS Apps and data, Download the free Enterprise SaaS Security Technical Guide here.

Challenges and Risks for Security in SaaS

SaaS’s cloud-based, shared nature raises several security concerns and hazards:

  • Data breach risk is significant, since centralized storage makes SaaS services easier to breach.
  • The multi-tenancy framework might cause data leakage if clients are not adequately segregated.
  • Data breaches might occur due to insufficient access restrictions, and when using third-party infrastructure you have to trust their safety precautions.
  • Insecure application programming interfaces (APIs) can expose SaaS applications to cyberattacks if they are not properly secured.
  • With an increasing amount of off-site data storage, often in separate countries, ensuring continued regulatory compliance is a challenging task.

Top SaaS Security Checklist 2023

  • Deploy a trusted SaaS Security Vendor
  • Data Encryption
  • Regular Security Audits
  • Multi-factor Authentication (MFA)
  • Set Identity and Access Management Rules
  • Data Backups and Disaster Recovery
  • Secure Application Development
  • Endpoint Security
  • Training and Awareness
  • Monitor and Alert

To check out the details: Top SaaS Security Checklist 2023

SaaS Security A Complete Guide


Tags: SaaS Security


Sep 11 2023

Cybercriminals Using PowerShell to Steal NTLMv2 Hashes

Category: Cheat Sheet, PowerShell Security | disc7 @ 1:19 pm

Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows

A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium.

The activity has been codenamed Steal-It by Zscaler ThreatLabz.

“In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs,” security researchers Niraj Shivtarkar and Avinash Kumar said.

Nishang is a framework and collection of PowerShell scripts and payloads for offensive security, penetration testing, and red teaming.

PowerShell to Steal NTLMv2 Hashes

The attacks leverage as many as five different infection chains, although they all leverage phishing emails containing ZIP archives as the starting point to infiltrate specific targets using geofencing techniques –

  • NTLMv2 hash stealing infection chain, which employs a custom version of the aforementioned Start-CaptureServer PowerShell script to harvest NTLMv2 hashes
  • System info stealing infection chain, which uses OnlyFans lures to target Australian users into downloading a CMD file that pilfers system information
  • Fansly whoami infection chain, which uses explicit images of Ukrainian and Russian Fansly models to entice Polish users into downloading a CMD file that exfiltrates the results of the whoami command
  • Windows update infection chain, which targets Belgian users with fake Windows update scripts designed to run commands like tasklist and systeminfo

It’s worth noting that the last attack sequence was highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in May 2023 as part of an APT28 campaign directed against government institutions in the country.

This raises the possibility that the Steal-It campaign could also be the work of the Russian state-sponsored threat actor.

“The threat actors’ custom PowerShell scripts and strategic use of LNK files within ZIP archives highlights their technical expertise,” the researchers said. “The persistence maintained by moving files from the Downloads to Startup folder and renaming them underscores the threat actors’ dedication to prolonged access.”

Learn PowerShell in a Month of Lunches, Fourth Edition: Covers Windows, Linux, and macOS 


Tags: cheat sheet, Compromised Windows, Hashes, PowerShell


Sep 11 2023

Notepad++ v8.5.7 Released: Fix for 4 Security Vulnerabilities

Category: Security vulnerabilities | disc7 @ 8:19 am

Notepad++ v8.5.7 has been released with several bug fixes and new features. It also adds integrity and authenticity validation and a security enhancement, and fixes a memory leak while reading Utf8-16 files.

Multiple vulnerabilities in Notepad++ relating to heap buffer read overflow, heap buffer write overflow, and global buffer read overflow were previously reported. However, the new version of Notepad++ claims to have patched these vulnerabilities.

GitLab security researcher Jaroslav Lobačevski (@JarLob) discovered these vulnerabilities at the end of August 2023. However, as part of GitLab’s coordinated disclosure policy, these vulnerabilities were publicly disclosed before Notepad++ patched them.

Notepad++ v8.5.7

This current new version of Notepad++ implemented the integrity and authenticity validation by introducing the GPG Notepad++ Public key which can be used for the verification of GPG Signature. In addition to that, SHA-256 digests of binary packages have also been added which can be used for checking the integrity of your Notepad++ download.

As part of the bug fixes and new features, Notepad++ has fixed the previously reported vulnerabilities with the CVE IDs CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, and CVE-2023-40166.

Other fixes include Document disassociated issue, Dragging tab performance issue, Session file saving problem, product version value displayed in file’s properties and activating wrong file(s) were also rectified as part of this new release.

Furthermore, Notepad++ has added an option to suppress the opening of files larger than 2GB. With this option enabled, Notepad++ waits for user confirmation before opening such a large file.

“Notepad++ will completely hang and await user confirmation when trying to open a file bigger than 2GB.” reads the issue on GitHub. The source code for this release has also been published.

It is recommended for users of Notepad++ to upgrade to version 8.5.7 in order to fix the vulnerabilities and improve the application’s performance.


Tags: Notepad++


Sep 10 2023

Security Controls and Vulnerability Management

ISO 27002 Control: Vulnerability Management
Why a penetration test is important for an organization.
It helps protect user data in real time, prioritize risk effectively, foster security awareness, devise strategies for identifying vulnerabilities, and implement an incident response protocol aligned with vulnerability management. Following compliance protocols is also crucial in order to meet regulatory standards.
#informationsecurity #cyberdefense #cybersecurity
Cheat sheet for pentester
Image credit:-https://lnkd.in/eb2HRA3n

Linux Cheat Sheet


Tags: vulnerability management


Sep 10 2023

Stealthy APT exposed: TTPs spill secrets of sophisticated campaigns

Category: TTP, Cyber-Espionage | disc7 @ 9:13 am

https://www.scmagazine.com/news/stealthy-apt-exposed-ttps-spill-secrets-of-sophisticated-campaigns

A newly identified advanced persistent threat (APT) group is using sophisticated cyberespionage techniques and custom malware to target government and technology sector organizations in at least six countries, including the United States.

Trend Micro said it discovered the group, which it calls Earth Estries, earlier this year, although they have been active since at least 2020.

In a Wednesday post, Trend Micro researchers describe Earth Estries as a sophisticated hacker group that is currently running an active campaign in the Philippines, Taiwan, Malaysia, South Africa and Germany, as well as the U.S.

“From a general overview of the tools and techniques used in this ongoing campaign, we believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities,” the researchers wrote.

Trend Micro did not attribute the group to a particular country but said it found some overlaps between the tactics, techniques and procedures (TTPs) used by Earth Estries and those used by another APT group, FamousSparrow.

“Moreover, the code similarities and TTPs between Earth Estries and FamousSparrow suggests a possible connection between them,” the researchers said.

Further evidence, including tracked IP addresses and common technical formatting themes also suggested there were “strong ties” between the two groups.

In a 2021 research report, ESET linked FamousSparrow to two other APT groups, SparklingGoblin and DRBControl, both of which have been connected to Chinese threat actors.

Focused on evading detection

Trend Micro said after compromising internal servers, Earth Estries used valid accounts with administrative privileges to covertly move laterally across its victims’ networks.

“To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.”
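To make the AMSI-evasion point concrete, here is an added Python example (mine, not from Trend Micro’s write-up) that runs over constructed Windows PowerShell engine-lifecycle records (Event ID 400 in the classic “Windows PowerShell” log) and flags version-2 engine starts. It assumes the “EngineVersion=” and “HostApplication=” lines that Windows PowerShell writes into that event’s message; the records, host names and encoded command are constructed. It separates a downgrade that succeeded (EngineVersion=2.0, where AMSI and script block logging do not exist) from one that was only requested on the command line (-version 2 / -v 2), which fails on a host without the v2 engine installed but is still worth an alert.

```python
"""Flag PowerShell v2 downgrade attempts in Event ID 400 records (added example)."""
import re

# Constructed "Windows PowerShell" Engine Lifecycle records (Event ID 400 = engine
# started, 403 = engine stopped). Real messages carry these Details: lines.
SAMPLE_EVENTS = [
    {"event_id": 400, "host": "WS01", "message":
        "Engine state is changed from None to Available.\nDetails:\n"
        "\tEngineVersion=5.1.19041.3031\n"
        "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile"},
    {"event_id": 400, "host": "WS01", "message":
        "Engine state is changed from None to Available.\nDetails:\n"
        "\tEngineVersion=2.0\n"
        "\tHostApplication=powershell.exe -version 2 -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"event_id": 400, "host": "SRV02", "message":
        "Engine state is changed from None to Available.\nDetails:\n"
        "\tEngineVersion=5.1.17763.1\n"
        "\tHostApplication=powershell -v 2 -ep bypass -File C:\\Users\\Public\\s.ps1"},
    {"event_id": 403, "host": "WS01", "message":
        "Engine state is changed from Available to Stopped.\nDetails:\n"
        "\tEngineVersion=5.1.19041.3031"},
]

FIELD = re.compile(r"^\s*(EngineVersion|HostApplication)=(.*)$", re.MULTILINE)
# powershell.exe accepts any unambiguous prefix of -Version, so -v 2, -ver 2 and
# -version 2.0 all select the v2 engine.
V2_FLAG = re.compile(r"(?i)(?:^|\s)-v[a-z]*\s+[\"']?2(?:\.0)?\b")


def parse_fields(message):
    """Pull the Details: key=value lines we care about out of the event message."""
    return {k: v.strip() for k, v in FIELD.findall(message)}


def classify(event):
    """Return 'downgrade_succeeded', 'downgrade_attempted' or None for one record."""
    if event.get("event_id") != 400:
        return None
    fields = parse_fields(event["message"])
    if fields.get("EngineVersion", "").startswith("2."):
        return "downgrade_succeeded"          # v2 engine actually came up: no AMSI, no 4104 logs
    if V2_FLAG.search(fields.get("HostApplication", "")):
        return "downgrade_attempted"          # requested v2 but a newer engine started
    return None


def detect_downgrades(events):
    """Alerts for every engine start that is, or tried to be, a v2 downgrade."""
    alerts = []
    for event in events:
        kind = classify(event)
        if kind:
            alerts.append({
                "host": event["host"],
                "kind": kind,
                "host_application": parse_fields(event["message"]).get("HostApplication", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_downgrades(SAMPLE_EVENTS):
        print(alert)
```

Process-creation telemetry (Sysmon Event 1, Security 4688 with command-line auditing) gives the same -version 2 signal earlier and independently of the PowerShell log. The durable fix is to remove the v2 engine, which ships as the optional Windows feature MicrosoftWindowsPowerShellV2, so that the downgrade has nothing to fall back to.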

The researchers said Earth Estries deployed a range of tools to carry out its campaign, including commonly used remote control tools such as Cobalt Strike and PlugX, but also novel backdoors and information stealers.

Included in its toolkit was Zingdoor, a Go HTTP backdoor with cross-platform capabilities which was first developed in June 2022 and has only been deployed on limited occasions.

The group also used TrillClient, a custom browser data stealer, also written in Go, which connected to a GitHub repository to retrieve commands, and HemiGate, a backdoor with keylogging capabilities.

“Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads. We observed that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal,” the researchers said.

“We also noted that the threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware when they started another round. We believe that they do this to reduce the risk of exposure and detection.”

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

Tags: Cyber-Espionage


Sep 10 2023

ISO 27k1/2 Transitioning to the 2022 standards

Category: ISO 27k | disc7 @ 8:08 am

Implementing and auditing an Information Security Management System in small and medium-sized businesses


Tags: ISO 27001 2022, ISO 27002 2022


Sep 08 2023

NIST Gap Assessment Tool

Category: NIST CSF, NIST Privacy | disc7 @ 1:23 pm

The NIST Gap Assessment Tool will cost-effectively assess your organization against the NIST SP 800-171 standard. It will help you to:

  • Understand the NIST SP 800-171 requirements for storing, processing, and transmitting CUI (Controlled Unclassified Information)
  • Quickly identify your NIST SP 800-171 compliance gaps
  • Plan and prioritize your NIST SP 800-171 project to ensure data handling meets U.S. DoD (Department of Defense) requirements

Get started with your NIST SP 800-171 compliance project

The DoD requires U.S. contractors and their subcontractors to have an available assessment of their compliance with NIST SP 800-171. As part of a national movement to have a consistent approach to cybersecurity across the U.S., even organizations that store, process, or transmit unclassified and/or sensitive information must complete an assessment.

ITG NIST Gap Assessment Tool provides the assessment template you need to guide you through compliance with the DoD’s requirements for NIST SP 800-171. The tool lays out all 14 categories and 110 security controls from the Standard, in Excel format, so you can complete a full and easy-to-use assessment with concise data reporting.

What does the tool do?

  • Features the following tabs: ‘Instructions’, ‘Summary’, and ‘Assessment and SSP (System Security Plan)’.
  • The ‘Instructions’ tab provides an easy explanation of how to use the tool and assess your compliance project, so you can complete the process without hassle.
  • The ‘Assessment and SSP’ tab shows all control numbers and requires you to complete your assessment of each control.
  • Once you have completed the full assessment, the ‘Summary’ tab provides high-level graphs for each category and overall completion. Analysis includes an overall compliance score and shows the amount of security controls that are completed, ongoing, or not applied in your organization.
  • The ‘Summary’ tab also provides clear direction for areas of development and how you should plan and prioritize your project effectively, so you can start the journey of providing a completed NIST SP 800-171 assessment to the DoD.

This NIST Gap Assessment Tool is designed for conducting a comprehensive compliance assessment. NIST SP 800-171 Assessment Tool.

The Complete DOD NIST 800-171 Compliance Manual: Comprehensive Controlled Unclassified Information (CUI) Marking & Handling Section


Tags: NIST Gap Assessment Tool, NIST SP 800-171


Sep 08 2023

CALDERA: FREE OPERATIONAL TECHNOLOGY OT ATTACK EMULATION TOOL TO SECURE ICS, SCADA AND PLC DEVICES

Category: OT/ICS, Scada Security, Security Tools | disc7 @ 7:23 am

MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new open source tool that emulates cyber-attacks on operational technology (OT). The tool was published recently.

MITRE Caldera for OT is now publicly available as an extension to the open-source Caldera platform on GitHub. It allows cybersecurity specialists who deal with industrial control systems (ICS) to run automated adversary emulation exercises aimed at continuously testing and improving their cyber defenses, including security assessments and red, blue and purple team exercises.

This Caldera extension for OT was created via a collaborative effort between CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI). HSSEDI is a research and development institution that is financed by the federal government and is maintained and run by MITRE on behalf of the Department of Homeland Security (DHS).

The program contributes to the goal of the federal government to strengthen the security of vital infrastructure that is dependent on OT. Some examples of such infrastructure are water and electricity. This objective was elaborated upon in the United States’ National Cybersecurity Strategy, which was published in March 2023, and in the Executive Order on Improving the Nation’s Cybersecurity, which was issued by President Biden in May 2021.

Work done by CISA and HSSEDI to automate adversary emulation in CISA’s Control Environment Laboratory Resource (CELR) served as the foundation for the OT extension. That work made it possible to identify adversary techniques that could be implemented in Caldera.

The plugins, stored in the “caldera-ot” repository, are intended to strengthen the defensive mechanisms and testing capabilities of critical infrastructure systems. They are made available as Git submodules so that researchers and security practitioners can access them readily.

The plugins were developed to enable adversary emulation inside OT environments, giving organizations the ability to test and strengthen their defenses and better prepare for possible attacks. They also support the classic Caldera use cases, such as rigorous testing of security mechanisms and operator training.

MITRE’s move marks a major step forward in the continuing effort to secure critical infrastructure systems and to strengthen security within the OT sector.

A presentation titled “Emulating Adversary Actions in the Operational Environment with Caldera (TM) for OT” has also been made available by MITRE for individuals who are looking for further information of a more in-depth kind.

Users may apply the following command in order to install the whole collection of Caldera for OT plugins:

git clone https://github.com/mitre/caldera-ot.git --recursive


Individuals also have the option of configuring certain plugins on their own, which allows them to personalize their approach to OT security to meet their unique requirements.

At the moment, the following three important plugins are available:

  1. BACnet: covers the Building Automation and Control Networks (BACnet) protocol.
  2. DNP3: covers the Distributed Network Protocol 3 (DNP3).
  3. Modbus: covers the Modbus protocol.

Caldera for OT aims to unify and expose open-source OT protocol libraries, making them available as protocol-specific plugins. Each plugin comes with its own extensive documentation.

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security

Cyber Defence Strategy using NIST and MITRE ATT&CK Frameworks


Tags: Caldera, MITRE ATT&CK, MITRE Caldera


Sep 05 2023

Connected cars and cybercrime: A primer

Category: Cybercrime | disc7 @ 9:30 am

Analysis of chatter in criminal underground message exchanges, however, reveals that the pieces exist for multi-layered, widespread attacks in the coming years. And given that the automotive industry’s customary development cycles are long, waiting for the more sophisticated cyberattacks on connected cars to appear is not a practical option.

What should the world’s automotive OEMs and suppliers do now to prepare for the inevitable transition from today’s manual, car-modding hacks to tomorrow’s user impersonation, account thefts and other possible attacks?

How connectivity is changing car crime

As our vehicles become more connected to the outside world, the attack surface available to cybercriminals is rapidly increasing, and new “smart” features on the current generation of vehicles worldwide open the door for new threats.

Our new “smartphones on wheels”—always connected to the internet, utilizing many apps and services, collecting tremendous amounts of data from multiple sensors, receiving over-the-air software updates, etc.—stand to be attacked in similar ways to how our computers and handheld devices already are today.

Automotive companies need to think now about those potential future threats. A car that an OEM is planning today will likely reach the market in three to five years. It will need to be already secured against the cyberthreat landscape that might be in existence by then. If the car hits the market without the required cybersecurity capabilities, the job of securing it will become significantly more difficult.

The likelihood of substantially more frequent, devious, and harmful attacks is portended by the complex attacks on connected cars that we have seen devised by industry researchers. Fortunately, the attacks to this point largely have been limited to these theoretical exercises in the automotive industry. Car modding – e.g., unlocking a vehicle’s features or manipulating mileage – is as far as real-world implementation has gotten.

Connectivity limits some of the typical options that are available to criminals specializing in car crime. The trackability of contemporary vehicles makes reselling stolen cars significantly more challenging, and even if a criminal can manage to take a vehicle offline, the associated loss of features renders the car less valuable to potential buyers.

Still, as connectivity across and beyond vehicles grows more pervasive and complicated, so will the threat. How are attacks on tomorrow’s connected cars likely to evolve?

Emerging fronts for next-generation attacks

Because the online features of connected cars are managed via user accounts, attackers may seek access to those accounts to attain control over the vehicle. Takeover of these car-user accounts looms as the emerging front for attack for would-be car cybercriminals and even criminal organizations, creating ripe possibilities for user impersonation and the buying and selling of the accounts.

Stealing online accounts and selling them to rogue collaborators who can act on that knowledge tee up a range of future possible attacks for tomorrow’s automotive cybercriminals:

  • Selling car user accounts
  • Impersonating users via phishing, keyloggers or other malware
  • Remote unlocking, starting and controlling connected cars
  • Opening cars and looting for valuables or committing other one-off crimes
  • Stealing cars and selling for parts
  • Locating cars to pinpoint owners’ residential addresses and to identify when owners are not home

The crime triangle takes shape

Connected car cybercrime is still in its infancy, but criminal organizations in some nations are beginning to recognize the opportunity to exploit vehicle connectivity. Surveying today’s underground message forums quickly reveals that the pieces could quickly fall into place for more sophisticated automotive cyberattacks in the years ahead. Discussions on underground crime forums around data that could be leaked and needed/available software tools to enable attacks are already intensifying.

A post from a publicly searchable auto-modders forum about a vehicle’s multi-displacement system (MDS) for adjusting engine performance is symbolic of the current activity and possibilities.

Another, in which a user on a criminal underground forum offers a data dump from a car manufacturer, points to the possible threats that are likely coming to the industry.

Though they still seem to be limited to accessing regular stolen data, compromises and network accesses are for sale in the underground. The crime triangle (as defined by crime analysts) for sophisticated automotive cyberattacks is solidifying:

  • Target — The connected cars that serious criminals will seek to exploit in the years ahead are becoming more and more prevalent in the global marketplace.
  • Desire — Criminal organizations will find ample market incentive to monetize stolen car accounts.
  • Opportunity — Hackers are steeped in inventive methods to hijack people’s accounts via phishing, infostealing, keylogging, etc.

Penetrating and exploiting connected cars

The ways for seizing access to the data of users of connected cars are numerous: introducing malicious in-vehicle infotainment (IVI) apps, exploiting unsecure IVI apps and network connections, taking advantage of unsecure browsers to steal private data, and more.

Also, there’s a risk of exploitation of personally identifiable information (PII) and vehicle telemetric data (on a car’s condition, for example) stored in smart cockpits, to inform extremely personalized and convincing phishing emails.

Here’s one method by which it could happen:

  • An attacker identifies vulnerabilities that can be exploited in a browser.
  • The attacker creates a professional, attractive webpage to offer hard-to-resist promotions to unsuspecting users (fast-food coupons, discounts on vehicle maintenance for the user’s specific model and year, insider stock information, etc.)
  • The user is lured into visiting the malicious webpage, which bypasses the browser’s security mechanisms
  • The attacker installs backdoors in the vehicle IVI system, without the user’s knowledge or permission, to obtain various forms of sensitive data (driving history, conversations recorded by manufacturer-installed microphones, videos recorded by built-in cameras, contact lists, text messages, etc.)

The possible crimes enabled by such a process are wide ranging. By creating a fraudulent scheme to steal the user’s identity, for example, the attacker would be able to open accounts on the user’s behalf or even trick an OEM service team into approving verification requests—at which point the attacker could remotely open the vehicle’s doors and allow a collaborator to steal the car.

Furthermore, the attackers could use the backdoors that they installed to infiltrate the vehicle’s central gateway via the IVI system by sending malicious messages to electronic control units (ECUs). A driver could not only lose control of the car’s IVI system and its geolocation and audio and video data, but also the ability to control speed, steering and other safety-critical functions of the vehicle, as well as the range of vital data stored in its digital clusters.

Positioning today for tomorrow’s threat landscape

Until now there might have been reluctance among OEMs to invest in averting cyberattacks, which haven’t yet materialized in the real world. But a 2023 Gartner Research report, “Automotive Insight: Vehicle Cybersecurity Ecosystem Creates Partnership Opportunities,” is among the industry research documenting a shift in priorities.

Driven by factors such as the significant risk of brand and financial damage from cyberattacks via updatable vehicle functions controlled by software, as well as emerging international regulatory pressures such as the United Nations (UN) regulation 155 (R155) and ISO/SAE 21434, OEMs have begun to emphasize cybersecurity.

And today, they are actively evaluating and, in some cases, even implementing a few powerful capabilities:

  • Security for IVI privacy and identity
  • Detection of IVI app vulnerabilities
  • Monitoring of IVI app performance
  • Protection of car companion apps
  • Detection of malicious URLs
  • 24/7 surveillance of personal data

Investing in cybersecurity in the design stage, versus after breaches, will ultimately prove less expensive and more effective in terms of avoiding or mitigating serious crimes involving money, vehicle and identity theft from compromised personal data by the world’s most savvy and ambitious business criminals.

Building Secure Cars


Tags: Connected cars


Sep 04 2023

“SMISHING TRIAD” TARGETED USPS AND US CITIZENS FOR DATA THEFT

Category: Phishing | disc7 @ 10:30 pm

Resecurity has identified a large-scale smishing campaign, tracked as Smishing Triad, targeting US citizens.

Earlier episodes have revealed victims from the U.K., Poland, Sweden, Italy, Indonesia, Japan and other countries – the group was impersonating the Royal Mail, New Zealand Postal Service (NZPOST), Correos (Spain), Postnord, Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate). Similar scams have been observed before targeting Fedex and UPS.

The bad actors, attributed to Chinese-speaking cybercriminals, are leveraging a package-tracking text scam sent via iMessage to collect personal (PII) and payment information from victims with the goal of identity theft and credit card fraud. The group has been named “Smishing Triad” because it uses smishing as its main attack vector and originates from China.

Smishing is a form of phishing that involves a text message or phone number. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information. These scammers often attempt to disguise themselves as a government agency, bank, or other organization to lend legitimacy to their claims, for example, a postal service like the United States Postal Service (USPS), asking to pay additional delivery fees via credit card. Once the victim shares payment information, the bad actors use it for fraudulent purposes and unauthorized charges.

Anticipating a spike in this activity during the summer, USPS warned in good time about the growing risk of package-tracking text scams sent via SMS/iMessage. The spike was observed during August, with a large number of domain names registered by the attackers.

A notable detail of the “Smishing Triad” campaign is that the bad actors used solely iMessages sent from compromised Apple iCloud accounts as the delivery method for their malicious messages, instead of the traditional SMS or calls used in other scam campaigns such as “PostalFurious” and “RedZei” observed by other researchers in the past.

“Smishing Triad” also attacks online-shopping platforms and injects malicious code to intercept customer data. Around July 19, 2023, a campaign by the same actors was identified targeting popular online-shopping platforms with malicious pages containing a payment form impersonating Sumitomo Mitsui Banking Corporation (SMBC). Around the same time, customized forms impersonating the New Zealand Transport Agency and the Agenzia delle Entrate (the Italian Revenue Agency, which enforces Italy’s financial code and collects taxes and revenue) were also identified.

The bad actors also distribute a fake online-shop engine (TrickyCart) that lets them defraud consumers with a pseudo 3D Secure payment form impersonating popular payment systems and e-commerce platforms, including Visa, Mastercard and PayPal.

“Smishing Triad” has its own Telegram channel with over 2,725 members, plus several private groups. The actors are arming other cybercriminals by selling them customized ‘smishing kits’ targeting popular U.S., U.K. and EU brands, starting at $200 per month on a subscription basis with further support. Resecurity identified a group of domain names used by “Smishing Triad” registered in the “.top” zone via NameSilo and protected by Cloudflare around August 2023. Notably, some of the domain names are still functioning, as is the Telegram group managed by the actors.
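An added triage heuristic, mine rather than Resecurity’s method, for the kind of domain set described above: given newly seen domains (from certificate transparency, passive DNS or registrar feeds), flag those that pair a postal or tax-agency brand token with a delivery lure word or the .top TLD named in this post. The brand list comes from the brands named here; the lure words, the digit-to-letter folding and the scoring rule are my assumptions, and the domains and registrars are constructed.

```python
"""Brand-impersonation triage for newly seen domains (added example)."""

# Brand tokens drawn from the brands this post says were impersonated.
BRAND_TOKENS = {
    "usps": "USPS", "royalmail": "Royal Mail", "nzpost": "NZ Post", "correos": "Correos",
    "postnord": "PostNord", "posteitaliane": "Poste Italiane",
    "agenziaentrate": "Agenzia delle Entrate", "fedex": "FedEx", "ups": "UPS",
}
# Assumed lure vocabulary typical of "pay a redelivery fee" texts.
LURE_WORDS = ("track", "parcel", "package", "deliver", "postage", "fee", "customs")
RISKY_TLDS = {"top"}   # from the report; extend from your own telemetry
# Fold common digit substitutions so r0yalmail and p0stn0rd still match.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

# Constructed (domain, registrar) records standing in for a new-domain feed.
SAMPLE_DOMAINS = [
    ("usps-redelivery-fee.top", "NameSilo"),
    ("uspstrackings.top", "NameSilo"),
    ("r0yalmail-parcel.top", "NameSilo"),
    ("groups.top", "NameSilo"),        # 'ups' inside a word: must not fire
    ("usps.com", "MarkMonitor"),       # the brand's own domain: must not fire
    ("postnord-customs.info", "Tucows"),
]


def split_domain(domain):
    """Return (tld, [labels left of the tld]) in lower case."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-1], labels[:-1]


def brand_in_token(token):
    """A dash-separated token names a brand if it equals the brand outright, or
    contains it together with a lure word (uspstracking). Bare containment is
    not enough, otherwise 'groups' would match UPS."""
    folded = token.translate(LEET)
    for key, name in BRAND_TOKENS.items():
        if folded == key:
            return name
        if key in folded and any(w in folded for w in LURE_WORDS):
            return name
    return None


def assess(domain, registrar=None):
    """Return a hit dict when brand + (lure word or risky TLD) co-occur, else None."""
    tld, labels = split_domain(domain)
    tokens = [t for label in labels for t in label.split("-") if t]
    brand = next((b for b in map(brand_in_token, tokens) if b), None)
    if brand is None:
        return None
    lure = any(w in t.translate(LEET) for t in tokens for w in LURE_WORDS)
    if not (lure or tld in RISKY_TLDS):
        return None   # brand alone (usps.com) is not evidence of impersonation
    return {"domain": domain, "brand": brand, "tld": tld, "lure": lure, "registrar": registrar}


def triage(records):
    """Keep only the records worth an analyst's time, in feed order."""
    return [hit for domain, registrar in records if (hit := assess(domain, registrar))]


if __name__ == "__main__":
    for hit in triage(SAMPLE_DOMAINS):
        print(hit)
```

The rule is deliberately conservative (brand plus a second signal) because the cost of a false positive is an analyst minute, while the cost of a miss is a live phishing page; tune LURE_WORDS and RISKY_TLDS from what your own takedown history shows.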

After acquiring the ‘smishing kit’, Resecurity identified a vulnerability acting as a hidden backdoor in the code that allows the kit’s authors to silently extract the personal and payment data collected by their clients. According to the researchers, such schemes are widely used by cybercriminals in password stealers and phishing kits, allowing them to profit from their clients’ efforts or at least to monitor their activity. Resecurity was able to recover over 108,044 records of victims’ compromised data in order to alert them about identity theft. The collected information has been shared with relevant law enforcement agencies and the United States Postal Inspection Service.

Resecurity highlighted that it may be complicated to disrupt such cybercriminal activity committed by foreign actors located in jurisdictions like China without proper law enforcement and industry collaboration. Therefore, Resecurity is sharing the information about the “Smishing Triad” with the wider community and network defenders to raise awareness and safeguard their customers.

Further technical details are available in the report published by Resecurity.

SCAM!: How to Avoid the Scams That Cost Victims Billions of Dollars Every


Tags: Smishing


Sep 04 2023

Is the new OWASP API Top 10 helpful to defenders?

Category: API security | disc7 @ 9:50 am

The OWASP Foundation’s Top Ten lists have consistently aided defenders in directing their attention towards particular technologies, and the OWASP API (Application Programming Interface) Security Top 10 2023 is no different. Originally formulated five years ago and recently revised, its goal is to tackle evolving attack techniques.

API Security in Action

However, the OWASP API Security Project leaders had their work cut out when deciding how to group and prioritize the threats. The list is put together based upon industry input and must reflect compliance concerns, so it was never going to completely satisfy all people. The question is, does it go far enough to be of value to those in the thick of it when it comes to API development and defense?

What has changed and what has stayed the same?

By comparing the old and the new list, we can see that the top two threats – API1 Broken Object Level Authorization (BOLA) and API2 Broken User Authentication – have remained unchanged. API1 denotes the manipulation of the identifier of an object that is sent within a request to the API, while API2 covers the abuse of authentication mechanisms through attacks such as credential stuffing, including forgotten/reset password functions. They provide the quickest wins for attackers, and it’s easy to see why these continue to top the list.

API3 replaced Excessive Data Exposure with Broken Object Property Level Authorization. Does this mean we have solved the problem of sensitive data exposure? Alas, no, it continues to be a huge problem. What this change signifies is the next stage an attacker would take when exploiting sensitive data exposure, i.e., breaking through the property level authorization. So why has the Project decided to make the change? Probably for the sake of clarity, because sensitive data exposure is an issue that spans the rest of the list. But some, including myself, would argue that this isn’t the right way to present the issue, because it downplays what is a very serious issue.
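To show what API1 and API3 look like inside a handler, here is an added Python example (mine, not from the OWASP project) built on an in-memory order store: a vulnerable read that trusts the order ID in the request, beside a hardened read and update that check ownership per object, return only an allow-list of properties, and refuse client writes to properties the client may not set. The users, orders, field names and the support role are constructed.

```python
"""BOLA (API1) and property-level authorization (API3), vulnerable vs hardened (added example)."""

# Constructed in-memory store standing in for the API's database.
USERS = {
    1: {"id": 1, "name": "alice", "role": "customer"},
    2: {"id": 2, "name": "bob", "role": "customer"},
    9: {"id": 9, "name": "ops", "role": "support"},
}
ORDERS = {
    101: {"id": 101, "owner_id": 1, "total": 42.0, "card_last4": "4242",
          "shipping_note": "", "internal_fraud_score": 0.1},
    102: {"id": 102, "owner_id": 2, "total": 99.0, "card_last4": "1111",
          "shipping_note": "", "internal_fraud_score": 0.9},
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# --- API1, vulnerable: the caller is authenticated, so the handler trusts whatever
# order_id it was given. Any user can walk /orders/101, /orders/102, ... and read them.
def get_order_vulnerable(caller_id, order_id):
    USERS[caller_id]                 # authentication happened; authorization did not
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return dict(order)               # and it returns every property, internal ones included (API3)


# --- Hardened: authorization is decided per object, and properties are allow-listed
# in both directions (what is returned, what a client may change).
READABLE_FIELDS = ("id", "total", "card_last4", "shipping_note")   # never internal_fraud_score
CLIENT_WRITABLE_FIELDS = {"shipping_note"}                          # never owner_id, total, ...


def can_access_order(caller, order):
    return caller["id"] == order["owner_id"] or caller["role"] == "support"


def load_order_for(caller_id, order_id):
    caller = USERS[caller_id]
    order = ORDERS.get(order_id)
    # "Missing" and "not yours" look identical to the client, so an enumeration
    # cannot learn which IDs exist.
    if order is None or not can_access_order(caller, order):
        raise NotFound(order_id)
    return order


def to_response(order):
    return {k: order.get(k) for k in READABLE_FIELDS}


def get_order(caller_id, order_id):
    return to_response(load_order_for(caller_id, order_id))


def update_order(caller_id, order_id, patch):
    order = load_order_for(caller_id, order_id)
    rejected = set(patch) - CLIENT_WRITABLE_FIELDS
    if rejected:
        # Reject rather than silently drop: a client sending owner_id is either
        # buggy or probing, and either way deserves a visible error.
        raise Forbidden(f"properties not writable by clients: {sorted(rejected)}")
    order.update(patch)
    return to_response(order)


if __name__ == "__main__":
    print(get_order_vulnerable(1, 102))           # alice reads bob's order, fraud score and all
    print(get_order(9, 102))                      # support may read it, trimmed to the allow-list
    try:
        get_order(1, 102)
    except NotFound:
        print("alice cannot see order 102")
```

The same shape applies to any object type and any framework: the ownership check lives next to the data load so it cannot be skipped by a new route, and the allow-lists are data, so a new field is invisible to clients until someone deliberately adds it.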

Similarly, API6 was Mass Assignment in 2019 and is now Unrestricted Access to Sensitive Business Flows. Are they different? Not really. Both are talking about taking advantage of objects and their properties within the application flow, with the examples listed on the project page referring to a ride share app where functionality is exploited in the backend. There is, however, something subtle about the naming that makes the 2023 version seem like something that needs to be fixed, rather than being nebulous and confusing, so in that respect it is an improvement.

Bring bots into the mix

API6 also plays to how an API that isn’t functioning properly can swiftly end up with attack automation being utilized against it in the form of bot attacks. This is important because there’s always been an artificial distinction made between API and bot attacks, with the security sector offering different solutions for each, when the reality is that automated attacks can be and are launched against APIs. So, it no longer makes sense to monitor for API attacks and bot attacks separately: bot mitigation has to become part of API security. This is apparent in our recent report, which revealed that automated attacks dwarfed other TTPs in the analysis of traffic during the last quarter of 2022.

Overall, the new list largely redefines many of the previous tactics, techniques and procedures (TTPs) in a bid to be more inclusive. API4, for instance, has moved from Lack of Resources and Rate Limiting to Unrestricted Resource Consumption, reflecting the fact that rate limiting extends beyond the issue of network capacity. Other resources that can be abused if limits are not set include CPU, memory and storage, but just as importantly, third-party service providers can find their resources maxed out by API requests: they may provide emails, texts or phone calls, and repeated API requests can see that provider rack up huge service costs.
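An added example (mine, not from the OWASP project) of the API4 point that limits have to be priced by what an operation costs rather than counted per request: a per-principal token bucket in which sending an SMS one-time code draws far more than listing orders, plus a server-side clamp on client-chosen page sizes. The operation costs, bucket capacity and the fake clock are constructed for the demo.

```python
"""Cost-weighted rate limiting for API4 Unrestricted Resource Consumption (added example)."""
import time
from collections import defaultdict

# Constructed per-operation costs, roughly proportional to backend or third-party spend.
OP_COST = {"list_orders": 1, "export_report": 10, "send_sms_otp": 25}
MAX_PAGE_SIZE = 100


class CostAwareLimiter:
    """Per-principal token bucket. Each call draws OP_COST tokens instead of a flat 1,
    so a burst of cheap reads and a burst of SMS sends are limited on one budget."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._tokens = defaultdict(lambda: float(capacity))
        self._last_seen = {}

    def _refill(self, principal, now):
        last = self._last_seen.get(principal, now)
        self._tokens[principal] = min(self.capacity,
                                      self._tokens[principal] + (now - last) * self.refill_per_sec)
        self._last_seen[principal] = now

    def try_consume(self, principal, cost):
        """Atomically (single-threaded here) charge the cost if the budget covers it."""
        now = self.clock()
        self._refill(principal, now)
        if self._tokens[principal] >= cost:
            self._tokens[principal] -= cost
            return True
        return False


def clamp_page_size(requested, default=20, maximum=MAX_PAGE_SIZE):
    """Never let the client choose the amount of work: bound page_size server-side."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, maximum))


def handle(limiter, principal, op, page_size=None):
    """Gateway-style decision: 429 when the principal's budget cannot cover this op."""
    if op not in OP_COST:
        return 404, "unknown operation"
    if not limiter.try_consume(principal, OP_COST[op]):
        return 429, f"budget exhausted for {op}"
    if op == "list_orders":
        return 200, f"page_size={clamp_page_size(page_size)}"
    return 200, "ok"


class FakeClock:
    """Deterministic clock for the demo; advance() stands in for elapsed seconds."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    limiter = CostAwareLimiter(capacity=50, refill_per_sec=1.0, clock=clock)
    results = []
    results.append(handle(limiter, "user:7", "send_sms_otp")[0])   # 200, 25 tokens left
    results.append(handle(limiter, "user:7", "send_sms_otp")[0])   # 200, 0 left
    results.append(handle(limiter, "user:7", "send_sms_otp")[0])   # 429, third SMS refused
    results.append(handle(limiter, "user:8", "list_orders", page_size=5000))  # other user, size clamped
    clock.advance(25)                                               # 25 s of refill at 1 token/s
    results.append(handle(limiter, "user:7", "send_sms_otp")[0])   # 200 again
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the buckets live in a shared store (Redis or the gateway’s own counters) keyed by the authenticated principal, not by source IP, since bots rotate addresses far more easily than accounts; the point that carries over from the demo is that the expensive, externally billed operations get their own steep price.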

However, there are some changes in the order and new concepts in there towards the end. API7 Security Misconfiguration drops a place to API8 as there has been progress made in this area.

API7 is now Server Side Request Forgery (SSRF). APIs are a prime target for SSRF attacks because they routinely channel outbound traffic from an application. Developers often access external resources such as webhooks, file fetching from URLs, custom SSO and URL previews, states the Project, and cloud or container providers expose management and control channels over HTTP that are open to compromise. And the old API8, Injection attacks? That is no longer a separately categorized threat, again because it typically features in many of the other attack types.
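Since the SSRF entry is about APIs that fetch attacker-influenced URLs (webhooks, URL previews, file-by-URL), here is an added Python check (mine, not from the OWASP project) that vets an outbound URL before the fetch: scheme allow-list, no userinfo, resolve the host and refuse if any answer is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata endpoint), IPv4-mapped IPv6 or otherwise non-public, then return the vetted IP so the caller connects to what was checked instead of re-resolving. The DNS table and hostnames in the demo are constructed; the production resolver is socket.getaddrinfo.

```python
"""Outbound-URL vetting against SSRF (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a client-supplied URL must not be fetched server-side."""


def is_public_address(ip_text):
    """True only for globally routable unicast. IPv4-mapped IPv6 is unwrapped so
    ::ffff:127.0.0.1 is judged as 127.0.0.1. Note that ipaddress also treats the
    RFC 5737 documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as
    non-public, so do not use them as 'public' test data."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolve(host):
    """Every address the system resolver returns; all of them must pass, not just one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolve=system_resolve):
    """Vet a URL the API will fetch on a client's behalf and return a pinned target.

    The returned 'ip' is what the caller should connect to (sending 'host' in the
    Host header / SNI); re-resolving at connect time reopens the DNS-rebinding window."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL (e.g. http://trusted.example@evil/)")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP: no DNS, same checks
    except ValueError:
        addresses = resolve(host)                        # decimal/hex forms end up here too
    if not addresses:
        raise UnsafeURL(f"unresolvable host: {host}")
    blocked = [a for a in addresses if not is_public_address(a)]
    if blocked:
        raise UnsafeURL(f"{host} resolves to non-public address(es): {blocked}")
    port = parts.port or (443 if scheme == "https" else 80)
    return {"scheme": scheme, "host": host, "ip": addresses[0],
            "port": port, "path": parts.path or "/"}


# Constructed DNS answers so the demo runs offline.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "rebind.attacker.test": ["93.184.216.35", "10.0.0.8"],   # one public, one internal answer
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def demo():
    """Map each constructed URL to its pinned IP or the reason it was refused."""
    urls = [
        "https://hooks.example.com/notify",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/admin",
        "file:///etc/passwd",
        "http://rebind.attacker.test/",
        "http://admin@hooks.example.com/",
        "http://metadata.internal/",
    ]
    out = {}
    for u in urls:
        try:
            out[u] = "ok " + validate_outbound_url(u, resolve=fake_resolve)["ip"]
        except UnsafeURL as e:
            out[u] = "blocked: " + str(e)
    return out


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{url:45} {verdict}")
```

Two things this check cannot do on its own: it does not follow redirects, so the HTTP client must either disable them or run every redirect target back through the same function, and it does not replace network egress policy, which is what stops a bypass you have not thought of. Where the destination set is small (a few webhook providers), an explicit hostname allow-list in front of all of this is simpler and stronger.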

Significant changes

API9 sees another subtle but important change in the wording: from Improper Assets Management to Improper Inventory Management. This reflects the heightened number of shadow APIs that are out there which, once deployed, are no longer monitored and effectively fall off the security team’s radar. Unmanaged, unknown and unprotected, these APIs are then sitting ducks for attackers who now actively search for them. In fact, we found that 45 billion search attempts were made for shadow APIs during the second half of 2022, compared to five billion during the first six months. A runtime API inventory that continuously monitors production APIs is therefore vital to ensure all APIs that go live are protected, yet it’s one of the key failings in organizations today.
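The runtime inventory idea above, as an added example (mine, not from the article): build the set of live (method, normalized path) pairs from gateway access-log lines, diff it against the documented OpenAPI paths, and also surface older path versions that are still being served. The log lines, paths and the documented set are constructed; the identifier patterns collapsed to {id} are my assumption about what counts as a path parameter.

```python
"""Runtime API inventory vs. documented endpoints for API9 (added example)."""
import re
from collections import defaultdict

# Constructed gateway access-log lines: "<method> <path> <status>".
ACCESS_LOG = """\
GET /api/v2/users/1042/orders 200
GET /api/v2/users/1043/orders 200
POST /api/v2/orders 201
GET /api/v2/orders/9001 200
GET /api/v1/users/77/export?format=csv 200
GET /api/v1/users/78/export?format=csv 200
GET /internal/debug/config 200
"""

# What the team believes is live: (method, templated path) pairs from the OpenAPI file.
DOCUMENTED = {
    ("GET", "/api/v2/users/{id}/orders"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/{id}"),
}

# Path segments that are identifiers (integers, UUIDs, long hex) collapse to {id}
# so /users/1042 and /users/1043 count as one endpoint, not two.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{24,})$", re.I)
VERSION = re.compile(r"/v(\d+)/")


def normalize_path(path):
    path = path.split("?", 1)[0]          # query strings are parameters, not endpoints
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def build_inventory(log_text):
    """Runtime inventory: (method, templated path) -> request count."""
    inventory = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        inventory[(method.upper(), normalize_path(path))] += 1
    return dict(inventory)


def find_shadow_apis(inventory, documented):
    """Endpoints serving traffic that appear nowhere in the documented set."""
    return sorted((m, p, n) for (m, p), n in inventory.items() if (m, p) not in documented)


def path_version(path):
    m = VERSION.search(path)
    return int(m.group(1)) if m else None


def find_stale_versions(inventory, documented):
    """Older API versions still answering while only a newer one is documented."""
    known = [v for v in (path_version(p) for _, p in documented) if v is not None]
    if not known:
        return []
    current = max(known)
    return sorted({p for (_, p) in inventory
                   if (v := path_version(p)) is not None and v < current})


def report(log_text=ACCESS_LOG, documented=DOCUMENTED):
    inventory = build_inventory(log_text)
    return {"shadow": find_shadow_apis(inventory, documented),
            "stale_versions": find_stale_versions(inventory, documented)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run continuously against live traffic rather than once, the “shadow” list is the thing that has to be empty before a release is considered done; anything on it is either undocumented and therefore unreviewed, or a leftover that should be turned off.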

Finally, API10 has changed from Insufficient Logging and Monitoring, now largely covered by API9, to Unsafe Consumption of APIs. This reflects the extension we’ve seen of the API software chain, with APIs now often being integrated with other APIs. The problem that has arisen is that developers tend to inherently trust interactions with these external APIs, particularly from well-known companies, even though they may be flawed and/or be leaking data.

Clearly a great deal of thought has gone into adjusting the OWASP API Top Ten to more accurately address the TTPs that attackers are now using. The result sees both minor and some major changes to the list all of which are justified. Indeed, it’s not the descriptors but the list itself that is problematic. It’s an arbitrary concept that’s designed to attract attention to and heighten the profile of API security but does it do anything to further how we defend against these attacks?

How it holds up under an attack scenario

If we use breach analysis, we can compare a typical breach to the categories in the list to see how the concept stacks up. Many breaches start out with an API that the victim organization was unaware they had (API9 in the 2023 list). This API is then found to return some kind of data about a user that isn’t the attacker (API1). Now the attacker is going to create attack automation using a bot to try to exploit this as quickly and as completely as possible (API6), completing the attack chain and giving the attacker access to data hidden in the victim organization’s systems.

It’s evident that such an attack would cross at least three of the attack categories so prioritizing them becomes immaterial. Indeed, such trinity attacks are gaining ground, with 100 million detected during the first half of 2022.

What’s more, as well as seeing attackers pivot during an attack and utilize known TTPs, we are also seeing them come up with unique TTPs to attempt to subvert the API. These grew more than fivefold between June and November (from 2,000 to 11,000). Most of those attacks were geared towards achieving account takeover (ATO), scraping to perform reconnaissance or to exfiltrate data, and hunting for business logic flaws within the API to commit fraud.

Keeping up with such diverse attacks requires the security team to focus not just on its defense but methods of detection and mitigation. Whether it is knowing where APIs are, testing them for flaws or stopping bots attacking unknown flows, API security needs to become more comprehensive, tracking and protecting the API throughout its entire lifecycle.

A sound summary of TTPs

The new OWASP API Top 10 may not be perfect, but it does cover the bases and provides a great starting point from which to address the topic. It now recognizes that some attack methods, such as sensitive data exposure and injection attacks, span multiple TTPs and so do not require a separate category. It also amplifies the need for bot mitigation as part of API security, and the complex nature of API ecosystems that are seeing them integrated with one another, for instance.

But its structure is not conducive to showing how these attacks are being used in the wild. It still compartmentalizes these attacks when threat actors are becoming much more versatile and combining them.

Realistically, the only way of keeping pace with this rapidly evolving threat landscape is to monitor and manage those APIs. Creating a runtime inventory, conducting API threat surface assessments, carrying out specification anomaly detection and putting in place real-time automated bot detection and mitigation are all now essential to protect the API footprint of the business.

API Security

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: API Security, OWASP API


Sep 03 2023

Nmap cookbook, cheat sheet and mindmap

Category: Information Security, Network security | disc7 @ 9:28 am

Nmap Network Exploration and Security Auditing Cookbook: Network discovery and security scanning at your fingertips

Mastering Nmap: A Comprehensive Guide to Network Discovery and Security

Nmap 7: From Beginner to Pro


Tags: Nmap, Nmap network scanning


Aug 31 2023

THIS CODE ALLOWS HACKING INTO JUNIPER SRX FIREWALLS AND EX SWITCHES

Category: Hacking | disc7 @ 8:04 am

Juniper Networks, a company that manufactures widely used networking equipment as well as security solutions, has issued a warning about vulnerabilities that are present in the operating systems of many of its devices.

The business has acknowledged in not one but two distinct security alerts that were either released or revised this week that the Junos OS and the Junos OS Evolved operating systems may be susceptible to attacks. Additionally, the corporation issued an updated warning about vulnerabilities that are present in the SRX firewalls and EX switches used by the company.

In a fresh warning, it said that earlier versions of the operating systems might stall while processing malformed messages in their implementation of the Border Gateway Protocol (BGP), the routing protocol responsible for directing traffic between networks on the internet.

To be more specific, a “UPDATE” message that is formatted in a particular manner “will eventually create a sustained Denial of Service (DoS) condition for impacted devices,” which would prevent such devices from carrying out their duties.

A security advisory that had been issued in June and was connected to BGP was also updated by the business on Wednesday. This issue also addressed the possibility of attacks that denied service to users.

In both instances, the corporation was providing workarounds as a means of resolving the problems “out of cycle” from its typical operating system update releases.

A third warning, issued on August 17 and most recently updated on Wednesday, refers to vulnerabilities in J-Web, the web interface of the firm’s SRX firewalls and EX switches, which security researchers at watchTowr Labs investigated.

In such a scenario, “an unauthenticated, network-based attacker” has the ability to link together the exploitation of the vulnerabilities “to remotely execute code on the devices.”

In addition, the Cybersecurity and Infrastructure Security Agency (CISA) released a brief advisory on Wednesday about the vulnerabilities in the operating system.

In addition, the researchers carried out an extensive study whose results offer a comprehensive understanding of how this weakness is exploited and of the vulnerabilities associated with it.

In the course of their investigation, the researchers focused on two particular vulnerabilities in Juniper (CVE-2023-36846 and CVE-2023-36845), both of which were described in the company’s security advisory. Both of these vulnerabilities, Missing authentication for key functions and PHP External Variable Modification, have something in common: they both affect PHP.

Further investigation found that J-Web is written entirely in PHP and that the authentication process is handled by a user class. A PHP file called webauth_operation.php was also found.

In addition, a total of 150 distinct functions were found to be in use, serving purposes ranging from basic helpers to the formatting of IP addresses and ranging in complexity from simple to complicated. Every one of them required interaction with the command line interface (CLI) of the appliance.

Researchers from watchTowr have produced a comprehensive analysis, available on their website, containing in-depth information on these vulnerabilities and the techniques used to exploit them.

A GitHub repository containing a proof-of-concept for this vulnerability has been made available. Security professionals may use it to test and remediate their susceptible environments.

Future Crimes Everything Is Connected Everyone Is Vulnerable and What We Can Do About It


Tags: JUNIPER SRX FIREWALLS


Aug 30 2023

Email Authentication Protocols: SPF, DKIM, and DMARC – A Detailed Guide

Category: Email Security | disc7 @ 9:12 am


Email communication is essential for personal and professional contact in the modern digital environment.

Email is widely used, making it a perfect target for cybercriminals, leading to increased phishing attempts, spam, and email spoofing.

Strong email security measures are becoming essential as these threats become more sophisticated. Email authentication techniques like SPF, DKIM, and DMARC are crucial in situations like this.

By authenticating the sender’s identity and confirming the accuracy of the received messages, these procedures act as the first line of protection against email-based threats.

This article will thoroughly review these three important email authentication methods, including their roles, how they cooperate, and why they are crucial for upholding a reliable and secure email communication infrastructure.

What are Email Authentication Protocols?

Secure email communications can be achieved through Email Authentication Protocols, standards, or technologies that validate the sender’s identity and protect the message’s integrity.

These standards aim to protect users from spam, phishing, and other malicious email-based assaults.

As a bonus, they make it less likely that a good email will be incorrectly deleted as spam or malware.

Here are the primary email authentication protocols commonly in use:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) is an email authentication technology developed to prevent spam.

By letting domain owners choose which mail servers can send emails on their behalf, SPF assists receiving servers in authenticating the sender of incoming messages.

For this purpose, the DNS records of the domain are consulted to ensure that the emails come from the addresses they claim to represent.

The Sender Policy Framework (SPF) aims to improve email security by limiting the possibility that an unauthorized sender may use a specific domain in the “From” address.

This helps keep the sender’s and the recipient’s inboxes free of unwanted messages and strengthens the confidence each party has in email.

How It Works

  • Domain owners create SPF records showing trusted IP addresses and domains from which emails can be sent.
  • Email servers do a Sender Policy Framework (SPF) record check whenever they receive an email.
  • When a message is received, the server checks the IP address to see if it is one of the approved senders mentioned in the SPF record.
  • The SPF check is successful if the sending IP address is known and accepted; otherwise, the email may be flagged as suspicious and deleted.

How Do Attackers Abuse SPF:

Sender Policy Framework (SPF) is an email authentication system that checks whether the server sending a message is authorized for the sender’s domain, in order to stop email spoofing and phishing. But, like any other system, SPF isn’t completely safe from attack. Here are some possible ways SPF can be attacked:

Manipulating SPF Records: Attackers could try to change or create SPF records by changing the DNS records of a domain. This would let them list unauthorized IP addresses or servers as valid senders. This can make it possible for tactics like spoofing or phishing to work.

Domain Hijacking: If an attacker takes control of a legal domain, they can change the SPF records to include their own malicious servers. This can cause bad emails that look like they came from a trusted source to be sent.

Subdomain Attacks: SPF records are often set up for an organization’s primary domain, but they might forget to set up SPF records for subdomains. Attackers who send emails from subdomains without the proper SPF records can use this against you.

Inadequate SPF Policies: Organizations may publish permissive SPF policies that allow a large number of IP addresses to send email on their behalf. This gives attackers a bigger pool of IP addresses from which to send mail that still passes SPF.

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication technology that uses cryptographic signatures to confirm an email’s authenticity.

The sending server adds a distinctive DKIM signature to each email using a private key. The receiving server verifies the signature of the incoming email using a public key obtained from the sender’s DNS records.

If the signature verifies, the email can be trusted as genuine and free from tampering. DKIM is designed to prevent email spoofing and phishing attacks and to guarantee the integrity of email communications by verifying the sender’s domain and the message’s signature.

How It Works

  • The sending mail server creates a digital signature over selected headers and the message body using its private key.
  • This signature is added to the message as a DKIM-Signature header.
  • The receiving mail server retrieves the sender’s public key from the DNS records.
  • The digital signature is then verified using the public key.
  • If the signature is valid, the signed parts of the email have not been changed in transit.

How Do Attackers Abuse DKIM

  1. Private Key Compromise: DKIM relies on a private key stored on the sending server to sign outgoing emails. If an attacker gains access to the private key, they can sign malicious emails that recipients might consider legitimate, as the DKIM signature would appear valid.
  2. DNS Record Manipulation: DKIM public keys are stored in DNS records as text (TXT) records. If an attacker gains control over a domain’s DNS records, they could modify or replace the DKIM public key, allowing them to sign fraudulent emails that appear authentic.
  3. Subdomain Spoofing: Organizations might configure DKIM for their main domain but overlook implementing it for subdomains. Attackers could then send emails from subdomains that lack proper DKIM signing, making it harder for recipients to verify the email’s authenticity.
  4. Key Length and Algorithms: If an organization uses weak signing algorithms or short keys for DKIM, it becomes easier for attackers to forge DKIM signatures.

Solution: Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape with AI-powered solutions like Trustifi.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

To improve upon SPF and DKIM, a new email authentication protocol called Domain-based Message Authentication, Reporting, and Conformance (DMARC) was developed.

Domain administrators can instruct receiving mail servers on what to do with messages that do not pass authentication.

Domain owners can direct receiving mail servers to quarantine or reject messages that fail authentication by adding a DMARC policy record to their DNS settings. DMARC’s reporting features give domain owners a better understanding of their email traffic and any security risks.

DMARC is designed to strengthen email security by adding an extra layer of verification, decreasing phishing and spoofing, and increasing the credibility and delivery of legitimate communications.

How it Works

  • The receiving server references the DMARC policy if SPF or DKIM authentication fails.
  • The DMARC policy can direct the server to take various actions, such as marking the message as spam, placing it in quarantine, or outright rejecting it.
  • To improve their email protection measures, domain administrators can use forensic and aggregate data on authentication activity.

DMARC Attack Vector

Aggressive Enforcement: Some organizations may choose to use DMARC with a strategy of “quarantine” or “reject” right from the start. This can work, but if the policy isn’t carefully set, it can also cause valid emails to be blocked.

Reporting Address Spoofing: Attackers could try to change the DMARC reporting address to send reports of failed DMARC checks to sites they control. This could give them a chance to learn more about how the organization’s email system works.

Targeted Spoofing: Attackers could try to pose as people or parts of an organization that haven’t fully set up DMARC. This specific method makes it more likely that their emails will be read.

As with other email-related attacks, attackers could use social engineering to get receivers to ignore DMARC warnings or think a DMARC-failed email is real.

Where are SPF, DKIM, and DMARC Records Stored?

Spf records:

SPF records are TXT (text) records in the DNS. They list the IP addresses or hosts from which email for this domain may be sent.

The recipient’s email server will check the SPF record for the sender’s field in the Domain Name System (DNS) to ensure the email is legitimate.

Example SPF record:

v=spf1 ip4:192.0.2.1 ip6:2001:db8::1 include:example.com -all

DKIM Records: 

DKIM records are similarly stored in DNS, although they are TXT entries. These entries store the public key to authenticate the domain’s digital signatures in outgoing emails.

The DKIM record is retrieved from the DNS by the receiving email server, which then uses the public key to verify the signature and ensure the email’s authenticity.

Example DKIM record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnWLKu6qIH66AjqkMYyq3A5bkDsY+T4rQzSXFJWzh7DQoKmmrkRDbCIPRrkRHF/EpTExGDD2P8WOEqdGTfVbRy145k3soVGMItcL1QvWskhNKLQYGJME6XE1WUCmAw29FcYKavqnGQFWFpDBIMVFOFw7/TZS0Lj1QIDAQAB

DMARC Records:

DNS also stores DMARC records in the TXT record format. The measures to take if an email fails SPF or DKIM checks are provided in the domain’s DMARC policy, defined by these records.

To keep the domain owner aware of authentication actions, DMARC additionally provides reporting tools.

Example DMARC record:

v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com

Checking an Email for SPF, DKIM, and DMARC Compliance

It takes multiple procedures and the capacity to query DNS records to ensure an email complies with SPF, DKIM, and DMARC.

Here are the measures taken to ensure that an email adheres to these standards:

Check SPF Compliance:

  • Extract the IP address of the email server that sent the email from the email headers.
  • Retrieve the SPF record from the domain’s DNS that the email claims to be sent from. This is usually found in a TXT record in the domain’s DNS.
  • Check if the sending server’s IP address is listed in the SPF record. If it is, the email passes the SPF check; otherwise, it fails.
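The SPF evaluation described in the How It Works list and in the Check SPF Compliance steps above, as an added Python example that is not part of the original article: it parses a record into mechanisms and qualifiers, checks the sending IP against ip4/ip6 terms, follows include: terms with the lookup limit, and also flags permissive records (a bare or + qualified all term). The FAKE_DNS_TXT table and the function names are assumptions standing in for live DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real evaluator
# queries DNS for each domain and follows include: and redirect= live).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.1 ip6:2001:db8::1 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "open.example.org": "v=spf1 +all",   # effectively authorizes everyone
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10   # RFC 7208 limit on lookup-causing mechanisms


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:            # modifiers (redirect=, exp=) are ignored here
            continue
        qualifier = "+"            # a mechanism without a qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(domain, sender_ip, lookups=None):
    """Evaluate sender_ip against domain's SPF record; returns an RFC 7208 result string."""
    if lookups is None:
        lookups = [0]              # shared counter across include: recursion
    record = FAKE_DNS_TXT.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_MECHANISMS:
                return "permerror"   # too many lookups: the record is unusable
            matched = check_spf(arg, sender_ip, lookups) == "pass"
        else:
            return "permerror"       # a/mx/ptr/exists need live DNS; unsupported offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # nothing matched and no 'all' term


def spf_policy_warnings(record):
    """Flag weak settings: a '+all' (or bare 'all') term, or very wide ip4 ranges."""
    warnings = []
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all" and qualifier == "+":
            warnings.append("'+all' (or bare 'all') lets any host on the internet pass SPF")
        if mech == "ip4" and "/" in arg and int(arg.split("/")[1]) < 16:
            warnings.append(f"ip4:{arg} authorizes a very large address range")
    return warnings


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.77", "203.0.113.5"):
        print(ip, "->", check_spf("example.com", ip))
    print(spf_policy_warnings("v=spf1 ip4:192.0.2.1 include:example.com all"))
```

A softfail from an included record does not count as a match for the include: term, which is why the second host range above only passes through the nested ip4 range; the warning function is the kind of check worth running against your own published record before relying on it.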

Check DKIM Compliance:

  • Check the email headers for a DKIM signature. This will usually be found in a header field called ‘DKIM-Signature’.
  • Extract the ‘d=’ parameter from the DKIM signature to find the signing domain and the ‘s=’ parameter to find the selector.
  • Retrieve the DKIM public key from the DNS of the signing domain. This will be found in a TXT record at ‘<selector>._domainkey.<signing domain>’.
  • Use the public key to verify the DKIM signature in the email header. If the signature is valid, the email passes the DKIM check; otherwise, it fails.
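The DKIM checks described in the How It Works list and in the Check DKIM Compliance steps above, as an added Python example that is not part of the original article: it parses the DKIM-Signature tags (d=, s=, bh=, b=), canonicalizes the body with the simple and relaxed rules of RFC 6376, and compares the recomputed body hash with the bh= tag, which is the step that detects a message body altered after signing. The sample message, its domain and selector are constructed placeholders; the b= value is a placeholder too, because verifying the RSA signature over the headers needs a cryptography library and is left out here.

```python
import base64
import hashlib
import re


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")   # split on the first '=' only (base64 padding)
        tags[name.strip()] = re.sub(r"\s+", "", value)   # folding whitespace is not significant
    return tags


def canonicalize_body(body, method="simple"):
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # collapse runs of whitespace to one SP and strip trailing whitespace per line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()                       # ignore empty lines at the end of the body
    if not lines:
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method="simple", algorithm="sha256"):
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()


def split_message(raw):
    """Return (headers dict keyed by lower-case name, body); folded headers are unfolded."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in re.split(r"\r\n(?![ \t])", head):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def verify_body_hash(raw_message):
    """Return (ok, detail): does the bh= tag match the canonicalized body?"""
    headers, body = split_message(raw_message)
    sig = headers.get("dkim-signature")
    if sig is None:
        return False, "no DKIM-Signature header"
    tags = parse_dkim_tags(sig)
    for required in ("v", "a", "d", "s", "bh", "b"):
        if required not in tags:
            return False, f"missing required tag {required}="
    canon = tags.get("c", "simple/simple").split("/")   # c=header/body
    body_canon = canon[1] if len(canon) > 1 else "simple"
    hash_alg = tags["a"].split("-")[-1]                  # rsa-sha256 -> sha256
    if body_hash(body, body_canon, hash_alg) != tags["bh"]:
        return False, "body hash mismatch: message body was altered after signing"
    return True, f"bh= matches for d={tags['d']} s={tags['s']}; b= still needs the RSA check"


SAMPLE_BODY = "Hello team,\r\n\r\nPlease review the attached report.  \r\n\r\n\r\n"


def build_sample(body=SAMPLE_BODY):
    """Constructed message; d=, s= and b= are placeholders (no real signing key)."""
    return ("From: alice@example.com\r\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            "  s=sel2023; h=from:subject; bh=" + body_hash(body, "relaxed") + ";\r\n"
            "  b=PLACEHOLDER\r\n"
            "Subject: Report\r\n"
            "\r\n" + body)


if __name__ == "__main__":
    print(verify_body_hash(build_sample()))
    print(verify_body_hash(build_sample().replace("attached report", "attached invoice")))
```

Relaxed canonicalization is what lets a message survive mail relays that reflow whitespace; a mismatch in bh= is the first thing a verifier reports before it spends an RSA operation on the b= tag.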

Check DMARC Compliance:

  • Look at the results of the SPF and DKIM checks. At least one of them must pass, with an aligned domain, for the DMARC check to pass.
  • Retrieve the DMARC record from the DNS of the domain from which the email claims to be sent. This is usually found in a TXT record at ‘_dmarc.<domain>’.
  • Check if the ‘From’ address domain matches the SPF domain or the DKIM signing domain. If it does, then the email passes the DMARC alignment check.
  • Follow the policy specified in the DMARC record for handling emails that fail the DMARC check.
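The DMARC evaluation described in the How it Works list and in the Check DMARC Compliance steps above, as an added Python example that is not part of the original article: it parses a DMARC record with its defaults, checks relaxed or strict alignment of the From domain against the SPF and DKIM domains, and picks the disposition from p= or sp= while honouring pct=. The organizational-domain helper is a deliberate simplification (last two labels; real verifiers use the Public Suffix List), and the roll parameter is an assumed deterministic stand-in for the random sampling that pct= normally implies.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")     # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, not PSL-based)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


# RFC 7489 section 6.6.4: mail not selected by pct= gets the next less strict action
LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, roll=0):
    """Return (dmarc_result, disposition).

    record is the DMARC record published for the organizational domain; roll
    (0..99) stands in for the random sample that decides whether pct= applies.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p= covers the org domain itself, sp= covers its subdomains
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    action = policy["sp"] if is_subdomain else policy["p"]
    if roll >= int(policy["pct"]):
        action = LESS_STRICT[action]
    return "fail", action


if __name__ == "__main__":
    rec = ("v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com; "
           "ruf=mailto:forensics@example.com")
    print(evaluate_dmarc(rec, "example.com", "pass", "example.com", "fail", None))
    print(evaluate_dmarc(rec, "example.com", "pass", "bulk-mailer.example", "fail", None))
```

Note that an SPF pass on its own is not enough: the second call above fails DMARC because the SPF-authenticated domain belongs to a third-party mailer and is not aligned with the From domain, which is exactly the gap that alignment exists to close.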

How to configure SPF, DKIM, and DMARC for a domain

Configure SPF:

  • Identify Authorized IP addresses or servers: Determine the IP addresses or servers authorized to send email on behalf of your domain.
  • Create an SPF Record: Create an SPF record by creating a TXT record in your domain’s DNS settings. The value of this TXT record will start with ‘v=spf1’ followed by the authorized IP addresses or servers.
Example SPF Record: 'v=spf1 ip4:192.168.0.1 -all'

This example authorizes the IP address ‘192.168.0.1’ to send emails on behalf of your domain and denies all others.

  • Update DNS Settings: Add the SPF record to your domain’s DNS settings.

Configure DKIM:

  • Generate a DKIM Key Pair: Generate a public-private key pair for DKIM. Your email server will use the private key to sign outgoing emails, and your domain’s DNS settings will make the public key available.
  • Configure Email Server: Configure your email server to sign outgoing emails using the private DKIM key.
  • Create a DKIM Record: Create a DKIM record by creating a TXT record in your domain’s DNS settings. The name of this TXT record will be in the format ‘<selector>._domainkey.<yourdomain>’, and the value will contain your DKIM public key.
Example DKIM Record: 'v=DKIM1; k=rsa; p=MIGfMA0...'

This example specifies that the key type is RSA and includes the public key.

  • Update DNS Settings: Add the DKIM record to your domain’s DNS settings.

Configure DMARC:

  • Create a DMARC Record: Create a DMARC record by creating a TXT record in your domain’s DNS settings. The name of this TXT record will be ‘_dmarc.<your domain>’, and the value will contain your DMARC policy.
Example DMARC Record: 'v=DMARC1; p=reject; rua=mailto:report@example.com'

This example specifies that emails that fail the DMARC check should be rejected and that reports should be sent to ‘report@example.com’.

  • Update DNS Settings: Add the DMARC record to your domain’s DNS settings.

Conclusion

The SPF, DKIM, and DMARC standards are essential components of a reliable email security architecture in an age when email is vulnerable to a wide range of attacks.

Though each has advantages and disadvantages, they provide an enormous defense against a significant fraction of email-based attacks.

By implementing these authentication processes, your email systems’ security will improve, and your emails’ deliverability will also be enhanced, reducing the possibility that your legitimate messages will be miscategorized as spam.

Applying these standards to your digital communication infrastructure can significantly improve the safety and dependability of your communications.

The Art of Email Security | Email security: attack and defence


Tags: DKIM, DMARC, SPF


Aug 29 2023

Cyber Security Awareness

Category: Security Awareness | disc7 @ 11:21 am

Cyber Security Awareness: Employee Handbook


Tags: Cyber Security Awareness


Aug 29 2023

Is the cybersecurity community’s obsession with compliance counter-productive?

Category: Security Compliance | disc7 @ 9:31 am

Does anyone think the chances of surviving a plane crash increase if our tray tables are locked and our carry-on bags are completely stowed under our seats? That we’ll be OK if the plane hits a mountain if we have our seat belts buckled securely across our waists? Not even the flight attendants, who will be responsible for throwing us off the plane if we don’t comply, really believe those rituals make us safer. And yet, we check the box every flight because a government agency said we can’t fly unless we do so...

I’m starting to wonder if the obsession with checking boxes in cybersecurity might be akin to securing our tray tables before take-off. We do as we’re told, check all the boxes, pat ourselves on the back, and in the process, distract ourselves from our ultimate goal: stopping the bad actors and protecting our data.

I started to think about this somewhat disconcerting cybersecurity community reality when scanning the titles of some of the attendees at a recent regional cybersecurity conference. I was surprised by the frequency of titles that combined security with compliance. To wit: Manager Information Security and Compliance, Manager, Security and Compliance Advisory, Senior Manager Internal Controls and Compliance, Sr. Manager – IT Security & Compliance (among others). To add to this: countless “auditor” titles – roles designed specifically to assure fealty to various standards requirements.

Nearly all enterprise breaches originate in one of three ways, and all cybersecurity professionals know this:

  • An unpatched vulnerability
  • Credential theft
  • Installation of malicious software (typically via phishing)

So, let’s try an experiment. Ask a CISO or experienced cybersecurity expert how they would defend their organization against these three breach types if:

1. They could completely ignore standards and compliance, and they’d be given no credit for any level of compliance (and there would be no ramifications for non-compliance)

2. They could re-deploy every dollar of budget allotted to standards compliance and auditing any way they liked

3. Their single objective was to win the game (stop the bad actors, and minimize their organization’s risk of a compromise)

How many would determine that the best use of their resources would be to attain or retain compliance with a cybersecurity standard? And how many would deploy those compliance and auditing resources to patch more vulnerabilities, invest in additional cybersecurity expertise, tools to identify and reduce their external threat footprint, and myriad other effective measures to genuinely reduce their organization’s cyber risk?

It’s not as if dedication to compliance is any more of a guarantee against a breach than any other technology, strategy or prayer. Here are a few examples of compliant companies that have suffered high profile breaches (thanks to ChatGPT for saving me the hours of research otherwise required to build this list):

  • Equifax (PCI and NIST CSF)
  • Target (PCI)
  • Marriott (PCI)
  • Anthem (HIPAA)
  • Premera Blue Cross (HIPAA)
  • CareFirst BCBS (HIPAA)
  • SolarWinds (NIST CSF)

This is, of course, not an exhaustive list. Show me a large enterprise that was breached and I’ll show you a large enterprise adhering to multiple compliance standards.

Indeed, just this month, several US government agencies were victims of an attack exploiting a vulnerability in file transfer software (albeit a zero-day). It’s fair to assume there are several regulations strictly adhered to by the agencies just breached.

So, why do we continue to be obsessed with cybersecurity compliance, standards, frameworks, etc.? The obvious reason is that organizations can be fined for non-compliance.

And yet, there’s been little effort among cybersecurity experts to challenge regulatory agencies. Indeed, many enthusiastically embrace compliance and congratulate themselves and their teams for achieving it. And, of course, no one loves compliance standards more than vendors, just like every barber in the world would celebrate a new law requiring everyone to get a haircut weekly.

The less obvious reason for our community’s love for compliance is that it covers behinds. “Yes, we were breached, but we did everything we were supposed to do, so don’t blame us.” Coaches in every sport will identify that as a loser’s attitude. Champions know there’s no checkbox formula for winning, and there’s no excuse for losing, especially “we did everything we were supposed to and still lost.” It’s cliché, but the best teams and athletes “just know how to win.”

Am I suggesting we abandon frameworks and compliance? Not immediately, and not without serious debate and analysis. But there is a case to be made that the compliance-centric philosophy governing cybersecurity decision-making today simply isn’t working, and we in cybersecurity are the living embodiment of (not) Einstein’s definition of insanity: doing the same thing over and over and expecting a different result.

Cybersecurity spending continues to increase and yet breach incidents are increasing as well. It shouldn’t be sacrilegious to propose that we consider changing our foundational philosophy from checking boxes on a compliance audit form to doing whatever makes sense to defend our organizations, and win.

CISO Desk Reference Guide Executive Primer: The Executive’s Guide to Security Program

Security Awareness: Applying Practical Cybersecurity in Your World


Tags: compliance, Security Awareness

