Aug 30 2021

Men, Executives Pose Higher Cybersecurity Risk

Category: Cyber Threats, Phishing, social engineering | DISC @ 1:12 pm

When it comes to online behaviors, women are far safer than men, according to a wide-ranging survey from SecurityAdvisor.

Although women made up 42% of the sample, they account for 48% of the top safe users and only 26% of risky users; men account for 74% of risky users. A big driver of this gap is the difference between men’s and women’s online behaviors.

According to SecurityAdvisor’s data, men are more likely to visit dangerous adult websites, use P2P software and watch pirated content than women.

SecurityAdvisor analyzed more than 500,000 malicious emails and an additional 500,000+ dangerous website visits by enterprise employees in more than twenty countries. Employees range from entry-level to executives and operate across many industries, including health care, financial services, communications, professional services, energy and utilities, retail and hospitality.

“Our partner here, Kelley McElhaney from Berkeley University, noted that women are more aware of long-term ramifications of risky behaviors,” SecurityAdvisor CEO Sai Venkataraman said. “Also, society tends to tolerate failures by dominant groups better, hence men don’t fear the consequences or fear consequences less.”

He also pointed out that men, from an early age, are socialized to take risks and win, hence they are less afraid of a potential negative outcome and engage in riskier behaviors.


C-Level Executives are Prime Targets

CYBER SECURITY FOR TOP EXECUTIVES: Everything you need to know about Cybersecurity by [Alejandra Garcia]

Tags: Higher Cybersecurity Risk


Aug 30 2021

Operationalize AWS security responsibilities in the cloud

Category: Cloud computing | DISC @ 9:18 am

What do AWS Partners with Level 1 Managed Security Service (MSSP) Competency provide?

All AWS Level 1 MSSP Competency Partners provide, at minimum, the ten 24/7 security monitoring, protection, and remediation services defined in the Level 1 Managed Security Services baseline. Those ten 24/7 services are:

  • AWS Infrastructure Vulnerability Scanning – Routine scanning of AWS infrastructure for known software vulnerabilities.
  • AWS Resource Inventory Visibility – Continuous scanning and reporting of all AWS resources and their configuration details, updated automatically with newly added or removed resources.
  • AWS Security Best Practices Monitoring – Track and detect misconfigurations of AWS resources to improve cloud security posture and reduce business risk.
  • AWS Compliance Monitoring – Scanning AWS environment for compliance standards such as: CIS AWS Foundations, PCI DSS, HIPAA, HITRUST, ISO 27001, MITRE ATT&CK, and SOC2.
  • Monitor, Triage Security Events – Gain visibility into security alerts with a consolidated list of security events and recommended remediation guidance.
  • 24/7 Incident Alerting and Response – Receive notification of high priority security events and expert guidance on recommended remediation steps 24/7.
  • DDoS Mitigation – Increase visibility and resilience to DDoS attacks and reduce the risk of availability, financial, and security impacts to applications.
  • Managed Intrusion Prevention System (IPS) – Add a layer of security for AWS-based endpoints, helping with defense against known threat patterns, to increase overall security posture.
  • Managed Detection and Response (MDR) for AWS-Based Endpoints – A combination of technology and cloud security experts working to continuously detect, investigate, and remove threats from within AWS-based endpoints.
  • Managed Web Application Firewall (WAF) – A firewall managed service designed to protect web-facing applications and APIs against common exploits.

Many Level 1 MSSP Competency Partners also provide additional security assessment and implementation professional services to assist customers in their AWS cloud journey.

What are the prerequisites for becoming an AWS Level 1 MSSP Competency Partner?

AWS Security Cookbook: Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS

Tags: AWS security


Aug 28 2021

Big bad decryption bug in OpenSSL – but no cause for alarm

Category: App Security | DISC @ 9:29 pm

The bugs

OpenSSL, as its name suggests, is mainly used by network software that uses the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.

Although TLS has now replaced SSL, removing a huge number of cryptographic flaws along the way, many of the popular open source programming libraries that support it, such as OpenSSL, LibreSSL and BoringSSL, have kept old-school product names for the sake of familiarity.

Despite having TLS support as its primary aim, OpenSSL also lets you access the lower-level functions on which TLS itself depends, so you can use the libcrypto part of OpenSSL to do standalone encryption, compute file hashes, verify digital signatures and even do arithmetic with numbers that are thousands of digits long.

There are two bugs patched in the new version:

  • : SM2 decryption buffer overflow.
  • : Read buffer overruns processing ASN.1 strings.

Strings, long and short

Network Security with OpenSSL

Tags: OpenSSL


Aug 27 2021

Don’t Leave Security to the Network

Category: Network security | DISC @ 9:08 am

Key Strategic Criteria

The solution is, instead, to focus on building applications that are secure by design, with zero-trust security baked-in rather than bolted-on. This is one of the three key strategic criteria we see for forward-looking enterprises that are accelerating the security of their applications.

  • Make applications secure by design – zero-trust is now the recommended security model.
  • Embrace tools that enable agility and efficiency and eliminate complexity.
  • Embrace open source for future-proofing, maximum visibility and to avoid proprietary lock-in.

Integrating security and the WAN is the next wave in network architecture. That means embedding zero-trust and access management capabilities in applications.

Zero-trust, to continue with the sporting event analogy, requires ticket checks before fans reach the stadium; it determines if they are authentic fans and therefore whether they can enter, where they can go once they’re inside the venue and which events they can watch. Zero-trust uses context as well as identity to authenticate users, and it enables policies that permit access only within a certain time window, a particular network segment or to a specific application. It removes the element of implicit trust that is so easily exploited, whether deliberately by bad actors or accidentally by careless users.

Zero-Trust Network Security

Zero Trust Networks: Building Secure Systems in Untrusted Networks

Tags: Zero-Trust Network Security


Aug 26 2021

What is ISMS

Category: Information Security, ISO 27k | DISC @ 10:25 pm

Implementing an ISMS

There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a ‘Plan Do Check Act’ process.

ISO 27001 is the international security standard that details the requirements of an ISMS.

ISO 27001 and the best-practice guidelines contained in ISO 27002 are two excellent guides to get you started with implementing an ISMS.

A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.

The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.

The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).

ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.

ISO 27001 Risk Assessment and Gap Assessment

Tags: Information Security Management System, isms


Aug 26 2021

T-Mobile Hacker Who Stole Data on 50 Million Customers

Category: Information Security, Mobile Security, Smart Phone | DISC @ 9:49 pm

‘Their Security Is Awful’

A 21-year-old American said he used an unprotected router to access millions of customer records in the mobile carrier’s latest breach

The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s systems said the wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people and counting.

John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.

The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.


Tags: T-Mobile Hack


Aug 26 2021

Samsung can remotely disable their TVs worldwide using TV Block

Category: cyber security, Cyber Spy, Cyber Threats | DISC @ 1:39 pm

Samsung says that it can disable any of its Samsung TV sets remotely using TV Block, a feature built into all television products sold worldwide.

This was revealed by the South Korean multinational in a press release issued earlier this month in response to the July South African riots that led to large-scale looting, which also impacted Samsung warehouses and stores.

“TV Block is a remote, security solution that detects if Samsung TV units have been unduly activated, and ensures that the television sets can only be used by the rightful owners with a valid proof of purchase,” Samsung said.

“The aim of the technology is to mitigate against the creation of secondary markets linked to the sale of illegal goods, both in South Africa and beyond its borders. This technology is already pre-loaded on all Samsung TV products.”

As Samsung explains, the goal behind remotely disabling stolen TV sets is to limit looting and “third party purchases,” and ensuring that the TVs can only be used by “rightful owners with a valid proof of purchase.”

https://twitter.com/SamsungSA/status/1423674642443784198

How TV Block works

Tags: Samsung can remotely disable, Smart TV, Smart TV Security, TV Block


Aug 26 2021

Interesting Privilege Escalation Vulnerability

Category: Security vulnerabilities, Windows Security | DISC @ 9:21 am

It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer device and physical access to the computer. With that said, the bug is easy to exploit: you just need to spend $20 on Amazon for a Razer mouse and plug it into a Windows 10 machine to become an admin.

Privileged Attack Vectors

Razer DeathAdder Essential Gaming Mouse

Tags: Privilege Escalation, vulnerabilities, Windows, zero-day


Aug 25 2021

APIs Create New Security Headaches

Category: App Security | DISC @ 10:52 pm

How APIs Create Security Risks

The proliferation of APIs that power applications, microservices, containers and serverless functions has created one of the greatest sources of security risk that businesses face today. The reason is simple: it’s not the development team’s responsibility to handle security. At the same time, security operations teams don’t have visibility into APIs. Because you can’t protect what you can’t see, Lebin Cheng, head of API security in the office of the CTO at Imperva, pointed out three primary ways APIs create security risk for organizations:

  • A legacy application, initially deployed for internal use, is exposed externally using gateways that perform only fundamental authentication and authorization, with inadequate protection against sophisticated data exfiltration attempts. Because APIs are often connected directly to a data source, this can give attackers direct access to sensitive data.
  • Modern applications are increasingly built with outsourced components and/or services. This means that the majority of the application stack isn’t actually owned by the enterprise. What connects all these components is the API, but organizations often lack the visibility to monitor these API calls or the ability to secure the APIs in runtime.
  • The speed of software development is the Achilles’ heel of a security team. Developers need to move quickly and publish lines of code and APIs. However, the traditional approach of penetration testing for vulnerabilities isn’t feasible in today’s modern application workflow because it takes too long to conduct. This is creating a tug-of-war internally between the DevOps and SecOps teams.

“Data exfiltration through a compromised or vulnerable API is the risk organizations need to be most worried about,” said Cheng in an email interview. According to research by Imperva Research Labs, the number of new API vulnerabilities grew at the same time other vulnerabilities decreased; by 2024, it’s predicted that API abuses and related data breaches will nearly double in volume.

Enter the Hackers

API Security in Action

Tags: API security risks


Aug 25 2021

How to Reduce Risk with Runtime Application Self Protection

Category: App Security, Information Security | DISC @ 1:03 pm

Instead of waning, cyber attacks continue to rise as the years pass. Several reasons contribute to this, despite the development and deployment of more robust network and data security platforms. First, the recent spate of disruptive cyberattacks hampering the operations of organizations and government agencies shows that cybercriminals are becoming bolder in perpetrating their malicious activities.

These nefarious actors attack small, medium, and large corporations and organizations. Several attacks were publicized; most of them are high-profile ransomware victims: Kaseya, JBS, SolarWinds, Colonial Pipeline, Acer, AXA, and CNA Financial. Many of them opted to pay the ransom demand so as not to disrupt operations that could affect thousands of businesses and consumers.

The nagging question is why cyberattacks are happening more often today. First, attackers are getting more sophisticated. Second, many are organized hacking groups, while some are already identified as government-backed hackers. The increase in cyberattacks can be attributed to several reasons, namely:

  • The willingness of many victims to pay the ransom;
  • Increased use of unregulated cryptocurrencies, which are harder to trace;
  • Publication of cyberattacks enticed other hackers to try the activity themselves, taking the publicized attacks as proof of cybercriminals’ success; this turned into a get-rich-quick scheme;
  • Increasing numbers of people going online, especially amid the pandemic.


Alice and Bob Learn Application Security

Tags: Runtime Application


Aug 24 2021

Three reasons why ransomware recovery requires packet data

Category: Information Security, Ransomware | DISC @ 9:13 am

Given that, companies also need to carefully consider their ability to respond and recover from a ransomware incident. While the key component of recovery is maintaining and testing backups of critical data, one aspect of recovery that’s often overlooked is having access to the stored packet data from the lead-up and ransomware attack itself.

High-quality packet data is important for ransomware recovery in three critical ways: (a) for determining the timeframe for backup restoration; (b) for creating a record of the attack for incident response (especially for legal and compliance reporting); and (c) for analyzing the attack itself to prevent it from happening again.

How far back should we restore from?

Ransomware Protection Playbook

Tags: Ransomware Protection Playbook, ransomware recovery


Aug 23 2021

This Mouse Gives you Admin on Windows

Category: Windows Security | DISC @ 1:14 pm

Razer gaming mice come with a buggy installer. It starts automatically when you plug in one of Razer’s devices.

The installer runs as SYSTEM. And it lets you start a shell—which also runs as SYSTEM. A classic elevation-of-privilege bug. And one that’s incredibly simple to exploit.

Déjà vu? It’s like PrintNightmare all over again. In today’s SB Blogwatch, we point the fingers of blame.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A VHS player with a window.

Not This One, That One

What’s the craic? Lawrence Abrams reports—“Become a Windows 10 admin by plugging in a mouse”:

Razer is a very popular computer peripherals manufacturer known for its gaming mice and keyboards. When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software.

A zero-day vulnerability in the plug-and-play Razer Synapse installation … allows users to gain SYSTEM privileges [which is] the highest user rights available in Windows. … It took us about two minutes to gain SYSTEM privileges in Windows 10 after plugging in our mouse.

Razer has contacted the security researcher to let them know that they will be issuing a fix. … Razer also told the researcher that he would be receiving a bug bounty reward.

O RLY? Surur Davids adds—“All you need to gain admin privileges on Windows 10 is to plug in a Razer mouse”:


Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats

Tags: Admin on Windows


Aug 22 2021

Google discloses unpatched Microsoft WFP Default Rules AppContainer Bypass EoP

Category: Security vulnerabilities | DISC @ 2:19 pm

Google disclosed the details of a Windows AppContainer vulnerability because Microsoft initially had no plans to fix it.

Google Project Zero experts disclosed the details of a Windows AppContainer flaw after Microsoft announced it had no plans to fix it.

The team focused its analysis on Windows Firewall and AppContainer, which were designed by Microsoft to limit the attack surface of applications. Bypassing network restrictions in AppContainer sandboxes could allow an attacker to access services on localhost, as well as granting access to intranet resources in an enterprise organization.

Google Project Zero researcher James Forshaw discovered an issue in the configuration of Windows Firewall that could allow attackers to bypass restrictions and allow an AppContainer process to access the network.

“Recently I’ve been delving into the inner workings of the Windows Firewall. This is interesting to me as it’s used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.” wrote Forshaw.

“I recently discovered a configuration issue with the Windows Firewall which allowed the restrictions to be bypassed and allowed an AppContainer process to access the network. Unfortunately Microsoft decided it didn’t meet the bar for a security bulletin so it’s marked as WontFix.”

According to Google, Microsoft decided to label the issue as WontFix.

“The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.” reads the security advisory published by Microsoft. “Connecting to an external network resource from an AppContainer is enforced through default rules in the WFP. For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. This layer can contain rules such as “InternetClient Default Rule” which will match if the caller is in an AC and has the Internet Capability. If a match is made then the connection is allowed. Eventually an AC process will match the “Block Outbound Default Rule” rule if nothing else has which will block any connection attempt.”


DevOps and Containers Security

Tags: AppContainer vulnerability, Containers Security, Google, Windows appcontainer


Aug 20 2021

Apple’s iPhone Backdoor

Category: Backdoor, Information Security, Smart Phone | DISC @ 11:43 am

More on Apple’s iPhone Backdoor

In this post, I’ll collect links on Apple’s iPhone backdoor for scanning CSAM images. Previous links are here and here.

Apple says that hash collisions in its CSAM detection system were expected, and not a concern. I’m not convinced that this secondary system was originally part of the design, since it wasn’t discussed in the original specification.

Good op-ed from a group of Princeton researchers who developed a similar system:

Our system could be easily repurposed for surveillance and censorship. The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.

Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices

Tags: iPhone Backdoor, Mobile Forensics


Aug 20 2021

The warning signs of burnout and how to deal with it

Category: InfoSec jobs | DISC @ 9:20 am

The consequences of such an action could prove dire for your business, though, so before you let another day of stress go by, read on to learn some warning signs and tips on how to deal with burnout. The goal is to get your team working at maximum capacity without overworking them.

Signs of burnout

Burnout is the word used to describe acute exhaustion when your work becomes overwhelming and too stressful. It can lead to poor performance, absenteeism, or resignations. It is a real problem in many industries, but it’s hugely prevalent in information security because of the long hours and high pressure.

Fortunately, burnout comes with early warning signs that you can spot and address. These include:

  • Anger at colleagues
  • A constant feeling of exhaustion that could manifest in team members getting lost in daydreams or even nodding off at their desk
  • Expressions of hopelessness or being overwhelmed by their responsibilities or current task
  • The team member isolating themselves from others, i.e., avoiding time out with colleagues or social events
  • Unhappiness in the role
  • An inability to stop and take breaks
  • An increase in working hours (coming in early, staying late, skipping lunch, or frequently emailing during out-of-office hours)

If any of your staff shows some of these symptoms, it’s time to act!

Taking steps to head off burnout

Time Off: A Practical Guide to Building Your Rest Ethic and Finding Success Without the Stress

Tags: infosec burnout, infosec career, Rest Ethic


Aug 19 2021

Great Firewall Ready to Unleash ‘Gigantic’ DDoS—so are Other Middleboxes

Category: DDoS, Information Security | DISC @ 12:51 pm

Researchers have disclosed a nasty new way for bad people to mess up the internet for the rest of us. They’ve found a fantastically powerful reflective-amplification attack technique that could easily be used for distributed denial of service (DDoS).

You’ll be pleased to know the researchers haven’t wasted their time dreaming up a fancy name or a logo. On the other hand, they’re far from hopeful that the problems can be fixed.

Nation-states would have to fix their firewalls, which ain’t gonna happen. In today’s SB Blogwatch, this is why we can’t have nice things.

Your humble blogwatcher curated these bloggy bits for your entertainment.

‘Infinite’ Amplification Ahoy

What’s the craic? Catalin Cimpanu reports—“Firewalls and middleboxes can be weaponized for gigantic DDoS attacks”:

Academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks. … The research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.

Reflective amplification … happens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker. … The amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of … DDoS.

The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic. … If the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect. … Weaponizing this attack is relatively simple.

Distributed Denial of Service (DDoS) Attacks: Classification, Attacks, Challenges and Countermeasures

Tags: 800Gbps ransom DDoS, DDoS D/TLS, Gigantic DDoS, Great Firewall


Aug 18 2021

Adopting Zero-Trust for API Security

Category: Access Control, App Security, Zero trust | DISC @ 11:56 am

Why Use Zero-Trust for API Security

Think of APIs as the new network; interconnected in complex ways and with API interactions happening both within and outside of the organization.

“Public-facing APIs—for example, consumer banking—are usually a key area of focus when it comes to zero-trust,” said Dunne. “This is due to the obvious risk exposure when APIs are documented and made available on the public internet.”

However, the larger risk is found in private and internal APIs, because there is a common assumption that since they aren’t documented or found on a public network, they aren’t exposed.

But as threat actors become more sophisticated in their search for and discovery of private APIs, there is increased risk of the bad guys gaining access to massive amounts of sensitive data. Private APIs need the same layers of protection as public-facing APIs.

“APIs are, by definition, atomic in nature—meaning they can be invoked independently,” explained Setu Kulkarni, vice president, strategy at NTT Application Security in an email interview. “That creates a real challenge for securing these APIs.”

Given that, Kulkarni added, a critical consideration for implementing zero-trust in APIs is to ensure that there is appropriate access control built into the API implementation. Every API function call requires not just authentication but also authorization. Also, adding zero-trust around session validation helps to prevent unintended data leakage.
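The per-call checks Kulkarni describes, sketched as an added Python example that is not code from the article, from NTT Application Security or from any product: a hypothetical dispatcher that authenticates every call against a session store, validates the session's lifetime and client binding, and only then authorizes the specific function and the specific object it touches. The `ZeroTrustApi` and `SessionStore` classes, the scope names and the account records are all constructed for illustration.

```python
import hashlib
import secrets
import time
from collections import namedtuple

class AuthError(Exception): pass      # no valid credential presented
class AuthzError(Exception): pass     # authenticated, but not permitted to make this call
class SessionError(Exception): pass   # session expired or client context no longer matches

# Hypothetical session record: who, what they may do, when issued, lifetime, and the client it was issued to.
Session = namedtuple("Session", "subject scopes issued_at ttl client_ip")

class SessionStore:
    """Hypothetical in-memory store keyed by SHA-256 of the bearer token (a dump yields no usable tokens)."""
    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject, scopes, client_ip, ttl=900, now=None):
        token = secrets.token_urlsafe(32)
        issued = now if now is not None else time.time()
        self._sessions[self._key(token)] = Session(subject, frozenset(scopes), issued, ttl, client_ip)
        return token

    def lookup(self, token):
        return self._sessions.get(self._key(token))

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)

class ZeroTrustApi:
    """Each call is authenticated, session-validated and authorized on its own; nothing carries over."""
    def __init__(self, store):
        self.store = store
        self._handlers = {}

    def route(self, name, scope):
        def register(fn):
            self._handlers[name] = (scope, fn)
            return fn
        return register

    def call(self, name, token, client_ip, now=None, **params):
        now = now if now is not None else time.time()
        required_scope, handler = self._handlers[name]
        session = self.store.lookup(token) if token else None
        if session is None:                          # 1. authenticate
            raise AuthError("missing or unknown token")
        if now - session.issued_at > session.ttl:    # 2. validate session lifetime ...
            self.store.revoke(token)
            raise SessionError("session expired")
        if client_ip != session.client_ip:           #    ... and its client binding
            raise SessionError("client context changed since issue")
        if required_scope not in session.scopes:     # 3. authorize this specific function
            raise AuthzError(f"{name} requires scope {required_scope}")
        return handler(session.subject, **params)

# Constructed sample data: two accounts owned by different subjects.
ACCOUNTS = {"acct-1": {"owner": "alice", "balance": 100},
            "acct-2": {"owner": "bob", "balance": 250}}
api = ZeroTrustApi(SessionStore())

@api.route("get_balance", scope="accounts:read")
def get_balance(subject, account_id):
    account = ACCOUNTS[account_id]
    if account["owner"] != subject:   # object-level authorization, beyond the scope check
        raise AuthzError("account not owned by caller")
    return account["balance"]

@api.route("transfer", scope="accounts:transfer")
def transfer(subject, src, dst, amount):
    if ACCOUNTS[src]["owner"] != subject:
        raise AuthzError("source account not owned by caller")
    ACCOUNTS[src]["balance"] -= amount
    ACCOUNTS[dst]["balance"] += amount

def run_demo():
    """Exercise each check once and return the outcomes (returned value or exception name)."""
    token = api.store.issue("alice", {"accounts:read"}, client_ip="10.0.0.5", ttl=900, now=1000)
    base = dict(token=token, client_ip="10.0.0.5", now=1010)
    attempts = {
        "own_account":   dict(base, name="get_balance", account_id="acct-1"),
        "other_account": dict(base, name="get_balance", account_id="acct-2"),
        "missing_scope": dict(base, name="transfer", src="acct-1", dst="acct-2", amount=10),
        "ip_changed":    dict(base, name="get_balance", account_id="acct-1", client_ip="10.0.0.9"),
        "expired":       dict(base, name="get_balance", account_id="acct-1", now=2000),
        "bad_token":     dict(base, name="get_balance", account_id="acct-1", token="not-a-token"),
    }
    outcomes = {}
    for label, kwargs in attempts.items():
        try:
            outcomes[label] = api.call(**kwargs)
        except (AuthError, AuthzError, SessionError) as exc:
            outcomes[label] = type(exc).__name__
    return outcomes
```

Calling `run_demo()` shows which check rejected each attempt: only the owner's read of her own account succeeds, while a read of another subject's account, a call outside the granted scope, a changed client address, an expired session and an unknown token are all refused. The object-level check inside `get_balance` is the part most often missed when authorization is reduced to a scope lookup at the gateway.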

Integrating Zero-Trust in APIs

API Security in Action

Tags: API Security


Aug 18 2021

Kalay cloud platform flaw exposes millions of IoT devices to hack

Category: IoT Security | DISC @ 11:36 am

FireEye Mandiant researchers have discovered a critical vulnerability in the Kalay cloud platform that exposes millions of IoT devices to attacks.

Researchers at FireEye’s Mandiant have discovered a critical vulnerability, tracked as CVE-2021-28372, in a core component of the Kalay cloud platform which is used by millions of IoT devices from many vendors.

The flaw could be easily exploited by a remote attacker to take over an IoT device, the only info needed for the attack is the Kalay unique identifier (UID) of the targeted user. The identifier could be obtained via social engineering.

“The vulnerabilities described in this post affect a core component of the Kalay platform. Mandiant was not able to create a comprehensive list of affected devices; however, ThroughTek’s website reports more than 83 million active devices on the Kalay platform at the time of writing this post.” states the report published by Mandiant. “An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs. From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs.”

An attacker who has obtained the UID of a targeted device could send a specially crafted request to the Kalay network to register another device with the same UID. The Kalay servers would then overwrite the existing device. When the victim next connects to the device, the connection is directed to the attacker, who can obtain the credentials the victim uses to access the device.

Most of the devices using the platform are video surveillance products such as IP cameras and baby monitors; an attacker could exploit this flaw to eavesdrop on audio and video data.

The attacker could also use RPC (remote procedure call) functionality to completely take over the device.

Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things

Tags: IoT, IoT devices, IoT Hacking, IoT security


Aug 18 2021

The 3 Rs of visibility for any cloud journey

Category: Cloud computing, Information Security | DISC @ 8:54 am

While Security Orchestration Automation and Response (SOAR) solutions help automate and structure these activities, the activities themselves require telemetry data that provide the breadcrumbs to help scope, identify and potentially remedy the situation. This takes increasing significance in the cloud for a few reasons:

  • The public cloud shared security model may lead to gaps in the telemetry (e.g., lack of telemetry from the underlying infrastructure that could help correlate breadcrumbs at the infrastructure level to the application level).
  • Lack of consistency in telemetry information as applications increasingly segment into microservices, containers and Platform-as-a-Service, and as various modules come from different sources such as internal development, open source, commercial modules, and outsourced development.
  • Misconfigurations and misunderstandings as control shifts between DevOps, CloudOps and SecOps.
  • All the above coupled with a significant expansion of attack surface area with the decomposition of monolith applications into microservices.

When incidents occur, the ability to quickly size up the scope, impact and root cause of the incident is directly proportional to the availability of quality data, and its ability to be easily queried, analyzed, and dissected. As companies migrate to the cloud, logs have become the de-facto standard of gathering telemetry.

The challenges when relying almost exclusively on logs for telemetry

This book is designed for security and risk assessment professionals, DevOps engineers, penetration testers, cloud security engineers, and cloud software developers who are interested in learning practical approaches to cloud security. It covers practical strategies for assessing the security and privacy of your cloud infrastructure and applications and shows how to make your cloud infrastructure secure, combat threats and attacks, and prevent data breaches. The chapters are designed with a granular framework, starting with the security concepts, followed by hands-on assessment techniques based on real-world studies, and concluding with recommendations including best practices.

FEATURES:

  • Includes practical strategies for assessing the security and privacy of your cloud infrastructure and applications
  • Covers topics such as cloud architecture and security fundamentals, database and storage security, data privacy, security and risk assessments, controls related to continuous monitoring, and more
  • Presents several case studies revealing how threat actors abuse and exploit cloud environments to spread malware

Tags: cloud computing risks, cloud security


Aug 17 2021

How building a world class SOC can alleviate security team burnout

Category: Security Operations CenterDISC @ 11:04 am

Recent research indicates that 51 percent of SOC teams feel emotionally overwhelmed by the impossible volume of security alerts they must deal with, with the stress impacting their home lives.

Increasing the maturity of a SOC allows analysts to stop fighting fires and focus on higher value work. With careful planning and the right combination of automation and standardized processes, a mature, effective, and world-class SOC can be established.

The danger of alert overload

The cybersecurity landscape has become increasingly hostile, and teams must deal with an ever-increasing barrage of security alerts. Teams have reported spending nearly a third of their time simply dealing with false positives, and we have long since passed the tipping point where these numbers can be dealt with on a manual basis.

This is exacerbated by the fact that the ongoing skills gap means recruiting and retaining a full team of analysts has become an increasingly costly proposition. Few firms can afford large teams, and even an army of analysts will not be able to comfortably tackle hundreds of alerts a day in addition to their other duties.

In addition to the sheer number of alerts they must deal with, SOC teams are hampered by inefficient processes. Many analysts end up using an ad-hoc suite of security solutions cobbled together from different providers, and a great deal of time can be wasted every day as analysts swap back and forth between different solutions. There is no easy way to compare data from different tools to identify trends and more complex threats. Uniting solutions under a single management system can help to win back lost time and establish a single view of threat data.
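The "single view of threat data" argued for above, as an added example that is not part of the original post or any product: constructed alerts from two tools in different formats (an endpoint agent emitting JSON and a network sensor emitting pipe-delimited lines; field names, hostnames and rule names are all assumptions) are normalised into one schema, repeats of the same host and rule are folded into one row with a count and time span, and the result is ordered into a triage queue. It also answers the cross-tool question the paragraph says is hard to ask: which hosts are both tools seeing?

```python
"""Added example: folding alerts from two tools into one view.

Constructed alerts (not real product output): an endpoint tool emits JSON, a
network sensor emits pipe-delimited lines. Normalising both to one schema and
aggregating repeats by (host, rule) turns a stream of near-identical alerts into
a handful of rows an analyst can actually work, and makes it visible when two
independent tools are alerting on the same host.
"""
import json
from collections import OrderedDict

EDR_ALERTS = [  # constructed endpoint alerts
    '{"ts":"2021-08-17T09:00:01Z","host":"ws-014","rule":"suspicious-powershell","sev":"high"}',
    '{"ts":"2021-08-17T09:00:04Z","host":"ws-014","rule":"suspicious-powershell","sev":"high"}',
    '{"ts":"2021-08-17T09:00:09Z","host":"ws-014","rule":"suspicious-powershell","sev":"high"}',
    '{"ts":"2021-08-17T09:02:00Z","host":"srv-db1","rule":"new-local-admin","sev":"critical"}',
]
IDS_ALERTS = [  # constructed network sensor alerts: ts|host|rule|severity
    "2021-08-17T09:00:02Z|ws-014|outbound-beacon|medium",
    "2021-08-17T09:00:12Z|ws-014|outbound-beacon|medium",
    "2021-08-17T09:05:00Z|ws-031|port-scan|low",
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_edr(line):
    """Endpoint JSON alert -> common schema."""
    a = json.loads(line)
    return {"ts": a["ts"], "host": a["host"], "rule": a["rule"], "sev": a["sev"], "src": "edr"}


def normalize_ids(line):
    """Pipe-delimited network alert -> common schema."""
    ts, host, rule, sev = line.split("|")
    return {"ts": ts, "host": host, "rule": rule, "sev": sev, "src": "ids"}


def load_all():
    """Every constructed alert from both tools, in one schema."""
    return [normalize_edr(l) for l in EDR_ALERTS] + [normalize_ids(l) for l in IDS_ALERTS]


def aggregate(alerts):
    """Collapse repeats of the same (host, rule) into one row with count and time span."""
    rows = OrderedDict()
    for a in sorted(alerts, key=lambda x: x["ts"]):  # ISO-8601 sorts lexically
        key = (a["host"], a["rule"])
        row = rows.setdefault(key, {"count": 0, "first": a["ts"], "last": a["ts"],
                                    "sev": a["sev"], "src": set()})
        row["count"] += 1
        row["last"] = a["ts"]
        row["src"].add(a["src"])
    return rows


def hosts_seen_by_multiple_tools(rows):
    """Hosts on which more than one tool has raised an alert."""
    by_host = {}
    for (host, _), row in rows.items():
        by_host.setdefault(host, set()).update(row["src"])
    return sorted(h for h, tools in by_host.items() if len(tools) > 1)


def triage_queue(rows):
    """Aggregated rows ordered by severity, then by volume."""
    return sorted(rows.items(),
                  key=lambda kv: (-SEVERITY_RANK[kv[1]["sev"]], -kv[1]["count"]))


if __name__ == "__main__":
    rows = aggregate(load_all())
    print(f"{len(load_all())} raw alerts -> {len(rows)} rows")
    for (host, rule), row in triage_queue(rows):
        print(host, rule, row["sev"], f'x{row["count"]}', row["first"], "..", row["last"])
    print("hosts seen by more than one tool:", hosts_seen_by_multiple_tools(rows))
```

Seven raw alerts become four rows, the critical local-admin alert sorts to the top regardless of volume, and `ws-014` stands out as the host both tools are worried about, which is the kind of cross-tool signal that is invisible while each console is viewed in isolation.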

How building a world class SOC can alleviate security team burnout 

The Industry Standard, Vendor-Neutral Guide to Managing SOCs and Delivering SOC Services

This completely new, vendor-neutral guide brings together all the knowledge you need to build, maintain, and operate a modern Security Operations Center (SOC) and deliver security services as efficiently and cost-effectively as possible.

Leading security architect Joseph Muniz helps you assess current capabilities, align your SOC to your business, and plan a new SOC or evolve an existing one. He covers people, process, and technology; explores each key service handled by mature SOCs; and offers expert guidance for managing risk, vulnerabilities, and compliance. Throughout, hands-on examples show how advanced red and blue teams execute and defend against real-world exploits using tools like Kali Linux and Ansible. Muniz concludes by previewing the future of SOCs, including Secure Access Service Edge (SASE) cloud technologies and increasingly sophisticated automation.

This guide will be indispensable for everyone responsible for delivering security services: managers and cybersecurity professionals alike.

* Address core business and operational requirements, including sponsorship, management, policies, procedures, workspaces, staffing, and technology
* Identify, recruit, interview, onboard, and grow an outstanding SOC team
* Thoughtfully decide what to outsource and what to insource 
* Collect, centralize, and use both internal data and external threat intelligence
* Quickly and efficiently hunt threats, respond to incidents, and investigate artifacts
* Reduce future risk by improving incident recovery and vulnerability management
* Apply orchestration and automation effectively, without just throwing money at them
* Position yourself today for emerging SOC technologies

Tags: Security Operations Center, SOC

