Sep 13 2022

Google announced the completion of the acquisition of Mandiant for $5.4 billion

Category: Information SecurityDISC @ 8:18 am

Google announced the completion of the $5.4 billion acquisition of threat intelligence firm Mandiant. The acquisition was announced in March 2022 by both companies:

“RESTON, Va., March 8, 2022 – Mandiant, Inc. (NASDAQ: MNDT) today announced that it has entered into a definitive agreement to be acquired by Google LLC for $23.00 per share in an all-cash transaction valued at approximately $5.4 billion, inclusive of Mandiant’s net cash,” the press release stated.


Mandiant is considered a leading cyber security firm. FireEye acquired it in 2013; in 2021 FireEye sold its products business to a private equity consortium in a $1.2 billion transaction, and the remaining company took the Mandiant name.

Mandiant will join Google Cloud, and Google will keep the Mandiant brand.

Google is expanding its portfolio with cybersecurity services. As part of this strategy the company also acquired the Israeli startup Siemplify, which developed a SOAR (security orchestration, automation and response) platform.

“Today we’re excited to share the next step in this journey with the completion of our acquisition of Mandiant, a leader in dynamic cyber defense, threat intelligence and incident response services. Mandiant shares our cybersecurity vision and will join Google Cloud to help organizations improve their threat, incident and exposure management.” reads Google’s announcement.

“Combining Google Cloud’s existing security portfolio with Mandiant’s leading cyber threat intelligence will allow us to deliver a security operations suite to help enterprises globally stay protected at every stage of the security lifecycle. With the scale of Google’s data processing, novel analytics approaches with AI and machine learning, and a focus on eliminating entire classes of threats, Google Cloud and Mandiant will help organizations reinvent security to meet the requirements of our rapidly changing world.”

State of the Hack discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.

State of the Hack

Tags: Google Cloud, Mandiant, State of the Hack


Sep 12 2022

FBI warns of vulnerabilities in medical devices following several CISA alerts

Category: Cyber crime,Cybercrime,hipaaDISC @ 2:14 pm

The FBI on Monday warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks.

In a white notice from the FBI’s Internet Crime Complaint Center (IC3), the law enforcement agency said it has identified “an increasing number” of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features.

The FBI specifically cited vulnerabilities found in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps, noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or “otherwise endanger patient health.”

“Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity,” the alert said. 

“Medical device vulnerabilities predominantly stem from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.”

The FBI noted that medical device hardware is often used for more than 30 years at some healthcare facilities, giving cybercriminals and state actors ample time to discover and exploit bugs. 

Many legacy devices used by hospitals and clinics contain outdated software because they do not get manufacturer support for patches or updates, the FBI said, adding that many devices are not designed with security in mind. 

The white notice then quotes several reports from cybersecurity firms that highlighted the magnitude of the problem, most notably that about 53% of all connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities. 

One report found an average of 6.2 vulnerabilities per medical device and reported that more than 40% of medical devices are at the end-of-life stage, offering little to no security patches or upgrades.

The alert comes days after the multibillion-dollar healthcare company Baxter International notified customers of four vulnerabilities affecting its infusion pumps and WiFi batteries. CISA released its own advisory about the issues, the second it had published that week related to medical devices.

In March, Palo Alto Networks security researchers discovered that more than 100,000 infusion pumps were susceptible to two known vulnerabilities that were disclosed in 2019.

Infusion pumps have long been a source of ire for cybersecurity experts and vendors who have spent more than a decade trying to improve their security. Palo Alto noted that the Food and Drug Administration announced seven recalls for infusion pumps or their components in 2021 and nine more recalls in 2020.

Last year, German healthcare giant B. Braun updated several faulty IV pumps after McAfee discovered vulnerabilities allowing attackers to change doses.

Healthcare organizations continue to face a barrage of ransomware incidents and cyberattacks. Cybersecurity firm Proofpoint released a report last week that found 89% of healthcare professionals surveyed experienced at least one cyberattack in the last 12 months.

More than 20% of those attacked saw an increase in mortality rates and over half said the attacks caused longer patient stays, delays in procedures and overall decreases in the quality of care.

https://therecord.media/fbi-warns-of-vulnerabilities-in-medical-devices-following-several-cisa-alerts/

Cybersecurity for Healthcare Professionals: Keeping You and Your Patients Safe from Cyberattacks

Tags: healthcarecybercrime


Sep 12 2022

Cybersecurity Awareness Campaigns: How Effective Are They in Changing Behavior?

Category: Security AwarenessDISC @ 2:00 pm

The European Union Agency for Cybersecurity (ENISA) promotes cybersecurity among EU citizens and organizations each October, and is partnering with Anima People, specialists in behavioral science applied to security, on a project to evaluate how effective cybersecurity awareness campaigns are at changing employee behavior. Organizations worldwide will benefit from the insight needed to design successful campaigns in the future, helping to drive long-term behavior conducive to a cyber-secure world. Please participate by completing this survey: https://

/eusurvey/runner/Cybersecurity_Awareness_ECSM-PreC

Cyber Security Awareness

Tags: Cybersecurity Awareness


Sep 12 2022

The challenges of achieving ISO 27001

Category: ISO 27kDISC @ 8:31 am

ISO 27001 is a widely known international standard on how to manage information security.

In this Help Net Security video, Nicky Whiting, Director of Consultancy at Defense.com, talks about the challenges of achieving ISO 27001 certification.

ISO 27001 certification is not obligatory. Some organizations choose to implement it in order to benefit from the best practice it contains. Others decide they want to get certified to reassure customers and clients.

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

What is ISO 27001 Information Classification?

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

ITG is offering bestselling implementation guides free with each toolkit purchase

What are the differences between the 2013 and 2022 editions of ISO/IEC 27002?

How to Maintain ISO 27001 Certification: 7 Top Tips

Enroll for free in ISO 27001 online courses

Tags: iso 27001, iso 27002, ISO/IEC 27001


Sep 11 2022

HP Z2 G9 Small Form Factor Workstation – Wolf Pro Security Edition

Category: Information SecurityDISC @ 1:48 pm
Windows 10 Pro (available through downgrade rights from Windows 11 Pro)
Intel® Core™ i5-12500 (up to 4.6 GHz with Intel® Turbo Boost Technology, 18 MB L3 cache, 6 cores, 12 threads)
16 GB memory; 512 GB SSD storage
Intel® UHD Graphics 770

Security management Included with HPZ2 G9:

HP Secure Erase; HP Sure Click; HP BIOSphere Gen6; HP Sure Admin; Hood Sensor Optional Kit; HP Client Security Manager Gen6; HP Sure Start Gen7; HP Sure Recover Gen4; HP Sure Sense Gen2; HP Sure Run Gen5


Sep 10 2022

A rough guide to launching a career in cybersecurity

Category: Cyber careerDISC @ 2:49 pm
Important Steps to Be Successful in Information Security Career Path

The global cybersecurity workforce gap is estimated at 2.7 million people, with the problem particularly acute when it comes to entry-level roles.

Cybersecurity nevertheless promises an interesting and potentially lucrative career. Even though the profession is open to people with any degree or none – providing they have the aptitude to learn – it can still be daunting to take the first steps and difficult to know where to begin.

The talent pool might potentially be expanded through more inclusive and broader hiring strategies. Against this, unrealistic hiring practices sometimes create barriers to entry for those looking to enter the profession, especially those seeking a career change.

The path into a career in information security is, however, eased by a growing number of entry level training schemes and courses. The Daily Swig has surveyed this landscape to chart some promising routes offered by various reputable training providers.


For example, cybersecurity skills training organization (ISC)2 reports that more than 1,400 individuals have undertaken its entry-level infosec certification pilot exam since the program launched at the end of January 2022.

The qualification is designed to support industry entrants embarking on cybersecurity careers, ranging from recent university graduates, to career changers, to IT professionals looking to switch roles and focus on infosec. In all cases, the certificate offers a means to validate their foundational security skills.

Laying down foundations

For employers seeking to fill entry-level roles, the qualification offers evidence that newcomers have the foundational knowledge, skills, and abilities necessary to thrive in the sector. According to (ISC)2, the qualification shows that candidates for junior roles are familiar with technical concepts whilst having an aptitude for on-the-job learning.

The (ISC)2 entry-level pilot exam evaluates candidates across five domains: security principles; business continuity, disaster recovery, and incident response concepts; access control concepts; network security; and security operations.

In preparation, candidates can pay for either live instructor-led training sessions (available as a course package that includes access to online learning resources and an exam voucher for $649) or the more economical online, self-paced learning resources (available with an exam voucher for $199).

Within the cybersecurity education market, however, (ISC)2 is far from the only game in town.

World of choice

The SANS Institute offers a five-day, in-person Introduction to Cyber-Security course that covers a mix of technical and business issues. SANS Institute courses are well regarded but not inexpensive.

GIAC Information Security Fundamentals, for example, retails at $6,600.

Other paid-for SANS Institute introductory courses focusing on specific areas of cybersecurity – such as cloud computing, digital forensics, and incident response – are also available.

SANS also offers free-of-charge security workshops and other content, though this material is more geared towards the professional development needs of those who have already established a cybersecurity career.

eLearning

Coursera offers access to online courses from leading universities and companies.

The Coursera platform provides routes that run the gamut from short online classes and hands-on projects that teach job-relevant skills in less than two hours, to job-ready certificates and degree programs. Short courses cost up to $99 while professional certifications run between $2,000-$6,000 and degrees between $9,000-$45,000.

A yearly subscription to Coursera’s online courses costs $399.

Coursera offers a variety of entry-level cybersecurity courses, each affiliated to universities or technology companies.

For example, Introduction to Cyber Security Specialization from New York University includes four courses aimed at beginners. It can be completed in about four months with four hours of learning per week.

Attractive, lower cost options might also be found in modules and courses in cybersecurity from Udemy.

There’s also an Introduction to Cyber Security course from the UK’s Open University that is particularly suitable for those looking for a flexible course aimed at beginners. The course doesn’t lead to a formal qualification but is available online and is accredited by several reputable organizations in the UK cybersecurity sector.

“Over eight weeks, the course will take on average three hours a week to complete,” an Open University (OU) spokesperson told The Daily Swig.

“The course is accredited by APMG International, the Institute of Information Security Professionals, and the (UK) National Cyber Security Centre. The Certificate of Achievement for this course demonstrates awareness of cybersecurity issues across 12 of the IISP skills groups, and demonstrates that participants have completed a course that meets the awareness level requirements of NCSC Certified Training.”

Another option from the Open University involves a part-time degree course that offers a BSc in Cyber Security at the end of six years. There’s also a postgraduate micro-credential in Cyber Security Operations.

The best way to find Open University courses related to cybersecurity is by using the course search bar on the OU’s homepage.

Book smart

Quite a few well established and respected infosec professionals got their start in the field by simply picking up a book and getting stuck in.

There’s no better example of this than noted bug bounty hunter David Litchfield, who 25 years ago passed his Certified Novell Administrator (CNA) exam courtesy of a related CNA guidebook, thus certifying his ability to maintain networks running the then ubiquitous but since obsolete Novell NetWare networking software.

Fast forward to the 2020s and you’ll find PortSwigger’s Web Security Academy offering a free-of-charge service that explains key concepts and vulnerabilities in web security. This learning is reinforced through a series of labs graded ‘Apprentice’, ‘Practitioner’, or ‘Expert’.

Practice in the labs gives learners proficiency with Burp Suite, a web security testing tool that’s the industry standard for pen testers and bug bounty hunters alike.

Next, The Daily Swig’s own John Leyden plans to try his hand at modules from the (ISC)2 entry level qualification to see how he fares. Stay tuned for a follow-up feature this autumn.

https://portswigger.net/daily-swig/a-rough-guide-to-launching-a-career-in-cybersecurity

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

Tags: career in cybersecurity


Sep 09 2022

7 free online cybersecurity courses you can take right now

Category: Cyber career,Security trainingDISC @ 9:20 am

The cybersecurity skills shortage continues to present multiple challenges and have repercussions for organizations. The skills gap can be addressed through training and certifications to increase employees’ education.

The talent shortage and a variety of specialized fields within cybersecurity have inspired many to reskill and join the industry. One way to get more knowledge is to take advantage of online learning opportunities. Below you can find a list of free online cybersecurity courses that can help further your career.


Cryptography I

Stanford University

Instructor: Dan Boneh, Professor

In this course you will learn the inner workings of cryptographic systems and how to correctly use them in real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. You will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two parties generate a shared secret key. Throughout the course participants will be exposed to many exciting open problems in the field and work on optional programming projects.

DDoS Attacks and Defenses

University of Colorado

Instructor: C. Edward Chow, Professor

In this course you will learn the history of DDoS attacks, analyze Mirai IoT malware, and perform source code analysis. You’ll learn about the intrusion tolerance paradigm with proxy-based multipath routing for DDoS defense. By developing and deploying such a security mechanism, you can improve the performance and reliability of the system at the same time, rather than adding pure overhead. By the end of this course, you should be able to analyze new DDoS malware, collect forensic evidence, deploy firewall features to reduce the impact of DDoS on your system, and develop strategies for dealing with future DDoS attacks.


Hardware Security

University of Maryland

Instructor: Gang Qu, Associate Professor

In this course, you will study security and trust from the hardware perspective. Upon completing the course, students will understand the vulnerabilities in current digital system design flow and the physical attacks on these systems. They will learn that security starts from hardware design and be familiar with the tools and skills to build secure and trusted hardware.

Software Security

University of Maryland

Instructor: Michael Hicks, Professor

This course explores the foundations of software security. You will learn about software vulnerabilities and attacks that exploit them, and consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, you’ll take a “build security in” mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. Successful learners in this course typically have completed sophomore/junior-level undergraduate work in a technical field, have some familiarity with programming, ideally in C/C++ and one other “managed” programming language (like ML or Java), and have prior exposure to algorithms.

Web Security Fundamentals

KU Leuven University

Instructor: Philippe De Ryck, Founder, Pragmatic Web Security

This course provides an overview of the most common attacks, and illustrates fundamental countermeasures that every web application should implement. Throughout the course, you will gain insights into the threats that modern web applications face. You’ll build an understanding of common attacks and their countermeasures; not only in theory, but also in practice. You’ll be provided with an overview of current best practices to secure web applications. Although no previous security knowledge is necessary to join this course, it will help to be familiar with the basic concepts behind web applications, including HTTP, HTML, and JavaScript.


Security Governance & Compliance

University of California, Irvine

Instructor: Jacob Horne, Cybersecurity Consultant

In this course, students are introduced to the field of cyber security with a focus on the domain of security & risk management. Topics include the fundamental concepts and goals of cybersecurity (the CIA triad), security governance design, the NIST cybersecurity framework, relevant laws and regulations, and the roles of policies, strategies, and procedures in cybersecurity governance.

Windows Server Management and Security

University of Colorado

Instructor: Greg Williams, Director of Networks and Infrastructure

This course explores what it takes to design and build the server side of Windows in an enterprise environment. This course will explore everything from Windows Server installation to configuring users, to hardening the server operating system itself. The first week of this course provides an overview of how Windows operates in an enterprise environment and what it may look like in the real world. Week 2 will show you how Windows users interact with the system. Week 3 will explore authorization in a Windows environment. Week 4 explores built in security features of Windows and demonstrates how to use each technology effectively and in what circumstances you would use what technology for what purpose.

Programming, software development, ISO27k and AWS online courses

Tags: Cyber Security Training Courses, infosec career


Sep 09 2022

Why Ports Are at Risk of Cyberattacks

Category: Cyber AttackDISC @ 7:44 am

More docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

[Image: docked ships. Source: Hans-Joachim Aubert via Alamy Stock Photo]

Evidence indicates that the world’s ports are returning to pre-pandemic levels. During the first 11 months of 2021, the value of US international freight increased by more than 22% compared with the same 11 months in 2020. More freight means more ships docking at port. And not only are more ships docking, but their dwell times are increasing as well. The average container vessel dwell time at the top 25 US container ports was estimated at 28.1 hours in 2020. In the first half of 2021, average container vessel dwell times increased to 31.5 hours.

While this increase in activity is undoubtedly welcome, more docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

The Cyber-Risk to Ships

The maritime industry is especially vulnerable to cyber incidents. There are multiple stakeholders involved in the operation and chartering of a ship, which often results in a lack of accountability for the IT and OT system infrastructure and the ship’s networks. The systems may rely on outdated operating systems that are no longer supported and cannot be patched or run antivirus checks.

Going forward, this threat is expected to increase. Critical ship infrastructure related to navigation, power, and cargo management has become increasingly digitized and reliant on the Internet to perform a broad range of legitimate activities. The growing use of the Industrial Internet of Things (IIoT) will increase the ships’ attack surface.

Common ship-based cyber vulnerabilities include the following:

  • Obsolete and unsupported operating systems
  • Unpatched system software
  • Outdated or missing antivirus software and protection from malware
  • Unsecured shipboard computer networks
  • Critical infrastructure continuously connected with the shore side
  • Inadequate access controls for third parties including contractors and service providers
  • Inadequately trained and/or skilled staff on cyber-risks

Troubled Waters?

Maritime cybersecurity has become a significant issue affecting ports around the world. According to the firm Naval Dome, cyberattacks on maritime transport increased by 400% in 2020. Cybersecurity risks are especially problematic to ports around the globe since docked ships regularly interact digitally with shore-based operations and service providers. This digital interaction includes the regular sending of shipping documents via email or uploading documents via online portals or other communications with marine terminals, stevedores, and port authorities.

For example, many port authorities require a Port State Control (PSC) survey to be completed by foreign ships docking in their ports. Among other activities, this survey verifies several ship certificates and approximately 40 different documents required by international maritime authorities.

Some past examples of port-based cyber breaches:

Port of Rotterdam: In June 2017, the port of Rotterdam was hit with a ransomware attack that paralyzed the activities of two container terminals operated by APMT, a subsidiary of the Møller-Maersk group. Note that the port of Rotterdam had completely automated its operations as part of a Smart Port strategy.

Port of Shahid Rajaee: In May 2020, the port of Shahid Rajaee, Iran, suffered a cyberattack that almost totally shut down its operations. The Washington Post reported that the “computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility.” This cyberattack was presumed to be Israel’s response to an attack on its water network.

Port of Kennewick: In November 2020, the port of Kennewick, Wash., was hit with ransomware that completely locked access to its servers. Even with the small size of this port, it took nearly a week for port authorities to access their data. Malware injected via a phishing email is thought to be the cause of this attack.

Knowing that they are vulnerable to cyber breaches does not help alleviate the challenge to ports that have no choice but to accept documents originating from these ships. If ports block these documents, the ships cannot dock, and this ultimately causes delays in global logistics and the supply chain.

The Danger

Ports have no choice but to accept the ships’ documents. Refusal to accept these documents means loss of port revenue and blockages in the smooth flow of the supply chain. Document sending must proceed. But file-borne threats pose a significant challenge for ports. Malware is designed to access or damage a computer without the owner’s knowledge. Hackers embed malicious code into seemingly innocent files. When those files are opened, the malware automatically executes and allows the hackers to gain access to valuable data or cause damage to the maritime industry.

Many of these threats first enter the ship through email phishing schemes — attempts to fool employees and individuals into opening and clicking on malicious links or attachments in emails or uploading malicious documents to website portals. These “hacks” often exploit vulnerabilities in the ships’ networks, using the vessel to gain access to the ship’s partners, including the port.

https://www.darkreading.com/attacks-breaches/why-ports-are-at-risk-of-cyberattacks

Maritime Cybersecurity: A Guide for Leaders and Managers

Tags: Maritime Cybersecurity, maritime industry, ports attacks, shipping attacks


Sep 08 2022

How do I become a cyber security professional?

Category: Cyber career,Information Security,InfoSec jobs,QuoraDISC @ 11:17 pm

Tags: cyber security professional


Sep 08 2022

DEADBOLT ransomware rears its head again, attacks QNAP devices

Category: RansomwareDISC @ 8:37 am

Yes, ransomware is still a thing.

No, not all ransomware attacks unfold in the way you might expect.

Most contemporary ransomware attacks involve two groups of criminals: a core gang who create the malware and handle the extortion payments, and “members” of a loose-knit clan of “affiliates” who actively break into networks to carry out the attacks.

Once they’re in, the affiliates then wander around the victim’s network, getting the lie of the land for a while, before abruptly and often devastatingly scrambling as many computers as they can, as quickly as they can, typically at the worst possible time of day.

The affiliates typically pocket 70% of the blackmail money for any attacks they conduct, while the core criminals take an iTunes-like 30% cut of every attack done by every affiliate, without ever needing to break into anyone’s computers themselves.

That’s how most malware attacks happen, anyway.

But regular readers of Naked Security will know that some victims, notably home users and small businesses, end up getting blackmailed via their NAS, or network-attached storage, devices.

Plug-and-play network storage

NAS boxes, as they are colloquially known, are miniature, preconfigured servers, usually running Linux, that are typically plugged directly into your router, and then act as simple, fast, file servers for everyone on the network.

No need to buy Windows licences, set up Active Directory, learn how to manage Linux, install Samba, or get to grips with CIFS and other network file system arcana.

NAS boxes are “plug-and-play” network attached storage, and popular precisely because of how easily you can get them running on your LAN.

As you can imagine, however, in today’s cloud-centric era, many NAS users end up opening up their servers to the internet – often by accident, though sometimes on purpose – with potentially dangerous results.

Notably, if a NAS device is reachable from the public internet, and the embedded software, or firmware, on the NAS device contains an exploitable vulnerability, you could be in real trouble.

Crooks could not only run off with your trophy data, without needing to touch any of the laptops or mobile phones on your network, but also modify all the data on your NAS box…

…including directly rewriting all your original files with encrypted equivalents, with the crooks alone knowing the unscrambling key.

Simply put, ransomware attackers with direct access to the NAS box on your LAN could derail almost all your digital life, and then blackmail you directly, just by accessing your NAS device, and touching nothing else on the network.

The infamous DEADBOLT ransomware

That’s exactly how the infamous DEADBOLT ransomware crooks operate.

They don’t bother attacking Windows computers, Mac laptops, mobile phones or tablets; they just go straight for your main repository of data.

(You probably turn off, “sleep”, or lock most of your devices at night, but your NAS box probably quietly runs 24 hours a day, every day, just like your router.)

By targeting vulnerabilities in the products of well-known NAS vendor QNAP, the DEADBOLT gang aims to lock everyone else on your network out of their digital lives, and then to squeeze you for several thousand dollars to “recover” your data.

After an attack, when you next try to download a file from the NAS box, or to configure it via its web interface, you might see something like this:

In a typical DEADBOLT attack, there’s no negotiation via email or IM – the crooks are blunt and direct, as you see above.

In fact, you generally never get to interact with them using words at all.

If you don’t have any other way to recover your scrambled files, such as a backup copy that’s not stored online, and you’re forced to pay up to get your files back, the crooks expect you simply to send them the money in a cryptocoin transaction.

The arrival of your bitcoins in their wallet serves as your “message” to them.

In return, they “pay” you the princely sum of nothing, with this “refund” being the sum total of their communication with you.

The “refund” is a payment worth $0, submitted simply as a way of including a bitcoin transaction comment.

That comment consists of 16 apparently random data bytes, seen encoded as 32 hexadecimal characters in the screenshot below, which constitute the AES decryption key you will use to recover your data:
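The key handoff described above (a zero-value “refund” transaction whose comment carries 16 raw bytes, i.e. 32 hex characters, used as the AES key) can be turned into a small parser. The following is an added example, not code from the Naked Security article or from the DEADBOLT operators; it assumes, as the page does not state, that the comment is embedded in an OP_RETURN output (the standard way to attach a short note to a bitcoin transaction) and that the 16-byte payload is used verbatim as an AES-128 key. The transaction outputs and the key value in the block are constructed for illustration.

```python
"""Recover a DEADBOLT-style decryption key from the "refund" transaction comment.

Added example; assumptions (not stated on the page):
- the comment is an OP_RETURN output: 0x6a, a one-byte push length, then the data;
- a 16-byte payload is the AES-128 key, printed as 32 hex characters.
"""
from typing import List, Optional, Tuple

OP_RETURN = 0x6A
KEY_LEN = 16            # bytes -> 32 hex characters in the ransom note / screenshot
MAX_DIRECT_PUSH = 75    # OP_PUSHBYTES_1 .. OP_PUSHBYTES_75; longer pushes use OP_PUSHDATA1+


def parse_op_return(script_hex: str) -> Optional[bytes]:
    """Return the bytes pushed after OP_RETURN, or None if the script is not a
    single direct-push OP_RETURN script (e.g. a normal P2PKH/P2WPKH output)."""
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    push_len = script[1]
    if push_len == 0 or push_len > MAX_DIRECT_PUSH:
        return None
    # The push must consume exactly the rest of the script, nothing less, nothing more.
    if len(script) != 2 + push_len:
        return None
    return script[2:2 + push_len]


def extract_key(script_hex: str) -> Optional[str]:
    """Return the 32-hex-character AES key carried by an OP_RETURN script, or None
    if the payload is absent or not exactly 16 bytes (a wrong-length payload is
    not a usable AES-128 key, so it is rejected rather than truncated or padded)."""
    data = parse_op_return(script_hex)
    if data is None or len(data) != KEY_LEN:
        return None
    return data.hex()


def find_key_outputs(outputs: List[Tuple[int, str]]) -> List[str]:
    """Scan (value_in_satoshi, scriptPubKey_hex) outputs of a transaction and return
    every key found in a zero-value OP_RETURN output. The $0 value is part of the
    pattern described above: the payment carries nothing but the comment."""
    keys = []
    for value, script_hex in outputs:
        if value != 0:
            continue
        key = extract_key(script_hex)
        if key is not None:
            keys.append(key)
    return keys


# Constructed sample transaction (hypothetical values, not a real DEADBOLT transaction):
# output 0: a normal P2PKH output (OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG)
# output 1: a zero-value OP_RETURN output carrying the 16-byte key
SAMPLE_KEY_HEX = "00112233445566778899aabbccddeeff"
SAMPLE_OUTPUTS = [
    (546, "76a914" + "ab" * 20 + "88ac"),
    (0, "6a10" + SAMPLE_KEY_HEX),
]

if __name__ == "__main__":
    for key in find_key_outputs(SAMPLE_OUTPUTS):
        print("candidate AES-128 key:", key)
```

The parser deliberately rejects anything that is not exactly a 16-byte direct push: a key of the wrong length, or a script with trailing bytes, is more likely a lookalike note than the real key, and feeding a padded or truncated value into AES would silently produce garbage rather than your files.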

Source: DEADBOLT ransomware rears its head again, attacks QNAP devices

Tags: Deadbolt ransomware


Sep 07 2022

PenTesting at the speed of Your SDLC

Category: Information Security,Pen TestDISC @ 2:49 pm
Cobalt has announced a new offering, Agile Pentesting! With Agile Pentesting, conduct a pentest that has a targeted scope focused on a specific area of an asset, or a specific vulnerability across an asset. Agile Pentesting is flexible in nature, and aligns pentesting to DevSecOps workflows in a way that’s friction-free.

Leverage Agile Pentesting to level up your security program for:

* New Release Testing: pentest a new release before or shortly after it reaches production

* Delta Testing: pentest for incremental improvements based on code differences since date or version

* Single OWASP Category Testing: pentest a single vulnerability or small subset of vulnerabilities across an asset to validate fixes 

* Microservice Testing: pentest Kubernetes within AWS, Azure, or GCP, as well as hosted network devices

Ready to ship code securely with Cobalt’s Agile Pentesting?

Learn More

Enter to Win a Free Cobalt Agile Pentest!

Sometimes the best things in life actually are free! Click here to enter your information to be one of the three lucky winners to receive a free Agile Pentest from Cobalt, worth $6,600 in value! The drawing will take place on September 22nd.
Enter to Win

Tags: Agile Pentesting


Sep 07 2022

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

Category: ISO 27k,Security ToolsDISC @ 10:26 am

Implement ISO 27001 & ISO 27017 & ISO 27018 yourself, and do it easily and efficiently with our Documentation Toolkit.


Step-by-step guidance with LIVE EXPERT SUPPORT

  • 47 document templates – unlimited access to all documents required for ISO 27001 & 27017 & ISO 27018 certification, plus commonly used non-mandatory documents 
  • Access to video tutorials 
  • Email support 
  • Expert review of a document 
  • One hour of live one-on-one online consultations with an ISO 27001 & ISO 27017 & ISO 27018 expert 
  • Upcoming: free toolkit update for the new ISO 27001 2022 revision 

Fully optimized for small and medium-sized companies

TOOLKIT DOCUMENTS

Look at EVERY template in the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit – for free! – before making a purchase.

Tags: iso 27001, iso 27017, ISO 27018, toolkit


Sep 07 2022

Some Employees Aren’t Just Leaving Companies — They’re Defrauding Them

Category: Insider ThreatDISC @ 9:44 am

Here are a few measures your organization can implement to minimize fraudulent behavior and losses.


Since the Great Resignation in 2021, millions of employees across the nation have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

Understand Contributors to Fraudulent Behavior

According to the Cressey Fraud Triangle, fraudulent behavior often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organization to commit a fraud (poor oversight or internal controls), and rationalization (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organizations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn’t have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

Additionally, there are actions an organization can take that may significantly mitigate the risk that an employee would find themselves in a situation where they could justify stealing from their employer, even if internal controls are limited or the employee is in a position of a high level of trust or authority. These include offering strong employee assistance programs, investing in the employee experience, exploring employee enrichment opportunities, surveying employees, monitoring morale, performing adequate exit interviews, and completing frequent anti-fraud training.

Create a Web of Fraud Detectors

There are typically eight key warning signs which may indicate an employee is more likely to commit fraud in an organization. According to the ACFE Global Fraud Survey, the top three are living beyond one’s means, financial difficulties, and an unusually close association with a vendor/customer. Businesses must stay vigilant and identify potentially fraudulent behavior as soon as possible; monitoring for red flags among employees is often a helpful step.

Educating all employees about how to identify warning signs and report fraudulent activity is a beneficial practice for any business. According to that same ACFE Global Fraud Survey, organizations that implement fraud awareness training and other anti-fraud controls have seen quicker fraud detection and lower fraud losses as a result of their efforts. In fact, 42% of fraud is discovered by a tip, and 55% of all fraud is reported by employees of the company. Utilizing company employees to monitor for fraudulent behavior within the organization and creating a culture in which fraud is unacceptable under all circumstances are helpful in creating a team of full-time fraud detectors.

Create and Maintain Strong Internal Controls

There are many aspects of an employee’s personal life that an employer can’t control. And no matter how hard you try, an employer cannot always keep all employees engaged, satisfied and ultimately happy. But employers can control the opportunity side of the fraud triangle.

Establishing and maintaining strong and effective internal controls can greatly improve the chances that an organization either prevents fraudulent behavior or detects it before it can damage the company. Specifically, adequate fraud prevention controls over bank account activity, cash handling, purchasing and vendor management, credit card use, expense reimbursements, payroll, and inventory are crucial in protecting the company against a rogue employee who uses their position to misappropriate company assets.

When employers create enriching work environments where their employees feel supported and can convey internal or external stressors, they’re boosting employee morale and minimizing the risk of fraudulent behavior. Unfortunately, you can’t control all employee behavior no matter how hard you try, so it is crucial to also invest in adequate anti-fraud controls and trainings to protect your company even further. Very often, the cost of anti-fraud activities is far less than the cost of an actual fraud. Unfortunately, many companies don’t discover this fact until it’s too late.

https://www.darkreading.com/vulnerabilities-threats/some-employees-aren-t-just-leaving-companies-they-re-defrauding-them

Insider Threats (Cornell Studies in Security Affairs)

Tags: Defrauding


Sep 07 2022

Government guide for supply chain security: The good, the bad and the ugly

Category: Information Security,Vendor AssessmentDISC @ 8:11 am

Just as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the U.S.’s most prestigious security agencies (NSA, CISA, and ODNI) dropped a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers.

My first reaction was that it’s great to see these agencies adding to the public discourse in these still heady days where we’re all sorting out software supply chain security best practices. This is an important voice in shaking out the still many requirements, frameworks, and best practices, and kudos to them for sharing some of their hard-fought lessons learned.

But I think it’s also important for developers at large to weigh what makes sense in the most extraordinarily sensitive national security environments, versus what makes sense for the average enterprise developer and security team.

Here’s what stuck out to me as the good, bad, and ugly implications of the report.

The good

There are some excellent, prescriptive recommendations in the report where these agencies are advocating specific frameworks like Supply chain Levels for Software Artifacts (SLSA, pronounced “salsa”) and Secure Software Development Framework (SSDF). The report mentions these frameworks 14 and 38 times, respectively, and for developers and security teams that realize they have a software supply chain security problem but don’t know where to start, now they have a clear path to take their first steps.

The upshot of these frameworks is they give developers clear guidance on (1) how to develop secure code, from design issues to organizational structure issues for more secure software; (2) build system integrity (making sure malicious code isn’t being injected in our build systems); and (3) what happens after software is built and how to operate systems security (vulnerability remediation, monitoring, those types of aspects).

I also think the report does an excellent job of emphasizing what software signing buys developers in terms of artifact security, and how by making the investment in signing and verifying at the start of the software development lifecycle, you can save yourself a lot of toil not having to worry about the security of the package managers further down the line.

The bad

The guide suggests that “all development systems must be restricted to development operations only” … and goes on to say “no other activity such as email should be conducted for business nor personal use.”

I can’t see a future where developers are told they can’t do Slack, email and web browsing on their dev machines, and here’s an example where what’s mandatory in air-gapped environments like the NSA doesn’t really map to mainstream developer scenarios.

I also find that the SBOM guidance has great points, but also misses concrete threats and mitigation examples. Overall the industry continues to tell everyone to use SBOMs, but doesn’t really explain what to do with them or what the real benefits are. And while I like the guidance to compare SBOMs with software composition analysis (SCA) results, the reality is that today’s vulnerability scanners actually miss a lot of the transitive dependencies that make software supply chains an attractive threat surface in the first place.
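One concrete thing to do with an SBOM, following the paragraph above: use it to measure what the SCA scanner actually covered. The script below is an added example, not code from the guide or from the post’s author; the CycloneDX-style SBOM, the scanner output and all package names (webfw, qs-parse, sidechan, utilbelt, orphan, shop-api) are constructed sample data. It walks the SBOM’s dependency graph from the root component, then lists every component the scanner never examined, tagged as direct, transitive, or unreachable from the root.

```python
"""Compare an SBOM's component list with what an SCA scanner says it examined.

Added example; not from the NSA/CISA/ODNI guide or from the post's author. The
SBOM, the scanner output and the package names are constructed sample data.
"""
import json
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical "shop-api" service.
# Package names are invented; the shape (components, dependencies, bom-ref) follows CycloneDX.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"type": "application", "name": "shop-api", "version": "1.0.0",
                  "bom-ref": "pkg:npm/shop-api@1.0.0"}
  },
  "components": [
    {"type": "library", "name": "webfw",    "version": "4.1.0",  "bom-ref": "pkg:npm/webfw@4.1.0"},
    {"type": "library", "name": "qs-parse", "version": "6.2.0",  "bom-ref": "pkg:npm/qs-parse@6.2.0"},
    {"type": "library", "name": "sidechan", "version": "1.0.4",  "bom-ref": "pkg:npm/sidechan@1.0.4"},
    {"type": "library", "name": "utilbelt", "version": "4.17.0", "bom-ref": "pkg:npm/utilbelt@4.17.0"},
    {"type": "library", "name": "orphan",   "version": "0.1.0",  "bom-ref": "pkg:npm/orphan@0.1.0"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/shop-api@1.0.0", "dependsOn": ["pkg:npm/webfw@4.1.0", "pkg:npm/utilbelt@4.17.0"]},
    {"ref": "pkg:npm/webfw@4.1.0",    "dependsOn": ["pkg:npm/qs-parse@6.2.0"]},
    {"ref": "pkg:npm/qs-parse@6.2.0", "dependsOn": ["pkg:npm/sidechan@1.0.4"]},
    {"ref": "pkg:npm/sidechan@1.0.4", "dependsOn": []},
    {"ref": "pkg:npm/utilbelt@4.17.0", "dependsOn": []}
  ]
}
"""

# Constructed SCA output: the refs a hypothetical scanner reports having examined.
# It only walked the direct dependencies, which is exactly the gap the post warns about.
SCA_SCANNED: Set[str] = {"pkg:npm/webfw@4.1.0", "pkg:npm/utilbelt@4.17.0"}


def dependency_depths(sbom: dict) -> Dict[str, int]:
    """Breadth-first walk from the root component: depth 1 = direct, deeper = transitive."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def sca_coverage_gaps(sbom_json: str, scanned: Set[str]) -> List[Tuple[str, str]]:
    """List SBOM components the scanner never looked at, tagged direct/transitive/unreachable.

    'unreachable' means the component is declared in the SBOM but no dependency
    edge leads to it from the root; that is itself a question for the SBOM producer.
    """
    sbom = json.loads(sbom_json)
    depths = dependency_depths(sbom)
    gaps = []
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        if ref in scanned:
            continue
        depth = depths.get(ref)
        if depth is None:
            kind = "unreachable"
        elif depth == 1:
            kind = "direct"
        else:
            kind = "transitive"
        gaps.append((ref, kind))
    return sorted(gaps)


if __name__ == "__main__":
    for ref, kind in sca_coverage_gaps(SBOM_JSON, SCA_SCANNED):
        print(f"{kind:12s} {ref}")
```

Run against the constructed data it reports the two transitive packages the scanner skipped plus the orphaned component; against a real SBOM and a real scanner report you would feed in the scanner’s own list of examined package URLs in place of SCA_SCANNED.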

The ugly

While open source is mentioned 31 times in the guide, it’s mostly superficial references, with no new recommendations. We all know most source code being used today is open source, and it has unique aspects for security – the report doesn’t pay any care to how to choose which open source projects to use, what to look for when deciding on a new dependency, approaches to scoring systems, or how to tell the security health of an OSS project.

There’s quite a bit of information overload. Half of the document explains what its contents are, and the other half presents a couple of frameworks and the intersections of those frameworks. I think what we’re going to see next is a tidal wave of security vendor product whitewashing, claiming to have the first capabilities conforming to these guidelines – but it’s important to remember that there is no accreditation process, and most of this will simply be marketing bluster.

What’s next

Software supply chain security is pretty unique – you’ve got a whole lot of different types of attacks that can target a lot of different points in the software lifecycle. You can’t just take one piece of security software, turn it on, and get protected from everything.

Guides and recommendations like this that come down from the most sophisticated organizations that have gone through the early paces give a lot of great clues for developers at large, and I hope the NSA/CISA/ODNI will continue to disclose this type of insight … even if it may require some decoding for what applies to more mainstream developer scenarios outside of the Pentagon.

Cyber Security and Supply Chain Management: Risks, Challenges, and Solutions

Tags: supply chain, Vendor Security Assessment


Sep 06 2022

5 Vulnerability Scanner Tools that are Open Source and Free to Download

Category: Security vulnerabilitiesDISC @ 11:38 am

A list of free open source vulnerability scanners which developers and penetration testers can use to scan systems for vulnerabilities and potential malware.

A vulnerability assessment is an in-depth analysis of a network’s hardware, software, and other components to locate and fix potential security holes. Once identified, the software prioritizes security holes by how quickly they must be patched or mitigated. In most cases, the vulnerability scanning tool will also include guidance on how to fix or lessen the impact of any vulnerabilities it finds.

The results from vulnerability scanners can be used as a guide by security teams as they evaluate the safety of their network and take preventative measures.

Devs can use the following open-source vulnerability assessment tools to test their vulnerabilities for free.

Aqua Trivy

For developers to make informed decisions about which components to use in their applications and containers, open-source tools like Aqua Trivy can help them identify vulnerabilities and understand the associated risks. Trivy’s array of vulnerability scanners allows it to detect vulnerabilities in a wide variety of systems.

Clair

Static analysis of vulnerabilities in application containers is the focus of the Clair open-source project (currently including OCI and Docker).

Clients can index their container images via the Clair API and compare them to a database of known security flaws.

Tsunami

Tsunami is a flexible, plugin-based network security scanner designed to detect and scan critical vulnerabilities accurately.


Tsunami is scalable, runs quickly, and scans quietly.

Vaf

Vaf is a platform-independent web fuzzer that can quickly thread through requests, fuzz HTTP headers, and even act as a proxy.

Zed Attack Proxy ZAP

Under the OWASP banner, Zed Attack Proxy (ZAP) is developed and maintained as a free, open-source penetration testing tool and can be used as an effective vulnerability scanner.


ZAP is highly adaptable and extensible; it can even be deployed on a Raspberry Pi and is optimized for testing websites and deployed as a vulnerability scanner.

Tags: Open source, Vulnerability Scanner Tools


Sep 06 2022

Chrome and Edge fix zero-day security hole – update now!

Category: Zero dayDISC @ 9:30 am

Just three days after Chrome’s previous update, which patched 24 security holes that were not in the wild…

…the Google programmers announced the release of Chrome 105.0.5195.102, where the last of the four numbers in the quadruplet jumps up from 52 on Mac and Linux and 54 on Windows.

The release notes confirm, in the clipped and frustrating “indirect statement made in the passive voice” bug-report style that Google seems to have borrowed from Apple:

  : Insufficient data validation in Mojo.

   Reported by Anonymous on 2022-08-30

   [...]

   Google is aware of reportsrts [sic] that an exploit 
   for  exists in the wild.

Microsoft has put out an update, too, taking its browser, which is based on Chromium, to Edge 105.0.1343.27.

Following Google’s super-brief style, Microsoft wrote merely that:

  This update [Edge 105.0.1343.27] contains a fix for , 
   which has been reported by the Chromium team as having an exploit 
   in the wild

As always, our translation of security holes written up in this non-committal way is: “Crooks or spyware vendors found this vulnerability before we did, have figured out how to exploit it, and are already doing just that.”


What to do?

Patch early, patch often!

In Chrome, check that you’re up to date by clicking Three dots > Help > About Google Chrome, or by browsing to the special URL chrome://settings/help.

The Chrome version you are looking for (or Chromium version, if you’re using the non-proprietary, open source flavour) is: 105.0.5195.102 or later.

In Edge, it’s Three dots > Help and feedback > About Microsoft Edge.

The Edge version you’re after is: 105.0.1343.27 or later.

Google’s release notes also list an update to the Extended Stable Channel, which you might be using if you’re on a computer provided by work – like Mozilla’s Extended Support Release or ESR, it’s an official version that lags behind on features but keeps up with security patches, so you aren’t forced to adopt new features just to get patched.

The Extended Stable version you want is: 104.0.5112.114.

Google has also just announced a Chrome for iOS update, available (as always) via the App Store.

There’s no mention of whether the iOS version was affected by CVE-2022-3075, but the version you’re after, in any case, is 105.0.5195.100.

(We’re guessing that by iOS, Google means both iOS and iPadOS, now shipped as different variants of Apple’s underlying mobile operating system.)

Nothing in the release notes so far [2022-09-05T13:45Z] about Android – check in Google Play to see if you’re up to date.
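The “check that you’re up to date” steps above are easy to get wrong when automated across a fleet, because four-part build numbers must be compared numerically, not as strings. The script below is an added example, not code from the post or from Google or Microsoft; the minimum fixed versions are the ones the post lists, and the inventory of hostnames and installed versions is constructed sample data.

```python
"""Patch-compliance check for the browser versions named in the post above.

Added example (not from the post or from Google/Microsoft). The minimum fixed
versions come from the post; the fleet inventory is constructed sample data.
"""
from typing import Dict, List, Tuple

# Minimum fixed versions per channel, as listed in the post.
MINIMUM_FIXED: Dict[str, str] = {
    "chrome-stable": "105.0.5195.102",
    "chrome-extended-stable": "104.0.5112.114",
    "chrome-ios": "105.0.5195.100",
    "edge-stable": "105.0.1343.27",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version like '105.0.5195.54' into a tuple of ints.

    Tuples compare component by component, which is what we want. Comparing
    the raw strings would be wrong: '54' sorts after '102' lexicographically.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def naive_is_patched(channel: str, installed: str) -> bool:
    """The buggy string comparison, kept only to show the pitfall."""
    return installed >= MINIMUM_FIXED[channel]


def is_patched(channel: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed build for its channel."""
    return parse_version(installed) >= parse_version(MINIMUM_FIXED[channel])


# Constructed inventory: (hostname, channel, installed version).
FLEET: List[Tuple[str, str, str]] = [
    ("mac-01", "chrome-stable", "105.0.5195.52"),
    ("win-01", "chrome-stable", "105.0.5195.54"),
    ("win-02", "chrome-stable", "105.0.5195.102"),
    ("lin-01", "chrome-extended-stable", "104.0.5112.101"),
    ("win-03", "edge-stable", "105.0.1343.27"),
    ("ipad-01", "chrome-ios", "105.0.5195.100"),
]


def unpatched_hosts(fleet=FLEET) -> List[str]:
    """Return hostnames whose browser is below the fixed version for its channel."""
    return [host for host, channel, ver in fleet if not is_patched(channel, ver)]


if __name__ == "__main__":
    for host in unpatched_hosts():
        print(f"{host}: update required")
```

Note how the Windows build 105.0.5195.54 that the post says preceded the fix would pass a plain string comparison against 105.0.5195.102; the tuple comparison correctly flags it.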

Tags: Chrome, Edge


Sep 06 2022

Experts discovered TeslaGun Panel used by TA505 to manage its ServHelper Backdoor

Category: BackdoorDISC @ 8:18 am

Researchers discovered a previously undocumented software control panel, named TeslaGun, used by a cybercrime gang known as TA505.

Researchers from cybersecurity firm PRODAFT have discovered a previously undocumented software control panel, tracked as TeslaGun, used by a cybercrime group known as TA505.

The Russian TA505 hacking group, aka Evil Corp, has been active since 2014, focusing on the retail and banking sectors. The group is also known for the evasive techniques it has put in place over time to avoid security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by the victim, or abusing valid cryptographically signed payloads.

The TA505 group was involved in campaigns aimed at distributing the Dridex banking Trojan, along with the Locky, BitPaymer, Philadelphia, GlobeImposter, and Jaff ransomware families.

Now PRODAFT experts state that the group has carried out mass phishing campaigns against at least 8160 targets. Most of the victims are in the finance sector or individuals. TeslaGun victim data revealed that 3667 targets are in the US.

The financially-motivated group is known to have used multiple malware in its attacks, including FlawedAmmyy, the ServHelper backdoor and FlawedGrace malware.

The ServHelper backdoor is written in Delphi and according to the experts, the development team continues to update it by implementing new features since 2019. Researchers pointed out that almost every new campaign used a new variant of the malware.

Once downloaded, the ServHelper backdoor sets up reverse SSH tunnels that allow attackers to access the infected system via Remote Desktop Protocol (RDP) on port 3389. In 2019, Proofpoint experts also discovered another ServHelper variant that does not include the tunneling and hijacking capabilities; in this case, the backdoor was used only as a downloader for the FlawedGrace RAT.

The TeslaGun control panel was used by the threat actors to manage the ServHelper backdoor, it acts as a C2 infrastructure allowing operators to issue commands.

“The actors regularly migrate their proxy servers to new servers in the same datacenter to attain a low detection rate. During our investigation, we observed several TeslaGun management panels predominantly residing in MivoCloud SRL, Moldova” reads the report published by the experts. “The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records.”

TeslaGun panel shows a table containing victims’ data, including SYSID/ID/IP, Country/State/City, First Time Connected/Last Time Connected, Command, Answer Operations/Tun Port/Operations, and Comments.


TeslaGun also allows operators to send one command to all victim devices at the same time, or to configure a default command that runs when a new victim device is added to the panel.

During this investigation, the PTI researchers also discovered TA505 users executing RDP connections using tunnels.

The tool used by the gang to execute RDP connections allows it to launch multiple hidden RDP instances. Once a victim is infected, TA505 operators can connect to it via RDP, using multiple remote connections simultaneously.

“ServHelper is an example of backdoor malware run by a financially motivated and highly sophisticated threat group. TA505 appears to be well-embedded in the international cybercrime community, as demonstrated by its ability to collect and sell RDP connections to victim devices. The PTI team was able to gain valuable insight into how TA505 organizes its activities and achieves its goals. This will help cybersecurity policies to protect against backdoor attacks like ServHelper.” concludes the report. “From how TA505 commented their victims on TeslaGun panels perspective, it is obviously seen that TA505 is actively searching for online banking and shopping accounts, particularly from victims in the United States, but also from Russia, Romania, Brazil, and the UK.”

Bypassing the gatekeepers in CyberSecurity

Tags: TA505, TeslaGun Panel


Sep 02 2022

What is ISO 27001 Information Classification?

Category: Information Classification,ISO 27kDISC @ 10:50 am

Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.

Organisations usually classify information in terms of confidentiality – i.e. who is granted access to view it. A typical system contains four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

As you might expect, larger and more complex organisations will need more levels, with each one accounting for specific groups of employees who need access to certain information.

The levels shouldn’t be based on employees’ seniority but on the information that’s necessary to perform certain job functions.

Take the healthcare sector for example. Doctors and nurses need access to patients’ personal data, including their medical histories, which is highly sensitive.

However, they shouldn’t have access to other types of sensitive information, such as financial records.

In these cases, a separate classification should be created to distinguish between sensitive medical information and sensitive administrative information.


Where does ISO 27001 fit in?

Organizations that are serious about data protection should follow ISO 27001.

The Standard describes best practices for creating and maintaining an ISMS (information security management system), and the classification of information plays a crucial role.

Control objective A.8.2 is titled ‘Information Classification’, and instructs that organisations “ensure that information receives an appropriate level of protection”.

ISO 27001 doesn’t explain how you should do that, but the process is straightforward. You just need to follow four simple steps.

1) Enter your assets into an inventory

The first step is to collate all your information into an inventory (or asset register).

You should also note who is responsible for it (who owns it) and what format it’s in (electronic documents, databases, paper documents, storage media, etc.).

2) Classification

Next, you need to classify the information.

Asset owners are responsible for this, but it’s a good idea for senior management to provide guidelines based on the results of the organization’s ISO 27001 risk assessment.

Information that would be affected by more significant risks should usually be given a higher level of confidentiality. But be careful, because this isn’t always the case.

There will be instances where sensitive information must be made available to a broader set of employees for them to do their job. The information may well pose a threat if its confidentiality is compromised, but the organisation must make it widely available in order to function.

3) Labelling

Once you’ve classified your information, the asset owner must create a system for labelling it.

You’ll need different processes for information that’s stored digitally and physically, but it should be consistent and clear.

For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document.

For digital files, you might list the classification in a column on your databases, on the front page of the document and the header of each subsequent page.

4) Handling

Finally, you must establish rules for how to protect each information asset based on its classification and format.

For example, you might say that internal paper documents can be kept in an unlocked cabinet that all employees can access.

By contrast, restricted information should be placed in a locked cabinet, and confidential information stored in a secure location.

Additional rules should be established for data in transit – whether it’s being posted, emailed or employees carry it with them.

You can keep track of all these rules by using a table like this:

Information classification table example

Use a table to simplify the data handling documentation process.

Source: What is ISO 27001 Information Classification

Introduction to Cataloging and Classification

Tags: classification, Introduction to Cataloging and Classification


Sep 02 2022

Researchers analyzed a new JavaScript skimmer used by Magecart threat actors

Category: Cyber Threats,pci dssDISC @ 8:33 am

Researchers from Cyble analyzed a new, highly evasive JavaScript skimmer used by Magecart threat actors.

Cyble Research & Intelligence Labs started its investigation after seeing a post on Twitter a new JavaScript skimmer developed by the Magecart threat group used to target Magento e-commerce websites.

In Magecart attacks against Magento e-stores, attackers attempt to exploit vulnerabilities in the popular CMS to gain access to the source code of the website and inject malicious JavaScript. The malicious code is designed to capture payment data (credit/debit owner’s name, credit/debit card number, CVV number, and expiry date) from payment forms and checkout pages. The malicious code also performs some checks to determine that data are in the correct format, for example analyzing the length of the entered data.

In this specific case, the researchers discovered that when a user visits the compromised website, the skimmer loads the payment overlay and asks the user to enter the payment information.

The skimmer is obfuscated and embedded in the JavaScript file “media/js/js-color.min.js”.


Once the victim has entered their payment data in the form, the JavaScript file collects it and then sends the Base64-encoded data to the URL included in the JavaScript using the POST method.

Cyble experts noticed that upon executing the JavaScript, it checks if the browser’s dev tool is open to avoid being analyzed.
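Because this skimmer lives inside a first-party file (media/js/js-color.min.js) rather than a third-party script, a store operator’s most direct defence is to know exactly what bytes each served script should contain and to alert when they change. The script below is an added example, not Cyble’s code and not from the post: it computes Subresource Integrity style digests for an approved set of files, then compares the files currently served against that baseline and reports mismatches, unexpected new files and missing files. All file contents and names except media/js/js-color.min.js are constructed.

```python
"""Integrity baseline for a store's first-party JavaScript, to catch a modified file.

Added example; not Cyble's code and not from the post. File names and contents are
constructed; the only name taken from the post is media/js/js-color.min.js.
"""
import base64
import hashlib
from typing import Dict, List, Tuple


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity style string such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed snapshot of the static JS files as approved at deploy time.
APPROVED_FILES: Dict[str, bytes] = {
    "media/js/js-color.min.js": b"/* js-color (constructed sample) */function c(){return 1}",
    "media/js/checkout.js": b"/* checkout (constructed sample) */function pay(){}",
}
BASELINE: Dict[str, str] = {path: sri_digest(data) for path, data in APPROVED_FILES.items()}

# Constructed "now" state: js-color.min.js has extra bytes appended, checkout.js is
# unchanged, and a file that was never approved has appeared.
CURRENT_FILES: Dict[str, bytes] = {
    "media/js/js-color.min.js": APPROVED_FILES["media/js/js-color.min.js"] + b"\n/* appended bytes (constructed) */",
    "media/js/checkout.js": APPROVED_FILES["media/js/checkout.js"],
    "media/js/extra.js": b"/* never approved (constructed) */",
}


def detect_script_changes(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare every served file against the baseline digest and report what differs."""
    findings = []
    for path, data in current.items():
        if path not in baseline:
            findings.append((path, "unexpected-new-file"))
        elif sri_digest(data) != baseline[path]:
            findings.append((path, "integrity-mismatch"))
    for path in baseline:
        if path not in current:
            findings.append((path, "missing"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in detect_script_changes(BASELINE, CURRENT_FILES):
        print(f"{finding:20s} {path}")
```

The same sha384-… value can be placed in the integrity attribute of the script tag so browsers refuse to run a file whose bytes no longer match. That alone is not enough when the attacker can edit the HTML on the same compromised server, which is why the server-side baseline comparison above, run on a schedule against what the site actually serves, is the part that catches a skimmer like this one.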

“Online shopping activity is constantly on the rise due to its ease of use, digital transformation, and the sheer convenience. Skimmer groups continue to infect e-commerce sites in large numbers and are improving their techniques to remain undetected.” concludes the report. “Historically, Magento e-commerce websites have been the most highly targeted victims of skimmer attacks. While using any e-commerce website, ensure that you only use known and legitimate platforms.”

Data Privacy: A runbook for engineers

Tags: data protection, JavaScript skimmer, Magecart threat actors


Sep 01 2022

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

Category: CISO,ISO 27k,vCISODISC @ 12:30 pm
Advisera Conformio presentation


Tags: ISO 22301, iso 27001

