Dec 12 2022

95.6% of New Malware in 2022 Targeted Windows

Category: Malware,Windows SecurityDISC @ 11:06 am
95.6% of New Malware in 2022 Targeted Windows

Malware attacks are a growing problem in our increasingly digital world. By infiltrating computers and networks, malicious software can cause serious harm to those affected by it.

One of the most common types of malware is ransomware (encryption-based malware), which prevents users from accessing their files until they pay a hefty fee to the cyber attacker. This type of attack has been used to target everything from individuals to large organizations, including government agencies and healthcare providers.

In addition to financial losses, malware attacks can have devastating effects on businesses and individuals. In some cases, sensitive data can be stolen or destroyed as part of an attack. This can lead to identity theft and other forms of fraud, as well as put organizations at risk for long-term damage if confidential information is exposed or compromised.

Research Findings

A recent study by Atlas VPN shows how malware infection is on the rise and the trends in the new malware samples found in the first three quarters of 2022. 

According to researchers, 59.58 million samples of new Windows malware were found in the first three quarters of 2022 and these make up 95.6% of all new malware discovered during that time period. 

This analysis was based on data by AV-TEST GmbH, an independent organization that evaluates and rates antivirus and supplies services in IT Security and Antivirus Research. The study also includes new malware samples detected in the four quarters of 2021 and the first three quarters of 2022. 

Windows, Linux, and Android Malware

Overall, there is a downward trend in the data with the malware samples this year has decreased by 34% as compared to the same period last year. However, the numbers are still exceptionally high.

Following Windows on the list is Linux malware with 1.76 million new malware samples – 2.8% of the total malware threats in 2022. 

Android malware takes third place with the first three quarters of 2022 seeing 938,379 new Android malware threats, constituting 1.5% of the total new malware. 

Lastly, 8,329 samples of never before seen malware threats aimed at macOS were observed in the same period. 

Total Number of Malware

The study also shows that the total number of malware threats found in the first three quarters of 2022 across all operating systems amount to 62.29 million. This is about 228,164 malware threats daily. 

If we make a quarter-by-quarter comparison, the first quarter of 2022 saw the most significant number of malware samples – 22.35 million. However, this number dropped by 4% to 21.49 million in the second quarter of this year. Again, it decreased by another 14% to 18.45 million. 

The numbers continue to plummet into the fourth quarter of the year with 7.62 million new threats found in October and November – nearly 60% less than at the same time last year. 

Protection Against Malware

Malware is a pervasive threat to internet users on both personal and professional networks. It can cause serious damage to computers, networks, and data that can be expensive to fix. Fortunately, there are steps you can take to protect yourself from malware.

The most important step in protecting your network from malware is keeping your anti-malware software up to date. Regularly updating anti-malware programs ensures that they’re able to detect the latest threats and keep them away from your computer or network.

Additionally, be sure not to click on suspicious links or download files from unknown sources as these could contain malicious code that could harm your system.

Another way to stay safe online is by using a secure web browser with built-in security features like pop-up blockers, phishing protection, and ad blockers ((don’t use it on Hackread.com though :0)) for enhanced protection against malicious activities.

95.6% of New Malware in 2022 Targeted Windows

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Tags: Malware, Malware Analysis

Dec 11 2022

Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

Category: Email Security,PhishingDISC @ 11:55 am
Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.

The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.

And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.

With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn how to detect phishing images in an email.

Most prevalent types of phishing scams

Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.

With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.

This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize if you’ve been hacked after falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.

Here are the six most common types of phishing scams and how to protect yourself.

1. Email scams

Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.

These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.

How to protect yourself:

  • Never click on links in emails. Instead, visit the official site.
  • Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
  • Disable automatic image loading, as this can let scammers know you’ve seen the message.

2. Voice phishing (vishing)

Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.

Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.

How to protect yourself:

  • Never answer calls from numbers you don’t recognize, even if it has a local area code.
  • Don’t return calls from numbers. you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
  • Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.
Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

3. Phishing websites

One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.

After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.

Phishing email and the phishing page (Screenshots via Armorblox)

How to protect yourself:

  • If you get a message with a link—even if it looks trustworthy—go to the official site instead.
  • Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
  • Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.

4. SMS text message scams (smishing)

Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).

One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.

How to protect yourself:

  • Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
  • Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
  • Don’t reply to scam messages, even unsubscribe. This only confirms you have an active number and will result in more attacks.

5. Social media phishing

Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.

One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you’re the authentic owner or to keep your page active.

Fake Support chatbot (Image: Trustwave)

How to protect yourself:

  • Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
  • Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
  • Don’t ever share your social media password with a third-party website.

6. Man-in-the-middle attack

This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, like at a coffee shop or airport. The attacker intercepts everything you send and receive and can redirect your browser to safe sites to look-alike sites without you knowing.

Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.

How to protect yourself:

  • Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
  • If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.

How to prevent phishing

Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.

  • Unfamiliar senders. Emails, texts, or calls from people you don’t recognize are automatically suspect.
  • Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
  • Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
  • Unusual payment methods. Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.

What to do if you’re a victim of phishing

You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, here’s what you should do, based on what information you’ve shared.

  • Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
  • Login details or passwords. Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
  • Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
  • Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
  • Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.

No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation

Conclusion

Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.

Tags: Phishing scams

Dec 09 2022

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

Category: Hacking,MalwareDISC @ 1:44 pm
Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ThreatFabric’s security researchers have reported a new dark web platform through which cybercriminals can easily add malware to legitimate Android applications.

Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of Windows and Android malware, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

This comes just days after a new dark web marketplace called InTheBox surfaced online, serving smartphone malware developers and operators.

Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

According to ThreatFabric’s blog post, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.

What does Zombinder Do?

In the campaign detected by ThreatFabric’s researchers, the service is distributing the Xenomorph banking malware disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded the infected Windows app were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the Ermac malware.

How to Stay Protected?

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

Cyber Deep Web

Tags: Cyber Deep Web, dark net, dark web, Zombinder

Dec 09 2022

ATTACKING ACTIVE DIRECTORY WITH LINUX

Category: Cyber Attack,Windows SecurityDISC @ 11:33 am

ATTACKING-ACTIVE-DIRECTORY-with-Linux-compressed-1Download

Mastering Active Directory: Design, deploy, and protect Active Directory Domain Services for Windows Server 2022

Tags: ATTACKING ACTIVE DIRECTORY, Mastering Active Directory

Dec 08 2022

Pwn2Own Toronto 2022 Day 2: Participants earned $281K

Category: HackingDISC @ 3:55 pm
Pwn2Own Toronto 2022 Day 2: Participants earned $281K

Pwn2Own Toronto 2022 Day Two – Participants demonstrated exploits for smart speaker, smartphone, printer, router, and NAS.

On the first day of the Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition participants earned $400,000 for 26 unique zero-day exploits.

On the second day of the competition, participants earned more $281,000 for smart speaker, smartphone, printer, router, and NAS exploits.

Researchers from Qrious Secure team used two flaws to execute an attack against the Sonos One Speaker, they earned $60K and 6 Master of Pwn points.

STAR Labs team also hacked the Sonos One Speaker in the Smart Speaker category using one unique bug and another previously known bug. The team earned $22,500 and 4.5 Master of Pwn points.

The Bugscale team demonstrated an exploit against the Synology router and HP Printer using one unique bug and another previously known flaw. The team earned $37,500 and 7.5 Master of Pwn points.

The researchers from Interrupt Labs executed an improper input validation attack against the Samsung Galaxy S22 in the Mobile Phone category. The team earned $25K and 5 Master of Pwn points.

pwn2own toronto 2022

The researcher Luca Moro was awarded $40,000 for a Classic Buffer Overflow attack against the WD My Cloud Pro Series PR4100 in the NAS category.

Tags: Pwn2Own Toronto 2022

Dec 08 2022

Don’t Sell Your Laptop Without Following These Steps

Category: data security,Information Security,Password SecurityDISC @ 9:13 am
Don’t Sell Your Laptop Without Following These Steps

Before selling or trading in your laptop, it is important to prepare the device for its new owner as this will help ensure all of your personal data remains safe.

In an age when every day, a new version of a laptop with better features, sleek design, and improved performance hits the market, it is no wonder that you also wish to buy a new laptop to achieve excellence in performance and enjoy new features.

You have money, you can buy a new laptop, great! But what about your previous laptop? If you are thinking of selling it, then…stop.

If you think selling a laptop is all about saving your data, finding a seller, and selling it, then you need to think again. It goes beyond this! It is not all about getting a fair price, but also saving your personal information and private data from reaching a stranger – that might cost you a lot if that stranger is fraudulent or malicious.

Before selling or trading in your laptop, it is important to prepare the device for its new owner. This can be done by taking several simple precautions that will help ensure all of your personal data remains safe.

1 Save Your Important Data

It goes without saying that your first step should be keeping a backup of your essential data, including personal and work-related files and folders, containing documents, presentations, emails, plans, strategies, or anything else that you have prepared with so much hard work.

If you don’t want to see your data slipping from your fingers, then this should be your number one step.

You can save your data on a data drive or upload it to a reliable cloud service. Or send them to your own email address (well, this is my favorite way of saving my data!). Do whatever suits you, but saving data is a must before selling your laptop.

However, this can only work if you have a few GB of data. In case you have terabytes of data then owning a workstation from companies like Western Digital (WD) is a good way to go.

2 Delete Passwords Permanently

Nobody wants the passwords of important accounts to get leaked. Full stop! But have you ever thought about how to save your passwords before giving your laptop? What — did you just say you can do it by signing off from all your accounts and deleting history and cookies? Ah, I wish it was really that easy, but it is not. 

Where technology has brought so much ease into our lives, there it has also become a trouble in many ways — like this one. Unfortunately, some software can extract passwords even if you log out from your accounts.

That is where you should act smartly if you don’t want someone to sneak into your Facebook and start sending weird messages through your accounts to your friends. It could trigger so many controversies – eh. So, cut iron with iron.

You can also use apps such as password generators. One such example is the IPVanish password generator which lets users delete passwords permanently from their browsers. If you wish to do that manually, follow these easy steps:

For Chrome browser: First, open Chrome and click on the three-dot menu icon located in the top right corner. Then select “Settings” and click on “Passwords” under Autofill. Here you will find a list of all the websites that have saved credentials, along with their usernames and passwords.

Select an entry to see the details, then click on the three-dot menu icon next to it and select “Remove.” You’ll be asked to confirm by clicking “remove” again; once confirmed all login information for that website will be deleted from your computer. (Read more on Google.)

For Firefox: First, launch the Firefox browser on your device. Then, click the ‘Menu’ icon (three lines in the upper right corner) and select ‘Options’ or ‘Preferences’. In this menu, you will see a section for ‘Logins & Passwords. You can then scroll through all of your saved logins and passwords until you find the one that needs to be deleted.

For Safari Browser: To begin, open up the Safari browser on your computer and click the ‘Safari’ menu at the top left corner. In that menu option, select ‘Preferences’ and then navigate to the ‘Passwords’ tab. (Read more on Mozilla.)

Here you will see a list of all of your stored passwords that have been saved by Safari. To delete one or more of these passwords, simply check off each box next to each entry that you wish to remove and hit delete in the bottom right corner. (Read more on Apple.)

3 Format the Drive

Have you saved your important data? Great! Now, what about data that is still on your laptop? Obviously, you can’t leave it like this for others to see your private information and confidential data. No, just deleting data files and clearing Recycle Bin or Shift + Delete might not work. It can still keep the issue of data leakage and privacy breaches there. 

In this condition, most people go for drive formatting that cleans up your laptop and makes it data free. However, this method works if your files are overwritten and you are using a solid-state drive (SSD) with TRIM enabled.

With HDD or TRIM disabled, you would have to overwrite the hard drive if you don’t want cheap software to recover your data – yes, even after formatting. It is very easy to recover a permanently deleted file through even cheap software. So, be safe than sorry!

4 Prepare Your Laptop for Selling

Once you are done saving your information, next, it is time to prepare your laptop for sale at a good price. The price of your gadget also depends on its model, functionalities, current market price, and a lot more. However, improving the outer condition, and speed, upgrading Windows, and enhancing the memory storage can enhance the price of your laptop. 

So, work on the following things to get good bucks:

  • First, install the latest Windows to make your buyer happy. You can vow anyone with the latest functionalities already installed on the laptop, so that person wouldn’t have to go through all the trouble. It is a good chance to impress a buyer.
  • Second, work on the speed of the laptop. Half of the work is already done when you delete files and data. So, reset the laptop to speed it up.
  • Clean up your laptop, please. Don’t take your laptop to a buyer with all the lint or dust trapped between keys and scratches on the screen. You can remove lint or dust with a brush and change the screen cover. This simple work can make a lot of difference.
  • Lastly, visit a laptop expert and ask for a thorough inspection so that you can rectify if there are any internal faulty parts.

Don't Sell Your Laptop Without Following These Steps

PROFESSIONAL HARD DRIVE ERASER 32/64Bit Professional Edition – Wipe your Hard Drive Securely for for ALL operating systems

Tags: data erase, data security

Dec 07 2022

Top 10 free MITRE ATT&CK tools and resources

Category: Attack MatrixDISC @ 11:19 am
Top 10 free MITRE ATT&CK tools and resources

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is open and available to any person or organization for use at no charge. Below you can find a collection of MITRE ATT&CK tools and resources available for free.

eBook: Getting Started with ATT&CK

This free eBook pulls together the content from blog posts on threat intelligence, detection and analytics, adversary emulation and red teaming, and assessments and engineering onto a single, convenient package.

eBook

CALDERA

CALDERA is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. It is built on the MITRE ATT&CK framework and is an active research project at MITRE.

The framework consists of two components:

  • The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface.
  • Plugins. These repositories expand the core framework capabilities and provide additional functionality. Examples include agents, reporting, collections of TTPs, etc.
mitre attack tools

Whitepaper: Best Practices for MITRE ATT&CK Mapping

CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior. CISA created this guide with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned federally funded research and development center (FFRDC), which worked with the MITRE ATT&CK team.

Whitepaper

CASCADE

CASCADE is a research project at MITRE which seeks to automate much of the investigative work a “blue-team” team would perform to determine the scope and maliciousness of suspicious behavior on a network using host data.

The prototype CASCADE server has the ability to handle user authentication, run analytics, and perform investigations. The server runs analytics against data stored in Splunk/ElasticSearch to generate alerts. Alerts trigger a recursive investigative process where several ensuing queries gather related events. Supported event relationships include parent and child processes (process trees), network connections, and file activity. The server automatically generates a graph of these events, showing relationships between them, and tags the graph with information from the ATT&CK project.

mitre attack tools

Metta

Metta is an information security preparedness tool. This project uses Redis/Celery, Python, and vagrant with VirtualBox to do adversarial simulation. This allows you to test your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants. The project parses YAML files with actions and uses Celery to queue these actions up and run them one at a time without interaction.

mitre attack tools

Sandbox Scryer

Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling IOCs, understanding attack movement and hunting threats. By allowing researchers to send thousands of samples to a sandbox for building a profile for use with the ATT&CK technique, Sandbox Scryer can help solve use cases at scale.

Sandbox Scryer

Whitepaper: Finding Cyber Threats with ATT&CK-Based Analytics

This whitepaper presents a methodology for using the MITRE ATT&CK framework, a behavioral-based threat model, to identify relevant defensive sensors and build, test, and refine behavioral-based analytic detection capabilities using adversary emulation. This methodology can be applied to enhance enterprise network security through defensive gap analysis, endpoint security product evaluations, building and tuning behavioral analytics for a particular environment, and performing validation of defenses against a common threat model using a red team emulating known adversary behavior.

Whitepaper

Atomic Red Team

Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments. You can execute atomic tests directly from the command line, no installation required.

mitre attack tools

Red Team Automation (RTA)

RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

RTA is composed of python scripts that generate evidence of over 50 different ATT&CK tactics, as well as a compiled binary application that performs activities such as file time stopping, process injections, and beacon simulation as needed.

mitre attack tools

Mapping CVEs to MITRE ATT&CK

Vulcan Cyber’s research team has created this site to showcase an ongoing project to map documented CVEs to relevant tactics and techniques from the MITRE ATT&CK matrix. You can search for CVES based on specific techniques and vice versa. For more information about this project, please read the associated whitepaper.

Website

Aligning Security Operations with MITRE ATT&CK Framework: An effective guide to leveling up your SOC for better security

Tags: MITRE ATT&CK tools

Dec 06 2022

Bug in Toyota, Honda, and Nissan Car App Let Hackers Unlock & Start The Car Remotely

Category: API security,App Security,cyber security,Mobile Security,Remote codeDISC @ 10:31 am

Bug in Toyota, Honda, and Nissan Car App Let Hackers Unlock & Start The Car Remotely

The majority of major automobile manufacturers have addressed vulnerability issues that would have given hackers access to their vehicles to perform the following activities remotely:-

  • Lock the car
  • Unlock the car
  • Start the engine
  • Press the horn
  • Flas the headlights
  • Open the trunk of certain cars made after 2012
  • Locate the car

Flaw in SiriusXM

SiriusXM, one of the most widely used connected vehicle platforms available on the market, has a critical bug in its platform that affects all major vehicle brands.

There is a particular interest among security researchers in the area of connected cars, like Yuga Labs’ Sam Curry. In fact, he’s the one who was responsible for discovering a security hole in the connected cars of major car manufacturers during his routine research.

There are a number of car manufacturers who use Sirius XM telematics and infotainment systems as a part of their vehicle technology.

Affected Car Brands

Here below we have mentioned the brands’ names that are affected due to this critical bug in SiriusXM:-

  • Acura
  • BMW
  • Honda
  • Hyundai
  • Infiniti
  • Jaguar
  • Land Rover
  • Lexus
  • Nissan
  • Subaru
  • Toyota

Vulnerability Analysis

During the process of analyzing the data, it was found that there is a domain (http://telematics(.)net) that is used during the vehicle enrollment process for the remote management of Sirius XM.

The flaw is associated with the enrollment process for SiriusXM’s remote management functionality which results in the vehicle being tampered with.

There is not yet any technical information available about the findings of the researchers at the present time, since they haven’t shared anything in detail.

Upon further analysis of the domain, it becomes apparent that the Nissan Car Connected App is one of the most plentiful and frequently referenced apps in this domain.

In order for the data exchanged through the telematics platform to be authorized, the vehicle identification number (VIN) only needs to be used. The VIN of the vehicle can therefore be used to carry out a variety of commands by anyone who knows the number.

The next step would be to log in to the application later on, and then the experts examined the HTTPS traffic that came from a Nissan car owner.

Researchers discovered one HTTP request during the scan in which they conducted a deep analysis. 

It is possible to obtain a bearer token return and a “200 OK” response by passing a VPN prefixed ID through as a customerID in the following way:-

Car App

Using the Authorization bearer in an HTTP request, researchers attempted to obtain information about the user profile of the victim and, as a result, they successfully retrieved the following information:-

  • Name
  • Phone number
  • Address
  • Car details

In addition to this, the API calls used by SiriusXM for its telematics services worked even if the user did not have an active subscription with SiriusXM.

As long as the developers or owners are not involved in the process of securing a vulnerable app, it is impossible to guarantee the security of that app. This is why they should be the only ones who can issue security updates and patches.

Recommendations

Here below we have mentioned the recommendations made by the security analysts:-

  • Ensure that you do not share the VIN number of your car with unreliable third parties.
  • In order to protect your vehicle from thieves, it is imperative to use unique passwords for each app connected to the vehicle.
  • Keep your passwords up-to-date by changing them on a regular basis.
  • Keeping your system up-to-date should be a priority for users.

The Car Hacker’s Handbook: A Guide for the Penetration Tester

Tags: Car Security

Dec 05 2022

THE EMOTIONS OF A Social Engineering Attack

Category: social engineeringDISC @ 11:04 am

Emotions-of-a-Social-Engineering-Attack-1-1Download

Tags: Social Engineering Attack

Dec 05 2022

A New Linux Flaw Lets Attackers Gain Full Root Privilege

Category: Linux SecurityDISC @ 10:41 am
A New Linux Flaw Lets Attackers Gain Full Root Privilege

The Threat Research Unit at Qualys’ has revealed how a new Linux flaw tracked as (CVE-2022-3328),  may be combined with two other, seemingly insignificant flaws to gain full root rights on a compromised system.

The Linux snap-confine function, a SUID-root program installed by default on Ubuntu, is where the vulnerability is located.

The snap-confine program is used internally by snapd to construct the execution environment for snap applications, an internal tool for confining snappy applications.

Linux Flaw Let Attackers Gain Full Root Privilege

The newly discovered flaw, tracked as CVE-2022-3328, is a race condition in Snapd, a Canonical-developed tool used for the Snap software packaging and deployment system. 

The issue specifically affects the ‘snap-confine’ tool that Snapd uses to build the environment in which Snap applications are executed.

“In February 2022, Qualys Threat Research Unit (TRU) published CVE-2021-44731 in our “Lemmings” advisory. The vulnerability (CVE-2022-3328) was introduced in February 2022 by the patch for CVE-2021-44731).” reads the post published by Qualys.

“The Qualys Threat Research Unit (TRU) exploited this bug in Ubuntu Server by combining it with two vulnerabilities in multipathd called Leeloo Multipath (an authorization bypass and a symlink attack, CVE-2022-41974, and CVE-2022-41973), to obtain full root privileges”.

The CVE-2022-3328 weakness was chained by the researchers to two other flaws in Multipathd, a daemon responsible for looking for failed paths. Particularly, in several distributions’ default installations, including Ubuntu, Multipathd runs as root.

Two Vulnerabilities Impact Multipathd

The device-mapper-multipath, when used alone or in conjunction with CVE-2022-41973, enables local users to gain root access. 

In this case, the access controls can be evaded and the multipath configuration can be changed by local users who have the ability to write to UNIX domain sockets.

This problem arises because using arithmetic ADD rather than bitwise OR causes a keyword to be incorrectly handled when repeated by an attacker. Local privilege escalation to root may result from this.

Together with CVE-2022-41974, the device-mapper-multipath enables local users to get root access. Further, due to improper symlink handling, local users with access to /dev/shm can modify symlinks in multipathd, which could result in controlled file writes outside of the /dev/shm directory. Hence, this could be used indirectly to elevate local privileges to the root.

Notably, any unprivileged user might get root access to a vulnerable device by chaining the Snapd vulnerability with the two Multipathd vulnerabilities.

“Qualys security researchers have verified the vulnerability, developed an exploit, and obtained full root privileges on default installations of Ubuntu,” Qualys said.

On Ubuntu default installations, Qualys security researchers have confirmed the vulnerability, developed an exploit and got full root access.

Although the vulnerability cannot be used remotely, the cybersecurity company issues a warning that it is unsafe because it can be used by an unprivileged user.

Linux Flaw Let Attackers Gain Full Root Privilege

Mastering Linux Security and Hardening

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

 

Tags: Linux Flaw, Mastering Linux Security and Hardening, Root Privilege

Dec 05 2022

Data of Israeli Employees from 29 Logistics Firms Sold Online

Category: Data Breach,data securityDISC @ 10:33 am
Data of Israeli Employees from 29 Logistics Firms Sold Online

The 50GB worth of data is currently being sold on two clear web forums with a price tag of 1 BTC per database.

A group of hackers has posted a trove of approximately 50GB of data for sale on two online forums and a Telegram group. The data was posted on 26 and 27th November 2022. This was revealed to Hackread.com by researchers at VPNMentor.

A probe into the incident revealed that the data belonged to 29 Israeli transportation, logistics services and forwarding firms. Researchers believe that the hackers breached a software provider’s single point of failure, gained unauthorized access to these logistics firms’ supply chains, and exfiltrated a trove of personal data and shipping records.

50 GB of Israeli Firms’ Data on Sale

Hackers have posted the stolen data for sale. Visitors can buy a complete employee and customer information dataset from the targeted companies. The per-database rate is 1 BTC, which equals $17,000. An analysis of the graphics associated with these posts revealed that the data is part of a Black Friday Sale.

Previously, when some Israeli delivery firms were targeted in cyberattacks, the Israeli government’s cyber agencies named Iranian threat actors as the perpetrators. However, it is unclear if the same actors are responsible in this instance.

Details of Leaked Data

According to VPNMentor’s blog post, exposed data includes contract details and shipment information of the affected Israeli firms. The hackers have listed 1.1 million records for sale on different online forums. It seems like they have shared a small sample of data.

Whether 1 record represented 1 person or 1.1 million people were impacted in this data breach couldn’t be determined. The exposed information includes full names, addresses, and contact numbers.

Researchers were unsure whether the exposed addresses were work or home addresses. Customers’ exposed data includes full names and shipping details (sender and receiver’s addresses, number of packages, contact numbers, etc.).

Data of 1 Million Israeli Employees from 29 Logistic Firms Sold Online

Possible Dangers

These records can be exploited to intercept packages or blackmail/threaten courier firms’ employees into handing over valuable shipments. Threat actors can use personal data such as full names or contact details to target people with scams and phishing attacks.

Customers of these firms should be wary of suspicious SMS messages and calls and do not share personal information via phone. They should reveal sensitive data only to a trusted source only when necessary.

Tags: Data loss, Logistics Firms, phishing attacks, scams

Dec 04 2022

8 Reasons Why Enterprises Use Java

Category: Security programDISC @ 11:53 am
8 Reasons Why Enterprises Use Java

What is an enterprise application in java?

An enterprise application in Java is a software program whose backend was created with the help of the Java programming language. Java is an excellent choice for creating back-end functionality.

In addition, the use of Java microservices enables the creation of large-scale, complex but well-performing solutions, that’s why it is often chosen by enterprises that are dealing with large amounts of data and need to create multi-functional complex solutions for their business.

What is Java used for?

8 Reasons Why Enterprises Use Java

8 Reasons Why Enterprises Use Java

Tags: Java

Dec 02 2022

Essential Business Knowledge for InfoSec Professionals

Category: Security ProfessionalDISC @ 11:14 pm
Essential Business Knowledge for InfoSec Professionals

The role of InfoSec professionals has morphed into a critical business function. One should expect getting involved in “business” discussion often, and at increasing higher levels of business structure up to board of directors. Understanding and speaking business language is more important than ever for the success of any InfoSec professionals. Knowing basic business lingo is also crucial for effective communication inside an organization.

Lack of basic business knowledge and common business terminology hinders success and progress. 

I have started creating a body of knowledge for basic business skills required for success of security professionals and elevating their status in the business hierarchy. Following are eight major domains of essential business knowledge for information security professionals.

  • DOMAIN 1 – Essential Business Terminology for InfoSec Professionals
  • DOMAIN 2 – Business Communication for InfoSec Professionals
  • DOMAIN 3 – Funding Requests and Managing InfoSec Budget
  • DOMAIN 4 – Working with Vendors and Partners
  • DOMAIN 5 – Building Alliances, Collaboration to Advance InfoSec Goals
  • DOMAIN 6 – Excellence in InfoSec Customer Service, Knowing and Serving Customers
  • DOMAIN 7 – Creating Business Value with InfoSec
  • DOMAIN 8 – General Soft Skills to Succeed as InfoSec Professional

what are major skill gaps?

ISACA published a report on “State of Cybersecurity 2022” in which they presented their findings on the global workforce. The most striking of all the findings is Figure 14 of the report showing major skill gaps among security professionals.

At the top of these skill gaps is “soft skills” that includes communications, flexibility, leadership and others. This is similar to what we have been talking about creating a body of knowledge for Core Cybersecurity Skills and Practices. Please see a screenshot of Figure 14 from the ISACA report (the report is available for download at https://www.isaca.org/go/state-of-cybersecurity-2022).

Business Knowledge for Cybersecurity Executives

Business Analysis – Fourth Edition

Tags: Business Knowledge for Cybersecurity Executives, InfoSec Professionals

Dec 02 2022

CISOs in investment firms help fast-track cybersecurity startups

Category: CISO,vCISODISC @ 1:48 pm
CISOs in investment firms help fast-track cybersecurity startups

In this Help Net Security video, Frank Kim, CISO-in-Residence at YL Ventures, discusses the growing role of CISOs in investment firms and how their role as advisors helps drive cybersecurity startups.

Frank works closely with cybersecurity startup founders on ideation, product-market-fit, and value realization, on an in-house and regular basis.

He provides them with what can be considered an important perspective into the needs of modern CISOs, security teams, and businesses, and he specifically guides them on how to make security solutions provide business value at business speed, resolving the gap between business and tech latency.

Tags: CISO in Residence, cybersecurity startups, Frank Kim, YL Ventures

Dec 02 2022

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

Category: Spyware,Zero dayDISC @ 10:30 am
Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

A Barcelona-based company, a spyware vendor named Variston IT, is exploiting flaws under the guise of a custom cybersecurity solutions provider.

On 30th November, Google’s Threat Analysis Group (TAG) reported that a Barcelona-based company, actually a spyware vendor, named Variston IT has been exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender under the guise of a custom cybersecurity solutions provider. 

In their detailed technical report, TAG explained that Variston IT had been using their exploitation framework called Heliconia to install spyware on the targeted devices. The researchers at Google received an anonymous submission to Chrome’s bug reporting program which brought to their attention the exploitation framework.

Heliconia actually contains three separate exploitation frameworks. One of them is used to compromise the Chrome renderer bug so that it can escape the walls of the app’s sandbox and run malware on the operating system.

Another one is used to deploy malicious PDF documents containing an exploit for Windows Defender (a built-in antivirus engine in the newer versions of Windows).  The last framework is for compromising Windows and Linux machines by using a set of Firefox exploits. 

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days
A manifest file in the source code provides a product description (Image: Google)

In its report, the tech giant observed that the Heliconia exploit is successful against Firefox versions 64 to 68, which suggests that it was created and used as early as December 2018 when Firefox 64 first came out.

Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. They further stated that, although they had not detected active exploitation, it is likely that the vulnerabilities had been exploited before they could be fixed.

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

7 Steps to Removing Spyware

Tags: Spyware Vendor Variston, Windows 0-days

Dec 01 2022

Zero Trust Essentials eBook

Category: Zero trustDISC @ 11:43 am

Zero-Trust-Essentials-eBook-1Download

Zero Trust Security: An Enterprise Guide

Tags: Zero Trust Essentials, Zero Trust Security

Dec 01 2022

The CHRISTMA EXEC network worm – 35 years and counting!

Category: MalwareDISC @ 11:32 am
The CHRISTMA EXEC network worm – 35 years and counting!

Forget Sergeant Pepper and his Lonely Hearts Club Band, who taught the band to play a mere 20 years ago today.

December 2022 sees the 35th anniversary of the first major self-spreading computer virus – the infamous CHRISTMA EXEC worm that temporarily crushed the major mainframe networks of the day…

… not by any deliberately coded side-effects such as file scrambling or data deletion, but simply by leeching too much network bandwidth for its own unauthorised purpose.

As a decoy to disguise the fact that it read in the 1980s IBM equivalents of your email address book (NAMES) and your known-hosts file (NETLOG) in order to find as many new recipients of the malware as possible to send itself to, the malware displayed this:

                *               
                *               
               ***              
              *****             
             *******            
            *********           
          *************                A
             *******            
           ***********                VERY
         ***************        
       *******************           HAPPY
           ***********          
         ***************            CHRISTMAS
       *******************      
     ***********************         AND MY
         ***************        
       *******************         BEST WISHES
     ***********************    
   ***************************     FOR THE NEXT
             ******             
             ******                    YEAR
             ******

If you’re wondering why the virus is widely known as CHRISTMA EXEC, rather than by the full word CHRISTMAS

…that’s because filenames were limited to eight characters, which could be followed by a space and what we would today call an “extension” of EXEC in order to turn them into scripts that could be run directly by the user – executed, in technical jargon.

The virus itself was written in IBM’s powerful text-based scripting language REXX (the resoundingly named Restructured Extended Executor), so a non-programmer looking at the message would probably recognise it as “program code”, and therefore tend to ignore it as unimportant and irrelevant, for all that it might look interesting.

Except that the author of the virus found a cheerful way to embed an instructional lure right into the code itself, which starts with a remark (as in the C language, text between /* and */ in REXX programs is treated as a comment and ignored when the file gets used)…

/*********************/
/*    LET THIS EXEC  */
/*                   */
/*        RUN        */
/*                   */
/*        AND        */
/*                   */
/*       ENJOY       */
/*                   */
/*     YOURSELF!     */
/*********************/

…and then offers the following cheery advice to non-techies:

/*  browsing this file is no fun at all
       just type CHRISTMAS from cms     */

CMS is short for Conversational Monitor System, a command prompt environment on top of IBM’s venerable VM/370 operating system and its many variants, which offered individual users a real-time virtual machine that behaved like a computer all of their own, with its own disk space for storing personal files and programs.

Handily, the user didn’t have to be taught to leave the final -S off the word CHRISTMAS, because CMS would automatically ignore any extra characters and hunt for CHRISTMA EXEC, which was the very script program that the user had just received without expecting it or asking for it.

As stated above, the code did indeed display the Christmas Tree ASCII art – or, more precisely, EBCDIC art, given that IBM famously had its own character encoding system known as Extended Binary Coded Decimal Interchange Code (pronounced ebb-si-dick).

But it also trawled through your NAMES and NETLOG files, which listed other users and computers you regularly contacted, and copied itself to all of them, so that for every user who innocently typed CHRISTMAS at the command prompt…

…a sea of copies of the virus (20? 50? 200?) would be distributed, potentially worldwide, and if any of those recipients (20? 50? 200?) innocently typed CHRISTMAS at the command prompt…

…a sea of copies of the virus would be distributed, and so on, and so on.

Shades of the future

As we said in this week’s podcast, where we discussed this seminal worm:

[This is j]ust like modern macro malware that says to the user, “Hey, macros are disabled, but for your ‘extra safety’ you need to turn them back on… why not click the button? It’s much easier that way.”

35 years ago, malware writers had already figured out that if you ask users nicely to do something that is not at all in their interest, some of them, possibly many of them, will do it.

Detection of Network Worm to Eliminate Security Threats in MANET: Wormhole Attack and its Challenges

Tags: CHRISTMA EXEC network worm

Nov 30 2022

10 Best Vulnerability Scanning Tools For Penetration Testing

Category: Access Control,Security ToolsDISC @ 10:57 am
10 Best Vulnerability Scanning Tools For Penetration Testing – 2023

A Vulnerability Scanning Tool is one of the essential tools in IT departments Since vulnerabilities pop up every day and thus leaving a loophole for the organization.

The Vulnerability scanning tools help in detecting security loopholes in the application, operating systems, hardware, and network systems.

Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.

What does a Vulnerability Scanner do?

Vulnerability scanners are one right way to do this, with their continuous and automated scanning procedures they can scan the network for potential loopholes.

It is on your internet or any device, they would help the IT departments identify the vulnerability and fix it both manually and automatically.

Vulnerability scanning tools do have two different approaches for performing their routines, authenticated and unauthenticated scans.

In the latter case, a penetration tester will show the scan disguised as a hacker without him having trusted access to the corporate network.

What are the Three types of Vulnerability Scanners?

This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.

Following are the types of vulnerability scanners

  • Discovery Scanning
  • Full Scanning
  • Compliance Scanning

What is an example of a Vulnerability Scanner?

The best Web vulnerability scanner in the market should allow you to perform both authenticated and unauthenticated types of scans to nullify network vulnerabilities among other related vulnerability scanners online

In this article, we’ll take a look at the top 10 best vulnerability scanning tools available in the market.

10 Best Vulnerability Scanner Tools

Vulnerability ScannerKey Features
OpenVAS Vulnerability ScannerCustom Scan Configuration
Targeted IP Address
Task Naming
Authorized (credentialed) Scans
Scheduling scans
Tripwire IP360Flexible Scanning
Full Network Discovery
Vulnerability Risk Scoring
Asset Discovery
Nessus vulnerability scannerTarget Profiling
Sensitive data discovery
Malware Detection
PCI DSS requirements
Vulnerability scanning
Comodo HackerProofDaily Vulnerability Scanning
Web-based Management Tool
PCI Scanning Tools
Nexpose communityReal Risk Score
Integration with Metasploit
Powerful Reporting
Adaptive Security
Vulnerability Manager PlusCustomization of Patches to Application
Detecting zero-day vulnerabilities
Audit end-of-life software
Security recommendations
NiktoSupport for Proxy with authentication
Cookies Support
Username Enumeration
Outdated component report
WiresharkLive capture and offline analysis
Deep inspection of protocols
VoIP analysis
Read/write Capture file
Coloring rules
Aircrack-ngAnalyzing WiFi networks for weaknesses
Capture and injection of WiFi cards
Sniff wireless packets
Recover lost keys
Retina network security scannerDiscover the Full network Environment
Identify Application Flaw
Analyze threats and gain security intelligence

10 Best Vulnerability Scanning Tools 2023

  1. OpenVAS Vulnerability Scanner
  2. Tripwire IP360
  3. Nessus vulnerability scanner
  4. Comodo HackerProof
  5. Nexpose community
  6. Vulnerability Manager Plus
  7. Nikto
  8. Wireshark
  9. Aircrack-ng
  10. Retina network security scanner

for more details on these vulnerability scanning tools

Vulnerability Scanning Tools

Checkout latest books on Vulnerability Scanning Tools

Tags: Vulnerability Scanning Tools

Nov 29 2022

Strategies for closing the cybersecurity skills & leadership gap

Category: CISO,Cyber career,vCISODISC @ 11:33 am
arlington-research-nFLmPAf9dVc-unsplash.jpg

As organizations begin to address the risks of an increasingly complex digital landscape, they are recognizing that cybersecurity challenges are compounded by a lack of available talent and skills to mount a necessary defense. The digital skills shortage in the U.S. is at a critical point, highlighting a need for increased investment in workforce training. The Biden White House recently said that roughly 700,000 cyber-defense-related positions nationally are unfilled.

Clearly, CISOs and leaders across the C-suite are focused on the challenge, and many are investing heavily in shoring up gaps in their cybersecurity approach. In an age when a cyberattack can be an existential threat to any organization, cybersecurity engineers will serve as the first responders to such threats.

But organizations are struggling to fill these roles. Cyber professionals face ever-increasing pressure to keep up with more sophisticated and complex threats. The burnout in the profession is significant. What’s more, there hasn’t been a good understanding of the variety of jobs that there are in cybersecurity, and the various skills that can be leveraged for those jobs.

What complicates the effort to fill these roles are the demands placed on them. A strong cybersecurity professional must have advanced skills and experience in the following: meeting the immediate needs of securing the enterprise while also satisfying regulators and compliance officials; keeping a close eye on protections for customers and their personal data; and, if an incident occurs, navigating those interactions and coordinating with law enforcement. These are skills rarely found together.

In fact, not only is there a challenge in filling day-to-day roles within the cybersecurity portfolio, there is also a leadership gap. Many highly skilled cybersecurity professionals avoid taking leadership positions in the field precisely because they do not feel prepared to take on these multivariate tasks.

The solution rests in a two-pronged approach.

#1. Leverage cybersecurity frameworks and automation.

Organizations need to reduce the demand on crisis cyber defense by deploying automated platforms and technologies, such as zero trust security, to screen out threats and examine their entire value chain — including suppliers, vendors and others who may be the source of the greatest potential risks. As part of this effort, trained cybersecurity professionals should be deployed during the software development lifecycle and across business processes so that security and protections can be embedded by design rather than bolted on later.

#2. Migrate cybersecurity to the cloud.

https://www.securitymagazine.com/articles/98664-strategies-for-closing-the-cybersecurity-skills-and-leadership-gap

Navigating the Cybersecurity Career Path

Tags: cybersecurity skills, Navigating the Cybersecurity Career Path

Nov 29 2022

Why the updated ISO 27001 standard matters to every business’ security

Category: Information Security,ISO 27kDISC @ 10:13 am

On the morning of August 4, 2022, Advanced, a supplier for the UK’s National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHS’s 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.

ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.

The standard is made up of a set of clauses (clauses 4 through 10) that define the management system, and Annex A which defines a set of controls. The clauses include risk management, scope and information security policy, while Annex A’s controls include patch management, antivirus and access control. It’s worth noting that not all of the controls are mandatory; businesses can choose to use those that suit them best.

Why is ISO 27001 being updated?

It’s been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape. 

With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber- and information security today. We have already seen ISO 27002 (the guidance on applying the Annex A controls) updated. The number of controls has been reduced from 114 to 93, a process that combined several previously existing controls and added 11 new ones.

Many of the new controls were geared to bring the standard in line with modern technology. There is now, for example, a new control for cloud technology. When the controls were first created in 2013, cloud was still emerging. Today, cloud technology is a dominant force across the tech sector. The new controls thus help bring the standard up to date.

In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.

How can ISO 27001 certification benefit your business?

Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.

Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their users’ minds.

Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.

In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.

There’s also the matter of education. Often, an organization’s weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.

Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.

Overcoming the challenge of ISO 27001 certification

A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, they’ve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organization’s information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.

While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:

  • Resources — time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
  • Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.

Next steps toward a successful future

While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.

It’s also important to recognize that this October was not the cutoff point for businesses to achieve certification for the new version of the standard. Businesses will have a few months before certification bodies will be ready to offer certification, and there will likely then be a two-year transition period after the new standard’s publication before ISO 27001:2013 is fully retired.

Ultimately, it’s vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in today’s hyper-connected world.

Source: https://wordpress.com/read/blogs/126020344/posts/2830377

ISO 27001 Risk Assessment and Gap Assessment

ISO 27001 Compliance and Certification

Tags: iso 27001, iso 27002

« Previous PageNext Page »