May 23 2023

THIS VULNERABILITY ALLOWS HACKING ANY SAMSUNG SMARTPHONE MODEL

Category: Hacking, Mobile Security | disc7 @ 12:02 pm

The vulnerability (CVE-2023-21492) affects mobile devices manufactured by Samsung and running Android 11, Android 12, or Android 13. It results from the accidental inclusion of sensitive data in log files.

CISA has just recently issued a warning on a security hole that affects Samsung devices and makes it possible for attackers to avoid Android’s address space layout randomization (ASLR) protection while carrying out targeted attacks.

Android’s Address Space Layout Randomization (ASLR), a fundamental component of Android’s security architecture, randomizes the memory locations at which important app and operating system components are loaded into the device’s memory. The information leaked into the logs can be used by local attackers who already have elevated privileges to bypass ASLR, which in turn makes memory-management weaknesses easier to exploit. Samsung has addressed the issue in its most recent security updates by adding safeguards that prevent kernel pointers from being written to logs in future, as part of a larger effort to introduce new security measures.
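As an added, defender-side example (not Samsung’s fix and not derived from the advisory), the script below scans Android log lines for values that look like unhashed 64-bit kernel addresses, the kind of leak that lets a local attacker defeat KASLR. The kernel address bound, the sample log lines and the driver name are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real device or from the advisory).
SAMPLE_LOG = """\
05-23 12:02:01.123  1234  1234 I init    : starting service 'example'
05-23 12:02:02.456     0     0 W kernel  : example_drv: ctx at 0xffffffc012345678 (assumed leak)
05-23 12:02:02.457     0     0 I kernel  : example_drv: hashed ptr 000000003fa1b2c3 ok
05-23 12:02:03.789  2345  2345 D app     : buffer id 0x7f3c1a2b3c4d
"""

# Assumption: a 64-bit (arm64) Android kernel, where the high half of the
# virtual address space belongs to the kernel, i.e. addresses at or above
# 0xffff000000000000.  Pointers printed with the kernel's hashed %p format
# are 32-bit values zero-padded to 16 digits, so they fall below this bound
# and are deliberately not flagged.
KERNEL_VA_START = 0xFFFF_0000_0000_0000

# A 16-digit hex token, with or without a 0x prefix, standing on its own.
HEX_RE = re.compile(r"\b(?:0x)?([0-9a-fA-F]{16})\b")


def is_kernel_address(value: int) -> bool:
    """True if a 64-bit value lies in the (assumed) kernel VA range."""
    return value >= KERNEL_VA_START


def find_kernel_pointer_leaks(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, hex_value) for every 16-digit hex token in the
    kernel VA range; each one is a candidate KASLR-defeating leak that a
    log audit should report."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in HEX_RE.finditer(line):
            if is_kernel_address(int(match.group(1), 16)):
                leaks.append((lineno, match.group(1).lower()))
    return leaks


if __name__ == "__main__":
    for lineno, value in find_kernel_pointer_leaks(SAMPLE_LOG):
        print(f"line {lineno}: possible kernel pointer leak 0x{value}")
```

Run it over real `logcat` or `dmesg` output to audit a device; only the unhashed address on the second sample line is reported.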

According to the advisory included in the May 2023 Security Maintenance Release (SMR), Samsung has acknowledged that it was notified of an exploit for this specific flaw that is active in the wild.

Although Samsung did not provide any details on how CVE-2023-21492 was exploited, it is worth keeping in mind that in highly targeted attacks, vulnerabilities of this kind are regularly used as one link in a sophisticated exploit chain.

Meanwhile, security researchers at Google’s Threat Analysis Group (TAG) and Amnesty International discovered and reported on two different attack campaigns in March. Those attacks used exploit chains targeting multiple vulnerabilities to deliver commercially developed spyware. Following the recent addition of CVE-2023-21492 to CISA’s Known Exploited Vulnerabilities (KEV) catalog, United States Federal Civilian Executive Branch (FCEB) agencies have been given a three-week window, until June 9, to patch their Samsung Android devices against attacks that exploit this flaw.

In accordance with BOD 22-01, government agencies have until the June 9, 2023 deadline to fix vulnerabilities that have been added to CISA’s KEV list.


Tags: Android security, SAMSUNG SMARTPHONE


May 22 2023

What Are Insider Attacks? How Prepared Are You?

Category: Information Security, Insider Threat | disc7 @ 10:21 am

Insider attacks often catch organizations by surprise because they’re tricky to spot.

Banking on reactive solutions like antivirus software or a patch management solution to avoid such attacks is not wise.

Understanding what contributes to the increasing number of insider threats and addressing these factors is the only way to secure your enterprise against such attacks.

An insider attack is often defined as an exploit by malicious intruders within an organization.

This type of attack usually targets insecure data. Insider threats might lurk within any company; in some industries, they can account for more than 70% of cyberattacks.

More often than not, insider attacks are neglected. Perhaps this is why they have been on a constant rise.

A survey by CA Technologies in 2018 found that about 90% of organizations feel vulnerable to insider attacks.

Organizations also feel that the data most vulnerable to insider attacks is sensitive personal information (49%), intellectual property (32%), employee data (31%), and privileged account information (52%).

Many insider attacks are associated with excessive access privileges. While it might be unpleasant or inconvenient not to trust employees, organizations must be vigilant.

This can be accomplished by monitoring possible sources of cyberattacks. A big problem is that many companies are unaware of how to identify and combat insider threats.

Questions then arise: Where can you find the best network security tools to gain more knowledge on combating insider attacks? What security standards should you follow to stay within your industry’s security compliance requirements and protect your digital assets better? How do you differentiate between a malicious insider and a non-malicious one?

Insider Threat Warnings That You Should Look Out For

Here are some tell-tale signs you can monitor to avoid an insider attack. Be on the lookout for anyone who:

  • Downloads large amounts of data on personal portable devices or attempts to access data they don’t normally use for their day-to-day work.
  • Requests network or data access to resources not required for their job, or searches for and tries to access confidential data.
  • Emails sensitive information to a personal email account or people outside your organization.
  • Accesses the network and corporate data outside of regular work hours.
  • Exhibits negative attitudes or behaviors—for instance, a disgruntled employee leaving the organization.
  • Ignores security awareness best practices, such as locking screens, not using USBs or external drives, not sharing passwords and user accounts, or does not take cyber threats seriously.

Once you have started monitoring, you can implement security measures to prevent attacks from occurring. We’ve put together a short list of solutions for curbing insider threats.

1. Zero Trust

Zero Trust, a new cybersecurity buzzword, is a holistic approach for tightening network security by identifying and granting access, or “trust”.

No specific tool or software is associated with this approach, but organizations must follow certain principles to stay secure.

Adding more users, applications, and servers, and embracing various IoT devices, expands your network perimeter.

How do you exert control and reduce your overall attack surface in such cases?

How can you ensure that the right access is granted to each user?

IT security at some organizations reflects the age-old castle-and-moat defense mentality that everything inside an organization’s perimeter should be trusted while everything outside should not.

This concept focuses on trust too much and tends to forget that we might know little about the intentions of those we deem “insiders.”

The remedy is Zero Trust, which revokes excessive access privileges of users and devices without proper identity authentication.

By implementing Zero Trust, you can:

  • Understand your organization’s access needs.
  • Decrease risk by monitoring device and user traffic.
  • Lower the potential for a breach.
  • Profoundly increase your business’s agility.

2. Privileged access management

Privileged access management (PAM) means extending access rights to trusted individuals within an organization.

A privileged user has administrative access to critical systems and applications.

For example, if an IT admin can copy files from your PC to a memory stick, they are said to be privileged to access sensitive data within your network.

This also applies to accessing data via physical devices, logging in, and using different applications and accounts associated with the organization.

A privileged user with malicious intent might hijack files and demand your organization pay a ransom.

PAM takes some effort, but you can start simple. For instance, you can remove an employee’s access to the data associated with their previous role.

Consider an employee moving from finance to sales. In this case, the rights to access critical financial data must be revoked because we do not want to risk the organization’s financial security.

By implementing PAM, you can:

  • Make dealing with third-party devices and users safer and more accessible.
  • Protect your password and other sensitive credentials from falling into the wrong hands.
  • Eliminate excess devices and users with access to sensitive data.
  • Manage emergency access if and when required.

3. Mandatory Security Training for Existing & New Employees

Not all insider attacks are intentional; some happen because of negligence or lack of awareness.

Organizations should make it mandatory for all their employees to undergo basic security and privacy awareness training sessions regularly.

Employees can also be quizzed on these sessions to make the training more effective.

Ensuring employees are acquainted with the cost consequences that negligence can cause the organization can help prevent unintentional insider threats significantly.

With so much to lose, it’s a wonder more companies aren’t taking steps to reduce their chance of suffering from an insider attack.

As mentioned earlier, no particular software or tool is behind the security approaches mentioned above.

Rather, your organization must address these aspects while developing a homegrown security solution or utilizing a similar service or product from a vendor.

By doing so, you can protect your organization from bad actors within or outside of your organization.

However, to specifically tackle the threat posed by insiders who regularly misuse their access credentials or bring malicious plug-and-play devices to work, we recommend looking into other security protocols, such as identity and access management and user behavior analytics, to prevent internal security mishaps.



InfoSec tools | InfoSec services | InfoSec books

Tags: insider attacks, insider threats


May 20 2023

3 tips to accelerate zero trust adoption

Category: Zero trust | disc7 @ 10:51 am

Zero trust adoption is beginning to accelerate as networks get more complex. Gartner predicts that by 2026, 10% of large enterprises will have a comprehensive, mature, and measurable zero-trust program in place (compared to just 1% today). But adoption has been slow; according to a 2023 PWC report, only 36% have started their journey to zero trust. What’s the hold up?

Integration and configuration at scale for zero trust is no small feat. From managing user experience (UX), to resource constraints and the cultural change required for adoption, zero trust can just be challenging.

Historically, zero trust focused on networks and identity access but, over time, it has become a comprehensive approach to cybersecurity that requires a more holistic view of an organization’s IT infrastructure. Where zero trust previously rejected the notion that endpoints had a role, because the “perimeter no longer mattered,” those working through implementation now see that endpoints are a crucial component to a robust zero trust strategy.

While every enterprise is different, there are some common roadblocks that slow the adoption process. In this article, we’ll offer up some tips to overcome these challenges.

Zero trust adoption tips

Most organizations’ IT infrastructure comprises two crucial components – networks and endpoints. Think of the network as roads and the endpoints as the destination for attackers. These can include servers, virtual machines, workstations, desktops, laptops, tablets, mobile devices, and more. And they run multiple applications, store and manipulate data, connect to other data sources, etc.

Cybercriminals strive to attack and control these endpoints as they dive deeper into enterprise networks. From there, they can gain additional credentials, move laterally, maintain persistence, and eventually exfiltrate data. Because these endpoints are in constant use (and their numbers are growing), securing them is challenging. Layer on top misconfigurations, which account for approximately a quarter of endpoint compromises, and it’s clear that security teams need a more holistic security framework.

Let’s dive into the tips. While this is not a comprehensive list, hopefully it will help you and your team overcome some of the initial heartburn associated with zero trust adoption for endpoints.

1. Break down information silos and consolidate technologies where you can – Organizational structures that don’t support deep collaboration between IT and security will only exacerbate concerns about increased attack surfaces and worsen challenges around compliance requirements. For zero trust success, teams must break down information silos and share data across teams and solutions. Beyond the zero trust benefits, consolidation can significantly reduce the cost of maintaining multiple systems and greatly improve efficiency by reducing the complexity and redundancy of numerous tools for a single task.

2. Maintain a comprehensive asset inventory and get complete visibility of endpoints – You must know what you have in order to protect it. While this may seem unnecessary for a zero trust approach whose first rule is to trust nothing, knowing what is under your organization’s management versus what is a personal device enables you to categorize how you validate and verify the trustworthiness of each endpoint. This can be difficult, with challenges around complexity, lack of integration, human factors, and cost. But with on-demand asset discovery and real-time asset inventory, you should be able to achieve comprehensive visibility, giving you a clearer idea of which endpoints are actively managed and which devices should be vetted more carefully.

3. Utilize automated policy-based controls for detection and remediation across asset types – Using staff to manually manage and enforce controls relies on human oversight and intervention to detect and remediate security issues. This is clearly no longer sustainable (especially as an organization scales), as evidenced by the increasing number of cyber-attacks and data breaches. Policy-based rules driven by automation can ensure security controls are consistently and uniformly applied across all assets and user activities. This can also eliminate manual tasks, such as requiring end users to accept a patch or update and restart their machines.

This kind of automated policy enforcement should also help fuel the policy enforcement or trust evaluation engine needed for zero trust implementations. With trusted policy-based profiles on hand, a trust evaluation engine can “ask” questions and assess a device or asset’s security posture. For example: Does it have a firewall on? Does it have the latest approved patches installed? Have any unknown programs been installed recently that have not been scanned with a vulnerability scanner?

Conclusion

As more and more organizations move to implement zero trust, it’s crucial to understand some of the key challenges associated with endpoint security. It requires a shift in mindset, an understanding of the requirements, and a set of tools that can help achieve a successful framework.

Tailoring the zero trust principles to meet your enterprise needs will help accelerate your journey. And hopefully these tips will help. To learn more about practical zero trust implementation guidance, check out some recent research by the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence.


Tags: zero trust adoption


May 19 2023

HOW TO HACK SAMSUNG GALAXY AND IPHONE SE WITHOUT PHYSICALLY TOUCHING

Category: Hacking, Mobile Security | disc7 @ 9:54 am

Researchers have identified a new sort of attack that they have given the name “Ghost Touch.” This new form of attack may access the screen of your mobile device without even requiring you to touch it.

It would seem that those who commit crimes online are constantly able to one-up themselves and surprise everyone with innovative new strategies. You are already familiar with methods such as phishing, scams, and the use of malware to infect devices. However, researchers from Zhejiang University in China and the Darmstadt University of Technology in Germany have now uncovered a new hardware-based way that cybercriminals could use to get their hands on your smartphone.

The attack, known as Ghost Touch, may be used to unlock a mobile device, giving the attacker access to sensitive information such as passwords or banking apps, and even allowing malware to be installed. According to the researchers’ explanation, the attack makes use of “electromagnetic interference (EMI) to inject fake touch points into a touch screen without physically touching it.”

Note that this latest attack is targeted. In other words, to tune the attack to a particular device, it is essential to know the make and model of the victim’s phone. The attacker may additionally need extra knowledge about it, such as the access code, which would have to be obtained via social engineering; this may be a prerequisite for the attack. The attack is effective from a distance of up to 40 mm and exploits the touch screen’s sensitivity to electromagnetic interference (EMI). Attackers can inject electromagnetic impulses into the electrodes embedded in the screen, which causes the screen to register these signals as touch events (a tap, swipe, press, or hold).

Its efficacy has been shown on a total of nine different smartphone models, including the iPhone SE (2020), the Samsung Galaxy S20 FE 5G, the Redmi 8, and the Nokia 7.2. If a user’s screen has been compromised, it will begin operating on its own without the user’s intervention. For instance, it will begin answering calls on the user’s behalf, or it will become unlocked.

When a mobile device begins visiting arbitrary web sites, logging into the user’s bank account, opening files, playing a video, or typing into Google without the user’s interaction, this is another clear indication that the device has been compromised.

“You can protect yourself against touchscreen attacks in a number of different ways, including adding more security to your phone and being more vigilant in public places,” the article states. They recommend that you keep your phone in your possession at all times, since this will significantly lower the likelihood that it will be hacked.


Tags: iPhone, SAMSUNG GALAXY


May 18 2023

HACKERS HAVE A P2P NETWORK OF HACKED TP-LINK ROUTERS WORLDWIDE. IS YOUR ROUTER A PART OF IT?

Category: Hacking, Network security | DISC @ 9:42 am

Check Point Research has been monitoring sophisticated attacks on government authorities in numerous European countries since January 2023. The campaign made use of a broad set of tools, one of which was a router implant, a tactic often linked with Chinese government-backed cybercriminals. This activity has substantial infrastructure overlaps with activity previously published by Avast and ESET, which links it to the “Mustang Panda” group. CPR is currently tracking this cluster of suspicious activity as “Camaro Dragon.”

According to experts from Check Point named Itay Cohen and Radoslaw Madej, an investigation of these attacks has uncovered a bespoke firmware implant that was created specifically for TP-Link routers. “The implant features several malicious components, including a custom backdoor named ‘Horse Shell,’ that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks,” the firm claimed.

Because of the implant’s “firmware-agnostic design,” its components may be incorporated into firmware from a variety of different manufacturers. At this time, the precise mechanism used to distribute the altered firmware images to the compromised routers is unclear, and the extent of their use in real attacks is likewise unknown. It is believed that initial access may have been gained by exploiting already-known security holes or by brute-forcing devices that used default or easily guessed passwords.

According to what is currently known, the C++-based Horse Shell implant gives attackers the ability to run arbitrary shell commands, upload and download files to and from the router, and relay communication between two separate clients. However, in an intriguing turn of events, it is suspected that the router backdoor targets random devices on residential and home networks. This finding lends credence to the theory that hacked routers are being co-opted into a mesh network with the intention of establishing a “chain of nodes between main infections and real command-and-control.”

The purpose of relaying communications between infected routers by utilizing a SOCKS tunnel is to establish an extra layer of anonymity and disguise the end server. This is accomplished by the fact that each node in the chain possesses information only about the nodes that came before and after it in the chain.

To put it another way, the approach obfuscates the origin and destination of the traffic in a manner comparable to how Tor works, which makes it far more difficult to discover the scope of the attack and disrupt it. The finding is one more illustration of a long-standing pattern in which Chinese threat actors target internet-facing network equipment in order to manipulate the underlying software or firmware of such devices.


Tags: TP-LINK ROUTERS


May 17 2023

New ZIP domains spark debate among cybersecurity experts

Category: Security Professional | disc7 @ 9:25 am
https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/

Cybersecurity researchers and IT admins have raised concerns over Google’s new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery.

Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses.

The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.

While the ZIP and MOV TLDs have been available since 2014, it wasn’t until this month that they became generally available, allowing anyone to purchase a domain, like bleepingcomputer.zip, for a website.

However, these domains could be perceived as risky as the TLDs are also extensions of files commonly shared in forum posts, messages, and online discussions, which will now be automatically converted into URLs by some online platforms or applications.

The concern

Two common file types seen online are ZIP archives and MPEG 4 videos, whose file names end in .zip (ZIP archive) or .mov (video file).

Therefore, it’s very common for people to post instructions containing filenames with the .zip and .mov extensions.

However, now that they are TLDs, some messaging platforms and social media sites will automatically convert file names with .zip and .mov extensions into URLs.

For example, on Twitter, if you send someone instructions on opening a ZIP file and accessing a MOV file, the innocuous filenames are converted into a URL, as shown below.

[Image: Twitter automatically linkifying .zip and .mov file names. Source: BleepingComputer]

When people see URLs in instructions, they commonly think that the URL can be used to download the associated file and may click on the link. For example, linking filenames to downloads is how we usually provide instructions on BleepingComputer in our articles, tutorials, and discussion forums.

However, if a threat actor owned a .zip domain with the same name as a linkified filename, a person may mistakenly visit the site and fall for a phishing scam or download malware, thinking the URL is safe because it came from a trusted source.

While it’s very unlikely that threat actors will register thousands of domains to capture a few victims, you only need one corporate employee to mistakenly install malware for an entire network to be affected.

Abuse of these domains is not theoretical, with cyber intel firm Silent Push Labs already discovering what appears to be a phishing page at microsoft-office[.]zip attempting to steal Microsoft Account credentials.

[Image: ZIP domain used for Microsoft Account phishing. Source: Silent Push Labs]

Cybersecurity researchers have also started to play with the domains, with Bobby Rauch publishing research on developing convincing phishing links using Unicode characters and the userinfo delimiter (@) in URLs.

Rauch’s research shows how threat actors can make phishing URLs that look like legitimate file download URLs at GitHub but actually take you to a website at v1.27.1[.]zip when clicked, as illustrated below.

https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1.27.1.zip
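As an added illustration (not from the article and not Rauch’s own code), the check below shows how a URL parser reads such a link and gives mail or chat filters a rule to flag it. It assumes the Unicode trick substitutes a lookalike such as U+2215 DIVISION SLASH for the real `/` characters so that the whole string up to `@` becomes userinfo; the sample URLs, the TLD list and the filename regex are constructed here.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample URLs (not copied from the article's screenshots).
# In DISPLAY_URL every '/' after the scheme is U+2215, so to a parser the
# authority runs all the way to "@v1.27.1.zip"; GENUINE_URL is a real GitHub link.
LOOKALIKE_SLASH = "\u2215"  # assumption: DIVISION SLASH, visually close to '/'
DISPLAY_URL = "https://" + LOOKALIKE_SLASH.join(
    ["github.com", "kubernetes", "kubernetes", "archive", "refs", "tags", "@v1.27.1.zip"]
)
GENUINE_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"

# TLDs that double as common file extensions (the two named in the article).
FILE_EXTENSION_TLDS = {"zip", "mov"}


def effective_host(url: str) -> Optional[str]:
    """Host the link really resolves to.  Everything before the last '@' in
    the authority is userinfo, which name resolution ignores."""
    return urlsplit(url).hostname


def suspicious_url_reasons(url: str) -> List[str]:
    """Reasons a link deserves review before it is rendered as clickable
    (empty list means none of the checks fired)."""
    parts = urlsplit(url)
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo (@) present in authority")
    if not parts.netloc.isascii():
        reasons.append("non-ASCII characters in authority")
    host = parts.hostname or ""
    tld = host.rsplit(".", 1)[-1]
    if tld in FILE_EXTENSION_TLDS:
        reasons.append(f"host ends in file-extension TLD .{tld}")
    return reasons


# A bare token such as "update.zip" that is not already part of a URL path.
FILENAME_RE = re.compile(r"(?<![\w./-])[\w.-]+\.(?:zip|mov)\b", re.IGNORECASE)


def linkifiable_filenames(text: str) -> List[str]:
    """Filenames in a message that an auto-linking client may turn into links
    to a .zip/.mov domain the author never intended to reference."""
    return FILENAME_RE.findall(text)


if __name__ == "__main__":
    for url in (GENUINE_URL, DISPLAY_URL):
        print(url, "->", effective_host(url), suspicious_url_reasons(url))
    print(linkifiable_filenames("Unzip update.zip, then play intro.mov"))
```

The lookalike URL resolves to `v1.27.1.zip`, not `github.com`, and trips all three checks, while the genuine link trips none.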

Conflicting opinions

These developments have sparked a debate among developers, security researchers, and IT admins, with some feeling the fears are not warranted and others feeling that the ZIP and MOV TLDs add unnecessary risk to an already risky online environment.

People have begun registering .zip domains that match common ZIP archive names, such as update.zip, financialstatement.zip, setup.zip, attachment.zip, officeupdate.zip, and backup.zip, to display information about the risks of ZIP domains, to RickRoll you, or to share harmless information.

Open source developer Matt Holt also requested that the ZIP TLD be removed from Mozilla’s Public Suffix List, a list of all public top-level domains to be incorporated in applications and browsers.

However, the PSL community quickly explained that while there may be a slight risk associated with these TLDs, they are still valid and should not be removed from the PSL as it would affect the operation of legitimate sites.

“Removing existing TLDs from the PSL for this reason would just be wrong. This list is used for many different reasons, and just because these entries are bad for one very specific use-case, they are still needed for (almost) all others,” explained software engineer Felix Fontein.

“These are legit TLDs in the ICP3 root. This will not proceed,” further shared PSL maintainer Jothan Frakes.

“Really, the expressed concerns are more of a glaring example of a disconnect between the developer and security community and domain name governance, where they would benefit from more engagement within ICANN.”

At the same time, other security researchers and developers have expressed that they believe the fears regarding these new domains are overblown.

https://twitter.com/ericlaw/status/1657377752779980804

When BleepingComputer contacted Google about these concerns, they said that the risk of confusion between file and domain names is not new, and browser mitigations are in place to protect users from abuse.

“The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip.

At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip. Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip. We will continue to monitor the usage of .zip and other TLDs and if new threats emerge we will take appropriate action to protect users.” – Google.

What should you do?

The reality is that you do not need to do anything beyond what you are already doing to protect yourself from phishing sites.

As everyone should already know, it is never safe to click on links from people or download files from sites you do not trust.

Like any link, if you see a .zip or .mov link in a message, research it before clicking on it. If you are still unsure if the link is safe, do not click on it.

By following these simple steps, the impact of the new TLDs will be minimal and not significantly increase your risk.

However, the exposure to these links will likely increase as more applications automatically turn ZIP and MOV filenames into links, giving you one more thing to be careful about when online.


Tags: ZIP domains


May 16 2023

HACK KEEPASS – EXTRACT KEEPASS MASTER PASSWORD FROM MEMORY USING THIS TOOL

Category: Password Security | disc7 @ 8:10 am

KeePass is free, open-source password manager software. It is a trusted companion for users of Windows, Linux, and Mac OS X, as well as users of mobile devices. However, a newly found security hole has brought attention to the program, demonstrating that not even the most secure systems are immune to security problems.

This security flaw, which has been given the identifier CVE-2023-32784, makes it possible to dump the user’s master password from memory even when the workspace is locked or the program is no longer running. The master password is the main key that unlocks the user’s database of passwords. A hostile actor with access to a memory dump could extract the plaintext master password from it. The affected versions are KeePass 2.x prior to 2.54. The dump might be a dump of the KeePass process, but it might also be a swap file, a hibernation file, or even a RAM dump of the whole system. The only minor solace in this situation is that the first character of the password cannot be reconstructed.

A researcher by the name of vdohney built a proof-of-concept tool, aptly named “KeePass Master Password Dumper,” to draw attention to this issue. The program clearly demonstrates how the master password, minus its first character, can be retrieved from KeePass’s memory. This can be done without executing any code on the targeted machine, and it works even if the workspace is locked or KeePass is no longer running.

For entering passwords, KeePass 2.x uses a text box built specifically for it, called SecureTextBoxEx. This text box is used not just for entering the master password, but also in other places in KeePass, such as password edit boxes (which means the attack may also be used to retrieve the contents of other password edit boxes).

The vulnerability being exploited here is that a leftover string is created in memory for each character that is entered. Because of the way .NET works, once a string instance has been created, it is very difficult to remove it from memory. For instance, when the word “Password” is entered, it leaves behind the following strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The proof-of-concept program searches the dump for these patterns and suggests a likely character for each position in the password.

The reliability of this attack varies with the manner in which the password was typed and the number of passwords entered within a single session. However, the way the .NET CLR allocates these strings means they are likely to be well ordered in memory, even if several passwords were used in one session or there were typos in them. So if three distinct passwords were entered, you have a good chance of getting three candidates for each character position, in that order, which lets you recover all three passwords.

Should You Be Concerned About This?
It depends on your threat model. This discovery does not make your situation significantly worse if your machine is already infected with malware running in the background with your user’s rights. On the other hand, unlike KeeTheft and KeeFarce, no process injection or other code execution is needed, which may make it simpler for malware to stay stealthy and evade antivirus software.

It might be a problem if you reasonably suspect that someone could gain access to your computer and carry out a forensic examination. Even if KeePass has been completely shut down or the workspace locked, the master password can still be recovered. This is the worst-case scenario.

If you have a clean machine and use full disk encryption with a strong password, you should be OK. This discovery does not enable anyone to steal your credentials remotely over the internet.

Tags: HACK KEEPASS, MASTER PASSWORD


May 15 2023

Salt Security Achieves AWS WAF Ready Designation

Category: App Security,Information Security,Web Securitydisc7 @ 9:30 am

Today, API security company Salt Security announced it is now an Amazon Web Service (AWS) Web Application Firewall (WAF) Ready Partner. This service helps customers discover Partner solutions validated by AWS Partner Network (APN) Solutions Architects that integrate with AWS WAF to accelerate adoption of an enhanced and holistic security approach. AWS WAF is available to all AWS customers and all AWS Regions and can be deployed directly from the AWS console.

This partnership differentiates Salt Security as an APN member with a product that works with AWS WAF and is generally available for AWS customers. AWS WAF Ready Partners help customers quickly identify easy-to-deploy solutions that can help detect, mitigate, and analyse some of the most common internet threats and vulnerabilities.

Today, businesses of all shapes and sizes are focused on ensuring that websites and applications are protected from external threats that can lead to a loss of revenue, loss of customer trust, and loss of brand reputation. Implementing a WAF can be a challenging task that requires deep security experience that can be expensive and hard to find in-house. AWS WAF Ready Partners offer customers a simpler solution to deploying and maintaining their application layer security solution through easy-to-deploy solutions in order to detect, mitigate, and analyze some of the most common internet threats and vulnerabilities.

Gilad Barzilay, head of business development, Salt Security said: “As an AWS Software Path Partner and member of AWS ISV Accelerate Program, Salt is proud to expand our existing relationship with AWS by becoming an AWS WAF Ready Partner. Many of our customers rely on Salt to secure their APIs on AWS. By achieving these designations, we make it easier and faster for businesses to protect the APIs running on their AWS environments. Our customers benefit from our unique cloud-scale API data lake architecture, which applies AI and ML for API discovery and threat protection.”

“Deploying the Salt platform took almost no effort,” said Jason Weitzman, senior application security engineer at Xolv Technology Solutions. “It integrated quickly with our existing Cloudflare, AWS, Jira and other systems. It also started identifying errors and delivering insights on how to craft better APIs within minutes.”

The Salt platform deploys out of band, to avoid any interference with application performance or availability. The Salt platform pairs with AWS WAF as an API traffic collection point and to block detected attackers. To support the seamless integration and deployment of solutions such as the Salt platform, AWS established the AWS Service Ready Program. The program helps customers identify solutions integrated with AWS services and spend less time evaluating new tools, and more time scaling their use of solutions that are integrated with AWS services.

APIs are a hot topic among cybersecurity professionals and C-suites at the moment due to their increasingly vital business roles. Earlier this year Salt released a new API report that showed a 400% Increase in Attackers, demonstrating the prevalence.

Security of services hosted in the Cloud with Le WAF: Web Application Firewall

 InfoSec tools | InfoSec services | InfoSec books

Tags: WAF, Web Application Firewall


May 14 2023

To enable ethical hackers, a law reform is needed

Category: Hackingdisc7 @ 10:22 am

Unfortunately, some laws restrict genuine security research. As we await the findings of UK Home Office’s review of the 1990 Computer Misuse Act, it’s time to rethink traditional approaches to security testing and for the UK government to support the case for ethical hacking proactively.

Why criminals have had the upper hand

Cybercriminals have had the advantage over businesses for too long. Poorly written code in old applications, unpatched software, and forgotten digital scaffolding accidentally left up after projects were completed are a few examples of how mistakes made years ago enable fresh attacks. However, it’s not just coding errors from the past that cause issues. Software is now dominated by open-source products; Synopsys detected at least one known open-source vulnerability in 84% of all commercial and proprietary code bases.

Although organizations have begun designing more robust security processes and testing throughout the software development lifecycle, it is often the same people who built the systems that are checking for issues. In addition, security activities tend to be siloed (e.g., we test an application but ignore the API). This reductionist view of cybersecurity all too often misses the bigger picture, but for a cyber attacker the whole is the goal.

The case for ethical hacking

What’s needed is fresh eyes and an outsider mentality to see where issues exist. This is where ethical hacking comes in. An organization can have a legion of external researchers on their side probing continuously for any weaknesses, uncovering vulnerabilities that automated scans and internal teams miss, performing recon to discover new insecure assets.

Like cybercriminals, hackers will also be leveraging tools such as publicly available Common Vulnerabilities and Exposures (CVE) databases. They go beyond CVEs in known applications to discover and examine hidden assets that potentially pose a greater risk. One-third of organizations say they monitor less than 75% of their attack surface and 20% believe over half of their attack surface is unknown or not observable. So, it’s easy to understand why cybercriminals with significant and often cheap labor power plus an array of techniques target unknown assets and regularly uncover exploitable vulnerabilities.

The way to keep pace and avoid burnout in internal security teams is to engage hackers to work on their behalf by setting up a vulnerability disclosure program (VDP).

The value of a vulnerability disclosure program (VDP)

VDPs are structured frameworks for security researchers to help proactively and continuously test internet-facing applications and infrastructure, documenting and submitting any found vulnerabilities. Program providers have amassed communities of ethical hackers and security researchers numbering in the hundreds of thousands, all with unique skill sets and perspectives to strengthen the security of an organization’s applications. Hackers perform ongoing tests in internet-facing assets including third-party software such as open-source libraries.

When a VDP is implemented, statistics indicate that over a quarter receive a vulnerability report within the first day of a program launch and new customers are notified of four high or critical vulnerabilities within their first month of use.

Therefore, ongoing feedback from hackers regarding the potential impact of vulnerabilities effectively extends the reach and knowledge of in-house security teams. Trying to deliver, and maintain, this breadth and depth of coverage in-house simply isn’t viable for most organizations.

Ethical hacking in practice

So, what does ethical hacking look like in practice? Programs offered by vulnerability disclosure platform providers can be tailored to meet all sizes and types of requirements.

The UK’s National Cyber Security Centre is leading the way with its vulnerability disclosure reporting program that covers its own website and extends to any online government site, as necessary.

Another government example is the Ministry of Defence (MoD), which has worked with the hacking community to build out its bench of technical talent and to bring more diverse perspectives to protecting and defending assets. This collaboration gave the MoD an understanding of where its vulnerabilities were, which is an essential step when working to reduce cyber risk and improve overall resilience.

Incentivizing hackers

Enterprises with large asset inventories could consider taking a further step in the form of a vulnerability rewards program (VRP) that offers financial incentives to report vulnerabilities. Businesses can invite hackers that specialize in specific technologies to participate, depending on the assets that are in scope for the program. By offering competitive rewards or bounties, companies will attract the top independent security talent worldwide.

If organizations are seen to provide more significant financial incentives for reporting vulnerabilities quickly and directly to them, then the value to cybercriminals of stockpiling vulnerabilities for future ransomware attacks will also diminish.

Reforming the law

Every digital organization operating in the UK should have a vulnerability disclosure program that can leverage the benefits of hacking.

To ensure encouragement and protection, the government needs to update the Computer Misuse Act (CMA). Currently, the CMA does not provide sufficient legal protections for good faith cyber vulnerability and threat intelligence research and investigation provided by UK-based cyber security professionals and hackers. We recommend the government revises the CMA to include a statutory defense for cyber security professionals who are acting in the public interest that defends them from prosecution by the state and from unjust civil litigation.

Tipping the balance towards safety

Outwitting cybercriminals remains a complex and burdensome task. Ethical hackers can help to tip the scales away from the bad actors for those organizations that are prepared to incorporate them into their security initiatives.

Supporting hackers financially and protecting them legally from misdirected prosecution will further increase the ever-growing community of hackers who are working to provide a safer internet for businesses and individuals.

Gray Hat Hacking: The Ethical Hacker’s Handbook


Tags: ethical hackers, Gray Hat Hacking


May 13 2023

WORST CAR COMPANY AWARD IN TERMS OF DATA SECURITY GOES TO TOYOTA AFTER LEAKING DATA OF MILLIONS OF CUSTOMERS FOR 10 YEARS

Category: cyber securitydisc7 @ 12:30 pm

Toyota Motor Corporation confirmed on Friday that vehicle data of 2.15 million customers in Japan, including customers of its premium brand Lexus, had been publicly accessible for almost a decade owing to “human error.” The statement was made in response to a report published on Friday. The incident, which affected virtually all customers who had registered for the company’s main cloud service platforms after 2012, was caused by a cloud system that had inadvertently been set to public rather than private. Customers who had signed up for the T-Connect service, which offers services such as AI voice-enabled driving assistance, automatic connection to call centers for vehicle management, and emergency support in the event of a car accident or sudden illness, were affected, as were users of the G-Link services for Lexus vehicles. According to the company, there have been no reports of malicious use, but information such as vehicle locations and the identification numbers of in-vehicle devices may have been exposed.

This incident comes to light as Toyota ramps up its efforts in vehicle connectivity and cloud-based data management in order to offer autonomous driving and other functions supported by artificial intelligence. Asked why it took Toyota so long to notice the error, a spokeswoman for the firm said, “There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public.” In other words, the company had no mechanisms or processes in place to detect whether data had become public. The problem first surfaced in November of last year and persisted through the middle of April of this year.

Japan’s Personal Information Protection Commission was made aware of the incident but, in keeping with its standard procedure, has chosen not to disclose further information at this time. Toyota has implemented safeguards to prevent unauthorized third parties from gaining access to the company’s data and is conducting a review of all cloud environments administered by Toyota Connected Corp. The incident follows a string of previous large data breaches in Japan, including one in March when mobile provider NTT DoCoMo revealed that data of up to 5.29 million users may have been compromised via a firm to which it had outsourced work.

The corporation said that it will be contacting individual consumers about the breach and that it has established a hotline for queries.

The problem comes after Toyota disclosed in October a separate data breach affecting T-Connect, which affected a far smaller number of customers.

In April, Toyota revealed that there had been security breaches at its headquarters in Italy, which might have resulted in the exposure of customer information.


Tags: Car hackers, Car Security, Secure cars


May 12 2023

USING NETGEAR’S NIGHTHAWK RAX30 ROUTER, HACKERS CAN SEE WHAT YOU DO ON INTERNET

Category: Hacking,Network securitydisc7 @ 10:38 am

The Internet of Things (IoT) has become an increasingly attractive target for cyber attacks in recent years, because IoT devices are connected to the internet, often have weak security, and are easily compromised. Pwn2Own Toronto, held last year, focused on hacking into IoT devices such as printers, routers, network-attached storage (NAS) devices, and smart speakers. The competition was organized by the Zero Day Initiative (ZDI), which aimed to draw attention to the vulnerabilities of IoT devices and encourage better security practices from manufacturers, and it invited skilled hackers to showcase their expertise in locating and exploiting flaws in the devices in scope. As part of their research and participation in the Pwn2Own Toronto competition in December of last year, Team82 disclosed five vulnerabilities in NETGEAR’s Nighthawk RAX30 routers.
If an exploit is successful, an attacker may be able to monitor the online activities of users, hijack users’ connections to the internet, and redirect traffic to malicious websites, as well as insert malware into network traffic.

These vulnerabilities might potentially be used by an attacker to obtain access to and manage networked smart devices (such as security cameras, thermostats, and smart locks), modify router settings (such as passwords or DNS settings), or exploit a network that has been hacked to launch attacks against other devices or networks.

NETGEAR products include a dedicated server known as soap_serverd that listens on port 5000 (HTTP) and port 5043 (HTTPS). This server exposes the router’s SOAP-based application programming interface (API).

The API lets users query the device and change its settings. The NETGEAR Nighthawk app for iOS and Android is the primary client that connects to this server. The vulnerabilities that were targeted are listed below.

Using CVE-2023-27357 (Sensitive Information Exposed Without Authentication), the researchers were able to extract the device serial number.

Using CVE-2023-27369 (an SSL read stack overflow), they were able to deliver an HTTPS payload without being constrained by size limits.

Using CVE-2023-27368 (an sscanf stack overflow), they were able to craft a payload large enough to overwrite the socket IP, bypass authentication, and obtain the device settings.

Using CVE-2023-27370 (plain-text secrets in the configuration), they were able to read the plain-text answers to the security questions and, together with the serial number obtained earlier, change the admin password.

Once the password had been changed, they were able to send a magic packet to the device to activate a limited telnet server. Using CVE-2023-27367 (a restricted shell escape), they then obtained root access and remote code execution on the device.

It is possible to compromise vulnerable RAX30 routers by chaining together these five CVEs. The most serious of these flaws allows for pre-authentication remote code execution on the device. NETGEAR has patched all five vulnerabilities uncovered by Team82, three of which were high-severity vulnerabilities that enable pre-authentication remote code execution, command injection, or authentication bypasses.
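The post names CVE-2023-27368 only as “an sscanf stack overflow”. As an added example for this page, not Team82’s research code and not NETGEAR’s firmware, the block below shows the general class of defect behind that label and its fix: a request handler that copies a field from an incoming request into a fixed-size stack buffer with an unbounded `sscanf` conversion, beside the hardened version that caps the width and rejects, rather than truncates, over-long values. The `Action=` field name, the 31-character limit and all function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not NETGEAR's code: the generic defect behind an "sscanf
 * stack overflow" and its fix. A request handler copies a field out of an
 * incoming request with sscanf into a fixed-size stack buffer. Without a
 * field width, sscanf writes as many bytes as the request supplies. The field
 * name "Action", the limits and the function names are our assumptions. */

#define FIELD_WIDTH 31                  /* longest accepted value */
#define FIELD_MAX   (FIELD_WIDTH + 1)   /* plus the terminating NUL */
#define STR_(x) #x
#define STR(x)  STR_(x)                 /* keeps the format width tied to FIELD_WIDTH */

/* VULNERABLE pattern: "%[^&]" has no upper bound, so an "Action" value longer
 * than FIELD_WIDTH overruns 'name' on the stack. Shown only for contrast;
 * never call it with untrusted input. */
int parse_action_unbounded(const char *request, char *out, size_t out_len)
{
    char name[FIELD_MAX];
    if (sscanf(request, "Action=%[^&]", name) != 1)   /* no width: overflow */
        return -1;
    strncpy(out, name, out_len - 1);
    out[out_len - 1] = '\0';
    return 0;
}

/* HARDENED: the width caps the copy at FIELD_WIDTH characters, and %n records
 * how far sscanf got, so an over-long value is detected and rejected rather
 * than silently truncated (truncation would still mean acting on a value the
 * client never sent). */
int parse_action_bounded(const char *request, char *out, size_t out_len)
{
    char name[FIELD_MAX];
    int consumed = 0;
    if (sscanf(request, "Action=%" STR(FIELD_WIDTH) "[^&]%n", name, &consumed) != 1)
        return -1;
    /* If the byte after the scanned value is neither end-of-string nor the
     * field separator, the value was longer than we allow. */
    if (request[consumed] != '\0' && request[consumed] != '&')
        return -2;
    if (strlen(name) + 1 > out_len)
        return -3;
    strcpy(out, name);
    return 0;
}

/* Constructed requests for demonstration; return values are checkable. */
int demo_normal_value(void)
{
    char out[FIELD_MAX];
    return parse_action_bounded("Action=GetInfo&Id=7", out, sizeof out) == 0
        && strcmp(out, "GetInfo") == 0;
}

int demo_overlong_value(void)
{
    char request[256] = "Action=";
    memset(request + 7, 'A', 200);      /* 200-character value, far past the limit */
    request[207] = '\0';
    char out[FIELD_MAX];
    return parse_action_bounded(request, out, sizeof out);   /* -2: rejected */
}

int demo_exact_limit(void)
{
    char request[64] = "Action=";
    memset(request + 7, 'B', FIELD_WIDTH);   /* exactly FIELD_WIDTH chars: allowed */
    request[7 + FIELD_WIDTH] = '\0';
    char out[FIELD_MAX];
    return parse_action_bounded(request, out, sizeof out) == 0
        && (int)strlen(out) == FIELD_WIDTH;
}

int main(void)
{
    char out[FIELD_MAX];
    parse_action_unbounded("Action=GetInfo&Id=7", out, sizeof out);
    printf("unbounded parser, short input: %s\n", out);
    printf("bounded parser: normal=%d overlong=%d at-limit=%d\n",
           demo_normal_value(), demo_overlong_value(), demo_exact_limit());
    return 0;
}
```

The `%n` check is what distinguishes a safe parser from a merely non-crashing one: a bare width specifier stops the overflow but lets an over-long value through as a truncated string, and the handler then acts on data the client did not send. The same pattern applies to any `%s` or scanset conversion that writes into a fixed buffer.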

Basic Router Security


Tags: Basic Router Security, NETGEAR’S NIGHTHAWK RAX30 ROUTER


May 11 2023

Millions of mobile phones come pre-infected with malware, say researchers

Category: Information Security,Malware,Mobile Securitydisc7 @ 12:03 pm

The threat is coming from inside the supply chain

BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.

The devices, mainly mobile phones but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easy to infiltrate.

“What is the easiest way to infect millions of devices?” posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.

He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.

The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.

“But of course there’s no free stuff,” said Yarochkin, who explained that the firmware started to come with an undesirable feature – silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.

The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.

    The objective of the malware is to steal info or make money from information collected or delivered.

    The malware turns the devices into proxies which are used to steal and sell SMS messages, social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.

    One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more.

    “The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

    Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.

    As for where the threats are coming from, the duo wouldn’t say specifically, although the word “China” showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.

    “Even though we possibly might know the people who build the infrastructure for this business, it’s difficult to pinpoint how exactly this infection gets put into this mobile phone because we don’t know for sure at what moment it got into the supply chain,” said Yarochkin.

    The team confirmed the malware was found in the phones of at least 10 different vendors, but said that around 40 more were possibly affected. Those seeking to avoid infected mobile phones could go some way toward protecting themselves by buying high-end devices.

    “Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.

    https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/

    #Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy


    Tags: Mobile phone security, Pegasus


    May 11 2023

    EASILY GET ROOT USER PRIVILEGES IN LINUX 6.3.1 USING THIS VULNERABILITY VIA EXPLOIT CODE

    Category: Linux Securitydisc7 @ 8:33 am

    The Linux kernel is the core of the Linux operating system. It manages system resources, delivers essential services, and ensures the overall stability of the system. As a result, any vulnerability inside the kernel can have major consequences and put the system’s security and integrity at risk. A serious security flaw, tracked as CVE-2023-32233, has been found in the Linux kernel. It makes it possible for locally authenticated users to gain additional rights on the system. The vulnerability is a use-after-free flaw in Netfilter nf_tables, the subsystem that manages the setup of firewall rules, triggered while processing batch requests: a locally authenticated attacker can obtain root privileges by submitting a specially crafted request. The underlying problem is that Netfilter nf_tables accepts certain improper modifications to its configuration.

    Security researchers Piotr Krysiuk and Piotr Krysiuk found the vulnerability and built an attack for it. The exploit makes it possible for local users without administrative privileges to launch a root shell by exploiting the problem. This attack was discussed in confidence with the Linux kernel security developers so that they may get assistance in developing a solution.

    An adversary might take advantage of this vulnerability in a particular situation by constructing an erroneous batch request that includes actions that lead to a corruption of the internal state of Netfilter nf_tables. Because of this, the attacker is granted the ability to obtain root access to the system and further elevate their privileges.

    The mainline kernel git repository now provides a patch that may be used to resolve the vulnerability that was discovered. Administrators and users of the system are strongly encouraged to deploy the patch as quickly as they can in order to prevent their systems from the possibility of being exploited.

    Multiple versions of the Linux kernel, including the most recent stable release, Linux 6.3.1, have been used to successfully replicate the issue. If this vulnerability is not fixed, it may be used by hostile actors to obtain unauthorized access to the system with elevated privileges. As a result, sensitive data may be compromised, and serious disruption may occur.

    Mastering Linux Security and Hardening: A practical guide to protecting your Linux system from cyber attacks


    Tags: LINUX 6.3.1, Mastering Linux Security, ROOT USER PRIVILEGES


    May 10 2023

    Microsoft Patch Tuesday for May 2023 fixed 2 actively exploited zero-day flaws

    Category: Zero daydisc7 @ 10:15 am

    Microsoft Patch Tuesday Security updates for May 2023 address a total of 40 vulnerabilities, including two zero-day actively exploited in attacks.

    Microsoft’s May 2023 security updates address 40 vulnerabilities, including two zero-day flaws actively exploited in attacks. The flaws affect Microsoft Windows and Windows Components; Office and Office Components; Microsoft Edge (Chromium-based); SharePoint Server; Visual Studio; SysInternals; and Microsoft Teams.

    Seven of the addressed vulnerabilities are rated Critical and 31 are rated Important in severity.

    The two actively exploited zero-day vulnerabilities addressed with the release of the Patch Tuesday security updates for May 2023 are:

    CVE-2023-29336 (CVSS 7.8) – Win32k Elevation of Privilege Vulnerability. This vulnerability is actively exploited in attacks. The flaw can be chained with a code execution bug to spread malware. The vulnerability was reported by researchers Jan Vojtěšek, Milánek, and Luigino Camastra from antivirus firm Avast, a circumstance that suggests it was used as part of an exploit chain to deliver malware.

    “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” reads the advisory.

    CVE-2023-24932 (CVSS 6.7) – Secure Boot Security Feature Bypass Vulnerability. An attacker with physical access or Administrative rights to a target device could install an affected boot policy and bypass Secure Boot. The flaw was reported by Martin Smolar from ESET and Tomer Sne-or from SentinelOne.

    Threat actors were spotted exploiting this flaw to install the BlackLotus UEFI bootkit.

    “To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy,” reads Microsoft’s advisory.

    The most severe vulnerabilities addressed by Microsoft are:

    • CVE-2023-24941 (CVSS 9.8) – Windows Network File System Remote Code Execution Vulnerability.
    • CVE-2023-24943 (CVSS 9.8) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability.

    Microsoft also addressed a remote code execution flaw in SharePoint Server, tracked as CVE-2023-24955, that was demonstrated by the Star Labs team at the Pwn2Own Vancouver 2023 exploit contest. The flaw was part of an exploit chain used to obtain code execution on the target server.



    May 09 2023

    7 Rules Of Risk Management For Cryptocurrency Users

    Category: Crypto,Information Securitydisc7 @ 3:30 pm

    Trading or investing in cryptocurrencies can be highly lucrative. But the extreme price movements often discourage beginners from buying cryptocurrencies. However, with a carefully charted risk management plan, it is possible to make gains and minimize losses.

    Here are the 7 golden rules of risk management for cryptocurrency traders.

    Diversify your portfolio

    One of the most effective risk management strategies for a cryptocurrency trader is to diversify your portfolio. Spread your investment across a few carefully chosen cryptocurrencies instead of putting all your money into just one. For instance, you might consider buying Kusama along with Bitcoin or Ethereum, after checking the Kusama price on that day.

    Set up your stop-loss orders

    A stop-loss order, in simple terms, is a preset order that will sell a part or all of the holdings automatically if the cryptocurrency price drops to some extent. It works like a safety net that helps in minimizing the loss for you, provided the market moves against you. When you set stop loss orders, you can reduce the losses and protect the investments. You need to put stop-loss orders at the proper levels.

    Use the proper position sizing

    Position sizing plays a crucial role in risk management. Position sizing means deciding how much of your portfolio to allocate to a specific trade. You have to use the correct position size to manage the risk well, and you need to ensure that you do not take on too much risk in a single trade, as that can lead to large losses. In simple terms, you should risk only 1 to 2% of the complete portfolio on one trade, so that even if there is a loss, it will not impact your portfolio to a great extent.

    Set only realistic profit goals

    When you have a clear profit goal in mind, you can manage risk to a great extent. You need to set realistic profit goals based on market trends and technical analysis. Avoid getting greedy and setting unrealistically high profit targets, which can lead to risky trading decisions. You have to ensure that you are disciplined, stick to the profit target, and lock in the gain at the right time.

    Do your own research (DYOR)

    Information and market sentiment play a crucial role in the cryptocurrency market, so you must have all the information regarding the trade and prices. When you have correct information on the latest developments and news, you can trade well. To have the correct information, you must do some research on all the cryptocurrencies that you are trading, such as the technology, market capitalization, trading volume and historical price performance.

    Consider using leverage with care

    Leverage lets you trade with a considerable amount of capital, more than what you actually hold. Leverage is a double-edged sword: it can lead to huge profits and huge losses alike.

    Even though leverage can help in improving your potential income, it can also increase the risk of losses to a great extent. You need to use leverage with a lot of care and thoroughly understand all the risks involved before you consider implementing it in your strategy.

    Lastly, you need to ensure that you keep your leverage high and have the right stop-loss orders whenever you are trading with leverage. This will help you in managing your risk well.

    Manage your emotions

    Emotions like fear or greed can have a significant impact on your decision-making process, and they can also lead to impulsive trading decisions. This can lead to risks unnecessarily, so it is essential for you to keep a check on your emotions and maintain a rational approach while you are trading. You need to ensure that you avoid making any impulsive decisions based on fear or greed and stick to your risk management plan. It is OK to take a step back and reconsider your emotions when you feel that your emotions are taking over. 

    In short, risk management is a critical element of cryptocurrency trading, considering the volatile nature of the market. When you follow these rules for risk management, you can indeed reduce your potential losses.


     InfoSec tools | InfoSec services | InfoSec books

    Tags: cryptocurrency, Cryptocurrency Risk Management


    May 08 2023

    1M NextGen Patient Records Compromised in Data Breach

    Category: Data Breach, HIPAA, Ransomware | disc7 @ 1:44 pm

    BlackCat ransomware operators reportedly stole the sensitive data.


    https://www.darkreading.com/application-security/1m-nextgen-healthcare-patient-records-stolen-

    A database containing the personal information of more than 1 million people was stolen from NextGen Healthcare, Inc., a provider of cloud-based healthcare technology.

    NextGen Healthcare provided a disclosure to the Maine Attorney General’s office that said the breach occurred on March 29 and lasted through April 14. The compromise was discovered on April 24, the company reported.

    The compromise occurred due to “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen,” the healthcare technology provider said.

    Samples of NextGen’s stolen data reportedly popped up on ransomware operator BlackCat’s leak site, but were later removed without explanation.

    NextGen’s disclosure indicated the database contained “name or other personal identifier in combination with Social Security Number.”

    NextGen had not responded to Dark Reading’s request for comment at the time of this post.

    NextGen Breach Follow-on Attacks Likely

    The NextGen breach poses a major threat to its victims, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

    “This is a massive cybercrime which will result in widespread identity theft,” Kellermann said in a statement provided to Dark Reading. “Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft for two reasons: first, they have woefully inadequate cybersecurity, and second, they store the most sensitive PII.”

    In 2021, there were more data breaches of healthcare-related organizations than any other sector, accounting for 24% of all cybersecurity incidents, according to Steve Gwizdala, vice president of healthcare at ForgeRock.

    “Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online — across the entire supply chain,” Gwizdala said in a statement.



    Tags: Patient Records Compromised


    May 08 2023

    RECONSHARK: NEW UNDETECTABLE RECONNAISSANCE TOOL USED BY CYBERCRIMINALS FOR HACKING

    Category: Cybercrime, Security Tools | disc7 @ 1:21 pm

    Kimsuky is an advanced persistent threat (APT) group that originates in North Korea and has a lengthy history of launching targeted attacks around the globe. Based on what is currently known about the group, it has mainly been tasked with conducting information gathering and espionage on behalf of the North Korean government since at least 2012. Over the years, Kimsuky targets have been spread across several nations in North America, Asia, and Europe. In its most recent efforts, the group has continued its strategy of worldwide targeting, centered on a variety of contemporary geopolitical concerns. The most recent Kimsuky lures, for instance, have centered on nuclear agendas between China and North Korea, which are pertinent to the continuing confrontation between Russia and Ukraine. In 2018, the group was seen deploying a malware family known as BabyShark, and the most recent observations show that the group has extended the malware with an enhanced reconnaissance capability. Experts refer to this component of BabyShark as ReconShark.

    During a recent campaign, Kimsuky targeted the employees of the Korea Risk Group (KRG), an information and analysis organization that specializes in subjects with both direct and indirect effects on the Democratic People’s Republic of Korea (DPRK). Kimsuky continues to employ phishing emails that the group has carefully crafted for the purpose of deploying ReconShark. Notably, the spear-phishing emails are created with a level of design quality customized for specific individuals, which increases the likelihood that the target will open the email. This involves using correct formatting, language, and visual cues so that the content seems authentic to readers who are not paying close attention. Both the targeted emails, which include links to download malicious documents, and the malicious documents themselves abuse the names of genuine people whose expertise is relevant to the subject matter of the lure, such as political scientists.

    Kimsuky’s malicious emails include a link that, when clicked, directs the recipient to a file that requires a password to open. Most recently, the group started hosting the infected document for download on Microsoft OneDrive, a cloud storage service. Exfiltrating information about the infected platform is the primary function of ReconShark. This includes information about running processes, the battery attached to the device, and the endpoint threat detection measures that have been deployed.

    As in earlier iterations of BabyShark, ReconShark relies on Windows Management Instrumentation (WMI) to query process and battery information. ReconShark does more than steal information; it also delivers additional payloads in a multi-stage process. These payloads may be built as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. The detection-mechanism processes active on a compromised computer are taken into account when ReconShark chooses which payloads to deliver.

    To avoid detection by static analysis, some ReconShark strings are encoded using a fairly simple cipher. Typically, the instructions or scripts contained in these strings download and/or run payloads. All of the infrastructure spotted as part of this campaign is housed on shared hosting provided by NameCheap, and the Kimsuky operators often used LiteSpeed Web Server (LSWS) to manage the malicious functionality. Kimsuky’s continual attacks and use of the novel reconnaissance tool ReconShark provide insight into the ever-changing nature of the North Korean threat environment. Organizations and individuals need to be aware of the tactics, techniques, and procedures (TTPs) used by North Korean state-sponsored APTs and take the required steps to defend themselves against attacks of this kind.



    Tags: RECONSHARK


    May 05 2023

    5 WAYS TO MAKE YOUR COMPANY WEBSITE MORE SECURE

    Category: Web Security | disc7 @ 9:48 am

    Your company website should be protected from bugs, hackers, and other online threats. If it isn’t, it might crash, your data will be put at risk, and the company might lose a lot of money. 

    WAYS TO MAKE A WEBSITE SECURE INCLUDE:

    • Using anti-malware.
    • Obtaining a Secure Sockets Layer (SSL) certificate.
    • Setting passwords that are tough to crack.
    • Keeping the site updated.
    • Controlling who can leave comments. 

    The first step is obtaining an SSL certificate. Anti-malware helps detect malicious agents and prevent attacks. 

    Make sure you look out for phishing emails and other scams. Finally, it might be a good idea to accept comments manually if you wish to enable this function on your site. Don’t forget to run regular backups.

    Below, each suggestion is explored in detail. 

    1. USE ANTI-MALWARE TOOLS

    Some providers of this type of software offer free plans, but the more effective ones are paid. They have features like malware detection and removal, web scanning, web application firewalls, DDoS protection, vulnerability patching, and PCI compliance. 

    If you choose a reliable hosting platform for your website, it will do all the work around your site’s security for you. Many hosting services provide anti-malware tools and devices as part of their plans.

    2. INSTALL AN SSL CERTIFICATE  

    There are a few ways to get SSL installed. Your hosting company might have a free certificate with your plan. Platforms like WordPress typically have this option too. A high-quality website builder will have free SSL. 

    Alternatively, you can opt for a basic Let’s Encrypt SSL and install it for free. However, an advanced certificate is imperative as a guarantee of the best security level possible. The prices of these certificates vary. You can purchase them from domain registrars and hosting providers. 

    The free SSL version might suffice for a startup or small company. However, if you’re processing large volumes of personal or financial data or operating a big online store, free SSL will not suffice for your needs.

    3. MAKE YOUR PASSWORDS STRONGER 

    It’s tempting to use simple but easy-to-guess passwords and passphrases. Never reuse a password across multiple profiles; instead, use a password manager and a unique password everywhere.

    You could combine a few random but memorable phrases or use a randomly generated character sequence. Use long passwords or passphrases, and don’t use personal information in them. 

    You can create a truly uncrackable password using the above and other tips. Of course, you should never share passwords with anyone. It would help if you changed them occasionally too. 

    4. DISABLE AUTOMATIC COMMENTS

    If you wish to enable comments on your company blog, don’t let visitors post comments directly. This makes you vulnerable to malicious links, on which other visitors to your site might click, thereby installing malware or exposing personal data. Sometimes, comments are just plain annoying.

    One option is setting up the website so that comments need to be manually approved before they appear. You can use an anti-spam plugin or software or obligate people to register to leave comments. 

    After a few weeks have passed, you could turn off comments on posts. 

    5. KEEP YOUR WEBSITE’S SOFTWARE UPDATED

    Most website builders handle security issues and software updates, so this shouldn’t concern you if you’re using a reputable one. 

    WordPress and other free platforms tend to leave updates to the user. It depends on what type of hosting you choose. Managed hosting is more expensive, but the hosting provider will run updates when necessary. Unmanaged hosting is more affordable, but you’ll be responsible for the updates for your core software as well as for any installed plugins. 


    Tags: COMPANY WEBSITE


    May 04 2023

    World Password Day: 2 + 2 = 4

    Category: Password Security | DISC @ 8:46 am

    World Password Day is always hard to write tips for, because the primary advice you’ll hear has been the same for many years.

    That’s because the “passwordless future” that we’ve all been promised is still some time away, even if some services already support it.

    Simply put, we’re stuck with the old, while at the same time preparing for the new.

    That’s why we’ve come up with four tips for 2023, but split them into two halves.

    Thus the headline: 2 + 2 = 4.

    We’ve got two Timeless Tips that you already know (but might still be putting off), plus two Tips To Think About Today.


    TIMELESS TIP 1. PASSWORD MANAGEMENT

    Use a password manager if you can.

    Password managers help you choose a completely different password for every site. They can come up with 20 random characters as easily as you can remember your cat’s name. And they make it hard to put the right password into the wrong site, because they can’t be tricked by what a site looks like. They always check the URL of the website instead.
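    The advice above, and the password section of the website post earlier on this page, comes down to two concrete choices: a long string of characters picked uniformly at random, or a passphrase made of several random words. The Python below is an added example, not code from the original posts; it generates both kinds with the standard-library `secrets` module (the OS CSPRNG) and computes the entropy of each so that the “20 random characters” figure can be compared with a four-word passphrase. The short word list is constructed for illustration only; a real generator would draw from a large published list, and the 7776-word size used in the comparison is an assumption (the size of EFF’s long diceware list).

```python
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols, the pool a password manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list for illustration only; a real passphrase generator
# should use a large published list (the comparison below assumes 7776 words).
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]


def random_password(length=20, alphabet=ALPHABET):
    """Uniformly random characters from the alphabet, chosen with the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=4, wordlist=SAMPLE_WORDS, sep="-"):
    """Several uniformly random words: memorable, and strong when the list is large."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(pool_size, picks):
    """Entropy in bits of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at the given offline guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = random_password(20)
    pp = random_passphrase(4)
    char_bits = entropy_bits(len(ALPHABET), 20)
    word_bits = entropy_bits(7776, 4)  # assumed 7776-word list, not SAMPLE_WORDS
    print("password:  ", pw, f"({char_bits:.1f} bits)")
    print("passphrase:", pp, f"({word_bits:.1f} bits if drawn from a 7776-word list)")
    # Assumed attacker rate of 1e10 guesses/s against a fast, unsalted hash.
    for bits in (char_bits, word_bits):
        print(f"{bits:.1f} bits -> {years_to_exhaust(bits, 1e10):.2e} years at 1e10 guesses/s")
```

    The point of the entropy figures is that strength comes from the size of the pool and the number of independent choices, not from how “complex” the result looks; a four-word passphrase from a 7776-word list is near 52 bits, while 20 random printable characters are about 131 bits, which is why password managers default to the latter and leave passphrases for the few secrets you must remember.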

    TIMELESS TIP 2. GO TWO-FACTOR

    Use 2FA when you can.

    2FA is short for two-factor authentication, where a password alone is not enough. 2FA often relies on one-time codes, typically six digits long, that you have to put in as well as your same-every-time password. So it’s a minor inconvenience for you, but it makes things harder for the crooks, because they can’t jump straight in with just a stolen password.


    TIP FOR TODAY 1. LESS IS MORE

    Get rid of accounts you aren’t using.

    Lots of sites force you to create a permanent account even if you only want to use them once. That leaves them holding personal data that they don’t need, but that they could leak at any time. (If sites can’t or won’t close your account and delete your data when asked, consider reporting them to the regulator in your country.)

    TIP FOR TODAY 2. REVISIT RECOVERY

    Revisit your account recovery settings.

    You may have old accounts with recovery settings such as phone numbers or email addresses that are no longer valid, or that you no longer use. That means you can’t recover the account if ever you need to, but someone else might be able to. Fix the recovery settings if you can, or consider closing your account (see previous tip).


    And with that, Happy World Password Day, everybody 🌻



    Tags: The Vault, world password day


    May 03 2023

    What Is ISO 27001 And How To Go About It The Right Way

    Category: ISO 27k | DISC @ 11:10 pm

    What is ISO 27001?

    ISO 27001 is a globally recognized standard on information and cyber security. By being compliant with this standard, you are operating in accordance with globally identified best practices. By being ISO 27001 certified, you’re not only operating in accordance with it, but you will also receive a clear stamp as evidence to your customers and other stakeholders that you are working aligned with security best practices.

    Common Trap When Pursuing ISO 27001

    Often, companies that want to pursue ISO 27001 quickly drop the idea when they start looking into the standard. This is because they fall into the trap of starting with the controls as specified in ISO 27002. When you focus only on the controls and implementation guidance, it can feel overwhelming and frustrating: you will notice that much of the implementation guidance does not make sense for your company, and you may be under the impression that you are required to follow all of it in order to become compliant or go for certification.

    This is false!

    Falling into this trap, you are missing out on the core purpose of the standard. It is not about implementing all the controls and all the guidance you get from the standard – it is about building a functional management system that is aligned with your company context – it is about understanding the issues and risks you as a company are facing, and taking the appropriate measures to protect your assets and information.

    How To Go About It The Right Way!

    You should always start by focusing on the standard clauses in ISO 27001 that provide clear guidance on how to build a functional management system, when this is done correctly the controls will fall into place in the correct order at the right time in accordance with your company context and the risks that you as a company need to manage.

    When people say that small companies should not pursue ISO 27001 because it is too complex and has too many requirements, the above is the reason why it does not have to be.

    All companies should prioritize and have a functional management system on how they secure their own company and the company assets. Protecting your values is a crucial element to stay in business!

    Make sure you understand your company and your needs, and avoid looking at other companies and the measures they have taken to protect themselves and thinking that you have to do the same. Make your management system your own; build it so that it is designed to protect your assets. This way, you will have greater success, and security will not be something that is forced on your company but a tool that helps you work more efficiently and securely.

    Summary

    To sum it up, ISO 27001 is a great standard to pursue both for small and large organizations.

    Make sure you understand the purpose of the standard, and as a result implement a management system that is a perfect fit for your organization for long term success. ISO 27001 done right will result in a more secure and effective company that will again support the main goal of business continuity.



    What is BS ISO/IEC 27001:2022 – Expert Commentary about?
    BS ISO/IEC 27001:2022 is the third edition of this standard. It technically revises, cancels, and replaces the Second Edition – ISO/IEC 27001:2013 (also published as BS EN ISO/IEC 27001:2017). BS ISO/IEC 27001:2022 presents the requirements for an information security management system (ISMS). An ISMS assists an organization to preserve the confidentiality, integrity, and availability of information, in the face of an ever-changing threat landscape, no matter the source of risk. Thus, it deals with threats that can be technological, human, physical and environmental in nature.

    The standard requires an organization to adopt a risk management framework to determine the necessary information security controls best suited to their business needs and risk appetite. To help organizations ensure that they have not inadvertently omitted any necessary control, the framework uses a reference set of controls (BS ISO/IEC 27001, Annex A), which also facilitates reliable comparisons to be drawn between organizations. The level of change incorporated into the revised version of the standard is medium.

    The main changes compared to the previous edition are:

    • a fully revised reference information security control set (Annex A), which now aligns with ISO/IEC 27002:2022, and
    • alignment with the revised harmonized structure (HS) for management system standards.



    Tags: ISO 27001:2022, ISO 27002 2022

