Web Application Security: A 2023 Guide | Cyber Press
Written by: Cyber Writes
Web App Security
InfoSec tools | InfoSec services | InfoSec books
Jun 24 2023
The Complete Active Directory Security Handbook
Exploitation, Detection, and Mitigation Strategies
The Complete Active Directory Security Handbook – by Picus Security
Download pdf
InfoSec tools | InfoSec services | InfoSec books
Jun 23 2023
Digital‑first economy has introduced unforeseen risks say 89 percent of CISOs
Salt Security has released key findings from its ‘State of the CISO’ report. Conducted by Global Surveyz for Salt, the global CISO survey gathered feedback from 300 CISOs/CSOs around the world on issues resulting from digital transformation and enterprise digitalization.
The results highlight significant CISO challenges including the biggest security control gaps they must manage, the most significant personal struggles they face, and the impact that broader global issues are having on their ability to deliver effective cyber security strategies.
Today’s digital-first economy has transformed the role of the modern CISO, increasing threats and changing security priorities.
Key findings include:
- 89 percent of CISOs report that the rapid deployment of digital services has generated unforeseen risks to securing critical business data.
- Digital initiatives have produced new individual concerns, the top being the risk of personal liability and litigation resulting from security breaches, with 48 percent of CISOs citing that challenge.
- 94 percent of CISOs worldwide say the speed of AI adoption is the macro dynamic having the greatest impact on their role.
- 95 percent of CISOs plan to prioritize API security over the next two years, a 12 percent increase compared with that priority two years ago.
Biggest CISO challenges in a digital-first economy
The 2023 report shows that the digital-first economy has brought new security challenges for CISOs. Interestingly, most of the challenges cited by CISOs represent nearly equal levels of concern, forcing CISOs to address multiple challenges at the same time.
CISOs cite the following top security challenges:
- Lack of qualified cyber security talent to address new needs (40 percent)
- Inadequate adoption of software (36 percent)
- Complexity of distributed technology environments (35 percent)
- Increased compliance and regulatory requirements (35 percent)
- Difficulties justifying the cost of security investments (34 percent)
- Getting stakeholder support for security initiatives (31 percent)
Also notable, while most CISOs (44 percent) report security budgets are about 25 percent higher than two years ago, nearly 30 percent identify lack of budget to address new security challenges from digital transformation as a key challenge, and 34 percent of CISOs cite difficulty justifying the cost of security investments as a challenge.
Supply chain and APIs top security control gaps
Two thirds of CISOs state that they have more new digital services to secure compared to 2021. In addition, 89 percent of CISOs state that the rapid introduction of digital services creates unforeseen security risks in protecting their companies’ vital data. API adoption and supply chain/third party vendors presented the two highest security control gaps in organizations’ digital initiatives.
CISOs rank security control gaps resulting from digital initiatives as follows:
- Supply chain/third party vendors (38 percent)
- API adoption (37 percent)
- Cloud adoption (35 percent)
- Incomplete vulnerability management (34 percent)
- Outdated software and hardware (33 percent)
- Shadow IT (32 percent).
Global trends impacting the CISO role
The vast majority of CISOs admit to feeling the impact of a number of global trends. More CISOs cited the speed of AI adoption as having significant impact, followed by macro-economic uncertainty, the geo/political climate, and layoffs. Specific CISO responses regarding the impact of global trends were:
- Speed of AI adoption (94 percent)
- Macro-economic uncertainty (92 percent)
- Geo/political climate (91 percent)
- Layoffs (89 percent)
Threat of litigation and increased liability top CISOs’ personal concerns
The digital-first economy has also impacted CISOs on a personal level. Among the personal challenges reported were:
- Concerns over personal litigation stemming from breaches (48 percent)
- Increased personal risk/liability (45 percent)
- Expanded responsibilities and not enough time to fulfill (43 percent)
- Increased job-related stress (38 percent)
- Bigger teams to manage (37 percent)
Nearly 50 percent of CISOs cite litigation concerns. With several high-profile CISO lawsuits making waves recently, CISOs are fearful of being found personally liable in the event of a breach, putting their livelihood at risk.
CISOs say their boards of directors are knowledgeable about cyber risks and mitigation
On a positive note, 96 percent of CISOs worldwide report that their boards of directors are knowledgeable or very knowledgeable about cyber security issues. In addition, the survey showed that 26 percent of CISOs present to the board on cyber risks mitigation and business exposure once a quarter or more, and 57 percent present to the board at least once every six months.
InfoSec tools | InfoSec services | InfoSec books
Jun 23 2023
10 open-source recon tools worth your time
Altdns
Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) and takes in a list of subdomains you know of.
From these two lists provided as input to Altdns, the tool then generates a massive output of “altered” or “mutated” potential subdomains that could be present. It saves this output so that it can then be used by your favorite DNS brute-forcing tool.
Amass
The OWASP Amass project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
The high adoption rate of Amass potentially means better data consistency and integration with other tools. As such, it can constitute a trustworthy tool to use in proof of concepts and engagements, and it may be easier to convince your clients or manager to use it for periodic mapping of the organization’s attack surface.
Aquatone
Aquatone is a tool for the visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. Aquatone is started by piping the output of a command into the tool. It doesn’t really care how the piped data looks, as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means you can give it the output of any tool you use for host discovery.
Assetfinder
Assetfinder lets you find domains and subdomains potentially related to a given domain. Implemented:
- crt.sh
- certspotter
- hackertarget
- threatcrowd
- wayback machine
- dns.bufferover.run
- virustotal
- findsubdomains
Gobuster
Gobuster is a tool used to brute-force:
- URIs (directories and files) in web sites
- DNS subdomains (with wildcard support)
- Virtual Host names on target web servers
- Open Amazon S3 buckets
- Open Google Cloud buckets
- TFTP servers
Gotator
Gotator is a tool to generate DNS wordlists through permutations.
HTTPX
HTTPX is a fully featured HTTP client library for Python 3. It includes an integrated command line client, has support for both HTTP/1.1 and HTTP/2, and provides both sync and async APIs.
Naabu
Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT/UDP scans on the host/list of hosts and lists all ports that return a reply.
MASSCAN: Mass IP port scanner
MASSCAN is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine. Its usage (parameters, output) is similar to Nmap, the most famous port scanner.
WhatWeb – Next generation web scanner
WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence
InfoSec tools | InfoSec services | InfoSec books
Jun 19 2023
Red teaming can be the ground truth for CISOs and execs
As these breaches continue to make headlines, the time is now for boardroom executives to take on the responsibility of setting the tone for cybersecurity across the company. After all, instilling priorities at the board level and having that message trickle down across the company is a key tenet of business success.
But is cybersecurity treated differently? Some would argue that while cyber is certainly a priority in boardroom discussions, execs have still yet to take full responsibility for their security posture and often silo this to SecOps teams or their CISO. Given the potential for ransomware to destabilize operations, finances, and reputation, more execs should put cybersecurity front and center on the agenda. Perhaps they would if they understood the truth of what they were looking at.
Why isn’t the board on-board?
While organizations around the world continue their journey to cyber-maturity, companies that don’t engage with the boardroom directly on cybersecurity are opening the door to serious risk in the future. This lack of engagement can be due to several variables, including lack of strong board cybersecurity expertise/experience, or simply an underestimation of risk. CISOs, whether they are in that boardroom or not, will recognize that this must change, and that change can only come from clearer communication of risk.
If you want the board to take more of an interest in cybersecurity or fully grasp the risk of not making it a priority for the company, then you need to speak to their level of risk. They want the ground truth, spoken to them in a way they understand and cuts through the technical jargon. How will the consequences of not doing this affect their bottom line? How will a ransomware attack affect their reputation? Why is this a priority right now?
The CISOs among us may feel like they’ve been trying to have this conversation to no avail, but the risk of getting lost in translation is far too high. To engage the board, you need to clearly demonstrate the direct link between what happens if a hacker finds a vulnerability in your network and how badly things can go wrong as a result. If you speak a truth that they understand, you’ll unlock the trust, transparency and cooperation that is needed to give cybersecurity the attention it deserves at all levels of the business. Red teams can help you achieve this.
Red teams and “offensive security”
What red teams can give CISOs is the cold, hard truth of how their network stacks up against threats that could be ruinous to the business. Red teams leave no stone unturned and pull on every thread until it unravels. This shines light on the vulnerabilities that will harm the finances or reputation of the business.
With a red team, objective-based continuous penetration testing (led by experts that know attackers’ best tricks) can relentlessly scrutinize the attack surface to explore every avenue that could lead to a breakthrough. This proactive, “offensive security” approach will give a business the most comprehensive picture of their attack surface that money can buy, mapping out every possibility available to an attacker and how it can be remediated.
It is also not limited to testing the technology stack; for businesses concerned that their employees are susceptible to social engineering attacks, red teams can emulate social engineering scenarios as part of their testing. A stringent social engineering assessment program should not be overlooked in favor of only scrutinizing weaknesses in IT infrastructure. Cybersecurity is a human problem that needs humans to create a solution, using the available technology.
Get the facts, earn their trust
For CISOs, the evidence from red teams gives the who, what, when and how of how their attack surface stands up to scrutiny, with none of the negative consequences of a malicious breach. This is the evidence they can take to the board and confidently state the case for cybersecurity to be taken seriously at the exec level and gain the trust they need to put their best foot forward against ransomware.
For the board, they will simultaneously see the big picture of threats to their attack surface, but also be presented with a plan for remediation. They can trust the IT team that everything is being done to resolve vulnerabilities before it can affect the business. And because red teams have the knowledge to accurately gauge how urgent of a risk each vulnerability is, the presentation can zero-in on what needs to be done immediately, keeping these discussions succinct and solutions focused.
Once that trust has been built, red teams make it easy for the board to stay updated on cybersecurity. Continuous penetration testing persists even after vulnerabilities are remediated to make sure that the problem is truly fixed. This means cybersecurity always has its place on the agenda and there is transparency between CISOs and execs on how the organization is proactively looking to patch vulnerabilities, before an attacker knows they exists.
If an organization’s cybersecurity is not receiving the attention it deserves, then the board needs to know. However, it can be hard to get engagement from the wxecs if the information security team don’t speak “board language”. By deploying the expertise of a red team, you’ll have the facts you need to cut to the heart of what these decision-makers really care about with hard evidence of the risks they are facing, unlocking the support from the top needed to keep the entire business secure.
InfoSec tools | InfoSec services | InfoSec books
Jun 15 2023
LLM meets Malware: Starting the Era of Autonomous Threat
Malware researchers analyzed the application of Large Language Models (LLM) to malware automation investigating future abuse in autonomous threats.
Executive Summary
In this report we shared some insight that emerged during our exploratory research, and proof of concept, on the application of Large Language Models to malware automation, investigating how a potential new kind of autonomous threats would look like in the near future.
- We explored a potential architecture of an autonomous malware threat based on four main steps: an AI-empowered reconnaissances, reasoning and planning phase, and the AI-assisted execution.
- We demonstrate the feasibility of using LLM to recognize infected environments and decide which kind of malicious actions could be best suited for the environment.
- We adopted an iterative code generation approach to leverage LLMs in the complicated task of generating code on the fly to achieve the malicious objectives of the malware agent.
- Luckily, current general purpose LLM models still have limitations: while incredibly competent, they still need precise instruction to achieve the best results.
- This new kind of threat has the potential to become extremely dangerous in the future, when computational requirements of LLMs would be low enough to run the agent completely locally, and also with the usage of specific models instead of general purpose ones.
Introduction
Large Language Models started shaping the digital world around us, since the public launch of OpenAI’s ChatGPT everybody spotted a glimpse of a new era where the Large Language Models (LLMs) would profoundly impact multiple sectors soon.
The cyber security industry is not an exception, rather it could be one of the most fertile grounds for such technologies, both for good and also for bad. Researchers in the industry have just scratched the surface of this application, for instance with read teaming application, as in the case of the PentestGPT project, but also, more recently even with malware related applications, in fact, Juniper researchers were using ChatGPT to generate malicious code to demonstrate the speedup in malware writing, and CyberArk’s ones tried to use ChatGPT to realize a polymorphic malware, along with Hays researchers which created another polymorphic AI-powered malware in Python.
Following this trail of this research, we decided to experiment with LLMs in a slightly different manner: our objective was to see if such technology could lead even to a paradigm-shift in the way we see malware and attackers. To do so, we prototyped a sort of “malicious agent” completely written in Powershell, that would be able not only to generate evasive polymorphic code, but also to take some degree of decision based on the context and its “intents”.
Technical Analysis
This is an uncommon threat research article, here the focus is not in a real-world threat actor, instead we deepen an approach that could be likely adopted in the near future by a whole new class of malicious actors, the AI-powered autonomous threat.
A model for Autonomous Threats
First of all we are going to describe a general architecture that could be adopted for such an objective. An architecture which inevitably has common ground with Task-Driven Autonomous Agents like babyAGI or autoGPT. But for the sake of our experimentation, we decided to shape the logic flow of the malicious agent to better match common malware operations.
As anticipated before, our Proof of Concept (PoC) autonomous malware is an AI-enabled Powershell script, designed to illustrate the potential of artificial intelligence in automation and decision-making, with each phase of execution highlighting the adaptability and intelligence of the AI.
Breaking down the state diagram, at high level, the agent runs into the following stages.
Footprinting
During the discovery phase, the AI conducts a comprehensive analysis of the system. Its goal is to create a thorough profile of the operating environment. It examines system properties such as the operating system, installed applications, network setups, and other pertinent information.
This thorough assessment is not just for ensuring the system is ready to go, but also assists the AI in figuring out if it’s working within a controlled environment, whether it’s interacting with a server or a client. One of the crucial determinations it makes is whether it is functioning within a sandboxed environment. Sandboxes are controlled settings, often used for testing or monitoring potentially harmful activities. If the AI detects it is operating within a sandbox, it halts all execution, avoiding unnecessary exposure in a non-targeted environment.
This system data becomes a vital input that lets the malicious-AI make informed decisions and respond appropriately. It provides a comprehensive understanding of its operating environment, similar to a detailed map, allowing it to navigate the system effectively. In this sense, this phase readies the “malicious agent” for the activities that follow.
Reasoning
In the execution phase, the malicious agent maneuvers rely significantly on the context, built on a detailed understanding of the system environment gathered in the earlier analysis phase.
An intriguing aspect of this phase is the AI’s strategic decision-making, which closely emulates strategies used by well-known hacking groups. At the outset, the “malicious agent” mimics a specific, recognized hacking group. The selection of the group isn’t random but is determined by the particular context and conditions of the system.
After deciding which hacking group to mimic, the autonomous agent goes on to devise a comprehensive attack strategy. This strategy is custom-made to the specific system environment and the standard practices of the selected hacking group, for example, it may decide to include password stealing tasks in case it detects the Outlook application rather than install a backdoor account on the server.
Execution
Once the attack strategy is in place, the malicious agent begins to carry out each action in a step-by-step manner. For each action, the AI dynamically creates the necessary code and promptly puts it into action. This could include a broad range of operations, such as attempting privilege escalation, conducting password hunts, or establishing persistence.
However, the AI’s role isn’t just limited to implementation. It consistently keeps an eye on how the system responds to its actions and stays ready for unexpected occurrences. This attentiveness allows the AI to adapt and modify its actions in real time, showcasing its ability for resilience and strategic problem-solving within a changing system environment.
When guided by more specific prompts, AI proves to be exceptionally capable, even to the point of generating functional infostealers on the fly.
This AI-empowered PoC epitomizes the potential of AI in carrying out intricate tasks independently and adjusting to its environment.
Code Generation
One of the fundamental characteristics that set autonomous threats apart is their ability to generate code. Unlike traditional threats, which often require manual control or pre-programmed scripts to adapt and evolve, autonomous threats use AI algorithms to autonomously generate new code segments. This dynamic code generation ability not only allows them to adapt to changing system conditions and defenses but also makes their detection and analysis more challenging.
This process involves the use of specific prompts, allowing the AI to create custom solutions that suit the system’s unique conditions. The AI also takes an active role in monitoring the outcomes of its actions. It continually assesses the results of its code execution. If it detects errors or unsuccessful actions, it uses them as inputs for further processing. By feeding error data back into its processes, the AI can refine and optimize its code generation. This iterative process represents a significant step towards true autonomous problem-solving capabilities, as the AI dynamically adjusts its actions based on their results.
Environment Awareness
Autonomous threats take threat intelligence to a new level by being aware of their operating environment. Traditional threats often have a one-size-fits-all approach, attacking systems without fully understanding the environment. In contrast, autonomous threats can actively monitor their environment and adapt their actions accordingly.
The concept of environmental awareness is pivotal in AI-powered cyber threats. This environmental understanding enables the autonomous malware to choose an appropriate course of action based on the context around. For example, it might identify if it’s operating within a sandbox environment or decide to behave differently based on whether it’s operating on a server or client machine.
This awareness also influences the AI’s decision-making process during its operation. It can adjust its behavior according to the context, impersonating a particular known hacker group or choosing a specific attack strategy based on the evaluated system characteristics.
This environment-aware approach could enable malware writers to rely on very sophisticated, and harder to counter, evasion schemes.
Decision-Making Autonomy
Perhaps the most defining characteristic of autonomous malware is the decision-making autonomy. Unlike traditional threats that rely on pre-programmed behaviors or external control from a human operator, autonomous threats can make independent decisions about their actions.
These threats use advanced AI algorithms to analyze the available information, weigh the potential outcomes of different actions, and choose the most effective course of action. This decision-making process could involve choosing which systems to target, selecting the best method for attack, deciding when to lay dormant to avoid detection, and even determining when to delete themselves to avoid traceability.
This level of autonomy not only makes these threats more resilient to countermeasures, but it also allows them to carry out more complex and coordinated attacks. By making independent decisions, these threats can adapt to changing circumstances, carry out long-term infiltration strategies, and even coordinate with other autonomous threats to achieve their objectives.
Proof of Concept
In this proof of concept (PoC), we launched our AI-enabled script on a Windows client. The script’s execution process is designed to illustrate the potential of AI in automating complex tasks, decision making, and adjusting to the environment.
Firstly, the script initiates with an exhaustive system footprinting. During this phase, the AI takes a thorough survey of the system. The focus is on creating a detailed footprint of the operating environment by examining properties such as the operating system, installed software and other relevant details. This rigorous assessment not only prepares the system for the following actions but also helps the AI understand the context it’s operating within.
Simultaneously, a crucial part of this initial phase is sandbox detection. In fact, if the AI identifies the environment as a sandbox, the execution halts immediately.
Once the AI has confirmed it’s not within a sandbox, and it’s dealing with a client, it proceeds to develop an infostealer — a type of malware that’s designed to gather and extract sensitive information from the system. In this specific case, the AI installs a keylogger to monitor and record keystrokes, providing a reliable method to capture user inputs, including passwords.
Alongside keylogging, during the test sessions, the AI performed password hunting too.
Finally, after gathering all the necessary data, the AI proceeded to the data exfiltration. The AI prepares all the accumulated data for extraction, ensuring it’s formatted and secured in a way that it can be efficiently and safely retrieved from the system.
The demonstration video provides a real-time view of these actions carried out by the AI.
This PoC underlines how an AI system can perform complex tasks, adapt to its environment, and carry out activities that previously required advanced knowledge and manual interaction.
Consideration on Experimentation Session
In all the experiments conducted, a key theme that emerged was the level of exactness needed when assigning tasks to the AI. When presented with vague or wide-ranging tasks, the AI’s output frequently lacked effectiveness and specificity. This highlights an essential trait of AI at its current stage: while incredibly competent, it still needs precise instruction to achieve the best results.
For instance, when tasked to create a generic malicious script, the AI might generate code that tries to cover a wide spectrum of harmful activities. The outcome could be a piece of code that is wide-ranging and inefficient, potentially even drawing unwanted scrutiny due to its excessive system activity.
On the other hand, when given more narrowly defined tasks, the AI demonstrated the capability to create specific components of malware. By steering the AI through smaller, more exact tasks, we could create malicious scripts that were more focused and effective. Each component could be custom-made to carry out its task with a high level of effectiveness, leading to the creation of a cohesive, efficient malware when combined.
This discovery suggests a more efficient method of utilizing AI in cybersecurity — breaking down complex tasks into smaller, manageable objectives. This modular approach allows for the creation of specific code pieces that carry out designated functions effectively and can be assembled into a larger whole.
Conclusion
In conclusion, when we just look in the direction of LLMs and malware combined together, we clearly see a significant evolution in cybersecurity threats, potentially able to lead to a paradigm shift where malicious code operates based on predefined high-level intents.
Their ability to generate code, understand their environment, and make autonomous decisions makes them a formidable challenge for future cybersecurity defenses. However, by understanding these characteristics, we can start to develop effective strategies and technologies to counter these emerging threats.
Luckily, the autonomous malware PoC we set up and the potential upcoming ones have still limitations: they rely on generic language models hosted online, this mean the internet connectivity is, and will be, a requirement for at least some time. But, we are likely going to see the adoption of local LLM models, maybe even special-purpose ones, directly embedded in the future malicious agents.
AI technology is in a rapid-development stage, and even if it is pretty young, its adoption across various sectors is widening, including in the criminal underground.
About the author: B42 Labs researchers
Original post at https://medium.com/@b42labs/llm-meets-malware-starting-the-era-of-autonomous-threat-e8c5827ccc85
Transformers for Natural Language Processing: Build, train, and fine-tune deep neural network architectures for NLP with Python, Hugging Face, and OpenAI’s GPT-3, ChatGPT, and GPT-4
LLM meets Malware: Starting the Era of Autonomous Threat
InfoSec tools | InfoSec services | InfoSec books
Jun 14 2023
Building a culture of security awareness in healthcare begins with leadership
With the rise of modern trends such as cloud computing and remote work, healthcare institutions strive to balance accessibility, convenience, and robust security.
In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Understanding the upcoming technological shifts and trends is crucial for preemptive preparation as we look toward the future.
The healthcare industry faces unique security challenges, especially with the increasing interconnectivity of systems. How important is it for organizations to obtain vendors who understand healthcare-specific security requirements?
Monitoring healthcare-specific security requirements is a full-time job. The amount of data processed at healthcare institutions grows exponentially, but it remains some of the most valuable information to the patients and—unfortunately—bad actors. These factors require a vendor’s mastery of healthcare-specific security requirements if technology is utilized by healthcare companies in any manner.
If a vendor does not appropriately respect the complex and evolving web of security obligations that healthcare institutions operate within, the vendor may not be able to build technology that is suitable for use by sophisticated healthcare enterprises.
Organizations should not shy away from holding vendors to a very high expectation of familiarity with security requirements within the healthcare industry. These organizations should look to healthcare-specific vendors who have a deep understanding of the standards, complexity, and sensitivity of these payments over non-healthcare-specific vendors.
How would you approach implementing a security program within a healthcare organization that meets the legal requirements and industry standards and goes beyond them to ensure maximum protection? What key elements or components should be included in such a program?
A well-tailored security program must be just that: tailored. Many security legal frameworks are moving from specificity in controls towards a discretionary-based approach. This “discretionary” standard is interpreted by governing bodies that interpret the leading-edge developments in the industry.
An organization must trace what data is stored or processed and ensure security controls are mapped internally to an organization and externally across vendors. Healthcare organizations must dedicate time to ensure appropriate administrative, technical, and physical controls are in place at the organization and its vendors to protect data stored and processed.
The saying “one size fits all” is never true for how a security program is administered and applied in the healthcare technology industry, or any other industry. However, the fundamental principles are the same: understanding what data is processed by an organization, identifying true risks (internal and external) to the data, evaluating the impacts of those risks, and whether existing controls are adequate to reduce those risks to an acceptable standard.
Considering the recent trends in cybersecurity, such as the rise of cloud computing and remote work, what considerations should healthcare organizations keep in mind to maintain a strong security posture? How can they balance convenience and accessibility with the need for robust security measures?
Cloud computing and remote work are certainly unique trends, but there are always trends in one way or another whether occurring within the organization, the market, or geographically.
Sophisticated security organizations work hard to build flexible security programs, but it’s important to revisit the program on a fluid cadence to ensure that external or internal changes—small or big—are encompassed withing the security controls. For example, in response to COVID-19 many healthcare billing and revenue cycle teams transitioned to remote work. How does that impact payment acceptance security? Is it more important to adopt remote devices to accept secure, P2PE payments, or transition to a deviceless approach that prioritizes security and online patient engagement? These are all questions that providers have needed to answer in the last three years, and highlight the importance of an approach to security measures that welcome rather than avoid adaptation.
The evaluation of the suitability of a security control should not perform in a silo as it must consider business objectives to not weigh down the business unnecessarily. This evaluation may even warrant a reduced burden by offloading obligations to a qualified vendor or utilizing additional services from an existing vendor. For example, in payments, the move to Point-to-Point Encryption in payment systems can offload very complicated security burdens to a vendor while reducing administrative barriers. Companies may be surprised at how well new technologies being adapted within healthcare organization can protect data with more transparency all while promoting consumer-friendly accessibility and convenience (which are tenants of a good data governance program).
How can healthcare organizations foster a culture of security awareness among their employees?
It all starts with leadership that buys into the security program and understands that investment in a security culture is an investment in risk minimization. There are three ways a company’s leadership can fast-track a security-minded culture:
- Establish a consistent awareness communication program, with friendly trainings and succinct reminders about security controls.
- Ensure that security is considered at the first stages of any material initiative having to do with data or technology (this is “security-by-design” operational principles). Your security team needs to be a partner in business enablement.
- Ensure the security team is proactive and available to other departments to ensure a clear line of sight where questions may arise. Expect your security department to be available and responsive.
How do you see the future of cybersecurity in the healthcare industry? What emerging technologies or trends do you believe will shape the landscape, and what steps should organizations take to prepare themselves for these changes?
Cybersecurity in the healthcare industry will be pushed to higher levels in at least two ways. First, legal frameworks that permit a discretionary application of security controls will reference security standards published from non-governmental security organizations as “industry standard.” These organizations have the resources and expertise to help set the standards of the industry. While this may mean more transparency of what are deemed acceptable standards, healthcare organizations may need to be subject to external third-party audits. Second, cybersecurity controls will continue to be bound together with privacy standards.
Although many laws may treat privacy and security as independent concepts, newer frameworks may treat one as dependent on the other. Sophisticated healthcare organizations are already managing to these predictions by eliminating silos between privacy and security operations, and ensuring a well-documented security program from policies to actions.
Security Awareness Program Builder: Practical guidelines for building your Information Security Awareness Program & prep guide for the Security Awareness and Culture Professional
InfoSec tools | InfoSec services | InfoSec books
Jun 14 2023
HACKING WOOCOMMERCE WEBSITES TO GET ORDER DETAILS AND CUSTOMER PERSONAL INFORMATION
The ever-changing topography of cyberspace always results in the introduction of new security flaws and vulnerabilities. A major vulnerability, which is now known as CVE-2023-34000 and has a CVSS score of 7.5, has been discovered in the WooCommerce Stripe Gateway Plugin, which has prompted an urgent call to action for both site administrators and security specialists. This plugin, which was built by WooCommerce and is presently being used in over 900,000 active installs, is well-known for its efficient capabilities to take payments directly on online and mobile businesses. Customers are able to finish their purchases without ever leaving the environment of the online shop thanks to an inherent feature of this plugin. This eliminates the need for an externally hosted checkout page.
Nevertheless, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability lies behind the plugin’s surface functionality. This vulnerability, in its unpatched condition, gives an unauthenticated user the potential to obtain extremely sensitive Personally Identifiable Information (PII) that is associated with any WooCommerce order. This data may contain sensitive information such as a user’s complete name, email address, and residence address in its exposed form.
Following the breadcrumb trail of this security hole leads to the ‘javascript_params’ function that is located inside the plugin. The ‘order_id’ variable is used by the code included inside this method in order to get an order object. This variable is derived from the query parameters, and it then gathers specific information from the order object, such as complete user details and addresses. Within this method, there is a noticeable lack of order ownership checks, which substantially increases the risk and makes it possible to return the ‘order’ as an object. Experts made the discovery that the ‘payment_scripts’ function might be used to activate the ‘javascript_params’ variable. This function then returns a JavaScript object variable to the front-end by way of the ‘wp_localize_script’ function. When a user visits the homepage of the website, the overall functionality causes the order’s personally identifiable information to be disclosed, which is then mirrored back into the page source.
After further examination, a second occurrence of the vulnerability was found to be placed inside the ‘payment_fields’ method. This vulnerability, like the one found in the ‘javascript_params’ function, stems from the fact that there is no order ownership verification taking place. The result is the same: the front-end has access to both the user’s billing email address and their complete name.
The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
InfoSec tools | InfoSec services | InfoSec books
Jun 12 2023
NEW UNDETECTABLE TECHNIQUE ALLOWS HACKING BIG COMPANIES USING CHATGPT
According to the findings of recent study conducted, harmful packages may be readily propagated into development environments with the assistance of ChatGPT, which can be used by attackers.
In a blog post published, researchers from Vulcan Cyber outlined a novel method for propagating malicious packages that they dubbed “AI package hallucination.” The method was conceived as a result of ChatGPT and other generative AI systems providing phantasmagoric sources, links, blogs, and data in response to user requests on occasion. Large-language models (LLMs) like ChatGPT are capable of generating “hallucinations,” which are fictitious URLs, references, and even whole code libraries and functions that do not exist in the real world. According to the researchers, ChatGPT will even produce dubious patches to CVEs and, in this particular instance, would give links to code libraries that do not even exist.
If ChatGPT produces phony code libraries (packages), then attackers may exploit these hallucinations to disseminate harmful packages without utilizing common tactics such as typosquatting or masquerade, according to the researchers from Vulcan Cyber who worked on this study. “Those techniques are suspicious and already detectable,” the researchers claimed in their conclusion. However, if the attacker is able to construct a package that can replace the ‘fake’ programs that are suggested by ChatGPT, then they may be successful in convincing a victim to download and install the malicious software.
This ChatGPT attack approach demonstrates how simple it has become for threat actors to utilize ChatGPT as a tool to carry out an attack.We should expect to continue to see risks like this associated with generative AI and that similar attack techniques could be used in the wild. This is something that we should be prepared for. The technology behind generative artificial intelligence is still in its infancy, so this is only the beginning. When seen through the lens of research, it is possible that we will come across a large number of new security discoveries in the months and years to come. Companies should never download and run code that they don’t understand and haven’t evaluated. This includes executing code from open-source GitHub repositories or now ChatGPT suggestions. Teams should do a security analysis on every code they wish to execute, and the team should have private copies of the code.
ChatGPT is being used as a delivery method by the adversaries in this instance. However, the method of compromising a supply chain by making use of shared or imported libraries from a third party is not a new one. The only way to defend against it would be to apply secure coding methods, as well as to extensively test and review code that was meant for usage in production settings.
According to experts, “the ideal scenario is that security researchers and software publishers can also make use of generative AI to make software distribution more secure”. The industry is in the early phases of using generative AI for cyber attack and defense.
InfoSec tools | InfoSec services | InfoSec books
Jun 08 2023
Search Engine for PenTesters
Search Engine For Pentesters
For Daily Updates Follow: Cyber Threat Intelligence
InfoSec tools | InfoSec services | InfoSec books
Jun 08 2023
9 free cybersecurity whitepapers you should read
In today’s rapidly evolving digital landscape, organizations face constant cyber threats that can compromise their sensitive data, disrupt operations, and damage their reputation. Staying informed about the latest cyberattacks and understanding effective protection methods is crucial.
This list of free cybersecurity whitepapers that don’t require registration covers a wide range of common cyber risks (ransomware, DDoS attacks, social network account hijacking). It explores the possible risks that could originate from new technologies such as generative AI (GenAI) and large language models (LLMs).
MS-ISAC guide to DDoS attacks
The Multi-State Information Sharing and Analysis Center (MS-ISAC) has created a guide to shed light on denial of service (DoS) and distributed denial of service (DDoS) attacks. A DoS attack aims to overwhelm a system and hinder its intended users’ access, while a DDoS attack involves multiple sources working together towards the same goal.
These attacks deplete network, application, or system resources, leading to issues such as network slowdowns, application crashes, and server failures. The MS-ISAC guide examines various techniques employed by cyber threat actors (CTAs) to execute successful DDoS attacks. The guide also provides recommendations for defending against these types of attacks.
The Ultimate Guide to Everything You Need to Know about DDoS Attacks
Ransomware missteps that can cost you
Ransomware has become one of the most concerning types of attacks. To be able to effectively tackle these attacks, IT professionals and managed services providers need to be prepared to respond quickly and appropriately.
The first step towards readiness lies in acquiring a comprehensive understanding of the primary issues and possible pitfalls that can significantly impact the outcome.
This whitepaper from N-able gives insights on one of the most common and disastrous type of attack and what are the frequent mistakes organizations do when trying to limit the damaging effects.
Ransomware Protection Playbook
The five ICS cybersecurity critical controls
To establish a robust and successful security program for industrial control systems (ICS) or operational technology (OT), a combination of five cybersecurity controls can be employed.
This SANS whitepaper points out these controls, empowering organizations to customize and implement them according to their specific environment and risk factors.
Rather than being overly prescriptive, these controls prioritize outcomes, ensuring flexibility and adaptability. Moreover, they are informed by intelligence-driven insights derived from the analysis of recent breaches and cyberattacks in industrial companies worldwide.
NIST Framework for Improving Critical Infrastructure Cybersecurity: Whitepaper
How to identify the cybersecurity skills needed in the technical teams in your organization
To keep an organization safe from information security threats, it is essential to understand cybersecurity skills gaps within your IT and InfoSec teams. To enhance your company’s protection, it is crucial to pinpoint these deficiencies and give importance to skills according to specific job roles.
This whitepaper from Offensive Security concentrates on optimal methods for nurturing internal cybersecurity talent within your technical teams, such as IT, information security, DevOps, or engineering.
Building a Career in Cybersecurity: The Strategy and Skills You Need to Succeed
Generative AI and ChatGPT enterprise risks
The increasing use of GenAI and LLMs in enterprises has prompted CISOs to assess the associated risks. While GenAI offers numerous benefits in improving various daily tasks, it also introduces security risks that organizations need to address.
This whitepaper from Team8 aims to provide information on these risks and recommended best practices for security teams and CISOs, as well as encourage community involvement and awareness on the subject.
Redefining browser isolation security
Traditional methods of data security and threat protection are inadequate in the face of evolving applications, users, and devices that extend beyond the corporate perimeter.
Legacy security approaches struggle to adapt to the hybrid work model, leading to visibility issues, conflicting configurations, and increased risks. To address these challenges, organizations need to update their risk mitigation strategies.
Remote browser isolation (RBI) technology offers a promising solution by separating internet browsing from local browsers and devices. However, traditional RBI approaches have limitations such as high costs, performance issues, and security vulnerabilities caused by deployment gaps.
This Cloudflare whitepaper examines the causes and consequences of these challenges, and shows how to approach browser isolation to tackle these common issues.
Browser Isolation Standard Requirements
S1 deload stealer: Exploring the economics of social network account hijacking
Social networks have become an essential part of our lives, but they have also been exploited by criminals. Threat actors have been using legitimate social media accounts to engage in illegal activities, such as extortion and manipulating public opinion for influencing elections.
Financially motivated groups have also employed malvertising and spam campaigns, as well as operated automated content-sharing platforms, to increase revenue or sell compromised accounts to other malicious individuals.
This whitepaper from Bitdefender highlights an ongoing malware distribution campaign that takes advantage of social media by hijacking users’ Facebook and YouTube accounts.
Building a budget for an insider threat program
To gain support from top-level executives when planning to implement a purpose-built insider threat solution, the value of the solution needs to be linked not just to reducing risks but also to providing additional business benefits.
The business case should show how an insider threat program can result in immediate cost savings, allow security resources to be allocated to other important projects in the future, and ultimately promote collaboration, productivity, and innovation.
This Code42 whitepaper provides a strategy for security teams to create a convincing business case.
The case for threat intelligence to defend against advanced persistent threats
Organizations are encountering an increasingly serious challenge posed by advanced persistent threats (APTs). Those responsible for managing business risk recognize that it is impossible to completely prevent such threats. Instead, the focus is on implementing defensive measures and utilizing threat intelligence to improve the chances of detecting attacks and reducing risk to an acceptable level.
Rather than fixating on the inevitability of being hacked, the emphasis is placed on minimizing the occurrence of attacks and efficiently identifying and responding to them, to mitigate their impact on the business.
This Cyberstash whitepaper examines the effectiveness and cost associated with threat intelligence in enhancing the security industry’s defensive capabilities against APTs.
InfoSec tools | InfoSec services | InfoSec books
Jun 07 2023
Disaster recovery challenges enterprise CISOs face
An essential aspect of organizational operations is effectively responding to and returning from a disruptive event, commonly called disaster recovery.
The primary objective of DR techniques is to restore the utilization of crucial systems and IT infrastructure following a disaster. To proactively tackle such scenarios, organizations conduct a comprehensive assessment of their systems and establish a formal document that serves as a guiding framework during times of crisis. This document is commonly known as a disaster recovery plan.
In this Help Net Security video, Chris Groot, General Manager of Cove Data Protection at N-able, discusses enterprise CISOs’ challenges with disaster recovery.
Resilience: Powerful Practices for Bouncing Back from Disappointment, Difficulty, and Even Disaster
InfoSec tools | InfoSec services | InfoSec books
Jun 06 2023
10 Best Vulnerability Scanner Tools For Penetration Testing – 2023
A Vulnerability Scanner Tools is one of the essential tools in IT departments Since vulnerabilities pop up every day and thus leaving a loophole for the organization.
The Vulnerability scanning tools help detect security loopholes in the application, operating systems, hardware, and network systems.
Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.
What do Vulnerability Scanner Tools do?
Vulnerability scanners are one right way to do this. With their continuous and automated scanning procedures, they can scan the network for potential loopholes.
It is on your internet or any device, they would help the IT departments identify the vulnerability and fix it both manually and automatically.
Vulnerability scanning tools do have two different approaches for performing their routines, authenticated and unauthenticated scans.
In the latter case, a penetration tester will show the scan disguised as a hacker without him having trusted access to the corporate network.
What are the Three types of Vulnerability Scanners?
This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.
Following are the types of vulnerability scanners
- Discovery Scanning
- Full Scanning
- Compliance Scanning
What is an example of a Vulnerability Scanner?
The best Web vulnerability scanner in the market should allow you to perform both authenticated and unauthenticated types of scans to nullify network vulnerabilities among other related vulnerability scanners online
In this article, we’ll take a look at the top 10 best vulnerability scanning tools available in the market.
10 Best Vulnerability Scanner Tools
| Vulnerability Scanner Tools | Key Features |
Vulnerability Manager Plus | Customization of Patches to Application Detecting zero-day vulnerabilities Audit end-of-life software Security recommendations Custom Scan Configuration |
| Tripwire IP360 | Flexible Scanning Full Network Discovery Vulnerability Risk Scoring Asset Discovery |
| Nessus vulnerability scanner | Target Profiling Sensitive data discovery Malware Detection PCI DSS requirements Vulnerability scanning |
| Comodo HackerProof | Daily Vulnerability Scanning Web-based Management Tool PCI Scanning Tools |
| Nexpose community | Real Risk Score Integration with Metasploit Powerful Reporting Adaptive Security |
| OpenVAS Vulnerability Scanner | Targeted IP Address Task Naming Authorized (credentialed) Scans Scheduling scans |
| Nikto | Support for Proxy with authentication Cookies Support Username Enumeration Outdated component report |
| Wireshark | Live capture and offline analysis Deep inspection of protocols VoIP analysis Read/write Capture file Coloring rules |
| Aircrack-ng | Analyzing WiFi networks for weaknesses Capture and injection of WiFi cards Sniff wireless packets Recover lost keys |
| Retina network security scanner | Discover the Full network Environment Identify Application Flaw Analyze threats and gain security intelligence |
10 Best Vulnerability Scanner Tools 2023
- OpenVAS Vulnerability Scanner
- Tripwire IP360
- Nessus vulnerability scanner
- Comodo HackerProof
- Nexpose community
- Vulnerability Manager Plus
- Nikto
- Wireshark
- Aircrack-ng
- Retina network security scanner
InfoSec tools | InfoSec services | InfoSec books
Jun 05 2023
What are the Common Security Challenges CISOs Face?
Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.
As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.
These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.
The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.
This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.
By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.
Who is a CISO?
Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.
A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.
They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.
CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.
They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.
In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.
They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.
The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.
CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.
What are all the Roles and Responsibilities of CISO?
- Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
- Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
- Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
- Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
- Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
- Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
- Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
- Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
- Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
- Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.
Security Challenges CISOs Face
CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:
- Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
- Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
- Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
- Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
- Security Skills Gap: CISOs often need more skilled cybersecurity professionals. The industry’s rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
- Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
- Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
- Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
- Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
- Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.
What are the Security Compliance CISO Should Follow
As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:
- General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
- Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. It covers risk assessment, security controls, incident response, and continuous monitoring.
- ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
- Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.
Security Challenges CISOs Face to Manage Security Team
Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:
- Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
- Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organization’s overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
- Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologies—support team members in their career growth.
- Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
- Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
- Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the team’s incident response capabilities.
- Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
- Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
- Regularly Evaluate and Improve: Regularly evaluate the team’s performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the team’s effectiveness and efficiency.
- Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.
Final Thoughts
CISOs face many common security challenges as protectors of their organization’s digital assets and information.
From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.
CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.
To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.
They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.
While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.
By effectively addressing these challenges, CISOs can enhance their organizations’ security posture, safeguard critical assets, and instill confidence in customers and stakeholders.
Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.
By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.
InfoSec tools | InfoSec services | InfoSec books
Jun 01 2023
IF YOUR LAPTOP OR PC HAS GIGABYTE MOTHERBOARD THEN IT HAS BACKDOOR FOR HACKERS
Researchers at the cybersecurity firm Eclypsium, which focuses on firmware, reported today that they have found a secret backdoor in the firmware of motherboards manufactured by the Taiwanese manufacturer Gigabyte. Gigabyte’s components are often used in gaming PCs and other high-performance systems. Eclypsium discovered that whenever a computer with the affected Gigabyte motherboard restarts, code inside the motherboard’s firmware silently triggers the launch of an updater application, which then downloads and runs another piece of software on the machine. Researchers discovered that the hidden code was built in an unsafe manner, making it possible for the mechanism to be hijacked and used to install malware rather than Gigabyte’s intended software.
Despite the fact that Eclypsium claims the hidden code is intended to be a harmless utility to keep the motherboard’s firmware updated, researchers determined that the implementation was vulnerable. And since the updater application is activated from the computer’s firmware rather than the operating system, it is difficult for users to either delete it or even detect it on their own. In the blog post, the company details the 271 different versions of Gigabyte motherboards that the researchers think are vulnerable. According to experts, individuals who are interested in discovering the motherboard that is used by their computer may do so by selecting “Start” in Windows and then selecting “System Information.”
Users who don’t trust Gigabyte to silently install code on their machine with a nearly invisible tool may have been concerned by Gigabyte’s updater alone. Other users may have been concerned that Gigabyte’s mechanism could be exploited by hackers who compromise the motherboard manufacturer to exploit its hidden access in a software supply chain attack. The update process was designed and built with obvious flaws that left it susceptible to being exploited in the following ways: It downloads code to the user’s workstation without properly authenticating it, and in certain cases, it even does it through an unsecured HTTP connection rather than an HTTPS one. This would make it possible for a man-in-the-middle attack to be carried out by anybody who is able to intercept the user’s internet connection, such as a malicious Wi-Fi network. The attack would enable the installation source to be faked.
Even if Gigabyte does release a fix for its firmware issue—after all, the problem stems from a Gigabyte tool that was intended to automate firmware updates—experts points out that firmware updates frequently fail silently on users’ machines, in many cases due to the complexity of the updates themselves and the difficulty of matching the firmware with the hardware.
In other instances, the updater that is installed by the mechanism in Gigabyte’s firmware is configured to be downloaded from a local network-attached storage device (NAS). This is a feature that appears to be designed for business networks to administer updates without all of their machines reaching out to the internet. Under such circumstances, a malicious actor on the same network might potentially fake the location of the NAS in order to covertly install their own malware in its place.
The company has said that it has been collaborating with Gigabyte in order to report its results to the motherboard maker, and that Gigabyte has indicated that it intends to solve the concerns.
Meantime you can block the following URLs:
- http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
- https://software-nas/Swhttp/LiveUpdate4
A list of affected models is available here.
InfoSec tools | InfoSec services | InfoSec books
May 31 2023
HACK PUBLIC WIFI NETWORKS USING WPA2 OR WPA3 SECURITY & RADIUS SERVER WITH NEW TECHNIQUE
Researchers from Tsinghua University and George Mason University have discovered a significant weakness in the NPU chipset. By exploiting this flaw, attackers are able to eavesdrop on data being broadcast across 89% of real-world Wi-Fi networks.
Hardware acceleration, such as the use of NPU chipsets in Wi-Fi networks, increases the data transmission rate and decreases latency. However, it also creates security problems owing to the direct transmission of wireless frames by Access Point (AP) routers.
Researchers from Tsinghua University and George Mason University have recently found a security weakness in the wireless frame forwarding mechanism used by the NPU. Attackers may take use of the vulnerability to conduct a Man-in-the-Middle attack (MITM) on Wi-Fi networks by circumventing the need for rogue access points (APs). Intercepting a victim’s plaintext communication while avoiding link layer security methods such as WPA3 is possible with this technique. The research paper that team wrote has been approved for presentation at the 2023 IEEE Symposium on Security and Privacy.
The scenario shown in Figure depicts a situation in which an attacker and a victim supplicant are both connected to the same Wi-Fi network in order to access Internet services. Imagine that you have successfully completed the phone authentication process and are now able to access the Wi-Fi network at Starbucks. Each session to the AP router is protected by a Pairwise Transient Key (PTK) session key, and the Wi-Fi network that you are trying to connect to has WPA2 or WPA3 installed to provide security.
They made the discovery that the security methods, such as WPA2 and WPA3, may be readily evaded, giving attackers the ability to read the plaintext of the victim supplicant’s communication. An impersonation of the access point (AP) is created by the attacker via the use of spoofing the source IP address. The attacker then sends a victim supplicant an ICMP redirect message, which is an ICMP error message with a type value of 5.
Because of the need to maximize performance, the NPU in the AP router (for example, Qualcomm IPQ5018 and HiSilicon Gigahome Quad-core) would immediately transfer the bogus message of ICMP redirection that it has received to the victim supplicant. After receiving the message, the victim supplicant will be deceived into changing its routing cache and substituting the next hop to the server with the IP address of the attacker. This will allow the attacker to get access to the server. Because of this, future IP packets that were supposed to be sent to the server are instead routed to the attacker at the IP layer. This gives the attacker the ability to send the packets to their intended destination. The MITM attack is successfully carried out by the attacker, who does not make use of any rogue AP in the process. This allows the attacker to intercept and change the traffic of the victim supplicant invisibly.
Both Qualcomm and Hisilicon have verified that their NPUs are susceptible to the vulnerability that prohibits AP devices from successfully blocking faked ICMP redirect packets. This vulnerability has been given the identifier CVE-2022-25667 by Qualcomm.
Adding features to access points that will slow down maliciously constructed ICMP redirection. If the message has clear unlawful features (for instance, the source IP address of the message is provided with the AP’s IP address, and the message can only be created by the AP itself), then the AP should block and discard the message as soon as it is detected. This strategy depends on the participation of both the NPU chip makers and the AP suppliers in a collaborative effort.
Improving the ability of supplicants to check the ICMP packets that they have received. The supplicant has the ability to successfully detect bogus ICMP messages and mount a defense against this attack provided it ensures that the source IP address and source MAC address of the received ICMP message are consistent with one another.
The Home Network Manual: The Complete Guide to Setting Up, Upgrading, and Securing Your Home Network
InfoSec tools | InfoSec services | InfoSec books
May 30 2023
The essence of OT security: A proactive guide to achieving CISA’s Cybersecurity Performance Goals
The widespread adoption of remote and hybrid working practices in recent years has brought numerous benefits to various industries, but has also introduced new cyber threats, particularly in the critical infrastructure sector.
These threats extend not only to IT networks but also to operational technology (OT) and cyber-physical systems, which can directly influence crucial physical processes.
In response to these risks, the US government reinforced critical infrastructure security by introducing Cross-Sector Cybersecurity Performance Goals (CPGs) mandated by the US Cybersecurity Infrastructure & Security Agency (CISA).
Recently, CISA updated the CPGs to align with NIST’s standard cybersecurity framework, establishing each of the five goals as a prioritized subset of IT and OT cybersecurity practices.
In this article, we will look in more detail at CISA’s revamped CPGs and discuss the potential solutions available to help organizations achieve these critical goals.
CPG 1.0 Identify: Scoping out the vulnerabilities in the OT environment
CISA’s first CPG is “Identify”, which includes identifying the vulnerabilities in the IT and OT assets inventory, establishing supply chain incident reporting and vulnerability disclosure program, validating the effectiveness of third-party security controls across your IT and OT networks, establishing OT security leadership, and mitigating known vulnerabilities. Critical infrastructure organizations must address all these sub-categories exclusively to achieve the first CPG.
Addressing these responsibilities requires a dynamic effort. Firstly, organizations must strengthen their IT and OT relationship by fostering more effective collaboration between the security teams of both departments. But, most importantly, IT and OT teams must come together to understand the potential cyber threats and risks of each environment and how it affects the other. To achieve the first CPG, it is critical that these departments are not kept in isolation but rather collaborate and communicate frequently.
At the same time, organizations must establish OT leadership by clearly identifying a single leader who will be responsible and accountable for OT-specific cybersecurity. From there, organizations must create an asset inventory or glossary that clearly identifies and tracks all OT and IT assets across the entire ecosystem. These assets should be regularly audited based on their vulnerability management program. It’s also highly critical to have an open, public, and easily accessible communication channel where vendors, third parties, or employees can disclose any potential vulnerability in relation to the OT and IT assets.
CPG 2.0 Protect: Safeguarding privileged access to OT assets
CISA’s second CPG is “Protect”, which emphasizes the account security aspects of OT assets. To achieve this goal, critical infrastructure organizations are required to strengthen their password policies, change default credentials across OT remote access systems, apply network segmentation to segregate OT and IT networks, and separate general user and privileged accounts.
Addressing all these aspects of account security can be a chore for most organizations, but they can turn to unified secure remote access (SRA) solutions that can extend multiple account-level security controls to OT remote users via enforcement of multi-factor authentication (MFA), least privilege policies, and role-based access. Such solutions can also support advanced credential policies to further reduce the risk of unauthorized access and denial of service attacks.
It’s also important that organizations only leverage SRA solutions that are based on zero trust policies. This will help organizations establish effective network segmentation that eliminates direct, unfettered remote connectivity to OT assets, and to continuously monitor personnel activity during all remote OT connections.
CPG 3.0 Detect: Awareness of critical threats and potential attack vectors across your OT environment
CISA’s third CPG emphasizes the detection of relevant threats and knowledge of potential attack vectors and TTPs (tactics, techniques, and procedures) that can compromise OT security and potentially disrupt critical services.
Detecting relevant threats and TTPs across OT assets and networks requires a proactive approach that combines advanced monitoring and analysis. Real-time monitoring solution should be complemented with comprehensive network visibility, allowing for the swift detection of anomalies and unusual patterns.
A critical aspect of threat detection in OT environments — and meeting the CPG mandate — is the sharing of information and collaboration between various stakeholders. Threat intelligence platforms play an essential role in gathering and disseminating information about current and emerging threats. By leveraging this valuable data, organizations can stay ahead of potential risks, fine-tune their defenses, and ensure the safety and security of their OT assets. Additionally, conducting regular security assessments, penetration testing, and vulnerability scanning will help uncover any weaknesses in the infrastructure, allowing for timely remediation and improved resilience against cyberattacks.
CPG 4.0 and 5.0: Respond and Recover
The final two CISA’s CPGs stress the importance of incident reporting and planning. Regardless of how robust your OT security practices are, cyber threats are almost inevitable in today’s interconnected and increasingly remote networking era. So, while proactive security solutions are necessary, attacks still are unavoidable, especially in a highly targeted sector like critical infrastructure.
Therefore, CISA stresses that organizations must have a comprehensive plan and process outlined for reporting security incidents and effectively recovering their affected systems or services upon a breach.
Advanced SRA solutions can help organizations to achieve these goals through automated recording of user activities and asset-related data, as well as creating automated backups of critical data. More specifically, they can log all user sessions, encrypt all user- and asset-related data, and retain logs of OT remote user activity. These measures help to ensure that critical information is stored in accordance with all relevant regulatory requirements and backup and recovery needs.
Conclusion
Overall, the vulnerabilities of ageing OT assets and siloed OT and IT networks have created a significant threat to critical infrastructure entities, which has been further exacerbated by the prevalence of remote access.
CISA’s OT-specific goals and actions within the CPGs provide a much-needed set of guidelines for CNI organizations to strengthen their security posture and increase cyber resilience. By following CISA’s recommendations and employing innovative security technologies, organizations can minimize the risk of cyberattacks affecting the physical world and public safety.
InfoSec tools | InfoSec services | InfoSec books
May 29 2023
CISO-approved strategies for software supply chain security
Integrating proprietary and open-source code, APIs, user interfaces, application behavior, and deployment workflows creates an intricate composition in modern applications. Any vulnerabilities within this software supply chain can jeopardize your and your customers’ safety. In this Help Net Security video, Tim Mackey, Head of Software Supply Chain Risk Strategy at Synopsys, discusses supply chain security practices and approaches.
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society
InfoSec tools | InfoSec services | InfoSec books
May 29 2023
WANT TO OWN A TESLA OR ALREADY OWN ONE, CHECK THIS MASSIVE CONFIDENTIAL DATA BREACH OF TESLA
The research that was published in the German daily Handelsblatt said that customers of Tesla Inc. lodged over 2,400 complaints about difficulties with self-acceleration and 1,500 complaints regarding issues with brakes between the years of 2015 and March 2022.
According to reports, a big data dump that was based on a whistleblower’s breach of internal Tesla papers suggests that problems with Tesla’s autonomous driving system may be considerably more frequent than authorities and the media have suggested. This was discovered after the whistleblower gained unauthorized access to internal Tesla documents.
Particularly, in an article titled “My autopilot almost killed me,” Handelsblatt reported receiving 100 terabytes of data and 23,000 files. Within those files were 3,000 entries highlighting consumers’ safety concerns and tales of more than 1,000 crashes.
The publisher included a note stating that the data includes the phone numbers of customers.
According to the hundreds of clients that Handelsblatt is claimed to have contacted, the fears were quite serious.
According to one man from Michigan, his Tesla “suddenly braked hard, as hard as you can imagine.” When I was ordered to fasten my seatbelt, the vehicle was on the verge of coming to a complete halt. I was then struck by a second car.
The files were shown to the Fraunhofer Institute for Secure Information Technology by Handelsblatt. The institute concluded that there is no reason to presume that “the data set does not come from IT systems belonging to or in the environment of Tesla.”
Employees are instructed that, unless lawyers are involved, they should not deliver written comments but rather should convey them “VERBALLY to the customer.” Unless attorneys are involved, written critiques should not be given.
The post quotes the instructions as saying, “Do not copy and paste the report below into an email, text message, or leave it in a voicemail to the customer,” and it is clear that this is a requirement.
An report featured a doctor from California who said that her Tesla accelerated on its own in the autumn of 2021 and smashed into two concrete pillars. She noted that the company never sent emails and that everything was always communicated verbally.
According to the attorneys for Tesla, the news organization is required to provide a copy of the data to Tesla, and all other copies of the data must be destroyed. The attorneys for Tesla also warned legal action “for the theft of confidential and personal data.”
According to reports, the alleged papers would undoubtedly be important to current wrongful death lawsuits made against Tesla. These claims assert that the company’s technology has significant safety faults. Additionally, they may compel local, state, and federal authorities to take action.
The state’s data protection officer, Dagmar Hartge, recognized the seriousness of the allegations and pointed out that, should the allegations prove to be accurate, the data breach would have significant repercussions on a worldwide scale. The situation has been sent to privacy advocates in the Netherlands so that additional investigation might be conducted.
“Tesla takes the protection of its proprietary and confidential information, as well as the privacy of its employees and customers, very seriously.” “We intend to initiate legal proceedings against this individual for his theft of Tesla’s confidential information and employees’ personal data,” Tesla stated in a response that was reported by the publication. The statement was made in reaction to the theft of sensitive information and personal data pertaining to Tesla employees.
The Chinese regulatory authorities have already started to take action. Approximately two weeks ago, Tesla was forced to provide an emergency software update for the majority of the automobiles it has sold in China as a direct result of problems with unexpected and sudden acceleration.
Since 2016, Musk has made many claims that his self-driving vehicles would be really autonomous, but he has not delivered on those claims.
Data Privacy: A runbook for engineers
InfoSec tools | InfoSec services | InfoSec books
May 27 2023
CISO-level tips for securing corporate data in the cloud
The presence of each third-party application increases the potential for attacks, particularly when end users install them without proper oversight or approval. IT security teams face challenges in obtaining comprehensive knowledge about the apps connected to their corporate SaaS platforms, including their permissions and activities.
In this Help Net Security video, Matt Radolec, Senior Director, Incident Response and Cloud Operations at Varonis, offers advice for CISO-level executives to enhance the security of corporate cloud data.
In what situations would a vCISO Service be appropriate?
Previous DISC InfoSec posts on CISO
InfoSec tools | InfoSec services | InfoSec books
« Previous Page — Next Page »
