InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
OpenAI has recently released GPT-4, a powerful new AI model that can understand both images and text. The company describes it as the next milestone in its effort to scale up deep learning.
ChatGPT launched in November 2022 and has since been used by millions of people worldwide. GPT-4 is now available through ChatGPT Plus, OpenAI’s paid subscription tier, at $20 per month.
Usage is currently capped, however, and developers who want API access must join a waitlist.
GPT-4 can also handle several tasks at once and accepts inputs of up to 25,000 words, eight times more than ChatGPT.
Pricing & Implementation
Pricing is as follows:
1,000 “prompt” tokens (raw text), roughly 750 words, cost $0.03.
1,000 “completion” tokens (raw text), roughly 750 words, cost $0.06.
Prompt tokens are the word fragments fed into GPT-4 as input; completion tokens are the content GPT-4 generates in response.
Microsoft, whose investment in OpenAI amounts to $10 billion, recently announced that its Bing Chat chatbot is running on GPT-4.
Stripe, another early adopter, uses GPT-4 to scan business websites and summarize the results for its customer service staff.
Duolingo has built a new language-learning subscription tier on GPT-4, and Morgan Stanley is creating a GPT-4-powered system to give financial analysts access to information retrieved from company documents.
Khan Academy also appears to be using GPT-4 to automate some form of tutoring for students.
GPT-4 was given a simulated bar exam and performed particularly well, scoring around the top 10% of test takers; GPT-3.5, by contrast, scored in the bottom 10%.
GPT-4 Action
GPT-4, like ChatGPT, is a form of generative AI: using its learned model and predictive text, it constructs content from the prompts a user supplies.
As the image below shows, GPT-4 can generate recipes from uploaded photos.
GPT-4’s reasoning is more advanced than ChatGPT’s. For example, to find available meeting times it can work through three people’s schedules and find three open slots.
In short, GPT-4 is much smarter and more capable than GPT-3.5. Its ability to accept and process both text and images is one of its most impressive features.
OpenAI customers cannot yet use GPT-4’s image-understanding capability; OpenAI is currently testing it with a single partner, Be My Eyes.
OpenAI has warned that, like its predecessors, GPT-4 is still not entirely reliable. Improving it, the company says, will take the whole community building on the model, exploring it, and contributing to it.
There is still a lot of work to be done, and the company affirmed that it looks forward to working with others to improve it.
Apache HTTP Server is one of the most widely used web servers in the world, powering millions of websites and applications. Two significant vulnerabilities recently found in it can disclose sensitive information and make further attacks easier; both are described below. Upgrade Apache HTTP Server to the latest release promptly to protect your systems against them.
The first is an HTTP request splitting vulnerability, CVE-2023-25690, affecting Apache HTTP Server versions 2.4.0 through 2.4.55. It arises when mod_proxy is enabled together with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches part of the user-supplied request-target (URL) and the matched data is then re-inserted into the proxied request-target through variable substitution. A remote attacker can use this to split or smuggle requests, bypass access controls on the proxy, route unintended URLs to existing origin servers, and poison caches.
The second vulnerability affects Apache HTTP Server versions 2.4.30 through 2.4.55. It is triggered by unusual characters in a header of the origin server’s response, which can truncate or split the response sent to the client; an attacker could exploit it to inject their own headers into the request and cause the server to produce a split response.
Guardio Labs has discovered a Chrome extension that promises quick access to ChatGPT but actually steals Facebook accounts and establishes hidden account backdoors.
Its use of a maliciously installed Facebook app “backdoor” that grants the threat actors super-admin powers stands out.
“By hijacking high-profile Facebook business accounts, the threat actor creates an elite army of Facebook bots and a malicious paid media apparatus,” Guardio Labs reports.
“This allows it to push Facebook paid ads at the expense of its victims in a self-propagating worm-like manner.”
Tactics Employed By This Powerful Stealer
The Guardio Labs research team discovered a new version of the malicious fake ChatGPT browser extension, now updated with an alarming technique for taking over Facebook accounts and a sophisticated worm-like propagation method.
Advertised through Facebook-sponsored posts, the malicious stealer extension, dubbed “Quick access to Chat GPT”, is promoted as a fast way to launch ChatGPT straight from your browser.
Malicious Sponsored Posts on Facebook leading to the Malicious “FakeGPT” extension
Although the extension does deliver that (simply by connecting to the official ChatGPT API), it also harvests whatever data it can from the browser, steals cookies from active sessions to any service you are logged into, and uses targeted techniques to take over your Facebook account.
Two fake Facebook applications, portal and msg kig, maintain backdoor access and give the attackers full control of the targeted profiles; adding these apps to the Facebook accounts is fully automated.
DISC performs vendor assessments, and we’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com) or through our website’s contact form.
Businesses from all industries are aware of the benefits of cloud computing. Some organizations are just getting started with migration as part of digital transformation initiatives, while others are implementing sophisticated multi-cloud, hybrid strategies. However, data security in cloud computing is one of the most challenging deployment concerns at any level due to the unique risks that come with the technology.
The cloud erodes the conventional network perimeter that guided cybersecurity efforts in the past. Data security in cloud computing therefore needs a distinct strategy, one that accounts for the complexity of data compliance, governance, and security structures as well as the risks.
The Shifting Business Environment and Its Effects on Cloud Security
The top investment businesses implementing digital transformation initiatives plan to make over the next three years is bolstering cybersecurity defenses. The rising trend of remote and hybrid workplaces is driving a paradigm shift in cybersecurity and altering investment priorities.
Cloud computing provides the underlying technology for this transition, as organizations want to increase resilience and people want the freedom to work from anywhere. Yet the lack of built-in security safeguards in many cloud systems highlights the need for data security in cloud computing.
What Is Cloud Data Security?
Cloud data security involves adopting technological solutions, policies, and processes to safeguard cloud-based systems and apps and the data and user access that go with them. The fundamental tenets of information security and data governance apply to the cloud as well:
Confidentiality: protecting data from unauthorized access and disclosure.
Integrity: preventing unauthorized changes to the data so that it can be trusted.
Accessibility: making sure the data is fully accessible and available when it is needed.
Cloud data security must be taken into account at every stage of cloud computing and the data lifecycle, including during the development, deployment, and administration of the cloud environment.
Data Risks in Cloud
Cloud computing has revolutionized the way data is gathered, stored, and processed, but it has also introduced new risks to data security. As more organizations rely on the cloud, cyberattacks and data breaches have become the biggest threats to data protection. While cloud technology is subject to the same cybersecurity risks as on-premises solutions, it poses additional risks to data security.
Application Programming Interfaces (APIs) with Security Flaws
Security flaws in APIs used for authentication and access are a common risk associated with the cloud. Attackers can exploit these flaws to gain unauthorized access to sensitive data. Common issues include insufficient or improper input validation and weak authentication mechanisms. APIs can also be vulnerable to denial-of-service (DoS) attacks, causing service disruptions and data loss.
Account Takeover or Account Hijacking
Account takeover or hijacking is a common threat in cloud computing, where hackers gain unauthorized access to user accounts and can steal or manipulate sensitive data. Hackers can gain access to cloud accounts due to weak or stolen passwords used by users. This is because users often use simple, easy-to-guess passwords or reuse the same password across multiple accounts. Once a hacker gains access to one account, they can potentially access other accounts that use the same password.
Insider Risks
Insider threats are a significant concern in cloud computing due to the lack of visibility into the cloud ecosystem. Cloud providers typically have a vast and complex infrastructure, which can make it challenging to monitor user activity and detect insider threats. Insider threats can occur when insiders, such as employees, contractors, or partners, intentionally or unintentionally access or disclose sensitive data.
Security Measures Protecting Data in Cloud Computing
Identity governance is the first step in securing data in the cloud. You need a thorough, unified view across all of your on-premises and cloud platforms, workloads, and data access. The following measures build on that foundation.
Install Encryption
Encryption is an essential security measure for protecting sensitive and important data, including Personally Identifiable Information (PII) and intellectual property, both in transit and at rest.
Third-party encryption solutions can offer additional layers of security and flexibility beyond what cloud service providers (CSPs) provide. For example, some offer more robust encryption algorithms or the ability to encrypt data before it is uploaded to the cloud. They can also provide granular access controls, enabling organizations to determine who can access specific data and under what circumstances.
Archive the Data
Backing up cloud data is critical for data protection and business continuity. The 3-2-1 rule is a best practice, involving having at least three copies of the data, stored in two different types of media, with one backup copy stored offsite. Businesses should have a local backup in addition to the cloud provider’s backup, providing an extra layer of protection in case the cloud provider’s backup fails or is inaccessible.
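The 3-2-1 rule and the extra recommendation above (a local backup independent of the cloud provider’s own backup) can be checked mechanically against a backup inventory. This is an added example, not code from the post; the inventory format, the dataclass fields and the placeholder holders cloud-a and org are assumptions, and it treats the primary data as one of the three copies, which is the usual reading of the rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str      # storage type, e.g. "object-storage", "local-disk", "tape"
    holder: str      # who controls the copy: a cloud provider or the organization itself
    offsite: bool    # kept at a different site/region from the primary data


def check_321(copies):
    """Evaluate the 3-2-1 rule plus the extra recommendation of a backup
    independent of the cloud provider. `copies` includes the primary data,
    which counts as one of the three copies."""
    media = {c.medium for c in copies}
    holders = {c.holder for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "independent_of_provider": len(holders) >= 2,
    }


def satisfies_321(copies):
    return all(check_321(copies).values())


def missing_controls(copies):
    """Names of the conditions that fail, sorted for stable reporting."""
    return sorted(k for k, ok in check_321(copies).items() if not ok)


# Constructed inventories; "cloud-a" and "org" are placeholder holders.
COMPLIANT = [
    BackupCopy("primary-db", "object-storage", "cloud-a", offsite=False),
    BackupCopy("cloud-a-snapshot-other-region", "object-storage", "cloud-a", offsite=True),
    BackupCopy("on-prem-nightly", "local-disk", "org", offsite=True),
]

# Only the provider's own same-region snapshot: fails every condition,
# which is exactly the case the text warns about.
PROVIDER_ONLY = [
    BackupCopy("primary-db", "object-storage", "cloud-a", offsite=False),
    BackupCopy("cloud-a-snapshot-same-region", "object-storage", "cloud-a", offsite=False),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("provider-only", PROVIDER_ONLY)):
        verdict = "ok" if satisfies_321(inventory) else f"missing {missing_controls(inventory)}"
        print(label, "->", verdict)
```

The check only confirms that copies exist in the right places; restore testing, which tells you whether a copy is actually usable, is a separate exercise.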
Put Identity and Access Management (IAM) into Practice
Identity and Access Management (IAM) is essential for securing cloud resources and data. IAM components in a cloud environment include identity governance, privileged access control, and access management such as SSO or MFA. To make IAM effective in the cloud, organizations must include cloud resources in their IAM framework, create appropriate policies and procedures, and regularly review and audit those policies and procedures.
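The “regularly review and audit IAM policies” step can be partly automated. The following added example (not from the post or any vendor) reviews constructed AWS-style policy documents for the findings a reviewer looks for first: statements that allow every action or every action in a service, statements that apply to every resource, and broad permissions that lack an MFA condition. The policy contents, bucket name and policy names are placeholders; aws:MultiFactorAuthPresent is the real AWS condition key for an MFA-authenticated session.

```python
# Constructed AWS-style policy documents for illustration; bucket names and
# policy names are placeholders, not from any real account.
POLICIES = {
    "admin-everything": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "reader-with-mfa": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
    "service-wildcard-no-mfa": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
    },
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def requires_mfa(statement):
    """True when the statement only applies to MFA-authenticated sessions."""
    cond = statement.get("Condition", {})
    flag = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(flag).lower() == "true"


def review_policy(name, document):
    """Return (policy name, statement index, finding) tuples for Allow statements."""
    findings = []
    for i, stmt in enumerate(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        full_wildcard = "*" in actions
        service_wildcard = any(a.endswith(":*") for a in actions)
        if full_wildcard:
            findings.append((name, i, "allows every action"))
        elif service_wildcard:
            findings.append((name, i, "allows every action in a service"))
        if "*" in resources:
            findings.append((name, i, "applies to every resource"))
        if (full_wildcard or service_wildcard) and not requires_mfa(stmt):
            findings.append((name, i, "broad permissions without MFA condition"))
    return findings


def review_all(policies):
    findings = []
    for name, doc in policies.items():
        findings.extend(review_policy(name, doc))
    return findings


if __name__ == "__main__":
    for policy, idx, finding in review_all(POLICIES):
        print(f"{policy} statement {idx}: {finding}")
```

Run against an export of your account’s customer-managed policies, the output is a worklist for the periodic review; it deliberately ignores Deny statements and NotAction forms, which need a human reader.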
Control Your Password Rules
Poor password hygiene is a common cause of security events. Password management software can help users create, store and manage strong, unique passwords for each account, making it easier to follow safe password procedures. This can encourage better password hygiene and reduce the risk of password-related security incidents.
Use Multi-factor Authentication (MFA)
Multi-factor authentication (MFA) is a security mechanism that adds a layer of protection beyond traditional password-based authentication. It reduces the impact of stolen credentials and makes it harder for threat actors to gain unauthorized access to cloud accounts.
MFA is particularly valuable in cloud environments, where many employees and contractors may access cloud accounts from various locations and devices. However, it is important to ensure that it is implemented correctly, easy to use, and integrated with existing security infrastructure and policies.
Summary
The more you use the cloud, particularly a hybrid multi-cloud, the more complex your environment becomes. Data security in cloud computing is essential for reducing the risks to your business and safeguarding not just your data but also your brand’s reputation.
Consider deploying solutions for controlling cloud access and entitlements to protect yourself from the always-changing cloud risks. For a thorough approach to identity management, incorporate these solutions into your entire IAM strategy as well.
A complete, identity-centered solution ensures that you consistently enforce access control and apply governance more wisely, whether your data is on-premises or in the cloud. You will also benefit from automation and other improvements that increase identity efficiency and save expenses.
Security risk assessment services are crucial in the cybersecurity industry as they help organizations identify, analyze, and mitigate potential security risks to their systems, networks, and data. Here are some opportunities for providing security risk assessment services within the industry:
Conducting Vulnerability Assessments: As a security risk assessment service provider, DISC can conduct vulnerability assessments to identify potential vulnerabilities in an organization’s systems, networks, and applications, and then provide recommendations to mitigate them and enhance the organization’s overall security posture.
Performing Penetration Testing: Penetration testing involves simulating a real-world attack on an organization’s systems and networks to identify weaknesses and vulnerabilities. As a security risk assessment service provider, DISC can perform penetration testing to identify potential security gaps and provide recommendations to improve security.
Risk Management: DISC can help organizations identify and manage risks associated with their information technology systems, data, and operations. This includes assessing potential threats, analyzing the impact of these threats, and developing plans to mitigate them.
Compliance Assessment: DISC can help organizations comply with regulatory requirements by assessing their compliance with industry standards such as ISO 27001, HIPAA, or NIST-CSF. DISC can then provide recommendations to ensure that the organization remains compliant with these standards.
Cloud Security Assessments: As more organizations move their operations to the cloud, there is a growing need for security risk assessment services to assess the security risks associated with cloud-based systems and applications. As a service provider, DISC can assess cloud security risks and provide recommendations to ensure the security of the organization’s cloud-based operations.
Security Audit Services: DISC can provide security audit services to assess the overall security posture of an organization’s systems, networks, and applications. This includes reviewing security policies, processes, and procedures and providing recommendations to improve security.
By providing these services, DISC can help organizations identify potential security risks and develop plans to mitigate them, thereby enhancing their overall security posture.
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com) or through our website’s contact form.
Contact DISC InfoSec if you need further assistance with your ISO 27001:2022 transition plan.
As threats to both data security and personal privacy pile up, fighting back has never been more important. The Deeper Connect Pico packs both privacy tools and cybersecurity protection into a unit you can drop into your pocket.
The Pico is easy to install, taking just a minute to set up and connect. Because it is a hardware tool, there are no subscriptions to manage or add-ons to buy, and it requires no updates: it is built as a plug-and-play device and comes with a wireless adapter.
Powered from any USB source and drawing only 1 W, it weighs just 0.11 lb and measures 3.4 inches long by 1.2 inches wide. The brushed aluminum casing is rugged and discreet, so you can throw it in your bag, hang it off your keychain, or keep it in your pocket.
Once connected, the Pico puts an enterprise-grade seven-layer firewall between you and snoops and malicious actors. Running on an onboard quad-core ARM processor, powerful enough to do blockchain work while you are idle, the firewall blocks common attacks and alerts you when they occur so you can take further action.
Also built into the hardware is an ad blocker that cuts off certain attacks and guards your privacy. It’s backed up by one-click parental control, so kids can log onto public networks while you keep the rules in place.
Providing extra security, the decentralized private network (DPN) uses other Picos as nodes for its network, with smart routing, multi-routing, and other functions across an ever-changing network that adds an extra layer of obfuscation for would-be snoops.
The world is becoming more complex, with more risks to your data when you connect to public networks. This hardware cybersecurity and VPN tool takes the worry out of connecting with others.
“Learning is an experience. Everything else is just information.”
The quote implies that true learning is not just about acquiring information but also experiencing it in a way that creates a deeper understanding and meaning.
Learning involves more than just memorizing facts or acquiring knowledge. It requires actively engaging with the material, processing it, and making connections between different concepts. When we experience something, we engage with it on a deeper level, and this can lead to a more meaningful and lasting learning experience.
For example, imagine learning a new language by simply memorizing vocabulary words and grammar rules without ever actually practicing the language with native speakers or immersing oneself in the culture. In contrast, if we actively engage with the language by speaking it, listening to it, and experiencing the culture, we are more likely to develop a deeper understanding and appreciation for the language.
Therefore, while information is necessary for learning, it is not sufficient on its own. To truly learn and understand something, we must engage with it and experience it in a meaningful way.
Looking to enhance your Linux skills? Practical examples to build a strong foundation in Linux – credit: Ramesh Nararajan
The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.
Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members’ personally identifiable information (PII) available for sale on the “Breached” criminal forum.
The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.
DC Health Link: A Significant Breach
In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.
“The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web,” Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link’s plans to notify affected individuals and offer credit monitoring services for them.
Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.
A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for “an undisclosed amount in Monero cryptocurrency.” Interested parties are asked to contact the sellers via a middleman for details.
IntelBroker’s Resume of Previous Breaches
This is not the first big heist for the group: in February, a threat actor using the same moniker claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed through the service.
Security vendor BitDefender, which covered the incident on its blog at the time, published an ad that IntelBroker placed on BreachedForums in which the attacker boasted of obtaining full names, email addresses, phone numbers, and even order notes that included apartment and building access codes.
Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill, says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. “IntelBroker is a highly active Breached member with a 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware,” Strand says.
IntelBroker’s use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor’s previous tactics. It suggests either a lack of resources or inexperience on the individual’s part, Strand says.
“In addition to IntelBroker’s presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper,” he tells Dark Reading.
In November, IntelBroker claimed to have used Endurance to steal data from high-level US government agencies, Strand notes. In total, the threat actor has made some 13 claims of breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.
“Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker,” Strand says.
Is House Members’ PII a National Security Threat?
Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor’s reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).
The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.
“The amount tells you a great deal about who they may be thinking of in terms of buyers,” he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But “you start talking millions, they are clearly then catering to nation-state buyers,” he says.
Fier assesses the data the threat actor stole on US House members as potentially posing a national security issue. “We shouldn’t only think external nation-states that might want to purchase this,” Fier says. “Who is to say that other political parties and/or activists couldn’t weaponize it?”
Akamai reported that on February 23, 2023, at 10:22 UTC, it mitigated the largest DDoS attack ever. The attack traffic peaked at 900.1 gigabits per second and 158.2 million packets per second. The record-breaking DDoS was launched against a Prolexic customer in Asia-Pacific (APAC).
“On February 23, 2023, at 10:22 UTC, Akamai mitigated the largest DDoS attack ever launched against a Prolexic customer based in Asia-Pacific (APAC), with attack traffic peaking at 900.1 gigabits per second and 158.2 million packets per second.” reads the post published by Akamai.
The company pointed out that the attack was intense and short-lived, with most attack traffic bursting during the peak minute of the attack. The overall attack lasted only a few minutes.
Akamai mitigated the attack by redirecting the malicious traffic through its scrubbing network.
Most of the malicious traffic (48%) was handled by scrubbing centers in the APAC region, but the company says all 26 of its centers carried load, with a single center in HKG alone handling 14.6% of the total traffic.
Akamai states that there was no collateral damage thanks to its defense.
The previous record-breaking distributed denial of service attack mitigated by Akamai hit a company customer in Europe in September 2022. At the time, the malicious traffic peaked at 704.8 Mpps and appeared to originate from the same threat actor behind another record-breaking attack that Akamai blocked in July against the same customer.
In January, Microsoft announced that its Azure DDoS protection platform has mitigated a record 3.47 Tbps attack that targeted one of its customers with a packet rate of 340 million packets per second (pps).
The attack took place in November and hit a customer in Asia; it originated from approximately 10,000 sources in multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan.
The 3.47 Tbps attack was the largest Microsoft has mitigated to date and is likely the largest ever recorded.
A surge of cybersecurity incidents and a general feeling of work overload is leading to widespread burnout among IT security professionals, two surveys indicated.
A Cynet survey of chief information security officers (CISOs) at small to midsize businesses found nearly two-thirds (65%) said their ability to protect their organization is compromised by an overwhelming workload, with nearly 100% admitting they need additional resources.
The stress levels are affecting entire IT security teams, with nearly three-quarters (74%) of CISOs surveyed admitting they have lost team members because of work-related stress issues.
Nearly half (47%) of these CISOs have had more than one team member exit their role over the last 12 months.
Burning Out and Fading Away
Respondents to a Magnet Forensics survey said the rapid evolution of cybercrime is weighing on security teams substantially more than it did last year, leading to widespread burnout. Alert and investigation fatigue are twin contributing factors, the survey revealed.
The study also revealed that the evolving nature of threats is extending response times beyond what they feel is acceptable—43% of respondents said it takes them between one week and more than a month.
Nearly a third of respondents said that identifying the root cause of an incident requires either a “complete overhaul” or “major improvements” in the organization’s threat posture.
“We’re seeing a direct correlation between burnout and the increased activity of cybercriminals who are relying on more complex strategies and bombarding organizations with more attacks,” explained Adam Belsher, CEO of Magnet. “New cybersecurity regulations also impacted our respondents who said they’re now under increased pressure to get answers faster.”
He pointed out that a global talent shortage resulted in hiring challenges, and that digital forensics and incident response practitioners (DFIR) find themselves in a difficult situation.
“They need to respond to more incidents, get answers faster and do so while knowing no reinforcements are on the way,” Belsher noted. “It’s no surprise that they’re burned out.”
George Tubin, director of product marketing for Cynet, added that what stood out most is what a vicious cycle this work-related stress is. Their stress at work spills over into their personal lives, which increases their stress at work—and repeat.
“Because of their workload and stress, these CISOs said they’re missing vacations and private events and they’re also losing their tempers with family and friends. This only exacerbates their stress levels,” he says.
In addition, 80% of them have received complaints about how they handled security tasks and two-thirds said their ability to protect their organizations is compromised due to work overload and stress.
More Cybersecurity Staff Needed to Combat Burnout
The Cynet survey also asked CISOs whether they need more people, and the general consensus is that they could use 30% more staff.
They also said they’ve compromised on hiring decisions because it’s so hard to find good cybersecurity people.
“But, when we asked them what initiatives could help them reduce stress levels, rather than say hire more, more CISOs stated technology consolidation and automation, as well as outsourcing,” Tubin says. “Cybersecurity technology has become so complicated and so expensive that the cure is almost as bad as the disease.”
Belsher noted that each factor contributing to the burnout of DFIR practitioners is out of their hands.
“They can’t control how often cybercriminals attack their organizations or the methods they use,” he said. “Cybercriminals have continued to find new threat vectors and ways to scale the volume of their attacks. That won’t change in 2023.”
That means organizations must adapt to this threat landscape beyond trying to hire themselves out of this problem.
“If we maintain the status quo, burnout will only get worse,” he says. “Automation is essential to scaling the capacity of DFIR teams.”
Tubin agreed, noting that a couple of the survey questions asked respondents to compare the past year with previous years; the results were either consistent or slightly worse.
“Unless these security leaders can somehow relieve their stress, mainly through simplifying and automating their cybersecurity technology, I expect the situation to get worse before it gets any better,” he said.
He added that CEOs and the board should be concerned about the threat of burnout, especially considering that this stress is leading to a degradation in security outcomes that increases risk for the organization.
“CEOs and board members should proactively reach out to their security leaders to discuss ways to reduce stress and improve the company’s security posture,” he advised.
Belsher pointed out that cybersecurity and IT personnel can’t tackle burnout alone.
“Mental health is a company-wide imperative that executives, HR departments and all people leaders should play an active role in addressing,” he said.
It is possible to use AI for offensive security, just as it is possible to use any technology for malicious purposes. However, the use of AI for offensive security raises significant ethical concerns and legal considerations.
AI could be used to automate and scale attacks, such as phishing, malware propagation, or social engineering. It could also be used to analyze large amounts of data to identify vulnerabilities or weaknesses in security systems, and to develop targeted attacks.
However, the use of AI for offensive security could also have unintended consequences, such as collateral damage or false positives. Furthermore, it raises concerns about accountability and responsibility, as it may be difficult to trace the origin of an attack that is automated and conducted by a machine learning system.
Overall, the use of AI for offensive security is a complex and controversial issue that requires careful consideration of the ethical and legal implications. It is important to always use technology responsibly and ethically.
ChatGPT is just the tip of the iceberg! 15 artificial intelligence tools that may be useful to you:
1. Midjourney: a tool that creates images from textual descriptions, similar to OpenAI’s DALL-E and Stable Diffusion.
2. RunwayML: Edit videos in real time, collaborate and take advantage of over 30 magical AI tools.
3. Otter AI: Transform audio into text with high accuracy. Use this tool for meeting notes, content creation and much more.
4. Copy.AI: This is the first copywriting platform powered by artificial intelligence. This tool helps generate content for websites, blog posts, or social media posts, helping increase conversions and sales.
5. Murf AI: Convert text to audio and generate studio-quality narrations in minutes. Use Murf’s realistic AI voices for podcasts, videos and all your professional presentations.
6. Flow GPT: Share, discover and learn about the most useful ChatGPT prompts.
7. Nocode.AI: The Nocode platform is a way to create AI solutions without ever writing a single line of code. It’s a great way to quickly test ideas, create new projects, and launch businesses and new products faster.
8. Supernormal: This tool helps create incredible meeting notes without lifting a finger.
9. TLDRthis: This AI-based website helps you summarize any part of a text into concise and easy-to-digest content, so that you can rid yourself of information overload and save time.
10. TheGist: Summarize any Slack channel or conversation with just one click! This AI analyzes Slack conversations and instantly creates a brief summary for you.
11. Sitekick: Create landing pages with AI by telling it what you want via text.
12. Humanpal: Create avatars with ultra-realistic human appearances!
13. ContentBot: Write content for articles, ads, products, etc.
14. Synthesia: Create a virtual presenter that narrates your text for you. Synthesia is a video creation platform using AI. It’s possible to create videos in 120 languages, saving up to 80% of your time and budget.
15. GliaCloud: This tool converts your text into video. Generate videos for news content, social media posts, live sports events, and statistical data in minutes.
With the rise of online commerce, digital marketing, online data storage and internet communication, big and small businesses should already know the importance of cybersecurity. Statistics report that more than 50% of cyberattacks happen every week to different companies worldwide. Inadequate cybersecurity precautions increase the risk of security breaches and of a company losing its customers’ sensitive or confidential data. For this reason, entrepreneurs and business owners from all industries must implement a robust security information and event management (SIEM) strategy in their companies.
What Is SIEM?
SIEM is a technological security solution that provides a comprehensive view of all data and activities happening in an IT infrastructure. It monitors network activities and detects unusual or suspicious behaviours to mitigate cyberattacks. As many businesses expand their IT systems and networks, new risks emerge with this growth. These risks often include potential compliance breaches and increased exposure to cybercriminals.
You must have an efficient Security Operations Center (SOC) to implement SIEM technology in your organisation. The SOC is responsible for managing all the security monitoring and analysing the data gathered from the SIEM platform.
Suppose you don’t have a SOC yet. You can work with services like Castra or any managed security operations agency that can work for your company. You’ll work with a team of experts who proactively monitor your business’s security 24/7, giving you peace of mind that your organisation and its highly sensitive data are always protected.
Both the SIEM and SOC are crucial to each other. Without SIEM, the SOC will have difficulty monitoring your company’s IT infrastructure. And without SOC, no experts will be there to analyse the data gathered from the SIEM tool.
What Are The Main Roles Of SIEM?
There’s a lot more to this cybersecurity solution than simply detecting abnormalities and suspicious activities in all your network applications. To learn more, here are the primary roles of SIEM that will significantly benefit your business:
1. Log Collection And Management
SIEM solutions will collect and analyse event data from different sources across your company’s network and IT infrastructure to gain better network visibility. SIEM analyses various applications, external and internal technologies, multiple cloud environments and even logs from different users in real time. This process makes it easier for the SOC or security experts to manage the company’s network flow from one centralised location.
This increase and improvement in network visibility also helps reduce false positive alerts. All potential cyber threats and issues are catalogued according to their type, status and severity. This categorisation makes it easier for the security team to identify and review false and true security alerts.
2. Event Correlation and Analytics
Another role that SIEM plays in effective log analysis is employing event correlation, forensics and analytics. These processes are necessary to quickly detect cyberattacks and data breaches in real time and mitigate threats to business security. With this function, SIEM can eliminate the need for manual processes, significantly improving the IT security experts’ mean time to detect (MTTD) and mean time to respond (MTTR) against any cyberattack.
3. Incident Tracking and Security Alerts
SIEM’s centralised network management can be an efficient tool for incident tracking and security alerts. This solution enables security and IT experts to identify and track all entities across all connected applications, devices and users from one platform.
This tool also has customisable and predefined correlation rules where the management or business administrators can be alerted immediately in case of any cyberattack. This way, they can take the necessary actions before the threat worsens into more complicated and dangerous security issues.
For example, suppose the SIEM detects a potential cyber threat on one of your employees’ computers. Instead of someone manually checking that computer and running security tests, the SIEM automatically raises the alert and applies security controls to stop the suspicious activity from progressing. This significantly reduces the time the security team needs to deal with the concern.
Furthermore, SIEM’s incident management will help ensure that the compromised, corrupted, or attacked data/device will be quarantined, along with its malicious codes. This will prevent the cyberattack from spreading and attacking more devices, avoiding large-scale breaches.
Regardless of how small or big your organisation is, SIEM is highly effective in protecting your network from ever-evolving threats. Most importantly, your company can customise this solution to meet your business’s requirements.
4. Compliance Management and Reporting
Most organisations from different industries must report different forms of regulatory compliance. Since SIEM is an efficient tool for collecting and verifying various data from the company’s entire infrastructure, this makes SIEM a popular choice for retrieving compliance reports.
SIEM can produce real-time compliance reports for various compliance standards. It also spares the security team from manually creating reports, which are prone to inaccuracy.
Conclusion
SIEM allows businesses and organisations to protect their networks and IT infrastructures from various security challenges. Its comprehensive security surveillance and other major roles for your company make SIEM a worthy investment for your organisation.
There are many web vulnerability scanners available on the market and their performance varies widely. Here we show you how you can quickly and objectively evaluate web vulnerability scanners, to help you find the best product for detecting security issues in your web applications.
Evaluating a web vulnerability scanner can be a complex task, but here are some key factors to consider:
Accuracy: The most important factor to consider is the accuracy of the scanner. A good scanner should be able to detect all types of vulnerabilities accurately, without generating false positives or negatives.
Coverage: The scanner should be able to scan all areas of the web application, including dynamic and static content, as well as all types of input fields, including cookies and hidden fields.
Speed: The scanner should be fast and efficient, with the ability to scan large web applications quickly.
Ease of use: The scanner should be easy to use, with a user-friendly interface and clear reporting of vulnerabilities.
Reporting: The scanner should generate detailed reports of vulnerabilities, with clear descriptions of each vulnerability, its severity, and recommendations for remediation.
Integration: The scanner should be able to integrate with other tools, such as bug tracking systems and penetration testing tools.
Support: The vendor should provide good technical support and regularly update the scanner with new vulnerability signatures and features.
It’s also important to test the scanner against known vulnerabilities to see how it performs in real-world scenarios. Additionally, comparing multiple scanners against the same web application can help identify strengths and weaknesses of each scanner.
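The last paragraph recommends testing scanners against known vulnerabilities and comparing several scanners on the same application. The following Python script is an added example (not from the original article) of how to make that comparison objective: a constructed ground truth of planted vulnerabilities, two hypothetical scanner reports whose vendor labels and URLs differ, a normalisation step, and precision, recall and F1 per scanner. All paths, labels and scanner names are invented for the illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed ground truth: vulnerabilities deliberately planted in a test
# application (hypothetical paths and classes, not from any real product).
KNOWN_VULNS = {
    ("/login", "sqli"),
    ("/search", "xss"),
    ("/profile", "idor"),
    ("/upload", "unrestricted-upload"),
    ("/api/users", "info-disclosure"),
}

# Constructed raw reports from two hypothetical scanners run on the same app.
# Vendors label the same class differently and report full URLs.
SCANNER_REPORTS = {
    "scanner_a": [
        {"url": "http://app.test/login", "type": "SQL Injection"},
        {"url": "http://app.test/search?q=1", "type": "Reflected XSS"},
        {"url": "http://app.test/search?q=2", "type": "Reflected XSS"},  # duplicate
        {"url": "http://app.test/profile", "type": "IDOR"},
        {"url": "http://app.test/contact", "type": "XSS"},               # false positive
    ],
    "scanner_b": [
        {"url": "http://app.test/login", "type": "sqli"},
        {"url": "http://app.test/search", "type": "Cross-Site Scripting"},
        {"url": "http://app.test/upload", "type": "Unrestricted File Upload"},
        {"url": "http://app.test/api/users/", "type": "Information Disclosure"},
        {"url": "http://app.test/contact", "type": "XSS"},               # false positive
        {"url": "http://app.test/about", "type": "CSRF"},                # false positive
    ],
}

# Map vendor labels onto the classes used in the ground truth.
LABEL_MAP = {
    "sql injection": "sqli", "sqli": "sqli",
    "cross-site scripting": "xss", "reflected xss": "xss", "xss": "xss",
    "insecure direct object reference": "idor", "idor": "idor",
    "unrestricted file upload": "unrestricted-upload",
    "information disclosure": "info-disclosure",
    "cross-site request forgery": "csrf", "csrf": "csrf",
}


@dataclass(frozen=True)
class Metrics:
    true_positives: int
    false_positives: int
    false_negatives: int
    precision: float
    recall: float

    @property
    def f1(self):
        if self.precision + self.recall == 0:
            return 0.0
        return 2 * self.precision * self.recall / (self.precision + self.recall)


def normalize(raw_findings):
    """Collapse a raw report into a set of (path, class) pairs so duplicates and
    query strings do not inflate the count; unknown labels are kept as-is."""
    normalized = set()
    for finding in raw_findings:
        path = urlparse(finding["url"]).path.rstrip("/") or "/"
        key = finding["type"].strip().lower()
        normalized.add((path, LABEL_MAP.get(key, key)))
    return normalized


def evaluate(raw_findings, known=KNOWN_VULNS):
    """Score one scanner report against the planted vulnerabilities."""
    found = normalize(raw_findings)
    tp = len(found & known)
    fp = len(found - known)
    fn = len(known - found)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return Metrics(tp, fp, fn, precision, recall)


def rank_scanners(reports, known=KNOWN_VULNS):
    """Order scanners by F1, which balances false positives against misses."""
    return sorted(reports, key=lambda name: evaluate(reports[name], known).f1, reverse=True)


def main():
    for name in rank_scanners(SCANNER_REPORTS):
        m = evaluate(SCANNER_REPORTS[name])
        print(f"{name}: TP={m.true_positives} FP={m.false_positives} FN={m.false_negatives} "
              f"precision={m.precision:.2f} recall={m.recall:.2f} f1={m.f1:.2f}")


if __name__ == "__main__":
    main()
```

The normalisation step matters more than it looks: without it, a scanner that reports the same reflected XSS once per query string would appear to have found more, and differences in vendor naming would be counted as misses. Keep the ground truth in a separate file the scanners cannot see, and re-run the comparison whenever a vendor ships new signatures.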
A cybersecurity operations center protects organizations and their customers’ sensitive business data. It ensures active monitoring of the business’s valuable assets, with visibility, alerting and investigation of threats, and a holistic approach to managing risk.
The analytics service can be in-house or a managed security service. Collecting event logs and analyzing them against real-world attacks is the heart of the security operations center.
Events – The security operations center
Events are generated by systems: error codes, and the events devices emit when their normal function succeeds or fails. Event logging therefore plays an important role in detecting threats. An organization typically runs many instances and flavors of Windows, Linux, firewalls, IDS, IPS, proxies, NetFlow, ODBC, AWS, VMware and so on.
These devices track attackers’ footprints as logs and forward them to SIEM tools for analysis. In this article, we will see how events are pushed to the log collector. To know more about Windows events or event IDs, refer here.
Log Collector
The log collector is a centralized server that receives logs from any device. Here I have deployed the Snare Agent on a Windows 10 machine, so we will collect Windows event logs and detect attacks on the Windows 10 machine using the Snare Agent.
Snare is a SIEM (Security Information and Event Management) solution for log collection and event analysis on various operating systems (Windows, Linux and Apple OS X), and its database agent supports events generated by Microsoft SQL Server. It is available as both Enterprise and open source agents.
Snare Installation
For demo purposes I have used no credentials, but it is always recommended to use strong passwords so the logs cannot leak.
Snare Web interface:-
By default, snare will run at Port 6161.
A random port can also be chosen with TCP or UDP or TLS/SSL Protocols.
Snare will ask for credentials to log in. Here I have given no authentication.
The below figure shows the snare agent install success and provides additional details on screen.
Network & File Destination Configuration
Our Windows 10 machine has started sending event logs to the Snare console.
Snare console is running at localhost and collecting logs from a windows machine.
NOTE: Logs can be sent to a centralized server that then pushes them to the SIEM (this method is used to reduce the load on the SIEM), or Snare logs can be sent directly to the SIEM (viable if your SIEM has enough storage for short- and long-term log retention). Either way, configure your SIEM with the Snare port details; the test connection should succeed before logs are collected.
So you can change the network destination IP to the SIEM IP or the log collector IP.
The figure above shows the destination configured as localhost, collecting and storing event logs in one of several formats: SNARE, SYSLOG, CEF (Common Event Format) or LEEF (Log Event Extended Format).
By default, it collects logs and saves them to a file in Snare format, and the logs are forwarded to the SIEM.
Access Configuration
Web server port, authentication for console access, and Web server Protocol can be easily defined according to your environment.
The figure above shows a configuration with web server port 6161, Snare agent port 6262 and HTTP as the web server protocol, for demo purposes. It is recommended to install a certificate so logs are forwarded over a secure connection.
Objective Configuration
Objectives group events into categories such as Windows logon/logoff, access to a file or directory, security policy changes, and system restart and shutdown.
Modify or delete specific events to assign a priority (Critical, High, Low or Information).
Audit Service Statistics
The Audit Service ensures Snare is connected and sending logs to the SIEM.
It shows the daily average bytes of events transmitted to the SIEM.
In case of network failures, the SOC administrator can check the status of the service.
Security Certification – The security operations center
To encrypt the connection, generate a self-signed certificate for the web UI and the Snare agent, and enable certificate validation for the network destination, establishing a secure way of forwarding logs to the SIEM.
Restart-Service
If the SIEM has not been collecting event logs from the Snare agent for a while, it is time to troubleshoot and retrieve the logs from the Snare server.
The above figure shows Snare services are restarted successfully.
Events – The security operations center
Windows 10 is now forwarding event logs to your deployed SIEM; the events can also be viewed in the Snare console.
You cannot open the Snare console every time and hunt for intrusions in your environment by hand; for that reason, logs are forwarded to the SIEM, whose intelligence detects attacks.
The SIEM becomes intelligent enough to trap attackers when you build effective correlation rules.
The figures above show Event ID 4625, a failed password attempt on the Windows 10 machine, followed by a successful 4689 event.
NOTE: The figures above show failed attempts followed by a successful login.
Correlation rule & Incidents
The correlation engine is where defensive rules are written to detect attackers; each rule that fires becomes a unique incident.
Example: Assume you are writing a rule for a brute-force attempt. A brute-force attempt consists of repeated login attempts against the server, each with a different password.
As per the NOTE above: failed attempts followed by a successful login.
Correlation Rule: failed password attempts + followed by a successful login = Brute-force (Incident)
Your customer environment is now ready for a known use case (brute-force detected); you can also write your own use cases and deploy them in your SIEM to detect sophisticated cyberattacks!
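The correlation rule above (and the event correlation role described in the SIEM article earlier on this page) can be made concrete in a few dozen lines. The Python script below is an added example, not part of the original article and not Snare or any SIEM vendor's code: it parses a constructed set of Windows Security events in a simple CSV form (timestamp, event ID, account, source IP), keeps a sliding window of failed logons per account and source, and raises one incident when a success follows at least five failures inside the window. It assumes the standard Windows Security log IDs 4625 (failed logon) and 4624 (successful logon); the accounts and addresses are invented, and the threshold and window are tunables you would set per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events as CSV lines:
# timestamp,event_id,account,source_ip. Hypothetical accounts and
# documentation-range IP addresses; not real log data.
SAMPLE_EVENTS = """\
2023-03-20T10:00:01Z,4625,alice,203.0.113.7
2023-03-20T10:00:03Z,4625,alice,203.0.113.7
2023-03-20T10:00:05Z,4625,alice,203.0.113.7
2023-03-20T10:00:06Z,4625,alice,203.0.113.7
2023-03-20T10:00:08Z,4625,alice,203.0.113.7
2023-03-20T10:00:09Z,4624,alice,203.0.113.7
2023-03-20T10:05:00Z,4625,bob,198.51.100.2
2023-03-20T10:05:30Z,4624,bob,198.51.100.2
2023-03-20T10:10:00Z,4625,dave,203.0.113.9
2023-03-20T10:10:10Z,4625,dave,203.0.113.9
2023-03-20T10:10:20Z,4625,dave,203.0.113.9
2023-03-20T10:10:30Z,4625,dave,203.0.113.9
2023-03-20T10:10:40Z,4625,dave,203.0.113.9
2023-03-20T10:20:00Z,4624,dave,203.0.113.9
2023-03-20T11:00:00Z,4625,carol,192.0.2.9
2023-03-20T11:00:05Z,4625,carol,192.0.2.9
2023-03-20T11:00:10Z,4625,carol,192.0.2.9
2023-03-20T11:00:15Z,4625,carol,192.0.2.9
2023-03-20T11:00:20Z,4625,carol,192.0.2.9
"""

FAILED_LOGON = 4625       # standard Windows Security log event IDs
SUCCESSFUL_LOGON = 4624


def parse_events(text):
    """Turn CSV lines into (time, event_id, account, src_ip) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), account, src))
    return sorted(events)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Rule: at least `threshold` failed logons for the same (account, source)
    within `window`, followed by a successful logon from that pair -> incident."""
    failures = defaultdict(deque)   # (account, src) -> timestamps of recent failures
    incidents = []
    for when, eid, account, src in events:
        recent = failures[(account, src)]
        # expire failures that fell out of the window relative to this event
        while recent and when - recent[0] > window:
            recent.popleft()
        if eid == FAILED_LOGON:
            recent.append(when)
        elif eid == SUCCESSFUL_LOGON and len(recent) >= threshold:
            incidents.append({
                "rule": "brute-force",
                "account": account,
                "source_ip": src,
                "failed_attempts": len(recent),
                "first_failure": recent[0].isoformat(),
                "success_at": when.isoformat(),
            })
            recent.clear()   # one incident per burst, not one per later success
    return incidents


def main():
    for incident in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(incident)


if __name__ == "__main__":
    main()
```

The sample is chosen to show the edge cases a rule like this must get right: bob's single typo before a good login is not an incident, carol's burst of failures with no success is not caught by this rule (it needs a separate failed-only rule if you want it), and dave's five failures are ignored because the success comes ten minutes later, outside the window. Only alice's sequence matches, which is the page's "failed attempts followed by a successful login".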
LayerX has published its annual browser security report in which the company highlights the most prominent browser security risks of 2022. The report includes predictions and recommendations for 2023 as well.
The report focuses on Enterprise environments, but several of its key takeaways apply to small business and home environments as well. The browser security threats of 2022 make up the largest part of the document, but users find predictions, recommendations and an interesting monthly overview of major security events in the report as well.
The nine major threats that LayerX identified in 2022 were the following ones:
Phishing attacks via high reputation domains.
Malware distribution via file sharing systems.
Data leakage through personal browser profiles.
Outdated browsers.
Vulnerable passwords.
Unmanaged devices.
High-risk extensions.
Shadow SaaS.
MFA bypass with AiTM attacks.
Some of these are quite clear, others may require explanation. For phishing attacks, the researchers discovered that threat actors are hosting phishing URLs on legitimate SaaS platforms at an alarming rate. The rate of phishing attacks that use these legitimate platforms has increased by 1100% when compared to 2021, according to a Palo Alto Networks study.
LayerX conducted tests on how well browsers and network security tools protected against 1-day phishing sites. According to the test, the best performing browser had a catch rate of just 36%. Network security software blocked 48% of threats.
Similarly, malware is distributed via sanctioned services such as Google Drive and Microsoft OneDrive, to overcome blocks that may be in place for lesser known services and sites.
An analysis of data leakage in browsers concluded that 29% of users connected work browsers to personal profiles, and that 5.8% of identities were exposed in data breaches.
Outdated browsers are another threat to security, according to LayerX’s report. An analysis of 500 Chrome browsers revealed that a good number were either critically outdated or vulnerable to 1-day attacks.
Weak passwords and the reuse of passwords continue to be major issues. According to LayerX’s report, 29% of users use weak or medium strength passwords, and 11% of users reuse passwords regularly. The company noticed that 29% of browser profiles were personal and set to sync.
Web browser extensions are another attack vector, as they “can grant excessive permissions once installed”. A recent Incogni study found that almost half of the analysed browser extensions posed either a high security or privacy risk.
The report includes an overview of browser security highlights of the year 2022. It is an interesting account that lists major security events in 2022. Some of these involved attacks, like the January 2022 video player attack that stole credit card information from over a hundred sites. Others highlight security advances, like the passwordless logins announcement by major tech companies in May, or the end of Internet Explorer in June.
The report ends with four predictions and recommendations. Predictions include that browsers will become “the main attack surface”, that attacks will “be increasingly SaaS-based and less file-based”, and that malicious web pages “will become more sophisticated”.
Closing Words
The report offers insights on the browser threat landscape of 2022, and how threats will evolve in 2023 and beyond. While most of it is aimed at Enterprise and large business environments, it may still be of interest to home users and small businesses alike.
The recommendations focus on SaaS and Enterprise-grade protections, but all users may use the listed threats to improve security. For example, outdated browsers may be updated more frequently, and weak or reused passwords may be replaced with unique strong passwords.
The report is available for download here, but a short form needs to be filled out before the download link is made available.
Chief information security officers (CISOs) are senior-level executives responsible for overseeing an organization’s information security strategy and operations. They are responsible for identifying, evaluating and mitigating security risks and ensuring the organization’s information assets are protected from cyber threats and attacks.
CISOs play a critical role in protecting an organization’s valuable information assets. As such, they must possess a strong understanding of the latest threats and technologies in the cybersecurity landscape. They must also have strong leadership and communication skills and the ability to work effectively with other organizational executives and stakeholders. But why are they often forced to also play the role of firefighter?
When a CISO is referred to as a “firefighter,” it typically means that they are spending a significant amount of time responding to security incidents and putting out fires rather than being able to focus on proactively preventing those incidents from occurring in the first place. Here are some reasons why a CISO may become a firefighter:
1. Lack of resources: A CISO may not have sufficient resources (e.g., budget, staff, or technology) to implement a comprehensive cybersecurity program effectively. This can lead to security incidents that require a reactive response.
2. Insufficient risk management: A CISO may not have a robust risk management program in place, which means that security incidents are more likely to occur. Without proper risk management, a CISO may be caught off guard by security incidents and have to react quickly to mitigate the damage.
3. Lack of security awareness: Employees may not be properly trained on cybersecurity best practices, which can lead to security incidents such as phishing attacks or malware infections. When employees are unaware of the risks, they may inadvertently engage in behaviors that put the organization at risk.
4. Rapidly evolving threat landscape: Cyberthreats constantly evolve, so a CISO must be vigilant and adapt to new threats. If a CISO is not proactive in staying up-to-date with the latest threats, they may be caught off guard when a new threat emerges.
5. Organizational culture: The organizational culture may not prioritize cybersecurity, making it difficult for a CISO to implement a comprehensive cybersecurity program. If the organization does not prioritize cybersecurity, it may not allocate sufficient resources to the CISO to effectively prevent security incidents.
To avoid being a firefighter, a CISO must take proactive measures to prevent security incidents from occurring. This includes implementing a comprehensive cybersecurity program, conducting regular risk assessments and educating employees on cybersecurity best practices. By taking a proactive approach, a CISO can reduce the likelihood of security incidents and spend less time reacting to them.
It is important to note that being a firefighter is not necessarily negative, as incident response is a critical component of a comprehensive cybersecurity strategy. While it is important for CISOs to be proactive in identifying and mitigating potential threats, it is also crucial for them to respond quickly and effectively when incidents occur.
Ideally, CISOs should be able to balance their time between proactive prevention efforts and reactive incident response. This requires having a comprehensive security program in place, including technical controls, policies, procedures and employee training programs. By taking a holistic approach to cybersecurity, CISOs can work to reduce the number and severity of security incidents they need to respond to and shift their focus more towards proactive prevention.
Application Programming Interfaces (APIs) are an essential component of most modern programs and applications. In fact, cloud and mobile applications now rely heavily on APIs because they are designed to control various elements. Many large companies have hundreds or even thousands of APIs built into their infrastructure, and the number of API interfaces will only increase over time.
It’s important to keep your website or web applications foolproof against malicious activities. What you need to do is to use some security testing tools to identify and measure the extent of security issues with your web application(s).
The primary function of security testing is to exercise a web application under observation and find as many security issues as possible that could potentially lead to a compromise. All of this is done without access to the source code. To prevent API vulnerabilities and weaknesses, security testing is critical. API security testing ensures APIs work as designed and can only do what they are intended to. A particular tool might be the best choice for one company but not another, depending on their respective needs. Below is a list of open source API testing tools. As per cyber security course experts, although open source tools, as a rule, do not have the same support as commercial platforms, experienced developers can easily deploy them, often for free, to increase the security level of their APIs.
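To show what "can only do what they are intended to" looks like as a concrete black-box check, here is an added Python example that is not from the original article or from any of the tools listed below. It starts a tiny stand-in API on localhost (a hypothetical service with bearer tokens and per-user records, constructed for the demo) and then runs the kind of authorisation checks an API security test performs from the outside: missing or invalid tokens must be rejected, a user may read their own record, and a user must not be able to read another user's record. Tokens, users and paths are all invented.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the system under test. Hypothetical tokens and
# records; a real test would point at a staging deployment instead.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
RECORDS = {"alice": {"email": "alice@example.com"}, "bob": {"email": "bob@example.com"}}


class TargetAPI(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        user = TOKENS.get(token.strip())
        parts = self.path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "users":
            return self._send(404, {"error": "not found"})
        if user is None:
            return self._send(401, {"error": "unauthenticated"})
        if parts[1] != user:          # object-level authorisation check
            return self._send(403, {"error": "forbidden"})
        return self._send(200, RECORDS[user])

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server():
    """Serve the stand-in API on an ephemeral localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), TargetAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def get_status(base, path, token=None):
    """Issue a GET as an external client would and return the HTTP status."""
    req = Request(base + path)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_security_checks(base):
    """Black-box checks: name -> True if the observed status matches the expected one."""
    expectations = {
        "no_token_rejected": (401, get_status(base, "/users/alice")),
        "invalid_token_rejected": (401, get_status(base, "/users/alice", "token-nobody")),
        "own_record_allowed": (200, get_status(base, "/users/alice", "token-alice")),
        "other_users_record_blocked": (403, get_status(base, "/users/bob", "token-alice")),
        "unknown_route_not_found": (404, get_status(base, "/admin", "token-alice")),
    }
    return {name: expected == observed for name, (expected, observed) in expectations.items()}


def run_demo():
    server, base = start_server()
    try:
        return run_security_checks(base)
    finally:
        server.shutdown()


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The "other_users_record_blocked" check is the one most often missing from functional test suites: the API works perfectly for the happy path and still leaks every user's data to any authenticated caller. Wiring a handful of checks like these into the CI/CD pipeline, as the Astra and Karate descriptions below suggest, catches that regression before it ships.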
TAURUS
Taurus makes it possible to turn standalone API testing programs into an ongoing testing process. At first look, the tool is easy to use: the user installs it, creates a configuration file and lets the tool do its job. Additional functions include the ability to create interactive reports, to write more complex scripts for testing APIs, and to configure failure criteria so that fixing the detected problems can begin immediately.
APACHE JMETER
Apache JMeter (it is not surprising that it was written in Java) was originally made to test the load on web applications, but recently expanded its capabilities – now it is suitable for testing the operation of any application, program or API. Its functionality allows you to test performance on both static and dynamic resources. The tool can generate a large simulated (but realistic) load of traffic so that developers can understand how their APIs will cope during load testing. Apache JMeter does not require programming skills. It can handle many different types of applications, servers and protocols, and it supports request chaining. Tests can use CSV files to generate heavy loads of realistic traffic that put APIs under pressure.
CRAPI
The tool crAPI does not have the nicest name (“crap” meaning “sucks”), but it efficiently performs its API testing functions. It is one of the few tools that can connect to the target system and run a basic set of tests, along with a whole set of additional functions, to examine the root client. As per cyber security course experts, the program can do this without the need to create any new connections. Advanced API developers will be able to save a lot of time with crAPI.
ASTRA
Astra mainly focuses on representational state transfer (REST) APIs, which can be extremely hard to secure because they are constantly changing. Given that the REST architecture stresses scalability in the interaction between components, it can be difficult to ensure the security of a REST API over time. Astra helps solve this problem by offering integration with the CI/CD pipeline and by checking that the most common vulnerabilities no longer appear in a supposedly safe REST API. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early in the development cycle.
KARATE
Karate is an open source framework that combines automated API testing, performance testing and mocking into a single framework. While it is implemented in Java, it doesn’t require users to have advanced programming skills. As per cyber security course experts, test definitions can also serve as the functional documentation for the API itself. Karate can be integrated with CI/CD tools. Additionally, tests can double as performance tests with the addition of Gatling, which verifies if server responses are as expected under load. Karate has extensive documentation, a wide range of test examples and an active user community.