InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The OWASP Top 10 is a list of the 10 most common security vulnerabilities in web applications. The list is updated every 3-4 years. Last updated in 2017, the vulnerabilities featured on the list are:
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfigurations
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
The OWASP Top 10 helps raise awareness of the latest threats facing websites and web applications. Organizations and developers can use this list to guide secure coding, tune up security and keep their security posture fortified.
Windows “hives” contain registry data, some of it secret. The nightmare is that these files aren’t properly protected against snooping.
As if one Windows Nightmare dogging all our printers were not enough…
…here’s another bug, disclosed by Microsoft on 2021-07-20, that could expose critical secrets from the Windows registry.
Denoted CVE-2021-36934, this one has variously been nicknamed HiveNightmare and SeriousSAM.
The moniker HiveNightmare comes from the fact that Windows stores its registry data in a small number of proprietary database files, known in Microsoft jargon as hives or hive files.
These hive files include a trio called SAM, SECURITY and SYSTEM, which between them include secret data including passwords and security tokens that regular users aren’t supposed to be able to access.
They’re kept in a special, and supposedly secure, folder under the Windows directory called C:\Windows\System32\config, as you see here:
C:\Windows\System32\config> dir
[. . .]
Directory of C:\Windows\System32\config
[. . .]
21/07/2021 12:57 524,288 BBI
25/06/2021 06:21 28,672 BCD-Template
21/07/2021 14:45 32,768,000 COMPONENTS
21/07/2021 12:57 786,432 DEFAULT
21/07/2021 12:32 4,194,304 DRIVERS
[. . .]
21/07/2021 12:57 65,536 SAM <--some system secrets included
21/07/2021 12:57 32,768 SECURITY <--some system secrets included
21/07/2021 12:57 87,556,096 SOFTWARE
21/07/2021 12:57 11,272,192 SYSTEM <--some system secrets included
[. . .]
The moniker SeriousSAM comes from the filename SAM, which is short for Security Account Manager, a name that sounds as serious as the file’s contents are.
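As an added check (not part of the original article), the following PowerShell reads the ACLs on the three hive files listed above and reports whether BUILTIN\Users has read access to them; it assumes an elevated PowerShell session on Windows, and the hive path and names are the ones shown in the directory listing.

```powershell
# Added example, not from the original article: read-only ACL check on the
# SAM, SECURITY and SYSTEM hives, with an optional remediation switch.
# Assumes an elevated PowerShell session on Windows.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SECURITY', 'SYSTEM'

# Resolve the well-known SID for BUILTIN\Users so the comparison does not
# depend on the display language of the account name.
$usersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$usersName = $usersSid.Translate([System.Security.Principal.NTAccount]).Value
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$exposedHives = @()
foreach ($name in $hives) {
    $path = Join-Path $configDir $name
    # Get-Acl only needs READ_CONTROL on the file, so it works even though
    # the live hive is held open by the kernel.
    $acl = Get-Acl -Path $path
    $allowsUsers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $usersName -and
        (([int]$_.FileSystemRights) -band $readData) -ne 0
    }
    if ($allowsUsers) {
        Write-Warning "$name is readable by $usersName (overly permissive ACL)"
        $exposedHives += $path
    } else {
        Write-Output "$name : no read access for $usersName"
    }
}

if ($exposedHives.Count -gt 0 -and $Remediate) {
    # Microsoft's published workaround for this issue: re-enable ACL
    # inheritance on the contents of the config directory. Note that volume
    # shadow copies taken while the ACLs were permissive still contain
    # readable copies of the hives; list them with 'vssadmin list shadows'
    # and deal with them per the advisory before treating the host as fixed.
    icacls "$configDir\*.*" /inheritance:e
}
```

Run it without `-Remediate` first to see the report; the `icacls` step only runs when a hive is flagged and the switch is supplied.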
The revelation that Israeli company NSO Group’s spy software Pegasus was targeting the smartphones of activists, journalists and business executives sent a shockwave through the international press.
The spyware successfully infiltrated the mobile devices of more than 50,000 people, from Mexican president Andrés Manuel López Obrador to reporters from CNN to Claude Mangin, the French wife of a political activist jailed in Morocco.
Simply put: if spyware can infect and infiltrate the world’s elite on every corner of the planet, that means the threat to organizations and individuals must be taken seriously. Spyware impacts everyone.
Moreover, in today’s work-from-anywhere world, mobile devices are critical to any job, and the ability to access email, customer information and proprietary data while on the go is non-negotiable.
Mobile Devices are Mission-Critical
Because of the wealth of data that can be accessed from a mobile device, companies must treat these devices as mission-critical to business continuity.
This means having control and visibility into what is happening on a mobile device, so they can prevent spyware attacks from compromising critical data.
Shawn Smith, director of infrastructure at application security provider nVisium, pointed out that the transition to a remote work style has changed the attack vector for spyware slightly.
“For example, in the past, all the networking gear in an office would be tightly controlled, monitored and patched for security issues as needed,” he said. “However, in a world where employees can work from anywhere, their home networking equipment becomes a new security issue.”
Smith said that with such a wide variety of equipment in use, often unmaintained and unsecured, spyware becomes much harder to defend against.
“You have to double your efforts on the security and encryption of the devices you can control, such as the employee’s corporate computer, and rely less on the network monitoring approach that was used in the past,” he said.
Most interesting is a list of over 50,000 phone numbers that were being spied on by NSO Group’s software. Why does NSO Group have that list? The obvious answer is that NSO Group provides spyware-as-a-service, and centralizes operations somehow. Nicholas Weaver postulates that “part of the reason that NSO keeps a master list of targeting…is they hand it off to Israeli intelligence.”
This isn’t the first time NSO Group has been in the news. Citizen Lab has been researching and reporting on its actions since 2016. It’s been linked to the Saudi murder of Jamal Khashoggi. It is extensively used by Mexico to spy on — among others — supporters of that country’s soda tax.
Here’s a tool that you can use to test if your iPhone or Android is infected with Pegasus. (Note: it’s not easy to use.)
For the third time in the past four months, LinkedIn seems to have experienced another massive data scrape conducted by a malicious actor. Once again, an archive of data collected from hundreds of millions of LinkedIn user profiles surfaced on a hacker forum, where it’s currently being sold for an undisclosed sum.
Whether employees have been with the company for seven years or seven months, when they return to the office they should be treated as if it’s their first day at the company. All members of the team, no matter how veteran, should go through a refresher on security practices.
Your security team can do this by teaching or reminding staff how to properly manage and move data within its appropriate environment to minimize possible data exposure. This promotes healthy security practices and provides regular and customized training for the entire team.
If your company is moving to a hybrid workforce approach, ensure your employees are set up with the right knowledge and/or equipment they need for dual offices to minimize data loss. For instance, encourage use of company drives to access data from both locations rather than porting data via thumb drives.
When Pindrop surveyed security and fraud professionals across vital sectors including banking and healthcare, we discovered hundreds of teams that had made heroic efforts to continue operating in the face of huge obstacles. We were also reminded of the many ways that fraud threatens businesses and individuals facing turmoil.
Spikes in call volume left contact center agents overextended while lockdown protocols forced reorganizations and remote work; well-intentioned and generally beneficial programs like PPP loans provided new avenues for fraud; and fraud attempts shifted to new venues, like banks’ prepaid card divisions.
Today, we live our lives—and conduct our business—online. Our data is in the cloud and in our pockets on our smartphones, shuttled over public Wi-Fi and company networks. To keep it safe, we rely on passwords and encryption and private servers, IT departments and best practices. But as you read this, there is a 70 percent chance that your data is compromised . . . you just don’t know it yet.
Cybersecurity attacks have increased exponentially, but because they’re stealthy and often invisible, many underplay, ignore, or simply don’t realize the danger. By the time they discover a breach, most individuals and businesses have been compromised for over three years. Instead of waiting until a problem surfaces, avoiding a data disaster means acting now to prevent one.
No matter who you are or where you work, cybersecurity should be a top priority. The information infrastructure we rely on in every sector of our lives—in healthcare and finance, for governments and private citizens—is both critical and vulnerable, and sooner or later, you or your company will be a target. This book is your guide to understanding the threat and putting together a proactive plan to minimize exposure and damage, and ensure the security of your business, your family, and your future.
A threat actor that goes by the name “integra” online has deposited 26.99 Bitcoins on one of the cybercrime forums with the intent to purchase zero-day exploits from other forum members, according to researchers from threat intelligence firm Cyble.
According to the experts, the member “integra” joined the cybercrime forum in September 2012 and has gained a high reputation over the course of time. The threat actor has also been a member of another cybercrime forum since October 2012.
The threat actor aims to buy malware with zero detection, as well as zero-day exploits for RCE and LPE; for the latter, the member is offering up to $3 million.
“The TA is willing to buy the following things with the deposited money.” states Cyble.
1. Buy the best Remote Access Trojan (RAT) that has not yet been flagged as malicious by any of the security products.
2. Buy unused startup methods in Windows 10 such as living off the land (LotL) malware and hiding in the registry evasion technique. The TA is willing to offer up to USD 150K for the original solution.
3. Buy Zero Day Exploits for Remote Code Execution and Local Privilege Escalation. The TA has mentioned that the budget for this particular exploit is USD 3 million.
The significant amount deposited as escrow by the threat actor is concerning; the circumstances suggest that the threat actor is going to use the exploits for attacks or to resell them.
“Organizations should patch all known security updates and conduct timely internal Security Audits, in addition to being prepared for such attacks in the future.” concludes Cyble.
Capitalizing on the urgency companies have to launch new digital businesses, cybersecurity vendors create partnerships to close product gaps quickly. An understanding of how the new alliances can deliver results must be part of every CISO’s purchasing decision process. But partnerships can be something of a slippery slope.
Today, CISOs face the conflicting problem of securing operations while supporting business growth. IT and cybersecurity teams are stretched thin attempting to scale endpoint security for virtual workforces, while securing their customer identities and transactions. CIOs and CISOs are turning to vendors they rely on for immediate help. In turn, cybersecurity vendors’ quick fix is to create as many partnerships as possible to close product gaps and close the upsell or new sale.
What’s driving market demand is the pressure CIOs and CISOs have to deliver results. Companies’ boards of directors are willing to double down on digital business plan investments and accelerate them. According to the 2021 Gartner Board of Directors’ survey, 60% of the boards rely on digital business initiatives to improve operations performance, and 50% want to see technology investments deliver improved cost optimization.
Company boards have a high level of enthusiasm for technology spending in general and cybersecurity especially. As a result, Gartner predicts the combined endpoint security and network access market will be a $111 billion opportunity. For such cybersecurity companies, partnerships are a quick path to lucrative deals and higher profits.
Partnerships alone will not solve the conflicting demands for IT resources to secure a business while driving new business growth. They are not a panacea for the biggest challenges facing IT today. Trusting the wrong partnerships can cost millions of dollars, lose months of productive time, and even cause a new digital venture to fail. Due diligence of nascent cybersecurity partnerships needs to go beyond comparing partners’ financial statements and into the specifics of how multiple technologies are performing in actual, live scenarios today. Ten ways stand out as means to guide decision making.
During COVID-19, threat actors used fear of the virus and hope of a vaccine to trick unwitting victims into downloading malware or giving up their credentials. It was a master class in social engineering, one that put an organization’s security posture at risk. Social engineering attacks like phishing take advantage of an employee’s awareness of basic cybersecurity best practices (or lack thereof), and the harder an employee falls for the scams, the greater the skepticism about the entire organization’s cybersecurity culture.
Although no one has come up with an industry standard definition of cybersecurity culture yet, Infosec explains that “a strong cybersecurity culture is based on employees willingly embracing and proactively using security best practices both professionally and personally.” And Infosec developed a framework, and fielded a survey, to help organizations quantify their cybersecurity culture, track changes over time and systematically measure results.
The study polled 1,000 working individuals to examine the collective approach of an organization’s security awareness and behaviors toward cybersecurity. “The results show employee beliefs toward cybersecurity vary widely, which can have a major impact on an organization’s security posture,” said Jack Koziol, CEO and founder at Infosec, in a formal statement.
The growing reliance on public cloud services as both a source and repository of mission-critical information means data owners are under pressure to deliver effective protection for cloud-resident applications and data. Indeed, cloud is now front of mind for many IT organisations. According to recent research by Enterprise Strategy Group (ESG), cloud is “very well-perceived by data protection decision makers”, with 87% saying it has made a positive impact on their data protection strategies.
However, many organisations are unclear about what levels of data protection are provided by public cloud infrastructure and SaaS solutions, increasing the risk of potential data loss and compliance breach. At the same time, on-premises backup and disaster recovery strategies are increasingly leveraging cloud infrastructure, resulting in hybrid data protection strategies that deliver inconsistent service levels.
Despite these challenges, there are a significant number of organizations that still don’t use a third-party data protection solution or service. This should be cause for concern considering that everything an organization stores in the cloud, from emails and files to chat history and sales data (among many other datasets) is its responsibility and is subject to the same recoverability challenges and requirements as traditional data. In fact, only 13% of survey respondents see themselves as solely responsible for protecting all their SaaS-resident application data.
By 2027, the global online casino market is predicted to be worth $127.3 billion, growing at a CAGR of 11.5%. The increase in market size is largely due to the growing popularity of not just smartphones and mobile gaming, but also of social platforms that are transforming online games.
Already, providers like Tapinator are developing more social casino experiences for mobile phone users. And in the next few years, Gala Casino predicts that mobile gaming is set to overtake desktop casino experiences. This is thanks to people being more on-the-go and the technology in the mobile space improving consistently.
But the question is, with the overwhelming gaming options available, how can you stay safe while playing online casino games?
Look for reputable online casinos
There are countless casino apps available on the Internet, but before you start downloading a random app, be sure to do your research. Check if the casino is licensed through gambling registers, which can easily be found online. Although licensing bodies vary from state to state, most of the time, brick-and-mortar casinos offer online counterparts, and these apps are also heavily regulated to ensure fairness and safety for players.
Here is a quick tip: Usually, when casino apps ask only for a username and password, odds are they are not legitimately safe. Trusted online casinos will ask for a way to verify your identity, like a copy of your ID or a recent utility bill.
Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems’ firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash, though that “jackpotting” hack only works in combination with additional bugs he says he’s found in the ATMs’ software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors.