InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
I’ve been meaning to talk more about what I actually do, which is help the teams within Microsoft who are threat modeling (for our boxed software) to do their jobs better. Better means faster, cheaper or more effectively. There are good reasons to optimize for different points on that spectrum (of better/faster/cheaper) at different times in different products. One of the things that I’ve learned is that we ask a lot of developers, testers, and PMs here. They all have some exposure to security, but terms that I’ve been using for years are often new to them.
I wanted to chime in and offer up this handy chart that we use. It’s part of how we teach people to go from a diagram to a set of threats. We used to ask them to brainstorm, and have discovered that that works a lot better with some structure.
Cybersecurity measures are increasingly failing to close gaps, and the healthcare industry, in particular, has become a high-dollar target due to limited budgets and quick ransom pay-offs.
In this Help Net Security video, Maureen Kaplan, Chief Revenue Officer at SilverSky, discusses how attackers are now narrowing their focus from larger healthcare systems to smaller hospitals and specialty clinics to more easily retrieve patient data and use it for launching fraud and identity theft.
Due to the massive deficit of cyber defenses and limited security budgets of the healthcare industry, attackers have shifted their points of entry to systemic technology like EMR systems to wreak as much havoc as possible while demanding ransom.
Kaplan talks about the steps health IT leaders can take for a more cost-effective approach to safeguarding patient and employee data.
Want to feel like James Bond? Check out this easy-to-use encrypted flash drive.
Losing hardware is a pain, but everything is replaceable.
Allowing data to fall into someone else’s hands is the ultimate headache. Once your data is out there in the wild, it’s game over.
The “solution” is to encrypt your data. But the problem with that solution is that unless the encryption is easy and foolproof, users are going to sacrifice data security for convenience.
If you want easy-to-use high security encryption, then you need hardware that’s aimed at professionals, and that hardware doesn’t get much better than the Apricorn Aegis Secure Key 3.0.
Apricorn Aegis Secure Key 3.0 tech specs:
No software – so there’s nothing to keylog or to hack.
OS agnostic – the device is completely cross platform compatible.
Onboard keypad – all authentication takes place within the device itself.
All data, passwords and encryption keys are 256-bit encrypted at rest.
No host computer is involved in setup, authentication or encryption.
Forced enrollment – no default PINs ensures that data is not put at risk by employees who fail to change a factory set PIN before deployment.
IP68 rated against water and dust damage.
Separate administrator and user access.
Read-only options that can be enforced by the administrator or set by the user if allowed by policy.
Highly configurable with policy such as time out values, data recovery PINs, and programmable PIN lengths.
Brute force PIN attack protection.
Extruded aluminum enclosure with protective sleeve.
FIPS 140-2 Level 3 validated.
Can be automatically configured remotely using Apricorn’s Aegis Configurator tool.
Up to 195MB/s read speed/162MB/s write speed.
Super Speed USB 3.2 (backwards compatible with USB 3.0, 2.0 and 1.1).
Capacities ranging from 30GB to 2TB.
“For an added level of security, there’s also the ability to set a self-destruct PIN to quickly wipe the drive of its contents yet make it seem like it is fully working.”
Cybersecurity researchers at Kaspersky Security Labs have recently identified an unofficial version of WhatsApp for Android, which is dubbed by experts “YoWhatsApp.”
This unofficial version of WhatsApp is mainly designed to steal users’ account access keys or login credentials. There are many unofficial versions of legitimate apps, and they are openly advertised as such.
These unofficial versions lure users by advertising features that the official versions do not have. Though YoWhatsApp is an unofficial version of WhatsApp, it is a fully working messenger with some key additional features, such as the following:
UI customization
Blocking access to individual chats
Several emojis
Unofficial WhatsApp: YoWhatsApp
There is no difference between YoWhatsApp and the standard WhatsApp application in terms of permissions. The promotion of this unofficial Android mod is done using ads on popular Android apps such as the following ones:
Snaptube
Vidmate
In the latest version of YoWhatsApp, version 2.22.11.75, the threat actors were able to obtain the keys to the WhatsApp accounts of their victims and take full control.
It is claimed that YoWhatsApp allows users to send files of up to 700 MB, while the official app limits files sent to your contacts to 100 MB each, and this makes YoWhatsApp more appealing.
In this modified version of WhatsApp, the app sends the user’s access keys to a remote server operated by the developer.
From the basics to advanced techniques, here’s what you should know.
Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.
An organization’s security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.
That’s why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.
The Basics: Vulnerability Scanning
The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There’s a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.
Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.
While vulnerability scanning is relatively easy to use, it’s not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. Scanners are also often prone to false positives and must be updated consistently.
Overall, though, vulnerability scanning is an important baseline step. Once it’s running well, the next step is penetration testing.
Penetration Testing
Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there’s a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.
Run periodically, pen testing can uncover weaknesses that aren’t found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.
Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.
While penetration testing can provide a great deal of benefit, it’s a good idea to periodically review the wealth of information on best practices available online.
Red Team/Purple Team
The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization’s security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.
A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.
But too often, red and blue teams devolve into an adversarial relationship that’s counterproductive. It’s also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.
Using Adversary TTPs for Good
There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE’s ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security by gathering intelligence on specific attacks and then simulating the TTPs used.
For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases from command-and-control setup to initial access; from host compromise through to execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.
Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure’s detection and response rates.
Looking Ahead
Security vendors are moving beyond simply advocating the concept of MITRE’s ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.
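The two ideas above, running an emulation plan made of ATT&CK techniques and mapping sensor events onto the same technique IDs, meet in one practical question: which steps of the plan did our defenses actually see, and how quickly? The following script is an added example, not code from the article, from MITRE, or from any vendor. It assumes a constructed three-phase emulation plan (the phase layout is illustrative and is not MITRE’s published APT3 plan, although the technique IDs are real ATT&CK IDs), a constructed batch of sensor events with hypothetical vendor rule names, and a hand-written rule-to-technique mapping of the kind vendors ship when they align their products with ATT&CK. It scores detection coverage per phase and the time-to-detect for each step, ignoring alerts that fired before a step was executed so that pre-existing noise does not inflate the score.

```python
"""Score an adversary emulation run against the ATT&CK techniques in its plan.

Added example; plan layout, rule names and events are constructed for illustration.
"""
from datetime import datetime

# Constructed emulation plan: phase -> [(technique_id, name, executed_at)].
# Technique IDs are real ATT&CK IDs; the step composition is an assumption.
EMULATION_PLAN = {
    "initial-access": [
        ("T1566.001", "Phishing: Spearphishing Attachment", "2022-10-11T09:00:00"),
        ("T1059.001", "Command and Scripting Interpreter: PowerShell", "2022-10-11T09:02:00"),
    ],
    "host-compromise": [
        ("T1003.001", "OS Credential Dumping: LSASS Memory", "2022-10-11T09:15:00"),
        ("T1021.002", "Remote Services: SMB/Windows Admin Shares", "2022-10-11T09:30:00"),
    ],
    "collection-exfil": [
        ("T1560.001", "Archive Collected Data: Archive via Utility", "2022-10-11T09:45:00"),
        ("T1041", "Exfiltration Over C2 Channel", "2022-10-11T09:50:00"),
    ],
}

# Hypothetical vendor rule names mapped to ATT&CK technique IDs (the kind of
# mapping a vendor provides when aligning its product with the framework).
RULE_TO_TECHNIQUE = {
    "edr:powershell_encoded_command": "T1059.001",
    "edr:lsass_handle_open": "T1003.001",
    "edr:admin_share_access": "T1021.002",
    "edr:scheduled_task_created": "T1053.005",
    "ndr:large_outbound_transfer": "T1041",
}

# Constructed sensor events captured during (and just before) the emulation run.
SENSOR_EVENTS = [
    {"time": "2022-10-11T08:55:00", "rule": "edr:lsass_handle_open", "host": "ws-02"},  # before the step: unrelated
    {"time": "2022-10-11T09:02:40", "rule": "edr:powershell_encoded_command", "host": "ws-17"},
    {"time": "2022-10-11T09:03:05", "rule": "edr:scheduled_task_created", "host": "ws-17"},  # mapped, but not in the plan
    {"time": "2022-10-11T09:16:10", "rule": "edr:lsass_handle_open", "host": "ws-17"},
    {"time": "2022-10-11T09:31:00", "rule": "edr:admin_share_access", "host": "srv-fs01"},
    {"time": "2022-10-11T09:52:30", "rule": "ndr:large_outbound_transfer", "host": "ws-17"},
    {"time": "2022-10-11T09:53:00", "rule": "edr:unknown_rule_xyz", "host": "ws-17"},  # unmapped noise
]


def _ts(s):
    return datetime.fromisoformat(s)


def map_event(event, mapping=RULE_TO_TECHNIQUE):
    """Translate a vendor rule name into an ATT&CK technique ID (None if unmapped)."""
    return mapping.get(event["rule"])


def score_phase(steps, events, mapping=RULE_TO_TECHNIQUE):
    """Return detected/missed technique IDs, coverage ratio and time-to-detect per step.

    Only events that fired at or after the step's execution time count as detections.
    """
    detected, missed, ttd = [], [], {}
    for tid, _name, executed_at in steps:
        fired = _ts(executed_at)
        hits = [_ts(e["time"]) for e in events
                if map_event(e, mapping) == tid and _ts(e["time"]) >= fired]
        if hits:
            detected.append(tid)
            ttd[tid] = int((min(hits) - fired).total_seconds())
        else:
            missed.append(tid)
    return {
        "detected": detected,
        "missed": missed,
        "coverage": len(detected) / len(steps) if steps else 0.0,
        "ttd_seconds": ttd,
    }


def score_plan(plan, events, mapping=RULE_TO_TECHNIQUE):
    """Score every phase of the plan and add an overall coverage ratio."""
    report = {phase: score_phase(steps, events, mapping) for phase, steps in plan.items()}
    total = sum(len(steps) for steps in plan.values())
    hit = sum(len(r["detected"]) for r in report.values())
    report["overall_coverage"] = hit / total if total else 0.0
    return report


if __name__ == "__main__":
    result = score_plan(EMULATION_PLAN, SENSOR_EVENTS)
    for phase, steps in EMULATION_PLAN.items():
        r = result[phase]
        print(f"{phase}: coverage={r['coverage']:.0%} missed={r['missed']} ttd={r['ttd_seconds']}")
    print(f"overall coverage: {result['overall_coverage']:.0%}")
```

The missed techniques (the spearphishing attachment and the archiving step in the sample data) are the blue team’s to-do list; the time-to-detect figures are the response-rate measure the article mentions, and a detection that maps to a technique outside the plan, like the scheduled task event here, is deliberately not credited.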
MITRE’s CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. CALDERA can also be used to train blue teams on detecting and remediating specific attacks.
Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.
This book is the hands-on and methodology guide for pentesting with Kali Linux. You’ll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.
Build a modern dockerized environment
Discover the fundamentals of the bash language in Linux
Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation
Apply practical and efficient pentesting workflows
Learn about modern web application security and the secure SDLC
If you’re getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for Hackers is an excellent first step. Using Kali Linux, an advanced penetration testing distribution of Linux, you’ll learn the basics of using the Linux operating system and acquire the tools and techniques you’ll need to take control of a Linux environment.
First, you’ll learn how to install Kali on a virtual machine and get an introduction to basic Linux concepts. Next, you’ll tackle broader Linux topics like manipulating text, controlling file and directory permissions, and managing user environment variables. You’ll then focus in on foundational hacking concepts like security and anonymity and learn scripting skills with bash and Python. Practical tutorials and exercises throughout will reinforce and test your skills as you learn how to:
Cover your tracks by changing your network information and manipulating the rsyslog logging utility
Write a tool to scan for network connections, and connect and listen to wireless networks
Keep your internet activity stealthy using Tor, proxy servers, VPNs, and encrypted email
Write a bash script to scan open ports for potential targets
Use and abuse services like MySQL, Apache web server, and OpenSSH
Build your own hacking tools, such as a remote video spy camera and a password cracker
In this book you’ll learn an offensive approach to enhance your penetration testing skills by testing the sophisticated tactics employed by real hackers. You’ll go through laboratory integration to cloud services so that you learn another dimension of exploitation that is typically forgotten during a penetration test. You’ll explore different ways of installing and running Kali Linux in a VM and containerized environment and deploying vulnerable cloud services on AWS using containers, exploiting misconfigured S3 buckets to gain access to EC2 instances.
This book delves into passive and active reconnaissance, from obtaining user information to large-scale port scanning. Building on this, different vulnerability assessments are explored, including threat modeling. See how hackers use lateral movement, privilege escalation, and command and control (C2) on compromised systems. By the end of this book, you’ll have explored many advanced pentesting approaches and hacking techniques employed on networks, IoT, embedded peripheral devices, and radio frequencies.
For more information about this book, we have a video with the author you can watch here.
This is a comprehensive guide for those who are new to Kali Linux and penetration testing that will have you up to speed in no time. Using real-world scenarios, you’ll understand how to set up a lab and explore core penetration testing concepts.
Throughout this book, you’ll focus on information gathering and even discover different vulnerability assessment tools bundled in Kali Linux. You’ll learn to discover target systems on a network, identify security flaws on devices, exploit security weaknesses and gain access to networks, set up Command and Control (C2) operations, and perform web application penetration testing. In this updated second edition, you’ll be able to compromise Active Directory and exploit enterprise networks.
Finally, this book covers best practices for performing complex web penetration testing techniques in a highly secured environment.
Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.
Cybercrime’s continued shift to a service-driven economy has enabled several new professionalized hacking services with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea’s latest threat report, which researched rising trends across a multitude of hacking forums.
Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.
Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
Refund fraud services increased by almost 150% from 2019 – 2021
Netacea’s report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.
“As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception” said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. “As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take.”
Additional steps include:
Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer’s account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.
Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.
Reports say at first, it delivered BazaarLoader (backdoor) which was used as an entry point to deliver ransomware. A BazaarLoader infection will lead to the installation of Conti Ransomware in a span of 32 hours.
It was also found to be delivering other malware such as Trickbot, Gozi ISFB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in the United States and Canada. They were also targeting some Asian countries like India and China.
What is BazarCall?
BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.
In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.
The second Tuesday of every month is Microsoft’s regular day for security updates, still known by almost everyone by its unofficial nickname of “Patch Tuesday”.
But the second Tuesday in October is also Ada Lovelace Day, celebrating Ada, Countess of Lovelace.
Ada was a true pioneer not only of computing, but also of computer science, and gave her name to the programming language Ada.
The Ada language, intriguingly, emerged from a US Department of Defense project aimed at “debabelising” the world of governmental coding, where every department seemed to favour a different language, or a different language dialect, making it more difficult, more expensive, and less reliable to get them to work together.
Ada Lovelace’s era
You might be surprised to find, given how strongly Ada’s name is associated with the beginnings of computer science, that she lived in the first half of the nineteenth century, long before anything that we currently recognise as a computer, or even a calculator, existed.
(Ada died of uterine cancer in 1852 at just 36 years old.)
But although computers in their modern sense didn’t exist in the 1800s, they very nearly did.
Here’s how it almost happened.
Charles Babbage, in the early 1800s, famously devised a mechanical calculating device called the Difference Engine that could, in theory at least, automatically solve polynomial equations of the sixth degree, e.g. by finding values for X that would satisfy:
aX^6 + bX^5 + cX^4 + dX^3 + eX^2 + fX + g = 0
The UK government was interested, because a device of this sort could be used for creating accurate mathematical tables, such as square roots, logarithms and trigonometric ratios.
And any machine good at trigonometric calculations would also be handy for computing things like gunnery tables that could revolutionise the accuracy of artillery at land and sea.
But Babbage had two problems.
Firstly, he could never quite reach the engineering precision needed to get the Difference Engine to work properly, because it involved sufficiently many interlocking gears that backlash (tiny but cumulative inaccuracies leading to “sloppiness” in the mechanism) would lock it up.
Secondly, he seems to have lost interest in the Difference Engine when he realised it was a dead end – in modern terms, you can think of it as a pocket calculator, but not as a tablet computer or a laptop.
So Babbage leapt ahead with the design of a yet more complex device that he dubbed the Analytical Engine, which could work out much more general scientific problems than one sort of polynomial equation.
Perhaps unsurprisingly, if regrettably in hindsight, the government wasn’t terribly interested in funding Babbage’s more advanced project.
Given that he hadn’t managed to build the mechanism needed for a much simpler equation solver, what chance did a giant, steam-powered, general-purpose computer have of ever delivering any useful results?
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to
Hinder communication
Gather intelligence
Steal intellectual property
Damage digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019 when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers to $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What Can the Public Sector Do to Stay Ahead?
Beyond taking full advantage of the latest tech, public sector organizations that want to stay ahead of cyber security threats have to create a culture of cybersecurity within the organization, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
Conclusion
The top cybersecurity threats are generally a consequence of new technologies the public sector is either looking to implement or is already implementing. It is harder to know all the variables and potential vulnerabilities with anything new.
This isn’t to suggest that old technologies are more reliable, however. Antivirus software is a case in point: its virus definitions must be continually updated for the software to remain effective. The public sector needs to stay on the cutting edge of best practices.
The public sector must also remain agile in adapting to new threats, whether offering ongoing cybersecurity training, hiring skilled consultants to keep their new technological infrastructures in check, partnering with experienced cybersecurity service providers like Indusface, or otherwise.
Photo caption: A woman in Tehran climbed onto a car and set her hijab ablaze. “Amin” was just five meters away. (Photo credit: Twitter)
The death of 22-year-old Mahsa Amini in Iran has ignited the most powerful protests the country has seen in years. Authorities there have rolled out a host of new tools to throttle mobile phone connections, block social media sites, and make it harder for people on the ground to organize. Our Click Here team spoke to one man who has been protesting since Amini’s death was announced, and he talked to us about the dangers of using social media and technology while participating in street demonstrations. He asked us not to use his real name because speaking to foreign reporters could get him arrested. Amin talked with us about getting around internet restrictions, the dangers of using social media in Iran, and how protesters handle their passwords.
Our interview with him has been edited and condensed for clarity.
BidenCash, a popular dark web carding site, released a dump of more than 1.2 million credit cards to promote its service.
Operators behind the popular dark web carding market ‘BidenCash’ have released a dump of 1,221,551 credit cards to promote their underground payment card shop. Multiple security firms noticed the promotional activity, but the news was first reported by threat intelligence firm Cyble and the Italian firm D3Lab.
It is a great gift to fraudsters, who can download the dump for free and use it for fraudulent activities.
The availability of the dataset, consisting of information on over 1.2 million credit and debit cards, was announced on a notorious cybercrime forum that mainly hosts Russian- and English-speaking threat actors.
Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company’s business strategy and operations.
The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.
Given this evolution in responsibilities, a CISO’s first 90 days on the job should look a lot different today than it did even several years ago.
The First 90 Days
While many CISOs want to immediately demonstrate value by jumping in with big ideas and projects on day one, they will be able to make much more of a long-term impact if they first take the time to understand the company’s mission, values, and business objectives. They also need to get up to speed on core activities, products, services, research and development, intellectual property, and merger and acquisition plans. And they need to understand all potential issues, previous breaches, regulatory or external obligations, and existing technical debt.
With this in mind, here are a few recommendations on what a CISO’s focus should be during their first 90 days on the job.
Gain An Understanding of the Organization’s Larger Mission and Culture
The very first day, begin to deploy a collection of interview and interrogation techniques with a goal of understanding the business, its purposes and its priorities. Interview your employees, midlevel business leaders, and customers to get a sense of all key stakeholders, initial pain points, and how mature the cybersecurity culture is within the organization. Finally, gently interrogate your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help build a 90-day action plan and road map.
Identify the Crown Jewels
Determine which data and systems underpin the company’s strategic mission and core competencies, represent intellectual property, differentiate the enterprise from its competitors, or support major customer segments or revenue lines. These crown jewels are the digital assets that are most likely to be targeted by threat actors, and thus must have their cyber-hygiene efforts accelerated. If the C-suite and board understand these critical areas, they can tell you their risk appetite, and you can implement security strategies accordingly.
Develop a Plan Based on the Company’s Current IT and Business Landscape
Once assets are identified and prioritized, develop a written risk management plan with checklists for deliverables, structure and communication between key internal and external stakeholders. On this latter point, the CISO always must act as an information broker and as a partner to all the key organizational decision-makers. One effective way to do this is to establish formal and informal communication with these roles, so the organization can move forward strategically.
Master the Basics
There are many technologies needed to secure the modern company, but there are a few must-haves that should be implemented right away, if they aren’t already. These are baseline controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multifactor authentication, sensitive data encryption, application whitelisting, 24/7 security monitoring, file integrity monitoring, privileged access management, network segmentation, data loss prevention, and a rigorous assessment and audit function connected to vulnerability and patching strategies.
Implement Benchmarks
Prove the value of security plans, processes, and technologies to the C-suite, business unit executives, and the board by implementing benchmarks and maturity assessments that show how the company stacks up against competitors, how security strategies stack up against industry best practices and frameworks, and how security initiatives are enabling the business with secure operations.
Always Treat Security as a Business Problem
Security incidents can result in myriad consequences on the business, and conversely, strong security can help the business succeed in a secure fashion. This is why it’s so important that IT and security teams always remain integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executive leaders, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they’ll be more apt to pay attention and participate in security efforts.
At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? What is our capability maturity against industry standard frameworks? What are our most critical vulnerabilities and cyber-risk scenarios? What data is most important to the organization? What data risks could have the most significant negative impact on the organization? And what will it take to improve the organization’s security posture, and do we have a road map?
While this may seem like a lot to get to the bottom of in a three-month timespan, following these six steps will set your company up for both short- and long-term security and business success.
An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activities such as DDoS attacks or security policy violations.
An IDS works by monitoring system activity: examining vulnerabilities in the system, checking the integrity of files, and analyzing patterns based on already known attacks. It also automatically monitors the Internet to search for any of the latest threats which could result in a future attack.
Detection Methods
An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target.
An attack is an attempt to compromise confidentiality, integrity, or availability. The two primary methods of detection are signature-based and anomaly-based. Any type of IDS (HIDS or NIDS) can detect attacks based on signatures, anomalies, or both.
The HIDS monitors the network traffic reaching its NIC, and the NIDS monitors the traffic on the network.
Host-based intrusion detection system (HIDS)
A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or a server.
It provides protection to the individual host and can detect potential attacks and protect critical operating system files.
The role of a host intrusion detection system is passive: it only gathers, identifies, logs, and alerts. Examples of HIDS:
The primary goal of any IDS is to monitor traffic. For a HIDS, this traffic passes through the network interface card (NIC). Many host-based IDSs have expanded to monitor application activity on the system.
As one example, you can install a HIDS on different Internet-facing servers, such as web servers, mail servers, and database servers. In addition to monitoring the network traffic reaching the servers, the HIDS can also monitor the server applications.
It’s worth stressing that a HIDS can help detect malicious software (malware) that traditional anti-virus software might miss.
Because of this, many organizations install a HIDS on every workstation as an extra layer of protection, in addition to traditional anti-virus software. Just as the HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is mainly used to monitor network traffic reaching the workstation. However, a HIDS can also monitor some applications and can protect local resources such as operating system files. In other organizations, administrators only install a HIDS when there’s a perceived need.
For example, if an administrator is concerned that a specific server with proprietary data is at increased risk of an attack, the administrator might choose to install a HIDS on this system as an extra layer of protection.
Each uncompleted session consumes resources on the server, and if the SYN flood attack continues, it can crash the server.
Some servers reserve a certain number of resources for connections, and once the attack consumes these resources, the system blocks additional connections. Instead of crashing the server, the attack prevents legitimate users from connecting to the server.
IDSs and IPSs can detect a SYN flood attack and respond to block the attack. Additionally, many firewalls include a flood guard that can detect SYN flood attacks and take steps to close the open sessions.
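As an added example (not from the original post), here is a small Python replay of the half-open session tracking a flood guard or IDS relies on: sessions that saw a client SYN but never the completing ACK are counted per client host, and a server with a fixed backlog of reserved slots is modelled so that legitimate connections get refused once the flood has consumed them. The event log, addresses and threshold are constructed for illustration.

```python
"""Half-open session tracking for SYN flood detection (added example)."""
from collections import defaultdict

HALF_OPEN_THRESHOLD = 10  # alert when one client host holds more than this

# Constructed sample log: (time, source, destination, TCP flags).
# 10.0.0.5 completes a normal three-way handshake; 203.0.113.9 sends
# twelve SYNs from different ports and never answers the SYN-ACKs;
# 10.0.0.6 is a legitimate client that arrives after the flood.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5:40001", "10.0.0.1:80", "S"),
    (0.1, "10.0.0.1:80", "10.0.0.5:40001", "SA"),
    (0.2, "10.0.0.5:40001", "10.0.0.1:80", "A"),
]
SAMPLE_EVENTS += [
    (1.0 + i / 100, f"203.0.113.9:{50000 + i}", "10.0.0.1:80", "S")
    for i in range(12)
]
SAMPLE_EVENTS.append((2.0, "10.0.0.6:40002", "10.0.0.1:80", "S"))


def host_of(endpoint):
    """Return the address part of an 'ip:port' endpoint."""
    return endpoint.rsplit(":", 1)[0]


def track_sessions(events, backlog=None):
    """Replay handshake events in order.

    Returns (half_open, refused): the set of (client, server) sessions
    still waiting for the client's final ACK, and the list of SYNs the
    server dropped because its backlog of reserved slots was full.
    """
    half_open = set()
    refused = []
    for _ts, src, dst, flags in events:
        if flags == "S":
            if backlog is not None and len(half_open) >= backlog:
                refused.append((src, dst))  # no slot left: connection blocked
                continue
            half_open.add((src, dst))       # slot reserved until the ACK arrives
        elif flags == "A" and (src, dst) in half_open:
            half_open.discard((src, dst))   # handshake completed, slot released
        # "SA" from the server changes nothing: the slot stays reserved
    return half_open, refused


def half_open_per_host(half_open):
    """Count half-open sessions by client host, ignoring the source port."""
    counts = defaultdict(int)
    for client, _server in half_open:
        counts[host_of(client)] += 1
    return dict(counts)


def detect_syn_flood(events, threshold=HALF_OPEN_THRESHOLD, backlog=None):
    """Return (counts_per_host, alerted_hosts, refused_syns)."""
    half_open, refused = track_sessions(events, backlog)
    counts = half_open_per_host(half_open)
    alerts = sorted(h for h, n in counts.items() if n > threshold)
    return counts, alerts, refused


if __name__ == "__main__":
    counts, alerts, refused = detect_syn_flood(SAMPLE_EVENTS)
    print("half-open per host:", counts)   # {'203.0.113.9': 12, '10.0.0.6': 1}
    print("flood sources:", alerts)        # ['203.0.113.9']
    _, _, refused = detect_syn_flood(SAMPLE_EVENTS, backlog=8)
    print("SYNs refused with backlog=8:", len(refused))  # 5
```

With an unlimited backlog the flooding host is alerted on; with a backlog of eight slots the flood itself stays under the alert threshold, yet the later legitimate client is among the refused SYNs, which is the service-denial effect described above.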
About 1 in 5 phishing email messages reach workers’ inboxes, as attackers get better at dodging Microsoft’s platform defenses and defenders run into processing limitations.
This week’s report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft’s default security showcases an alarming evolution in phishing tactics, security experts said this week.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They’re also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft’s platform defenses and landed in workers’ inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers are due to a better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.
“It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company’s security layers,” he says. “The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content.”
Meanwhile, cybercriminal services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.
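To make the "looks genuine to the recipient but different to the algorithm" point concrete, here is an added Python example (not Check Point's or Avanan's code) that separates the text a recipient would actually see in an HTML email from text hidden with a zero-size font, so a filter can compare the two. The sample message is constructed.

```python
"""Zero-size font detection in HTML email bodies (added example)."""
import re
from html.parser import HTMLParser

# Matches a font-size of zero in an inline style: 0, 0px, 0pt, 0em, 0.0 ...
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I
)

# Constructed sample: junk letters split the word "password" and a whole
# sentence of benign filler is hidden, so a content filter that reads all
# the text sees something different from what the recipient reads.
SAMPLE_HTML = """<html><body>
<p>Your pass<span style="font-size:0px">qz</span>word expires today.</p>
<p style="font-size: 0pt">Meeting notes attached for the quarterly review.</p>
<p><a href="https://example.invalid/verify">Verify now</a></p>
</body></html>"""


class ZeroFontScanner(HTMLParser):
    """Collects visible and zero-font text while walking the HTML tree."""

    def __init__(self):
        super().__init__()
        self.open_tags = []      # (tag, opened_a_hidden_region)
        self.hidden_depth = 0    # > 0 while inside a zero-font element
        self.visible_parts = []
        self.hidden_parts = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = bool(ZERO_FONT_RE.search(style))
        self.open_tags.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching start tag; void tags left on the stack
        # (e.g. <br>) are discarded on the way.
        while self.open_tags:
            opened, hidden = self.open_tags.pop()
            if hidden:
                self.hidden_depth -= 1
            if opened == tag:
                break

    def handle_data(self, data):
        target = self.hidden_parts if self.hidden_depth else self.visible_parts
        target.append(data)


def _normalise(parts, sep):
    """Join text fragments and collapse whitespace runs."""
    return " ".join(sep.join(parts).split())


def scan_email_html(html):
    """Return what the recipient sees, what is hidden, and a verdict."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    # Visible fragments are joined with no separator so words split by a
    # hidden span ("pass" + "word") are reassembled as the reader sees them.
    visible = _normalise(scanner.visible_parts, "")
    hidden = _normalise(scanner.hidden_parts, " ")
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "zero_font_detected": bool(hidden),
    }


if __name__ == "__main__":
    result = scan_email_html(SAMPLE_HTML)
    print(result["visible_text"])  # Your password expires today. Verify now
    print(result["hidden_text"])   # qz Meeting notes attached for the quarterly review.
```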
This October is Cyber Security Awareness Month, an event designed to educate people about information security and the steps they can take to stay safe online.
Now in its nineteenth year, the campaign provides tools and resources to help people learn more about the cyber security industry and the ways they can get involved.
This year’s event focuses on phishing and ransomware – two of the biggest threats that organisations currently face.
Phishing is often used to deliver ransomware, which itself is responsible for significant damage. Our research discovered more than 100 publicly disclosed ransomware attacks in the first half of 2022, with intrusions shuttering businesses and creating huge financial problems.
Getting involved
There are events being held throughout October as part of National Cyber Security Awareness Month. Both national governments and private organisations have supported the campaign and are running programmes online and in person.
You can find a full list of events on Stay Safe Online, where you can also find information security tips.
The theme of this year’s campaign is ‘See Yourself in Cyber’, and individuals are encouraged to get involved online with the hashtag #BeCyberSmart.
A key component of that is protecting yourself from scams. The campaign reminds people that: “The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it.
“Before clicking any links or downloading attachments, take a few seconds (like literally 4 seconds) and ensure the email looks legit.”
The campaign also highlights the benefits of multi-factor authentication, strong passwords and regularly updating software.
How IT Governance can help
You can also follow the latest developments with Cyber Security Awareness Month by following us on LinkedIn. We’ll provide the latest updates on the campaign to help you get involved in events near you.
Plus, our experts will provide quick and simple tips to boost your cyber security awareness. Did you know, for example, that one of the most effective ways to boost your defences is also one of the simplest – ensuring that your accounts are protected by strong, unique passwords.
This applies not only to login credentials but also to databases and other sensitive information that you store online. The InterContinental Hotel Group was recently caught out by a cyber attack, after criminal hackers discovered a database protected by the password ‘Qwerty1234’.
The breach enabled the attackers to access the most sensitive parts of the hotel giant’s computer systems, and ultimately led to a phishing attack in which an employee was duped into downloading malware that destroyed huge volumes of sensitive data.
Another top tip for preventing cyber attacks is to test your employees with simulated phishing emails, such as our Phishing Challenge E-learning Game. These are messages that use the same techniques as genuine scams without the malicious payload.
The attacks give you the opportunity to monitor how your employees respond to a bogus email. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact the IT team to alert them of the threat?
Simulated phishing is an essential technique in an organisation’s cyber security practices. It complements traditional staff awareness training to assess the effectiveness of your programme in a real-world scenario.
In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.
But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to
Hinder communication
Gather intelligence
Steal intellectual property
Damage digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real-life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers, at a cost estimated at $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What The Public Sector Can Do to Stay Ahead?
Beyond taking full advantage of the latest tech, public sector organizations have to create a culture of cybersecurity, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
There are several open-source packet analyzers available, but Wireshark is among the most popular. Moreover, the application has been upgraded to version 4.0.0 and comes with multiple new features and fixes.
Wireshark is used not only by network administrators to analyze packets but also by security analysts.
The Wireshark network protocol analyzer can be used for the following primary purposes:
Troubleshooting
Analysis
Development
Education
Organizations of all sizes have adopted the tool and use it to support their business activities.
The official Windows 32-bit package of Wireshark is no longer being distributed with the release of this version. The new additions are listed below:
With many new extensions available, the display filter syntax has become much more powerful.
Redesigns have been made to the Conversation and Endpoint dialogs.
Packet Detail and Packet Bytes are now displayed underneath the Packet List pane in the default layout for the main window.
A number of improvements have been made to the hex dump import from Wireshark and from text2pcap.
A great deal of improvement has been made in the performance of using MaxMind geolocation.
New and Updated Features
The new and updated features in this latest release are listed below:
The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3.
The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70.
The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
The ‘v’ (lower case) and ‘V’ (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analogous to AT_STRINGZ.
The Conversation and Endpoint dialogs have been redesigned.
The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
The display filter syntax has been updated and enhanced. The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
The IEEE 802.11 dissector supports Mesh Connex (MCX).
The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in a row without having to re-enter the password each time. Passwords are never stored on disk.
It is possible to set extcap passwords in tshark and other CLI tools.
The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
Support for displaying the JSON mapping of Protobuf messages has been added.
macOS debugging symbols are now shipped in separate packages, similar to Windows packages.
In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated.
The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list.
The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
ciscodump now supports IOS, IOS-XE and ASA remote capturing.
The PCRE2 library is now required to build Wireshark.
You must now have a compiler with C11 support in order to build Wireshark.
A cybersecurity framework provides a formal and comprehensive set of guidelines to help organizations define their security policies, assess cybersecurity posture, and improve resilience. Cybersecurity frameworks specify security controls, risk assessment methods, and suitable safeguards to protect information systems and data from cyberthreats. Though originally developed for government agencies and other large organizations, cybersecurity frameworks can also be a useful source of security best practices for medium and small businesses. Without getting too formal, let’s see what cybersecurity frameworks exist, why you may want to use one, and how to hand-pick the cybersecurity processes and actions that apply to your specific web application security program.
Why cybersecurity frameworks exist
Depending on the organization, a successful cyberattack can have serious social, economic, or even political consequences. Whether they result in a denial of service, a data breach, or a stealthy and persistent presence in targeted systems, cyberattacks are now a permanent concern not only for business and government but even for military operations. Well-defined cybersecurity programs are vital for organizations of all sizes, but simply saying “secure everything” isn’t good enough, especially given the complexity of today’s interconnected information systems and supply chains. And with data security and privacy high on the agenda, a systematic and formalized approach is necessary to identify specific security controls that keep sensitive information inaccessible to malicious actors.
With public and private organizations of all sizes facing similar cybersecurity events and challenges, it became clear that a common cybersecurity framework would benefit everyone. By working to a common set of best-practice policies and recommendations, everyone would be able to define their own cybersecurity practices and protective technologies while maintaining a common baseline for auditing and certification. And for organizations that may lack the resources or the technical expertise to design their own policies from scratch, having such a starter policy kit could be the only way to come up with a reasonably complete and effective cybersecurity policy.
Commonly used cybersecurity frameworks
You can think of a cybersecurity framework as a common box of parts for building cybersecurity policies. More formally, a cybersecurity framework can be any document that defines procedures and goals to guide more detailed policies. Existing documents that contain such cybersecurity guidelines include:
The NIST Cybersecurity Framework: The most widely used document for cybersecurity policy and planning, developed by the National Institute of Standards and Technology.
ISO 27001 Information Security Management: Guidelines for information security management systems (ISMS) prepared by the International Organization for Standardization.
Risk management frameworks: Documents such as NIST’s Risk Management Framework (NIST SP 800-37 Rev. 2) and the ISO 27005:2018 standard for Information Security Risk Management focus on risk management strategies, including cybersecurity risk management.
Industry-specific frameworks: Many industries have their own security standards, such as PCI DSS for electronic payment processing, HIPAA rules for healthcare, or COBIT for IT management and governance.
A closer look at the NIST cybersecurity framework
In 2013, a US presidential executive order was issued calling for a standardized cybersecurity framework to describe and structure activities and methodologies related to cybersecurity. In response to this, NIST developed its Framework for Improving Critical Infrastructure Cybersecurity, commonly called the NIST Cybersecurity Framework (NIST CSF). It is a detailed policy document created not only to help organizations manage and reduce their cybersecurity risk but also to create a common language for communicating about cybersecurity activities. While the framework was initially intended only for companies managing critical infrastructure services in the US private sector, it is now widely used by public and private organizations of all sizes.
The NIST CSF is divided into three main components:
Framework core: The main informational part of the document, defining common activities and outcomes related to cybersecurity. All the core information is organized into functions, categories, and subcategories.
Framework profile: A subset of core categories and subcategories that a specific organization has chosen to apply based on its needs and risk assessments.
Implementation tiers: A set of policy implementation levels, intended to help organizations in defining and communicating their approach and the identified level of risk for their specific business environment.
The framework core provides a unified structure of cybersecurity management processes, with the five main functions being Identify, Protect, Detect, Respond, and Recover. For each function, multiple categories and subcategories are then defined. This is where organizations can pick and mix to put together a set of items for each function that corresponds to their individual risks, requirements, and expected outcomes. For clarity and brevity, each function and category has a unique letter identifier, so for example Asset Management within the Identify function is denoted as ID.AM, while Response Planning within the Respond function is RS.RP.
Each category includes subcategories that correspond to specific activities, and these subcategories get numerical identifiers. To give another example, the subcategory “Detection processes are tested”, under the Detection Processes category of the Detect function, is identified as DE.DP-3. Subcategory definitions are accompanied by references to the relevant sections of standards documents for quick access to the normative guidelines for each action.
Applying the NIST framework to application security
By design, the NIST CSF has an extremely broad scope and covers far more activities than any specific organization is likely to need. To apply the framework to web application security, you start by analyzing each of the five functions as they relate to your existing and planned application security activities and risk management processes. Then, you select the categories and subcategories relevant to your specific needs and use them as the backbone of your own security policy to ensure you cover all the risks and activities you need. For general web application security, a skeleton cybersecurity policy would need to include at least the following subcategories for each function:
Identify:
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.RA-1: Asset vulnerabilities are identified and documented
Protect:
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
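As an added example (not from the article or from NIST), the Python below turns the identifier scheme and the pick-and-mix approach described above into a small profile builder: it validates FUNCTION.CATEGORY-N identifiers, groups the chosen subcategories by function, and reports which of the five functions a draft profile leaves uncovered. The core excerpt contains only the subcategories quoted on this page; the category names are assumed from CSF 1.1.

```python
"""Building a NIST CSF profile for a web application security policy (added example)."""
import re

CSF_ID_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d+)$")

FUNCTIONS = {
    "ID": "Identify", "PR": "Protect", "DE": "Detect",
    "RS": "Respond", "RC": "Recover",
}

# Category names (assumed from NIST CSF 1.1; only those used below).
CATEGORIES = {
    "ID.AM": "Asset Management",
    "ID.RA": "Risk Assessment",
    "PR.AC": "Identity Management and Access Control",
    "DE.DP": "Detection Processes",
    "RS.RP": "Response Planning",
}

# Excerpt of the framework core: the subcategories the article quotes.
CORE_EXCERPT = {
    "ID.AM-2": "Software platforms and applications within the organization are inventoried",
    "ID.RA-1": "Asset vulnerabilities are identified and documented",
    "PR.AC-4": "Access permissions and authorizations are managed, incorporating "
               "the principles of least privilege and separation of duties",
    "DE.DP-3": "Detection processes are tested",
}


def parse_csf_id(identifier):
    """Split 'DE.DP-3' into ('DE', 'DP', 3); reject anything else."""
    m = CSF_ID_RE.match(identifier)
    if not m:
        raise ValueError(f"not a CSF subcategory identifier: {identifier!r}")
    return m.group(1), m.group(2), int(m.group(3))


def build_profile(selected, core=CORE_EXCERPT):
    """Group selected subcategories by function, keeping their outcome text.

    Unknown identifiers are an error: a profile may only reference
    subcategories that exist in the core it was drawn from.
    """
    profile = {}
    for sub_id in selected:
        function, category, _ = parse_csf_id(sub_id)
        if sub_id not in core:
            raise KeyError(f"{sub_id} is not in the framework core")
        cat_key = f"{function}.{category}"
        entry = {
            "id": sub_id,
            "category": CATEGORIES.get(cat_key, cat_key),
            "outcome": core[sub_id],
        }
        profile.setdefault(FUNCTIONS[function], []).append(entry)
    return profile


def coverage_gaps(profile):
    """Core functions with no subcategory selected, in core order."""
    return [name for name in FUNCTIONS.values() if name not in profile]


if __name__ == "__main__":
    web_app_profile = build_profile(["ID.AM-2", "ID.RA-1", "PR.AC-4"])
    for function, entries in web_app_profile.items():
        print(function)
        for e in entries:
            print(f"  {e['id']} ({e['category']}): {e['outcome']}")
    print("uncovered functions:", coverage_gaps(web_app_profile))
    # uncovered functions: ['Detect', 'Respond', 'Recover']
```

Running it on the three subcategories listed so far shows Detect, Respond and Recover still empty, which is the kind of gap the per-function review described above is meant to catch before the policy is finalized.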
Learn to identify security vulnerabilities in applications and implement secure code practices to prevent events like data breaches and leaks. Become familiar with DevSecOps practices, and SAST for identifying security flaws.