InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Households across the country are using their home broadband more than ever, to work, educate their children or keep in touch with loved ones.
But many are unaware that old equipment provided by internet service providers (ISPs), including EE, Sky, TalkTalk, Virgin Media and Vodafone, could be putting them at risk of hackers spying on what they are browsing online or even directing them to malicious websites used by scammers.
Which? investigated 13 old router models and found more than two-thirds – nine of them – had flaws that would likely see them fail to meet requirements proposed in upcoming government laws to tackle the security of connected devices.
The legislation is not yet in force and so the ISPs aren’t currently breaking any laws or regulations.
one of the most popular and mediatic trojan bankers active since 2007.
The malware QakBot, also known as Qbot, Pinkslipbot, and Quakbot is a banking trojan that has been made headlines since 2007. This piece of malware is focused on stealing banking credentials and victim’s secrets using different techniques tactics and procedures (TTP) which have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and reversing features.
Emotet is known as the most popular threat distributing QakBot in the wild, nonetheless, Emotet has been taken down recently, and QakBot operators are using specially target campaigns to disseminate this threat around the globe.
Does your organization process, transmit or store payment card data? If your answer is yes, then you need to comply with the PCI DSS (Payment Card Industry Data Security Standard). The payment Standard helps to ensure the security of transactions and protect your business from potential data breaches and fines.
The PCI DSS places a significant emphasis on documentation with all 12 sections of the Standard requiring documented policies and procedures. The more payment channels your organization accepts, the greater the need for documented policies and procedures to support the applicable requirements. Unsurprisingly, it can all get a little complicated and you may find yourself unsure of what you need to do and how to develop policies and procedures that best reflect your environment.
Covering PCI DSS v3.2.1 the PCI DSS Documentation Toolkit provides guidance documents, tools and templates to help you identify what is required of your organization and develop the documentation you need.
A security expert released technical details and proof-of-concept exploit (PoC) code for the high-severity vulnerability CVE-2021-28482 in Microsoft Exchange that could be exploited by remote attackers to execute arbitrary code on vulnerable systems.
April 2021 Microsoft Patch Tuesday security updates addressed four critical and high severity vulnerabilities in Exchange Server (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483), some of these flaws were reported by the U.S. National Security Agency (NSA).
All the vulnerabilities are remote code execution that could allow attacks to compromise vulnerable installs, for this reason, the IT giant urges its customers to install the latest updates.
The NSA confirmed that the critical vulnerabilities in the Microsoft Exchange server were recent discovered by its experts that immediately reported them to Microsoft.
“After we disclosed these vulnerabilities to Microsoft, they promptly created a patch. NSA values partnership in the cybersecurity community. No one organization can secure their networks alone” states the NSA.
List of data breaches and cyber attacks in April 2021 – 1 billion records breached – It was another busy month in the cyber security sector, as we discovered 143 incidents that resulted in 1,098,897,134 breached records.
Ransomware was again one of the biggest contributors to that total, accounting for almost one in three data breaches.
As always, you can find the full list of incidents below, with those affecting UK organizations listed in bold.
It includes year-on-year comparisons in the number of incidents that were detected, a review of the most frequently breached sectors and a running total of incidents for the year.
In a climate where remote work became more prevalent—and in some cases, mandatory—those citing “limited remote work possibilities” as a reason for leaving their cybersecurity role saw a six-percentage point decline (45%) compared to the year before.
Though the cybersecurity workforce was mainly spared the pandemic devastation experienced by other sectors, the survey found that longstanding issues persist, including:
61 percent of respondents indicate that their cybersecurity teams are understaffed.
55 percent say they have unfilled cybersecurity positions.
50 percent say their cybersecurity applicants are not well qualified.
Only 31 percent say HR regularly understands their cybersecurity hiring needs.
The term “extended detection and response” (or XDR) was coined back in 2018, but definitions continue to vary significantly (see one, two, or three, and tell me what XDR actually is -:). There was no reliable, unbiased explanation for what XDR is and how it differs from a security analytics platform, which has led to confusion and disregard from clients who dismiss it as nothing more than yet another cybersecurity marketing buzzword.
Researchers at SentinelLabs say that they found various exploitable bugs in one of Dell’s Windows kernel drivers, which they reported back in December 2020.
There were five related bugs, now collectively dubbed CVE-2021-21551.
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
A Californian hospital operator has made the move to take is network offline after it was hit by a major cyberattack.
Reports state that the Scripps Health computer network that operates across half a dozen hospitals and a number of outpatient facilities in the San Diego, California area was forced to move to offline procedures after hackers launched a major cyberattack.
The Californian hospital operator says it has contacted law enforcement and government agencies of the cyberattack, but failed to mention specifics of the departments it has informed of the potential data breach.
A strong case can be made that shoring up defenses requires “automating out” the weakest link – i.e., humans – from any cloud that companies are entrusting with their data. This applies to their internal, on-premise clouds as well as to the external cloud vendors that they choose to engage with.
In “automating out the weak link,” the ability of superusers or IT administrators – or of bad actors who have gained access to valid admin credentials – to manually interfere with sensitive data becomes non-existent, because human interaction is eliminated.
Trust no one
The zero-trust model, which has gained favor in recent years among many cloud vendors, serves as a starting point for making this happen.
The zero-trust security framework challenges the idea of trust in any form, whether that’s trust of networks, trust between host and applications, or even trust of super users or administrators. The best way to secure a network, according to the zero trust framework, is to assume absolutely no level of trust.
America’s most urgent infrastructure vulnerability is largely invisible and unlikely to be fixed by the Biden administration’s $2 trillion American Jobs Plan.
I’m thinking about vulnerabilities that lurk in your garage (your car), your house (your computer), and even your pocket (your phone). Like those devices of yours, all connected to the Internet and so hackable, American businesses, hospitals, and public utilities can also be hijacked from a distance thanks to the software that helps run their systems. And don’t think that the American military and even cybersecurity agencies and firms aren’t seriously at risk, too.
Such vulnerabilities stem from bugs in the programs — and sometimes even the hardware — that run our increasingly wired society. Beware “zero-day” exploits — so named because you have zero days to fix them once they’re discovered — that can attract top-dollar investments from corporations, governments, and even black-market operators. Zero days allow backdoor access to iPhones, personal email programs, corporate personnel files, even the computers that run dams, voting systems, and nuclear power plants.
It’s as if all of America were now protected by nothing but a few old padlocks, the keys to which have been made available to anyone with enough money to buy them (or enough ingenuity to make a set for themselves). And as if that weren’t bad enough, it was America that inadvertently made these keys available to allies, adversaries, and potential blackmailers alike.
The recent SolarWinds hack of federal agencies, as well as companies like Microsoft, for which the Biden administration recently sanctioned Russia and expelled several of its embassy staff, is only the latest example of how other countries can hack basic American infrastructure. Such intrusions, which actually date back to the early 2000s, are often still little more than tests, ways of getting a sense of how easy it might be to break into that infrastructure in more serious ways later. Occasionally, however, the intruders do damage by vacuuming up data or wiping out systems, especially if the targets fail to pay cyber-ransoms. More insidiously, hackers can also plant “time bombs” capable of going off at some future moment.
Apple has released iOS 14.5.1, which provides a memory corruption bug fix and patches an arbitrary code execution (ACE) vulnerability in WebKit — a web browser engine. Arbitrary code execution refers to an attacker executing code that they should not be able to execute.
A malicious website could theoretically execute harmful code on your iPhone, or iPad if they exploited that vulnerability. Browsers are designed to limit the ability of websites to execute code that could be harmful to your device. However, hackers do sometimes find a way around that — and this is one such case.
Apple says that the vulnerability (CVE-2021-30663) may have been actively exploited and classifies it as important (which it is). The update (iOS 14.5.1) is now available, and you can look for it by going to Settings > General > Software Update.
The vulnerability also affects Macs, Apple Watches, and Apple TVs. There are updates for those as well.
Risk-based vulnerability management doesn’t ask “How do we fix everything?” It merely asks, “What do we actually need to fix?” A series of research reports from the Cyentia Institute have answered that question in a number of ways, finding for example, that attackers are more likely to develop exploits for some vulnerabilities than others.
Research has shown that, on average, about 5 percent of vulnerabilities actually pose a serious security risk. Common triage strategies, like patching every vulnerability with a CVSS score above 7 were, in fact, no better than chance at reducing risk.
But now we can say that companies using RBVM programs are patching a higher percentage of their high-risk vulnerabilities. That means they are doing more, and there’s less wasted effort. (Which is especially good because patch management is resource constrained.)
The time it took companies to patch half of their high-risk vulnerabilities was 158 days in 2019. This year, it was 27 days.
And then there is another measure of success. Companies start vulnerability management programs with massive backlogs of vulnerabilities, and the number of vulnerabilities only grows each year. Last year, about two-thirds of companies using a risk-based system reduced their vulnerability debt or were at least treading water. This year, that number rose to 71 percent.
When a company discloses that their networks have been breached and that their data has been stolen or encrypted for ransom, there is a steady drumbeat of critics. The company, these critics contend, is somehow at fault. Its security team didn’t do EVERYTHING it could have to prevent the breach. The proof of this doesn’t lie in knowledge of what preventative steps the security team did, but in the fact that it got breached. Victim blaming was alive and well in cybersecurity.
Thankfully, this mindset is fading away. But when cybersecurity companies with risk-based approaches began entering the market, they faced headwinds from the security nihilism crowd who thought if you can’t fix everything, then “why bother?”
We can now say that, when it comes to vulnerability management – a complex, yet fundamental cybersecurity discipline – the risk-based approach has produced clear results. The proof is in the data.
Enterprises that use risk-based approaches to vulnerability management are getting faster and smarter at this foundational cybersecurity discipline. They are doing less work and seeing more impactful security improvements. It’s encouraging to see these year-over-year improvements and we believe this trend is likely to continue.
If cybersecurity is a new concept for the business, first take the necessary steps to follow best practises, as set out by the NIST Cybersecurity framework, as a minimum. Furthermore, to enhance the organisation’s overall security maturity, there are 4 key categories that need to be addressed: cyber strategy and risk, network security, endpoint security, and threat detection and response capabilities.
What is the current level of the cyber strategy and risk?
Small business owners are focussed on running their business with cybersecurity often a secondary concern. To begin with, businesses should seek consultation from industry experts to provide an assessment of the infrastructure to determine areas of concern. This will help the business plan, adapt and grow to stay competitive. It also will provide insight into how the business’ security measures stack up to the needs of the business currently and for the future.
An assessment by an external consultant can also examine whether the business is meeting compliance and regulatory requirements, which can be weaved into the security strategy. This guidance not only helps to improve the overall security posture, but also saves costs in the long run.
The role of a Data Protection Officer (DPO) is a fairly new one in many companies. What’s more, the need to hire a DPO often comes as a response to the General Data Protection Regulations (GDPR) which were implemented back in 2018. As such, the responsibilities, reporting and structure of the role are primarily defined by GDPR guidelines.
But though it might be a fairly new role, it can be a very exciting and rewarding one. So if you’re considering a career as a data protection officer, this guide is for you. Below, we’ll take a look at what the role entails and what you need to do to get a job as a DPO.
What is a Data Protection Officer and What Do They Do?
In a nutshell, a data protection officer is a steward for data protection and privacy within a business. They must implement effective data protection strategies and facilitate a culture of data protection throughout the company. This is to ensure companywide compliance with GDPR. The appointment of a DPO is mandatory in some businesses, particularly those in the public sector or those that process a large amount of personal data. That being said, some businesses choose to appoint a DPO even though they are not legally required to as it pays to have someone in charge of compliance and data privacy.
In the general data protection regulations, it is stated that the DPO should report directly to the highest management level. As a DPO, some of the key responsibilities include:
Ensuring that a business applies the laws of data protection appropriately and effectively, as well as following these regulations and legislations.
Educating and training management and all other employees about GDPR and other data protection statutes as well as about compliance and demonstrating effective measures and strategies for data handling and processing.
Conducting regular security audits.
Acting as the point of contact between the company and any supervisory authorities (SAs). For example, if there is a data breach, it is the job of the DPO to report this to the relevant authorities.
With this in mind, here’s how you can tailor your career path to lead to the role of a data protection officer.
In order to become a DPO, What skills you may need…
But Faïd’s true mentors were the criminals he’d grown up idolizing onscreen. “He had a phenomenal memory,” his brother Abdeslam tells me. “And he was completely immersed in movies.” Abdeslam recalls an eight-year-old Rédoine returning home from a matinee of the 1975 French crime film Peur Sur la Ville (released in the U.S. as The Night Caller), starring Jean-Paul Belmondo, and enchanting their mother and his siblings with a scene-by-scene reenactment. “I’d seen the film,” Abdeslam says, “and his version was just as I remembered it.”
his former lawyer, Raphael Chiche, explained on French television in a documentary about Faïd. “He had to create his own methodology. What better way than movies to get inspired and learn the operational modes of criminality?”
The foresight with which Faïd planned these robberies led his associates to give him a nickname—Doc, after Doc McCoy, Steve McQueen’s character in 1972’s The Getaway, a bank robber on the run who, like Faïd, has a preternatural ability to visualize how jobs will play out. McCoy also made a habit of carrying out “thoughtful hits,” Faïd explains to me. “He had to rob in a precise and neat way.” Faïd likewise stresses the neatness of his own robberies. As he puts it, he executed his hits “as gentlemanly as possible.” He wants to be known as a master thief who took careful precautions to avoid acts of violence.
In this entertaining story of French serial criminal Rédoine Faïd and his jailbreaking ways, there’s this bit about cell phone surveillance:
“One of the biggest challenges we have in cybersecurity is an acute lack of market awareness about what cybersecurity jobs entail,” said Clar Rosso, CEO of (ISC)². “There are wide variations in the kinds of tasks entry-level and junior staff can expect. Hiring organizations and their cybersecurity leadership need to adopt more mature strategies for building teams.
“Many organizations still default to job descriptions that rely on cybersecurity ‘all stars’ who can do it all. The reality is that there are not enough of those individuals to go around, and the smart bet is to hire and invest in people with an ability to learn, who fit your culture and who can be a catalyst for robust, resilient teams for years to come.”
A task force of more than 60 experts from industry, government, nonprofits and academia is urging the U.S. government and global allies to take immediate steps to stem a growing global crisis of cyberattacks in which hackers seize computer systems and data in exchange for a ransom.
The group, which issued a report today, says swift, coordinated action can disrupt and deter the growing threat of cyberattacks that use ransomware, a malicious software that locks up computer systems so that criminals can demand ransom in exchange for access.
“We’re seeing critical parts of the economy being hit by ransomware, including, for example, health care in particular,” says task force co-chair Megan Stifel, executive director of Americas at the Global Cyber Alliance. “When you start to see a broad scale of victims across multiple elements of the economy being hit there can ultimately, if not abated, be catastrophic consequences.”
We’re excited to announce the official release of ATT&CK for Containers! This release marks the culmination of a Center for Threat-Informed Defense (Center) research project sponsored by Citigroup, JPMorgan Chase, and Microsoft that investigated the viability of adding container-related techniques into ATT&CK. This investigation led to developing a draft of an ATT&CK for Containers matrix, which we contributed to ATT&CK. Our contribution was accepted and is now live in ATT&CK version 9.0! We want to give a special thank you to the community for all of your feedback and help in developing this content. Creating ATT&CK for Containers has been a fun journey for us, with a lot of new faces and names along the way. You’ll notice a lot of new contributors in ATT&CK with this release, which is in part a testament to how many folks helped us scope and create this new platform in ATT&CK!
![Risk Based Vulnerability Management A Complete Guide - 2019 Edition by [Gerardus Blokdyk]](https://m.media-amazon.com/images/I/41MHiFnHHML.jpg)
