InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send.
Although it’s usually said aloud as “Mount Gox”, as if it were a topographic feature, it actually started life as MTGOX, short for Magic: The Gathering Online Exchange, where MTG fans could trade cards via the internet.
The web domain was eventually repurposed for what was, back in 2014, the world’s biggest Bitcoin cryptocurrency exchange.
Mt. Gox was headquartered in Japan, holding what was then a mind-blowing $500,000,000 in other people’s bitcoins (BTC).
And then a strange thing happened: the money, or at least the bitcoins, vanished, just like that.
We’ve never really found out what happened.
Early suggestions blamed a cryptographic flaw known as transaction malleability, but sceptics argued that this sort of treachery, even if it were possible on such an epic scale, would be visible in the Bitcoin transaction record, also known as the blockchain.
Simply put, transaction malleability means that two different transactions can be rigged to have the same supposedly unique identifier. Crooked transactors could, in theory, fraudulently concoct duplicate-yet-different transaction pairs, and use these transactions to trick a naive exchange into thinking that something had gone wrong. Then the crooks could dishonestly repudiate one of the transactions in each pair and demand a refund.
Some experts say that Bitcoin and cryptocurrencies are just a scam; others say they’re “the most important invention since the internet.” It’s hard to tell who’s right.
Authored by Silicon Valley leaders from Google, Microsoft, and Facebook, Bubble or Revolution cuts through the hype to offer a balanced, comprehensive, and accessible analysis of blockchains and cryptocurrencies.
The first step toward a zero-trust environment consists of establishing a zero-trust network architecture that covers all aspects of users interacting with corporate internal and cloud-based IT resources, wherever the users or the resources might be located.
This requires an evaluation of the context of user access, combined with the creation of risk profiles. Based on these risk profiles and continuous context analysis, the security team can implement and enforce centralized security policies – independently from any old-fashioned network firewall perimeter.
Establishing context entails checking numerous aspects such as the IP address and geographic location, device status (corporate-owned, privately owned), OS status (jailbroken/rooted or secure), patch status, and so on, as well as verifying digital certificates for identity and access management.
The constant evaluation of all this data is then matched with predefined granular policies. For example, businesses might determine that employees can only access sensitive resources if the device is fully secured, and the user is identified via multi-factor authentication. Otherwise, a pop-up notification will inform the employee how to proceed, while the device might be put into quarantine until its desired state is achieved.
Evan Grant, a researcher at network security scanning company Tenable, recently decided to have a go at hacking a home router.
The idea, it seems, was more to learn about the general techniques, tools and procedures available to router hackers than to conduct a security assessment of any particular product.
Understandably, therefore, Grant picked a router model using two non-technical criteria: was it popular, and was it available in Canada (Grant’s home country)?
After opening up the router casing to get access to the circuit board, Grant made good progress, by quickly:
Finding likely pins on the circuit board where a debugging device could be connected.
Identifying the correct wiring for the debugging circuitry to permit a serial connection.
Getting a root shell via a serial line and accessing the files on the device.
Grant’s first stop was to download a binary file (executable program) called httpd, which is the name under which you typically find a home or small business router’s web server, used for managing the device from a browser.
The name httpd stands for HTTP daemon, where HTTP means that the program handles web traffic, and daemon is the Unix/Linux name for what Windows users know as a service: software that runs in the background whether anyone is logged in or not. (The word daemon is properly pronounced “die-moan” or “day-moan”, but many sysadmins just call them “demons”, and you may need to follow suit to avoid causing confusion.)
Home and small business routers under attack – how to see if you are at risk
This is pretty shocking coming from Apple, which is generally really good about privacy. It opens the door for all sorts of other surveillance, since now that the system is built it can be used for all sorts of other messages. And it breaks end-to-end encryption, despite Apple’s denials:
Does this break end-to-end encryption in Messages?
No. This doesn’t change the privacy assurances of Messages, and Apple never gains access to communications as a result of this feature. Any user of Messages, including those with communication safety enabled, retains control over what is sent and to whom. If the feature is enabled for the child account, the device will evaluate images in Messages and present an intervention if the image is determined to be sexually explicit. For accounts of children age 12 and under, parents can set up parental notifications which will be sent if the child confirms and sends or views an image that has been determined to be sexually explicit. None of the communications, image evaluation, interventions, or notifications are available to Apple.
Detecting Backdoor Using Stepping Stone Detection Approach
Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine.
They were not only able to get into the BitLocker-encrypted computer, but then use the computer to get into the corporate network.
Trusted Platform Modules: Why, when and how to use them
WordPress is a PHP-based content management system that may be used in conjunction with MySQL. The best part about WordPress is that it is free and open source software. It offers many plugins and themes that make it easier for non-technical users to deploy a website. It also allows continuous backup. And since it is open-source, there is no need to worry about security because most of the major flaws have already been addressed.
What Are the Basic WordPress Vulnerabilities and How Can I Patch Them?
Considering WordPress is open source and very customizable, there are a few issues to address while installing it on your server. We’ll go through some of the WordPress flaws and how to protect your installation.
The RedMonk Programming Language Rankings: June 2021
While we generally try to have our rankings in July immediately after they are run, we generally operate these on a better late than never basis. On the assumption, then, that August is better than never, below are your RedMonk Q3 language rankings.
As always, these are a continuation of the work originally performed by Drew Conway and John Myles White late in 2010. While the specific means of collection has changed, the basic process remains the same: we extract language rankings from GitHub and Stack Overflow, and combine them for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction. The idea is not to offer a statistically valid representation of current usage, but rather to correlate language discussion and usage in an effort to extract insights into potential future adoption trends.
Our Current Process
The data source used for the GitHub portion of the analysis is the GitHub Archive. We query languages by pull request in a manner similar to the one GitHub used to assemble the State of the Octoverse. Our query is designed to be as comparable as possible to the previous process.
Language is based on the base repository language. While this continues to have the caveats outlined below, it does have the benefit of cohesion with our previous methodology.
We exclude forked repos.
We use the aggregated history to determine ranking (though based on the table structure changes this can no longer be accomplished via a single query.)
For Stack Overflow, we simply collect the required metrics using their useful data explorer tool.
By 2022, API abuses will become the most frequent attack vector, predicts Gartner. We’re already witnessing new API exploits reach the headlines on a near-daily basis. Most infamous was the Equifax breach, an attack that exposed 147 million accounts in 2017. Since then, many more API breaches and major vulnerabilities have been detected at Experian, Geico, Facebook, Peloton and other organizations.
So, why are API attacks suddenly becoming so prevalent? Well, several factors are contributing to the rise in API exploits. As I’ve covered before, the use of RESTful web APIs is becoming more widespread through digital transformation initiatives and SaaS productization. And, the data these touchpoints transmit can carry a hefty price tag. Unfortunately, cybersecurity has not sufficiently progressed, making APIs ripe for the hacker’s picking.
I recently met with Roey Eliyahu, CEO of Salt Security, to better understand why more and more API hacks are making headlines. According to Eliyahu, a general lack of security awareness means these integration points are a low-effort, high-reward attack target. Establishing protection against zero-day threats means increasing the visibility of API holdings, testing for broken authorization and instigating ongoing monitoring of runtime environments.
Below, I’ll review the top factors contributing to the rise in API exploits. We’ll explore some of the top reasons why API attacks are increasing and consider how a zero-day protection mindset can mitigate common API vulnerabilities.
Considering that OT environments are increasingly in the crosshairs of attackers, the 14 vulnerabilities that JFrog and Forescout Research Labs recently discovered in NicheStack should make the likes of Siemens, Schneider Electric and Rockwell Automation take notice–and action.
Millions of programmable logic controllers (PLCs) and controllers from more than 200 device makers use NicheStack, a common, proprietary TCP/IP stack. NicheStack is employed in a wide array of critical infrastructure sectors globally, such as manufacturing plants, water treatment, and power generation, transmission and distribution. It is the basis for numerous TCP/IP stacks and is used by OEMs like Altera, Microchip, STMicroelectronics and Freescale.
“These vulnerabilities are very common in OT environments, as many major device vendors are listed as NicheStack customers,” said JFrog CTO Asaf Karas. “For instance, the stack is used in the Siemens S7 PLC, which is one of the most popular PLCs.”
The raft of flaws, dubbed INFRA:HALT, covers a wide gamut of threats–from remote code execution and denial of service (DoS) to TCP spoofing, information leak and DNS cache poisoning. The worst of the flaws, CVE-2020-25928 and CVE-2021-31226, logged CVSSv3.1 scores of 9.8 and 9.1, respectively.
At least for now, there’s a positive take: It seems adversaries have yet to stumble across the flaws. “We didn’t see any sign of exploitation,” said Karas.
He expressed surprise that the vulnerabilities had gone undiscovered. “The biggest surprise is that these kinds of vulnerabilities, that can be automatically detected, were not discovered for such a long time, especially given how critical they are and how common NicheStack is,” said Karas.
InterNiche Technologies has released patches for the vulnerabilities. Still, guarding against them is a thorny matter because, not surprisingly, patching across the supply chain is incredibly challenging from a logistics perspective and OT devices are critical in the environments that use them. So, while the best option for taking the teeth out of these flaws is upgrading to NicheStack v4.3, it might not be the route that many OT-driven businesses take.
The cloud broadens an organization’s attack surface to the point that CISOs must guard data across multiple clouds, tools, and on-premises locations. This further complicates their main objective of minimizing the risk of unauthorized data access and makes their job of ensuring information assets and technologies are adequately protected an arduous task.
Even worse, traditional security and governance models are ineffective for cloud architecture, partly because each cloud vendor has unique mechanisms for accessing data, which increases the chance of administrators making costly mistakes.
Conventional, centralized, or dictated approaches secure data by routing requests, access, and policies through IT – which limits the speed that a user could leverage the information. The array of clouds and cloud resources requires a more fluid approach to secure access.
Decentralized methods don’t work either, because business units have too much freedom in implementing policies about how data is used and with what tools. This creates silos and conflicts across business units and platforms, as cloud architectures need more uniformity across settings, tools, and departments.
The delegated governance model is becoming the more appropriate style, as it is ideal for streamlining multi-cloud security by combining the best of the above methods. It leverages IT’s uniform, top down policies (customized by line of business data stewards) and is based on IT’s provisioning of a secure platform for the business to access their tools of choice. The platform then distributes these central policies—configured by data stewards—into any repository or tool across clouds and on-premises for zero trust security.
Forgot the Kali Linux root password? Stress not! This tutorial discusses the steps to reset Kali Linux system password. Follow the steps, and you will get it done within minutes.
Creation of the Joint Cyber Defense Collaborative follows high-profile cyberattacks on critical U.S. infrastructure
The U.S. government is enlisting the help of tech companies, including Amazon.com Inc., Microsoft Corp. and Google, to bolster the country’s critical infrastructure defenses against cyber threats after a string of high-profile attacks.
The Department of Homeland Security, on Thursday, is formally unveiling the initiative called the Joint Cyber Defense Collaborative. The effort will initially focus on combating ransomware and cyberattacks on cloud-computing providers, said Jen Easterly, director of the DHS’s Cybersecurity and Infrastructure Security Agency. Ultimately, she said, it aims to improve defense planning and information sharing between government and the private sector.
“This will uniquely bring people together in peacetime, so that we can plan for how we’re going to respond in wartime,” she said in an interview. Ms. Easterly was sworn in as CISA’s director last month. She was previously a counterterrorism official in the Obama White House, and the commander of the Army’s first cyber operations unit at the National Security Agency, America’s cyberspy agency.
Paragon’s product will also likely get spyware critics and surveillance experts alike rubbernecking: It claims to give police the power to remotely break into encrypted instant messaging communications, whether that’s WhatsApp, Signal, Facebook Messenger or Gmail, the industry sources said. One other spyware industry executive said it also promises to get longer-lasting access to a device, even when it’s rebooted.
Did you ever stop to think that the office smart TV used for company presentations, Zoom meetings, and other work-related activities may not be so trustworthy?
In our latest video, we demonstrate an attack scenario that can occur within any organization – hacking a smart TV. The video shows an insider plugging a USB Rubber Ducky into a smart TV in a company meeting room. Within less than a minute, a payload is executed to set up a Wi-Fi network for data exfiltration (called kitty3) and instructs the TV to connect to it. The payload then uploads a utility that captures the screen before the insider removes the rogue device.
Smart TV Security: Media Playback and Digital Video Broadcast
It guides system administrators and developers of National Security Systems on how to deploy Kubernetes with example configurations for the recommended hardening measures and mitigations.
Below is the list of mitigations provided by the US agencies:
Scan containers and Pods for vulnerabilities or misconfigurations.
Run containers and Pods with the least privileges possible.
Use network separation to control the amount of damage a compromise can cause.
Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
Learn Kubernetes Security: Securely orchestrate, scale, and manage your microservices in Kubernetes deployments
However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.
Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.
What is ISO 27001?
ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.
The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do to achieve compliance.
This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.
ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.
These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.
This is because the Standard explains how each control works, what its objective is, and how you can implement it.
The differences between ISO 27001 and ISO 27002
There are three main differences between ISO 27001 and ISO 27002:
Detail
If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.
Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.
Certification
You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.
Applicability
A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.
ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.
When you should use each standard
ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.
If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.
This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.
Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to the Standard.
You’ll learn from expert information security consultants, as they explain:
ISO 27001 management system documentation;
How to plan, scope and communicate throughout your ISO 27001 project; and
The key steps involved in an ISO 27001 risk assessment.
You’re almost certainly familiar with vishing, a phone-based scam in which cybercriminals leave messages on your voicemail in the hope that you’ll call them back later to find out what’s going on.
In fact, if you have a long-standing phone number, like we do, you may well get more of these scam calls (perhaps even many more of them) than genuine calls, so you’ll know the sort of angle they take, which often goes along these lines:
[Synthetic voice] Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of dollars]. To cancel your subscription or to discuss this renewal, press 1 now.
Sometimes, they’ll read out the number to call them back on, to re-iterate not only that it matches the number that shows up in your call history, but also that it’s a local number, right there in your own town or country.
The crooks do this to “prove” that the caller is local too, rather than sitting overseas in some scammy boiler-room call centre, far from the reach of law enforcement and the regulators in your part of the world.