Aug 03 2023

OWASP Top 10 for LLM (Large Language Model) applications is out!

Category: owasp | disc7 @ 12:45 pm

The OWASP Top 10 for LLM (Large Language Model) Applications version 1.0 is out; it focuses on the potential security risks of using LLMs.

OWASP released the OWASP Top 10 for LLM (Large Language Model) Applications project, which provides a list of the top 10 most critical vulnerabilities impacting LLM applications.

The project aims to educate developers, designers, architects, managers, and organizations about the security issues when deploying Large Language Models (LLMs).

The organization is committed to raising awareness of the vulnerabilities and providing recommendations for hardening LLM applications.

“The OWASP Top 10 for LLM Applications Working Group is dedicated to developing a Top 10 list of vulnerabilities specifically applicable to applications leveraging Large Language Models (LLMs).” reads the announcement of the Working Group. “This initiative aligns with the broader goals of the OWASP Foundation to foster a more secure cyberspace and is in line with the overarching intention behind all OWASP Top 10 lists.”

The organization states that the primary audience for its Top 10 is developers and security experts who design and implement LLM applications. However, the project could also be of interest to other stakeholders in the LLM ecosystem, including scholars, legal professionals, compliance officers, and end users.

“The goal of this Working Group is to provide a foundation for developers to create applications that include LLMs, ensuring these can be used securely and safely by a wide range of entities, from individuals and companies to governments and other organizations.” continues the announcement.

The Top Ten is the result of the work of nearly 500 security specialists, AI researchers, developers, industry leaders, and academics. Over 130 of these experts actively contributed to this guide.

The project is clearly a work in progress: LLM technology continues to evolve, and research on its security risks will need to keep pace.

Below is the OWASP Top 10 for LLM version 1.0:

LLM01: Prompt Injection

This manipulates a large language model (LLM) through crafty inputs, causing unintended actions by the LLM. Direct injections overwrite system prompts, while indirect ones manipulate inputs from external sources.

LLM02: Insecure Output Handling

This vulnerability occurs when an LLM output is accepted without scrutiny, exposing backend systems. Misuse may lead to severe consequences like XSS, CSRF, SSRF, privilege escalation, or remote code execution.

LLM03: Training Data Poisoning

This occurs when LLM training data is tampered with, introducing vulnerabilities or biases that compromise security, effectiveness, or ethical behavior. Sources include Common Crawl, WebText, OpenWebText, and books.

LLM04: Model Denial of Service

Attackers cause resource-heavy operations on LLMs, leading to service degradation or high costs. The vulnerability is magnified due to the resource-intensive nature of LLMs and unpredictability of user inputs.

LLM05: Supply Chain Vulnerabilities

The LLM application lifecycle can be compromised by vulnerable components or services, leading to security attacks. Using third-party datasets, pre-trained models, and plugins can add vulnerabilities.

LLM06: Sensitive Information Disclosure

LLMs may inadvertently reveal confidential data in their responses, leading to unauthorized data access, privacy violations, and security breaches. It is crucial to implement data sanitization and strict user policies to mitigate this.

LLM07: Insecure Plugin Design

LLM plugins can have insecure inputs and insufficient access control. This lack of application control makes them easier to exploit and can result in consequences like remote code execution.

LLM08: Excessive Agency

LLM-based systems may undertake actions leading to unintended consequences. The issue arises from excessive functionality, permissions, or autonomy granted to the LLM-based systems.

LLM09: Overreliance

Systems or people overly depending on LLMs without oversight may face misinformation, miscommunication, legal issues, and security vulnerabilities due to incorrect or inappropriate content generated by LLMs.

LLM10: Model Theft

This involves unauthorized access, copying, or exfiltration of proprietary LLM models. The impact includes economic losses, compromised competitive advantage, and potential access to sensitive information.
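As an added example (not from the OWASP document or this post) of the defensive pattern behind LLM02, LLM07 and LLM08, the following Python treats everything a model returns as untrusted: free text is escaped before it reaches HTML, and a plugin call is executed only if it names an allow-listed tool with validated arguments. The names ALLOWED_TOOLS, ToolCall, RejectedOutput and the two sample tools are assumptions for illustration.

```python
# Added example: an LLM output gateway. Model text is never trusted (LLM02),
# and the model can only invoke allow-listed plugins with validated arguments
# (LLM07 insecure plugin design, LLM08 excessive agency). All names here are
# illustrative assumptions, not an OWASP or vendor API.
import html
import json
import re
from dataclasses import dataclass

# Permitted tools: argument name -> validator for that argument (assumed set).
ALLOWED_TOOLS = {
    "get_weather": {"city": re.compile(r"^[A-Za-z .'-]{1,64}$").fullmatch},
    "lookup_order": {"order_id": re.compile(r"^ORD-\d{6}$").fullmatch},
}


@dataclass(frozen=True)
class ToolCall:
    name: str
    args: dict


class RejectedOutput(ValueError):
    """Model output failed validation; the caller must not act on it."""


def render_vulnerable(model_text: str) -> str:
    # The LLM02 anti-pattern: model text dropped straight into an HTML page.
    return f"<div class='answer'>{model_text}</div>"


def render_safe(model_text: str) -> str:
    # Escape before rendering so markup in the model's answer is inert text.
    return f"<div class='answer'>{html.escape(model_text, quote=True)}</div>"


def parse_tool_call(model_text: str) -> ToolCall:
    """Accept a plugin call only if it is JSON naming an allow-listed tool
    with exactly the expected argument names, each passing its validator."""
    try:
        obj = json.loads(model_text)
    except json.JSONDecodeError as exc:
        raise RejectedOutput(f"not JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != {"tool", "args"}:
        raise RejectedOutput("expected an object with exactly 'tool' and 'args'")
    name, args = obj["tool"], obj["args"]
    spec = ALLOWED_TOOLS.get(name)
    if spec is None:
        raise RejectedOutput(f"tool not in allow-list: {name!r}")
    if not isinstance(args, dict):
        raise RejectedOutput("'args' must be an object")
    if set(args) != set(spec):  # no extra or missing arguments
        raise RejectedOutput(f"unexpected argument set for {name}: {sorted(args)}")
    for key, check in spec.items():
        value = args[key]
        if not isinstance(value, str) or check(value) is None:
            raise RejectedOutput(f"argument {key!r} failed validation")
    return ToolCall(name, dict(args))


def is_safe_tool_call(model_text: str) -> bool:
    """True only when parse_tool_call would accept the output."""
    try:
        parse_tool_call(model_text)
        return True
    except RejectedOutput:
        return False


if __name__ == "__main__":
    # Constructed sample outputs, as a model might return them.
    print(render_safe("<script>alert(1)</script>"))
    print(parse_tool_call('{"tool": "get_weather", "args": {"city": "Oslo"}}'))
    print(is_safe_tool_call('{"tool": "delete_user", "args": {"id": "42"}}'))
```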

The organization invites experts to join it and provide support to the project.

You can currently download version 1.0 in two formats: the full PDF and the abridged slide format.

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

InfoSec tools | InfoSec services | InfoSec books


Jul 30 2023

How can we solve cybersecurity talent issue?

Category: Cyber career, Security training | disc7 @ 11:18 am

The cybersecurity talent issue is a significant challenge faced by organizations worldwide. Solving this problem requires a combination of short-term and long-term strategies to attract, develop, and retain skilled cybersecurity professionals. Here are some steps that can help address the cybersecurity talent shortage:

  1. Education and Training: Invest in cybersecurity education and training programs at various levels, from primary education to advanced professional certifications. Collaborate with educational institutions and industry experts to design comprehensive and up-to-date curricula.
  2. Promote Cybersecurity as a Career Choice: Raise awareness about the importance of cybersecurity as a career option. Target students and professionals from diverse backgrounds to encourage them to pursue cybersecurity careers.
  3. Apprenticeships and Internships: Establish apprenticeship and internship programs to provide hands-on experience to aspiring cybersecurity professionals. This can help bridge the gap between theoretical knowledge and practical skills.
  4. Industry Collaboration: Foster collaboration between academic institutions and the private sector. Industry partnerships can help ensure that cybersecurity programs align with current industry needs and practices.
  5. Cyber Range and Simulations: Set up cyber ranges and simulations to provide a safe environment for individuals to practice and enhance their cybersecurity skills. These platforms allow trainees to learn through realistic scenarios without risking real-world systems.
  6. Mentorship Programs: Create mentorship programs where experienced cybersecurity professionals can guide and support newcomers in their career development. This can be especially helpful in retaining talent and promoting professional growth.
  7. Competitive Compensation and Benefits: Offer competitive salaries and benefits to attract skilled cybersecurity professionals. Recognize their value and contribution to the organization’s security posture.
  8. Continuous Professional Development: Encourage and facilitate continuous learning and professional development for existing cybersecurity teams. This can be achieved through regular training, attending conferences, and participating in workshops.
  9. Diversity and Inclusion: Promote diversity and inclusion within the cybersecurity workforce. A diverse team brings varied perspectives and problem-solving approaches, ultimately enhancing the overall security posture.
  10. Public-Private Partnerships: Encourage partnerships between government agencies, private companies, and non-profit organizations to address the talent shortage collectively. Collaboration can lead to resource-sharing and more comprehensive solutions.
  11. Automation and AI Solutions: Implement cybersecurity automation and AI technologies to augment the existing workforce. Automation can handle repetitive tasks, allowing professionals to focus on more complex issues.
  12. Retaining Talent: Focus on employee retention by providing a supportive and rewarding work environment. Recognize and celebrate cybersecurity achievements and milestones within the organization.
  13. Ethical Hacking Competitions and CTFs: Support and sponsor ethical hacking competitions and Capture The Flag (CTF) events. These challenges attract cybersecurity enthusiasts and offer valuable learning experiences.

By combining these strategies and adopting a long-term perspective, organizations can start making progress in solving the cybersecurity talent issue. Remember that cybersecurity is an ever-evolving field, and continuous efforts are needed to attract and retain skilled professionals.

This blended training course will give you what you need to develop your career and pass the challenging CISSP (Certified Information Systems Security Professional) exam the first time.

Cybersecurity and information resilience – BSI Group

Computer Security

How Does Social Media Affect Teenagers, and Is It Positive?




Tags: CISSP, Computer security, Information resilience


Jul 07 2023

Chief Information Security Officer Handbook

Category: CISO, vCISO | disc7 @ 11:03 am

CISSP training course


Tags: Chief Information Security Officer, CISO


Jun 08 2023

9 free cybersecurity whitepapers you should read

Category: cyber security | disc7 @ 1:00 am

In today’s rapidly evolving digital landscape, organizations face constant cyber threats that can compromise their sensitive data, disrupt operations, and damage their reputation. Staying informed about the latest cyberattacks and understanding effective protection methods is crucial.

This list of free cybersecurity whitepapers that don’t require registration covers a wide range of common cyber risks (ransomware, DDoS attacks, social network account hijacking) and explores the possible risks that could originate from new technologies such as generative AI (GenAI) and large language models (LLMs).

MS-ISAC guide to DDoS attacks

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has created a guide to shed light on denial of service (DoS) and distributed denial of service (DDoS) attacks. A DoS attack aims to overwhelm a system and hinder its intended users’ access, while a DDoS attack involves multiple sources working together towards the same goal.

These attacks deplete network, application, or system resources, leading to issues such as network slowdowns, application crashes, and server failures. The MS-ISAC guide examines various techniques employed by cyber threat actors (CTAs) to execute successful DDoS attacks. The guide also provides recommendations for defending against these types of attacks.

The Ultimate Guide to Everything You Need to Know about DDoS Attacks

Ransomware missteps that can cost you

Ransomware has become one of the most concerning types of attacks. To be able to effectively tackle these attacks, IT professionals and managed services providers need to be prepared to respond quickly and appropriately.

The first step towards readiness lies in acquiring a comprehensive understanding of the primary issues and possible pitfalls that can significantly impact the outcome.

This whitepaper from N-able gives insights into one of the most common and disastrous types of attack, and into the frequent mistakes organizations make when trying to limit its damaging effects.

Ransomware Protection Playbook

The five ICS cybersecurity critical controls

To establish a robust and successful security program for industrial control systems (ICS) or operational technology (OT), a combination of five cybersecurity controls can be employed.

This SANS whitepaper points out these controls, empowering organizations to customize and implement them according to their specific environment and risk factors.

Rather than being overly prescriptive, these controls prioritize outcomes, ensuring flexibility and adaptability. Moreover, they are informed by intelligence-driven insights derived from the analysis of recent breaches and cyberattacks in industrial companies worldwide.

NIST Framework for Improving Critical Infrastructure Cybersecurity: Whitepaper

How to identify the cybersecurity skills needed in the technical teams in your organization

To keep an organization safe from information security threats, it is essential to understand the cybersecurity skills gaps within your IT and InfoSec teams. To enhance your company’s protection, it is crucial to pinpoint these deficiencies and to prioritize skills according to specific job roles.

This whitepaper from Offensive Security concentrates on optimal methods for nurturing internal cybersecurity talent within your technical teams, such as IT, information security, DevOps, or engineering.

Building a Career in Cybersecurity: The Strategy and Skills You Need to Succeed 

Generative AI and ChatGPT enterprise risks

The increasing use of GenAI and LLMs in enterprises has prompted CISOs to assess the associated risks. While GenAI offers numerous benefits in improving various daily tasks, it also introduces security risks that organizations need to address.

This whitepaper from Team8 aims to provide information on these risks and recommended best practices for security teams and CISOs, as well as encourage community involvement and awareness on the subject.

The ChatGpt Revolution – Unlock the Potential of AI: Opportunities, Risks and Ways to Build an Automated Business in the Age of New Digital Media

Redefining browser isolation security

Traditional methods of data security and threat protection are inadequate in the face of evolving applications, users, and devices that extend beyond the corporate perimeter.

Legacy security approaches struggle to adapt to the hybrid work model, leading to visibility issues, conflicting configurations, and increased risks. To address these challenges, organizations need to update their risk mitigation strategies.

Remote browser isolation (RBI) technology offers a promising solution by separating internet browsing from local browsers and devices. However, traditional RBI approaches have limitations such as high costs, performance issues, and security vulnerabilities caused by deployment gaps.

This Cloudflare whitepaper examines the causes and consequences of these challenges, and shows how to approach browser isolation to tackle these common issues.

Browser Isolation Standard Requirements

S1 deload stealer: Exploring the economics of social network account hijacking

Social networks have become an essential part of our lives, but they have also been exploited by criminals. Threat actors have been using legitimate social media accounts to engage in illegal activities, such as extortion and manipulating public opinion for influencing elections.

Financially motivated groups have also employed malvertising and spam campaigns, as well as operated automated content-sharing platforms, to increase revenue or sell compromised accounts to other malicious individuals.

This whitepaper from Bitdefender highlights an ongoing malware distribution campaign that takes advantage of social media by hijacking users’ Facebook and YouTube accounts.

Building a budget for an insider threat program

To gain support from top-level executives when planning to implement a purpose-built insider threat solution, the value of the solution needs to be linked not just to reducing risks but also to providing additional business benefits.

The business case should show how an insider threat program can result in immediate cost savings, allow security resources to be allocated to other important projects in the future, and ultimately promote collaboration, productivity, and innovation.

This Code42 whitepaper provides a strategy for security teams to create a convincing business case.

The case for threat intelligence to defend against advanced persistent threats

Organizations are encountering an increasingly serious challenge posed by advanced persistent threats (APTs). Those responsible for managing business risk recognize that it is impossible to completely prevent such threats. Instead, the focus is on implementing defensive measures and utilizing threat intelligence to improve the chances of detecting attacks and reducing risk to an acceptable level.

Rather than fixating on the inevitability of being hacked, the emphasis is placed on minimizing the occurrence of attacks and efficiently identifying and responding to them, to mitigate their impact on the business.

This Cyberstash whitepaper examines the effectiveness and cost associated with threat intelligence in enhancing the security industry’s defensive capabilities against APTs.


Tags: cybersecurity whitepapers


Apr 17 2023

Lynis – Open Source Security Auditing & Pentesting Tool – 2023

Category: Pen Test, Security Tools | DISC @ 8:50 am

Lynis is an open source security auditing tool. Its main goal is to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks, for example searching for installed software and determining possible configuration flaws.

Many tests are part of common security guidelines and standards, supplemented by additional security tests. After the scan, a report is displayed with all discovered findings. To provide initial guidance, each finding links to the related Lynis control.

Lynis is one of the most trusted automated auditing tools for software patch management, malware scanning and vulnerability detection on Unix/Linux based systems. It is useful for auditors, network and system administrators, security specialists and penetration testers.

Intended audience: security specialists, penetration testers, system auditors, system/network managers and security engineers.

Lynis also assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

Lynis is compatible with many Operating Systems, such as:

  • AIX
  • Arch Linux
  • BackTrack Linux
  • CentOS
  • Debian, DragonFlyBSD
  • Fedora Core, FreeBSD
  • Gentoo
  • HPUX
  • Kali, Knoppix
  • Linux Mint
  • MacOS X, Mageia, Mandriva
  • NetBSD
  • OpenBSD, OpenSolaris, openSUSE, Oracle Linux
  • PcBSD, PCLinuxOS
  • Red Hat Enterprise Linux (RHEL) and derivatives
  • Sabayon, Scientific Linux, Slackware, Solaris 10, SuSE
  • TrueOS
  • Ubuntu and derivatives

Lynis can also audit software such as:

  • Database servers: MySQL, Oracle, PostgreSQL
  • Time daemons: dntpd, ntpd, timed
  • Web servers: Apache, Nginx

Once Lynis starts scanning your system, it performs auditing in a number of categories:

  • System tools: system binaries
  • Boot and services: boot loaders, startup services
  • Kernel: run level, loaded modules, kernel configuration, core dumps
  • Memory and processes: zombie processes, IO waiting processes
  • Users, groups and authentication: group IDs, sudoers, PAM configuration, password aging, default mask
  • Shells
  • File systems: mount points, /tmp files, root file system
  • Storage: usb-storage, firewire ohci
  • NFS
  • Software: name services: DNS search domain, BIND
  • Ports and packages: vulnerable/upgradable packages, security repository
  • Networking: nameservers, promiscuous interfaces, connections
  • Printers and spools: cups configuration
  • Software: e-mail and messaging
  • Software: firewalls: iptables, pf
  • Software: webserver: Apache, nginx
  • SSH support: SSH configuration
  • SNMP support
  • Databases: MySQL root password
  • LDAP services
  • Software: php: php options
  • Squid support
  • Logging and files: Syslog daemon, log directories
  • Insecure services: inetd
  • Banners and identification
  • Scheduled tasks: crontab/cronjob, atd
  • Accounting: sysstat data, auditd
  • Time and synchronization: ntp daemon
  • Cryptography: SSL certificate expiration
  • Virtualization
  • Security frameworks: AppArmor, SELinux, security status
  • Software: file integrity
  • Software: malware scanners
  • Home directories: shell history files

How Lynis works:

In this Kali Linux tutorial we run Lynis for the first time. It is recommended to use the -c parameter, which runs all tests to check the system. To record the auditor’s name, add the --auditor parameter. Some sample commands and output follow.

Download and install Lynis from GitHub:

git clone https://github.com/CISOfy/lynis

$ cd lynis
# ./lynis

Sample output:

Once installed, start Lynis with the auditor or pentester name:

# lynis -c --auditor "BALAJI"

The tutorial’s screenshots (not reproduced here) show the scan output section by section:

  • Figure 1. Initialize
  • Figure 2. System Tools
  • Figure 3. Boot & Services and Kernel
  • Figure 4. Users and Group
  • Figure 5. Shell and storage
  • Figure 6. Software, Ports and Packages
  • Figure 7. Networking and Printer
  • Figure 8. Email, Firewalls and Web Server
  • Figure 9. SSH, SNMP and Databases
  • Figure 10. PHP, Squid Proxy and Logging
  • Figure 11. Inetd, Banner and Cron
  • Figure 12. Accounting, NTP and Cryptography
  • Figure 13. Virtualization, Security Frameworks and File Integrity
  • Figure 14. Malware Scanners, System Tool and Home directory
  • Figure 15. Kernel Hardening
  • Figure 16. Hardening, Custom Tests and Result
  • Figure 17. Hardening Index

Run Lynis with Custom Tests

Your system may not need to run all the tests. If your server is not running a web server, you don’t need to test for one. For this purpose, we can use the --tests parameter. The syntax is:

# lynis --tests "Test-IDs"

There are more than 100 tests available. Here is a partial list of Lynis Test-IDs:

  • FILE-7502 (Check all system binaries)
  • BOOT-5121 (Check for GRUB boot loader presence)
  • BOOT-5139 (Check for LILO boot loader presence)
  • BOOT-5142 (Check SPARC Improved boot loader (SILO))
  • BOOT-5155 (Check for YABOOT boot loader configuration file)
  • BOOT-5159 (Check for OpenBSD i386 boot loader presence)
  • BOOT-5165 (Check for FreeBSD boot services)
  • BOOT-5177 (Check for Linux boot and running services)
  • BOOT-5180 (Check for Linux boot services (Debian style))
  • BOOT-5184 (Check permissions for boot files/scripts)
  • BOOT-5202 (Check uptime of system)
  • KRNL-5677 (Check CPU options and support)
  • KRNL-5695 (Determine Linux kernel version and release number)
  • KRNL-5723 (Determining if Linux kernel is monolithic)
  • KRNL-5726 (Checking Linux loaded kernel modules)
  • KRNL-5728 (Checking Linux kernel config)
  • KRNL-5745 (Checking FreeBSD loaded kernel modules)
  • KRNL-5770 (Checking active kernel modules)
  • KRNL-5788 (Checking availability new kernel)
  • KRNL-5820 (Checking core dumps configuration)

Below is a sample command that runs the "Check uptime of system" and "Checking core dumps configuration" tests. To add more tests, append more Test-IDs separated by spaces.

# ./lynis --tests "BOOT-5202 KRNL-5820"


To find more Test-IDs, look inside /var/log/lynis.log. Here is how to do it.

1. First, run Lynis with the -c (check-all) parameter.

# ./lynis -c -Q

2. Then look inside the /var/log/lynis.log file, combining the cat command with grep. Let’s say you want to search for Test-IDs related to the kernel: use the keyword KRNL to find them.

# cat /var/log/lynis.log | grep KRNL


Below is the complete list of Test-ID keywords available in Lynis.

BOOT
KRNL (kernel)
PROC (processor)
AUTH (authentication)
SHLL (shell)
FILE
STRG (storage)
NAME (dns)
PKGS (packaging)
NETW (network)
PRNT (printer)
MAIL
FIRE (firewall)
HTTP (webserver)
SSH
SNMP
DBS (database)
PHP
LDAP
SQD (squid proxy)
LOGG (logging)
INSE (insecure services – inetd)
SCHD (scheduling – cron job)
ACCT (accounting)
TIME (time protocol – NTP)
CRYP (cryptography)
VIRT (virtualization)
MACF (AppArmor – SELINUX)
MALW (malware)
HOME
HRDN (hardening)

Run lynis with categories

If you feel that entering a lot of Test-IDs is painful, you can use the --tests-category parameter. With this option, Lynis runs the Test-IDs included in a specific category. For example, to run the firewall and kernel tests:

# ./lynis --tests-category "firewalls kernel"


Run Lynis as Cronjob

Since security needs consistency, you can automate Lynis to run periodically. Let’s say you want to run it every month to see if there is any improvement since the last Lynis run. To do this, we can run Lynis as a cronjob. Here’s a sample cronjob to run it every month.

#!/bin/sh
# Monthly Lynis audit run from cron; reports are kept under /var/log/lynis

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

cd /usr/local/lynis || exit 1
./lynis -c --auditor "${AUDITOR}" --cronjob > "${REPORT}"

# Keep the machine-readable report data next to the text report
mv /var/log/lynis-report.dat "${DATA}"

# End

Save the script as /etc/cron.monthly/lynis. Don’t forget to make sure the related paths (/usr/local/lynis and /var/log/lynis) exist, otherwise the script will not work properly.
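To act on the monthly report-data files the cron job keeps (the "improvement since the last Lynis run" mentioned above), here is an added Python example, not from this post or the Lynis project, that parses two such files and diffs their hardening index and warnings. It assumes the key=value layout Lynis writes to lynis-report.dat (hardening_index=N, warning[]=TEST-ID|text|...); the sample reports and all function names are constructed.

```python
# Added example: compare two Lynis report-data files from successive cron runs.
# The key=value layout (scalar keys, repeated keys ending in "[]") is the one
# Lynis writes to lynis-report.dat; the sample contents are constructed, not
# real scan output.
from pathlib import Path

# Constructed samples standing in for /var/log/lynis/report-data-<host>.<date>.txt
OLD_REPORT = """\
report_version_major=1
hardening_index=62
warning[]=KRNL-5820|Core dumps are enabled|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|
"""

NEW_REPORT = """\
report_version_major=1
hardening_index=71
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|
warning[]=PKGS-7392|Found one or more vulnerable packages|-|
"""


def parse_report(text):
    """Split key=value lines into scalars and repeated keys (those ending in '[]')."""
    scalars, lists = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists.setdefault(key[:-2], []).append(value)
        else:
            scalars[key] = value
    return {"scalars": scalars, "lists": lists}


def hardening_index(report):
    """The hardening index; 0 if the report has none (for example an aborted run)."""
    return int(report["scalars"].get("hardening_index", 0))


def warning_ids(report):
    """Test IDs of all warnings; each entry is 'TEST-ID|message|details|'."""
    return {entry.split("|", 1)[0] for entry in report["lists"].get("warning", [])}


def compare_reports(old_text, new_text):
    """Summarise how the newer run differs from the older one."""
    old, new = parse_report(old_text), parse_report(new_text)
    new_warnings = sorted(warning_ids(new) - warning_ids(old))
    resolved = sorted(warning_ids(old) - warning_ids(new))
    return {
        "old_index": hardening_index(old),
        "new_index": hardening_index(new),
        "new_warnings": new_warnings,
        "resolved_warnings": resolved,
        # A regression is a lower score OR any new warning, even if the score rose.
        "regressed": hardening_index(new) < hardening_index(old) or bool(new_warnings),
    }


def compare_report_files(old_path, new_path):
    """Same comparison for two files written by the cron job above."""
    return compare_reports(Path(old_path).read_text(), Path(new_path).read_text())


if __name__ == "__main__":
    result = compare_reports(OLD_REPORT, NEW_REPORT)
    print(f"hardening index: {result['old_index']} -> {result['new_index']}")
    for tid in result["new_warnings"]:
        print(f"  + new warning {tid}")
    for tid in result["resolved_warnings"]:
        print(f"  - resolved {tid}")
    print("regression" if result["regressed"] else "no regression")
```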



Tags: Lynis, Open source security


Mar 14 2023

Cyber Security Training Courses

Category: Security training | DISC @ 7:55 am

Cyber Security Course Online – Fees, Syllabus, Eligibility

70+ Cyber Security Training Courses

“Security should be built in, not bolt-on.”

Cyber Security Courses | Links
Finding your cybersecurity-career path | edx.sjv.io/BXm2G4
MYCS computer science for beginners | edx.sjv.io/e4yQ5r
IBM cybersecurity fundamentals | edx.sjv.io/gbMAjv
Ethical hacking essentials ehe | edx.sjv.io/e4yAJZ
Online master science cybersecurity Georgia tech | edx.sjv.io/NK1QOP
Usmx umgc cloud computing | edx.sjv.io/LPAxb3
w3cx front end web developer | edx.sjv.io/2rbQPM
Snhux data management with python and sql | edx.sjv.io/qn5ERq
Python data science | edx.sjv.io/AoqqJN
Introduction to python programming | edx.sjv.io/mgDDPy
Online master of science computer science utaustinx | edx.sjv.io/rnkzvj
Master of information and cybersecurity | edx.sjv.io/5bXXzj
Linux foundation x introduction to devops practices and tools | edx.sjv.io/LPAZZY
Uwashingtonx essentials cybersecurity | edx.sjv.io/jWxOO0
Hecmontrealx ux design and evaluation | edx.sjv.io/ORVmbn
Cybersecurity the cisos view | edx.sjv.io/MXGNbo
Ec council cybersecurity essentials | edx.sjv.io/9W4JE3
building-a-cybersecurity-toolkit | edx.sjv.io/6b3gdG
Programming basics | edx.sjv.io/DV9ked
Computer science 101 | edx.sjv.io/DV9ke2
Umd usmx agile project management | edx.sjv.io/Vyz6BO
Computer forensic | edx.sjv.io/ORVm4W
Delftx inclusive and sustainable cities | edx.sjv.io/5b27Y2
Cybersecurity and privacy in the IoT | edx.sjv.io/6b3gVN
Cybersecurity risk management | edx.sjv.io/YgEy2O
Linuxfoundationx secure software development fundamentals | edx.sjv.io/QOZ60Y
Harvardx leadership and communication | edx.sjv.io/WDWGg3
AWS getting started with cloud security | edx.sjv.io/3P6dYv
AWS cloud technical essentials | edx.sjv.io/kj7ZGn
Building modern python applications on aws | edx.sjv.io/DVjnzj
Getting started with data analytics on aws | edx.sjv.io/rnAOxQ
Cyberwar surveillance and security | edx.sjv.io/7mRJd3
Online master data science utaus | edx.sjv.io/jWxO5n
Harvardx data science | edx.sjv.io/KeooMv
Uc san diego x data science | edx.sjv.io/b3WWYg
Introduction to computer science and programming | edx.sjv.io/qn520O
Ritx cybersecurity | edx.sjv.io/5b27qD
Linux basics the command line interface | edx.sjv.io/n1r2Aa
Ibm full stack cloud application development | edx.sjv.io/Ryg6Yy
Basic network and database security | edx.sjv.io/qn52d5
Scripting and programming foundations | edx.sjv.io/P0JAvz
Application security for developers | edx.sjv.io/zaZqxW
Unlocking information security part 1 | edx.sjv.io/n1D1NX
Unlocking information security part 2 | edx.sjv.io/kjDbBN
Berkeleyx entrepreneurship for all the startup guide by silicon valley insiders | edx.sjv.io/DV91Xd
Programming for everybody getting started with pyt | edx.sjv.io/e4yxkZ
Google cloud computing foundations | edx.sjv.io/15nkma
Harvardx computer science for web programming | edx.sjv.io/MXGzQN
Mit sloan machine learning in business online program | edx.sjv.io/AoxeKD
Cyber security basics a hands on approach | edx.sjv.io/jWxEQ5
Imd blockchain and the future of finance online program | edx.sjv.io/zaZWD6
Introduction to linux | edx.sjv.io/yRJzPW
Google power searching with google | edx.sjv.io/rnkVqv
Basic network and database security | edx.sjv.io/BXqXKq
AI chatbots without programming | edx.sjv.io/0J0jVV
Imd cybersecurity risk and strategy online program | edx.sjv.io/0JkGQO
Network security protocols | edx.sjv.io/dobXWW
Digital forensics essentials dfe | edx.sjv.io/7mWA6Y
The quantum internet and quantum computers how w2 | edx.sjv.io/QORREP
Wharton strategic management | edx.sjv.io/5bXXvo
Umd usmx agile project management | edx.sjv.io/e4OOL6
tumx-lean-six-sigma-green-belt-certification | edx.sjv.io/x900gx
Harvardx tiny machine learning | edx.sjv.io/GjAA7n
Berkeleyx science-of happiness at work | edx.sjv.io/ZdPP7K
Uqx business leadership | edx.sjv.io/0JkkVO

Professional Certificates, Bachelors & Masters Program


Tags: Cyber Security Training Courses


Mar 12 2023

Security Risk Assessment Services

Category: Risk Assessment, Security Risk Assessment | DISC @ 11:16 pm

Security risk assessment services are crucial in the cybersecurity industry as they help organizations identify, analyze, and mitigate potential security risks to their systems, networks, and data. Here are some opportunities for providing security risk assessment services within the industry:

  1. Conducting Vulnerability Assessments: As a security risk assessment service provider, DISC can conduct vulnerability assessments to identify potential vulnerabilities in an organization’s systems, networks, and applications. You can then provide recommendations to mitigate these vulnerabilities and enhance the organization’s overall security posture.
  2. Performing Penetration Testing: Penetration testing involves simulating a real-world attack on an organization’s systems and networks to identify weaknesses and vulnerabilities. As a security risk assessment service provider, DISC can perform penetration testing to identify potential security gaps and provide recommendations to improve security.
  3. Risk Management: DISC can help organizations identify and manage risks associated with their information technology systems, data, and operations. This includes assessing potential threats, analyzing the impact of these threats, and developing plans to mitigate them.
  4. Compliance Assessment: DISC can help organizations comply with regulatory requirements by assessing their compliance with industry standards such as ISO 27001, HIPAA, or NIST-CSF. DISC can then provide recommendations to ensure that the organization remains compliant with these standards.
  5. Cloud Security Assessments: As more organizations move their operations to the cloud, there is a growing need for security risk assessment services to assess the security risks associated with cloud-based systems and applications. As a service provider, DISC can assess cloud security risks and provide recommendations to ensure the security of the organization’s cloud-based operations.
  6. Security Audit Services: DISC can provide security audit services to assess the overall security posture of an organization’s systems, networks, and applications. This includes reviewing security policies, processes, and procedures and providing recommendations to improve security.

By providing these services, DISC can help organizations identify potential security risks and develop plans to mitigate them, thereby enhancing their overall security posture.

In what situations would a vCISO Service be appropriate?

Transition plan from ISO 27001 2013 to ISO 27001 2022

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com) or through our website’s contact form.

Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan


Tags: Security Risk Assessment


Mar 09 2023

Security Professionals Battle Burnout as Threat Landscape Evolves

Category: cyber security | DISC @ 11:14 am

A surge of cybersecurity incidents and a general feeling of work overload is leading to widespread burnout among IT security professionals, two surveys indicated.

A Cynet survey of chief information security officers (CISOs) of small to midsize businesses found nearly two-thirds (65%) said their ability to protect their organization is compromised due to an overwhelming workload–with nearly 100% admitting they needed additional resources.

The stress levels are affecting entire IT security teams, with nearly three-quarters (74%) of CISOs surveyed admitting they have lost team members because of work-related stress issues.

Nearly half (47%) of these CISOs have had more than one team member exit their role over the last 12 months.

Burning Out and Fading Away

Respondents to a Magnet Forensics survey said the rapid evolution of cybercrime is weighing on security teams substantially more than it did last year, leading to widespread burnout. Alert and investigation fatigue are twin contributing factors, the survey revealed.

The study also revealed that the evolving nature of threats is extending response times beyond what they feel is acceptable—43% of respondents said it takes them between one week and more than a month.

Nearly a third of respondents said that identifying the root cause of an incident requires either a “complete overhaul” or “major improvements” in the organization’s threat posture.

“We’re seeing a direct correlation between burnout and the increased activity of cybercriminals who are relying on more complex strategies and bombarding organizations with more attacks,” explained Adam Belsher, CEO of Magnet. “New cybersecurity regulations also impacted our respondents who said they’re now under increased pressure to get answers faster.”

He pointed out that a global talent shortage resulted in hiring challenges, and that digital forensics and incident response practitioners (DFIR) find themselves in a difficult situation.

“They need to respond to more incidents, get answers faster and do so while knowing no reinforcements are on the way,” Belsher noted. “It’s no surprise that they’re burned out.”

George Tubin, director of product marketing for Cynet, added that what stood out most is what a vicious cycle this work-related stress is. Their stress at work spills over into their personal lives, which increases their stress at work—and repeat.

“Because of their workload and stress, these CISOs said they’re missing vacations and private events and they’re also losing their tempers with family and friends. This only exacerbates their stress levels,” he says.

In addition, 80% of them have received complaints about how they handled security tasks and two-thirds said their ability to protect their organizations is compromised due to work overload and stress.

More Cybersecurity Staff Needed to Combat Burnout

The Cynet survey also asked CISOs whether they need more people, and the general consensus is that they could use 30% more staff.

They also said they’ve compromised on hiring decisions because it’s so hard to find good cybersecurity people.

“But, when we asked them what initiatives could help them reduce stress levels, rather than say hire more, more CISOs stated technology consolidation and automation, as well as outsourcing,” Tubin says. “Cybersecurity technology has become so complicated and so expensive that the cure is almost as bad as the disease.”

Belsher noted that each factor contributing to the burnout of DFIR practitioners is out of their hands.

“They can’t control how often cybercriminals attack their organizations or the methods they use,” he said. “Cybercriminals have continued to find new threat vectors and ways to scale the volume of their attacks. That won’t change in 2023.”

That means organizations must adapt to this threat landscape beyond trying to hire themselves out of this problem.

“If we maintain the status quo, burnout will only get worse,” he says. “Automation is essential to scaling the capacity of DFIR teams.”

Tubin agreed, noting that a couple of the survey questions asked the respondents to compare the past year with previous years; the results were consistent or had become slightly worse.

“Unless these security leaders can somehow relieve their stress, mainly through simplifying and automating their cybersecurity technology, I expect the situation to get worse before it gets any better,” he said.

He added that CEOs and the board should be concerned about the threat of burnout, especially considering that this stress is leading to a degradation in security outcomes that increased risk for the organization.

“CEOs and board members should proactively reach out to their security leaders to discuss ways to reduce stress and improve the company’s security posture,” he advised.

Belsher pointed out that cybersecurity and IT personnel can’t tackle burnout alone.

“Mental health is a company-wide imperative that executives, HR departments and all people leaders should play an active role in addressing,” he said.

CISO Zoom burnout

7 Steps From Burnout to Happiness


Tags: cybersecurity burnout


Nov 29 2022

Strategies for closing the cybersecurity skills & leadership gap

Category: CISO, Cyber career, vCISO | DISC @ 11:33 am

As organizations begin to address the risks of an increasingly complex digital landscape, they are recognizing that cybersecurity challenges are compounded by a lack of available talent and skills to mount a necessary defense. The digital skills shortage in the U.S. is at a critical point, highlighting a need for increased investment in workforce training. The Biden White House recently said that roughly 700,000 cyber-defense-related positions nationally are unfilled.

Clearly, CISOs and leaders across the C-suite are focused on the challenge, and many are investing heavily in shoring up gaps in their cybersecurity approach. In an age when a cyberattack can be an existential threat to any organization, cybersecurity engineers will serve as the first responders to such threats.

But organizations are struggling to fill these roles. Cyber professionals face ever-increasing pressure to keep up with more sophisticated and complex threats. The burnout in the profession is significant. What’s more, there hasn’t been a good understanding of the variety of jobs that there are in cybersecurity, and the various skills that can be leveraged for those jobs.

What complicates the effort to fill these roles are the demands placed on them. A strong cybersecurity professional must have advanced skills and experience in the following: meeting the immediate needs of securing the enterprise while also satisfying regulators and compliance officials; keeping a close eye on protections for customers and their personal data; and, if an incident occurs, navigating those interactions and coordinating with law enforcement. These are skills rarely found together.

In fact, not only is there a challenge in filling day-to-day roles within the cybersecurity portfolio, there is also a leadership gap. Many highly skilled cybersecurity professionals avoid taking leadership positions in the field precisely because they do not feel prepared to take on these multivariate tasks.

The solution rests in a two-pronged approach.

#1. Leverage cybersecurity frameworks and automation.

Organizations need to reduce the demand on crisis cyber defense by deploying automated platforms and technologies, such as zero trust security, to screen out threats and examine their entire value chain — including suppliers, vendors and others who may be the source of the greatest potential risks. As part of this effort, trained cybersecurity professionals should be deployed during the software development lifecycle and across business processes so that security and protections can be embedded by design rather than bolted on later.

#2. Migrate cybersecurity to the cloud.

https://www.securitymagazine.com/articles/98664-strategies-for-closing-the-cybersecurity-skills-and-leadership-gap

Navigating the Cybersecurity Career Path

Tags: cybersecurity skills, Navigating the Cybersecurity Career Path


Nov 29 2022

Why the updated ISO 27001 standard matters to every business’ security

Category: Information Security, ISO 27k | DISC @ 10:13 am

On the morning of August 4, 2022, Advanced, a supplier for the UK’s National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHS’s 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.

ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.

The standard is made up of a set of clauses (clauses 4 through 10) that define the management system, and Annex A which defines a set of controls. The clauses include risk management, scope and information security policy, while Annex A’s controls include patch management, antivirus and access control. It’s worth noting that not all of the controls are mandatory; businesses can choose to use those that suit them best.

Why is ISO 27001 being updated?

It’s been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape. 

With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber- and information security today. We have already seen ISO 27002 (the guidance on applying the Annex A controls) updated. The number of controls has been reduced from 114 to 93, a process that combined several previously existing controls and added 11 new ones.

Many of the new controls were geared to bring the standard in line with modern technology. There is now, for example, a new control for cloud technology. When the controls were first created in 2013, cloud was still emerging. Today, cloud technology is a dominant force across the tech sector. The new controls thus help bring the standard up to date.

In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.

How can ISO 27001 certification benefit your business?

Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.

Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their users’ minds.

Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.

In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.

There’s also the matter of education. Often, an organization’s weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.

Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.

Overcoming the challenge of ISO 27001 certification

A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, they’ve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organization’s information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.

While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:

  • Resources — time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
  • Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.

Next steps toward a successful future

While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.

It’s also important to recognize that this October was not the cutoff point for businesses to achieve certification for the new version of the standard. Businesses will have a few months before certification bodies will be ready to offer certification, and there will likely then be a two-year transition period after the new standard’s publication before ISO 27001:2013 is fully retired.

Ultimately, it’s vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in today’s hyper-connected world.

Source: https://wordpress.com/read/blogs/126020344/posts/2830377

ISO 27001 Risk Assessment and Gap Assessment

ISO 27001 Compliance and Certification

Tags: iso 27001, iso 27002


Nov 28 2022

Best practices for implementing a company-wide risk analysis program

Category: Risk Assessment, Security Risk Assessment | DISC @ 11:36 pm

The associated risk management programs are also constantly evolving, and that’s likely due to outside influences such as client contract requirements, board requests and/or specific security incidents that require security teams to rethink and strengthen their strategy. Not surprisingly, CISOs today face several dilemmas: How do I define the business impact of a cyber event? How much will it cost to protect our company’s most valuable assets? Which investments will make the business most secure? How do we avoid getting sidetracked by the latest cyber breach headline?

A mature risk analysis program can be thought of as a pyramid. Customer-driven framework compliance forms the base (PCI/ISO frameworks required for revenue generation); then incident-driven infrastructure security in the middle (system-focused security based on known common threats and vulnerabilities); with analysis-driven comprehensive coverage at the pinnacle (identification of assets, valuations, and assessment of threat/vulnerability risk).


How do you kickstart that program? Here are five steps that I’ve found effective for getting risk analysis off the ground.

Determine enterprise-specific assets

The first step is determining what is critical to protect. Unlike accounting assets (e.g., servers, laptops, etc.), in cybersecurity terms this would include things that are typically of broader business value. Often the quickest path is to talk with the leads for different departments. You need to understand what data is critical to the functioning of each group, what information they hold that would be valuable to competitors (pricing, customers, etc.) and what information disclosures would hurt customer relationships (contract data, for instance).

Also assess whether each department handles trade secrets, or holds patents, trademarks, and copyrights. Finally, assess who handles personally identifiable information (PII) and whether the group and its data are subject to regulatory requirements such as GDPR, PCI DSS, CCPA, Sarbanes Oxley, etc.

When making these assessments, keep three factors in mind: what needs to be safe and can’t be stolen, what must remain accessible for continued function of a given department or the organization, and what data/information must be reliable (i.e., that which can’t be altered without your knowledge) for people to do their jobs.

Value the assets

Once you’ve identified these assets, the next step is to attach a value. Again, I make three recommendations: keep it simple, make (informed) assumptions, and err on the side of overestimating. The reason for these recommendations is that completing a full asset valuation for an enterprise would take years and wouldn’t ever be finished (because assets constantly change).

Efficient risk analysis requires a more practical approach that uses broad categories, which can then be prioritized to understand where deeper analysis is needed. For instance, you might use the following categories, and assign values based on informed assumptions:

  • Competitive advantage – the items/processes/data that are unique to your company and based on experience. These are items that would be of value to a competitor to build on. To determine value, consider the cost of growing a legitimate competitor in your dominant market from scratch, including technology and overhead.
  • Client relationships – what directly impacts customer relationships, and therefore revenue. This includes “availability” impacts from outages, SLAs, etc. Value determination will likely be your annual EBIT goal, and impact could be adjusted by a Single Loss Exposure.
  • Third-party partnerships – relating to your ability to initiate, maintain or grow partner networks, such as contractors, ISPs or other providers. When valuing, consider the employee labor cost needed to recruit and maintain those partners.
  • Financial performance – items that impact your company’s ability to achieve financial goals. Again, valuation might equate to annual EBIT.
  • Employee relations – the assets that impact your ability to recruit and retain employees. Valuation should consider the volume of potential losses and associated backfill needs, including base salaries, bonuses, benefit equivalencies, etc.

Determine relevant threats, assess vulnerability, and identify exposures

When it comes to analyzing risk from threats, vulnerabilities and exposures, start with the common security triad model for information security. The three pillars – Confidentiality, Integrity and Availability (CIA) – help guide and focus security teams as they assess the different ways to address each concern.

Confidentiality touches on data security and privacy; it entails not only keeping data safe, but also making sure only those who need access, have it.

Integrity reflects the need to make sure data is trustworthy and tamper-free. While data accuracy can be compromised by simple mistakes, what the security team is more concerned with is intentional compromise that’s designed to harm the organization.

Availability is just what it sounds like – making sure that information can be accessed where and when needed. Availability is an aspect of the triad where security teams need to coordinate closely with IT on backup, redundancy, failover, etc. That said, it also involves everything from secure remote access to timely patches and updates to preventing acts of sabotage like denial of service or ransomware attacks.

In undertaking this part of the risk assessment, you’re using this security triad to determine threats, and then identifying exposure and assessing vulnerability to better estimate both the potential impact and probability of occurrence. Once these determinations are made, you’re ready for the next step.

Define risk

AV = assigned Asset Value (quantitative/qualitative) as identified above.
EF = the Exposure Factor, a subjective assessment of the potential percentage loss to the asset if a specific threat is realized. For example, an asset may be degraded by half, giving an EF of 0.50.

From this we can calculate the Single Loss Expectancy (SLE) – the monetary value from one-time risk to an asset – by multiplying AV and EF. As an example, if the asset value is $1M, and the exposure factor from a threat is a 50% loss (0.50) then the SLE will be $500,000.

Risk definition also takes this one step further by using this SLE and multiplying it by a potential Annualized Rate of Occurrence (ARO) to come up with the Annualized Loss Expectancy (ALE). This helps us understand the potential risk over time.

When working through these figures, it’s important to recognize that potential loss and probability of occurrence are hard to define, and thus the potential for error is high. That’s why I encourage keeping it simple and overestimating when valuing assets – the goal is to broadly assess the likelihood and impact of risk so that we can better focus resources, not to get the equations themselves perfectly accurate.
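The SLE and ALE arithmetic above, carried through on a small constructed risk register as an added example (this is not code from the original post). Asset names, values, exposure factors and rates of occurrence are all made-up sample inputs; the example also aggregates ALE per CIA pillar, which the post describes as the lens for deciding where to focus.

```python
"""Quantitative risk register applying SLE = AV * EF and ALE = SLE * ARO.

Added example, not part of the original post. All assets, values and
rates below are constructed sample inputs, chosen only for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario against one enterprise-specific asset."""
    asset: str      # asset identified with the department leads
    pillar: str     # CIA pillar the threat mainly affects: "C", "I" or "A"
    threat: str     # relevant threat, phrased from the defender's view
    av: float       # assigned Asset Value, in dollars
    ef: float       # Exposure Factor: fraction of AV lost if realized (0..1)
    aro: float      # Annualized Rate of Occurrence: expected events per year


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF; the loss from a single realized threat."""
    if av < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO; the expected loss per year from this scenario."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def rank_by_ale(scenarios: list[Scenario]) -> list[tuple[Scenario, float, float]]:
    """Return (scenario, SLE, ALE) triples, highest ALE first.

    Ranking by ALE rather than SLE is the point: a scenario with a smaller
    one-time loss can still dominate if it is expected more often.
    """
    rows = []
    for s in scenarios:
        sle = single_loss_expectancy(s.av, s.ef)
        ale = annualized_loss_expectancy(sle, s.aro)
        rows.append((s, sle, ale))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def ale_by_pillar(scenarios: list[Scenario]) -> dict[str, float]:
    """Sum ALE per CIA pillar to see which concern carries the most risk."""
    totals: dict[str, float] = {"C": 0.0, "I": 0.0, "A": 0.0}
    for s, _sle, ale in rank_by_ale(scenarios):
        totals[s.pillar] += ale
    return totals


# Constructed sample register (hypothetical assets and figures).
SAMPLE_REGISTER = [
    Scenario("Pricing model (competitive advantage)", "C",
             "disclosure of pricing data to a competitor",
             av=2_000_000, ef=0.60, aro=0.2),
    Scenario("Customer portal (client relationships)", "A",
             "multi-day outage from ransomware",
             av=1_000_000, ef=0.50, aro=0.5),
    Scenario("Partner contract archive (third-party partnerships)", "I",
             "undetected alteration of contract terms",
             av=300_000, ef=0.25, aro=1.0),
]


if __name__ == "__main__":
    for s, sle, ale in rank_by_ale(SAMPLE_REGISTER):
        print(f"{s.asset:55s} [{s.pillar}] SLE=${sle:>12,.0f} ALE=${ale:>12,.0f}")
    print(ale_by_pillar(SAMPLE_REGISTER))
```

Note that the portal outage ranks above the pricing disclosure even though its single loss is less than half as large, because it is expected more than twice as often.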

Implement and monitor safeguards (controls)

Now that we have a better handle on the organizational risks, the final steps are more familiar territory for many security teams: implementing and monitoring the necessary and appropriate controls.

You’re likely already very familiar with these controls. They are the countermeasures – policies, procedures, plans, devices, etc. – to mitigate risk.

Controls fall into three categories: preventative (before an event), detective (during) and corrective (after). The goal is to try to stop an event before it happens, quickly react once it does, and efficiently get the organization back on its feet afterward.

Implementing and monitoring controls are where the rubber hits the road from a security standpoint. And that’s the whole point of the risk analysis, so that security professionals can best focus efforts where and how appropriate to mitigate overall organizational risk.

Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

Tags: risk analysis program


Nov 16 2022

5 Kali Linux tools you should learn how to use

Category: Linux Security | DISC @ 11:03 am

Kali Linux is a specialized Linux distribution developed by Offensive Security, designed for experienced Linux users who need a customized platform for penetration testing.

Kali Linux also comes with several hundred specialized tools for carrying out penetration testing, security research, computer forensics, reverse engineering, vulnerability management, and red team testing. Here are 5 you should learn how to use.

Aircrack-ng

Aircrack-ng is a complete suite of tools to assess Wi-Fi network security, focusing on:

  • Monitoring: Packet capture and export of data to text files for further processing by third-party tools
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
  • Testing: Checking WiFi cards and driver capabilities (capture and injection)
  • Cracking: WEP and WPA PSK (WPA 1 and 2)

John the Ripper

John the Ripper is an open-source password security auditing and password recovery tool. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos/AFS and Windows LM hashes, as well as DES-based tripcodes, plus hundreds of additional hashes and ciphers in “-jumbo” versions.


Lynis

Lynis performs an extensive health scan of your systems to support system hardening and compliance testing. Lynis is open-source and flexible, and used for several different purposes. Typical use cases include:

  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOX)
  • Penetration testing
  • Vulnerability detection
  • System hardening

Metasploit

Metasploit is the world’s most used penetration testing framework. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

For more information about the past, present and future of Metasploit, watch our video with Spencer McIntyre, Lead Security Researcher at Rapid7.


Nmap

Nmap is a free and open-source utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.


More Kali Linux content to check out:

Check out our previous posts on Linux Security

Tags: Kali Linux


Oct 20 2022

Why chasing risk assessments will have you chasing your tail

Category: Risk Assessment, Security Risk Assessment | DISC @ 10:07 am

Third-party risk assessments are often described as time-consuming, repetitive, overwhelming, and outdated. Think about it: organizations, on average, have over 5,000 third parties, meaning they may feel the need to conduct over 5,000 risk assessments. In the old school method, that’s 5,000 redundant questionnaires. 5,000 long-winded Excel sheets. No wonder they feel this way.

The reason risk assessments have become so dreaded is that the process has always been one of individual inspection and evaluation. For perspective, 5,000 assessments works out to roughly 14 completed per day over the span of one year. How can we expect security, risk, and procurement professionals to get any other work done with this type of task on their plate? With the state of today’s threat landscape, wouldn’t you rather your security team be focused on actual analysis and mitigation, rather than just assessing? Not to mention that a tedious risk assessment process contributes to burnout, which can lead to poor employee retention within your security team. With how the cybersecurity job market is looking now, this isn’t a position any organization wants to be in.

So, now that you know how the people actually with their ‘hands in the pot’ feel about risk assessments, let’s take a look at why this approach is flawed and what organizations can do to build a better risk assessment process.

The never-ending risk assessment carousel ride

The key to defeating cybercriminals is to be vigilant and proactive. Not much can be done when you’re reacting to a security incident, as the damage is already done. Unfortunately, the current approach to risk management is reactive and full of gaps that do not provide an accurate view into overall risk levels. How so? Current processes only measure a point in time and do not account for the period while the assessment is being completed, or for any breaches that occurred after the assessment was submitted. In other words, assessments would need to be filled out again and again, a never-ending carousel ride, which is not feasible.

It should come as no surprise that assessments are not updated nearly as much as they should be, and that’s no one’s fault. No one has the time to continually fill out long, redundant Excel sheets. And, not to mention, unless the data collected is standardized, very little can be done with it from an analysis point of view. As a result, assessments are basically thrown in a drawer and never see the light of day.

Every time a third-party breach occurs there is a groundswell of concern and company executives and board members immediately turn to their security team to order risk assessments, sending them on a wild goose chase. What they don’t realize is that ordering assessments after a third-party breach has occurred is already too late. And the organizations that are chosen for a deeper assessment are most likely not the ones with the highest risk. Like a never-ending carousel ride, the chase for risk assessments will never stop unless you hop off the ride now.

Show me the data!

The secret ingredient for developing a better risk management collection process is standardized data. You can’t make bread without flour, and you can’t have a robust risk management program without standardized data. Standardized data is the process of gathering data in a common format, making it easier to conduct an analysis and determine necessary next steps. Think of it this way, if you were looking at a chart comparing student test grades and they were all listed in various formats (0.75, 68%, 3/16, etc.), you would have a difficult time comparing these data points. However, if all the data is listed in percentages (80%, 67%, 92%, etc.), you could easily identify who is failing and needs more support in the classroom. This is the way using standardized data in the risk assessment process works. All data collected from assessments would be in the same format and you can understand which third parties are high risk and require prioritized mitigation.

CISOs who are still focused on point-in-time assessments are not getting it right. Organizations need to understand that risk assessment collection alone does not in fact equal reduced risk. While risk assessments are important, what you do with the risk assessment after it is complete is what really matters. Use it as a catalyst to create a larger, more contextual risk profile. Integrate threat intelligence, security ratings, machine learning, and other data sources and you’ll find yourself with all the data and insights you need and more to proactively reduce risk. You’ll be armed with the necessary information to mitigate risk and implement controls before the breach occurs, not the rushed patchwork after. A data-driven approach to third-party risk assessment will provide a more robust picture of risk and put an end to chasing assessments once and for all.


Security Risk Assessment

How to do an information security risk assessment for ISO27001

Tags: data breach, Risk Assessment, Third Party Risk


Oct 19 2022

Upgrade your security awareness efforts: Here’s how to start

Category: Security Awareness | DISC @ 11:34 am

October is Security Awareness Month, an exciting time as organizations around the world train people how to be cyber secure, both at work and at home. But what exactly is security awareness and, more importantly, why should we care about it?

The traditional approach does not work

Organizations, cybersecurity leaders and the cybersecurity community will all tell you the same thing: People represent the greatest security risk in today’s highly connected world. Organizations see it in their own incidents, and we see it in global data sets.

The most recent Verizon Data Breach Investigations Report (DBIR), one of the industry’s most trusted reports, has pointed out that people were involved in over 80% of breaches globally. These incidents may involve people being targeted with phishing emails or smishing attacks, or people making mistakes (e.g., IT admins misconfiguring their cloud accounts and accidentally sharing sensitive data with the entire world).

If people represent such a high risk, what should we be doing about it?

The traditional approach has been (and often continues to be) to throw more technology at the problem. If cyber attackers are successfully phishing people with email, we will deploy security technologies that filter and stop phishing email attacks. If cyber attackers are compromising people’s passwords, we will implement multi-factor authentication. The problem is that cyber attackers bypass these technologies by targeting people.

As we get better at identifying and stopping phishing email attacks, cyber attackers target people’s mobile phones with smishing (SMS or message-based) attacks. As more and more organizations deploy MFA, cyber attackers begin pestering people with MFA requests until they approve one (as recently happened at Uber).

This is where we also run into our second challenge: Security teams far too often blame people as the root cause of the human risk problem, as evidenced in often-used phrases such as “People are the weakest link,” and “If our employees did what we told them to do, they and we would be secure.”

But when we look at cybersecurity from the average employee’s perspective, it turns out that the security community is often to blame. We have made cybersecurity so confusing, scary, and overwhelming that we have set people up for failure. People often have no idea what to do or, if they do know what to do, doing the right thing has become so difficult that they get it wrong or simply choose another option.

Just look at passwords, one of the biggest drivers of breaches. We’ve been saying for years that people continue to use weak passwords in an insecure manner, but the problem persists because the password policies we teach are confusing and constantly changing. For example, many organizations or websites have policies requiring complex passwords of 15 characters, including upper and lower case letters, symbols, and numbers. Then we require people to change those passwords every ninety days but don’t provide a secure way to store all those long, complex, and changing passwords.

Then we roll out MFA to help secure people but, once again, this is extremely confusing (even for me!). First, we have multiple different names for MFA, including two-factor authentication, two-step verification, strong authentication, or one-time passwords. Then we have multiple different ways to implement it including push notification, text messaging, FIDO token-based, authentication apps, etc. Every website you go to has a different name and implementation of this technology, and then we once again blame people for not using it.

From security awareness to managing human risk

Security awareness training has been the traditional approach, and it involves communicating to and training your workforce on how to be cyber secure. While a step in the right direction, we need to take this one step further: We need to manage human risk.

Managing human risk requires a far more strategic approach. It builds on security awareness to include:

  • Risks: The security awareness team needs to be an integrated part of the security team, even reporting directly to the CISO. Their job should include working closely with other security elements (such as the security operations center, the cyber threat intelligence analysts, and the incident responders) to clearly identify the top human risks to the organization and the key behaviors that manage those risks. Once those key risks and behaviors have been identified and prioritized, then we can communicate with and train our workforce on those behaviors.
  • Policies: We need to start creating security policies, processes, and procedures that are far simpler for people to follow; we should be designing policies (and the tools that support them) with people in mind. If we want people to use strong authentication, we must focus on something that will be easy for people to learn and use. The more confusing and manual the process, the easier it is for cyber attackers to take advantage of it.
  • Security team: We need security teams to communicate to their workforce in simple, “human” terms that everyone can understand, including explaining the WHY of their requirements: Why are password managers important, what value does MFA have to them, and why enabling automatic updating is good for them. We must change the employees’ perception of the security team: from arrogant to approachable.

Managing human risk is becoming a fundamental part of every security leader’s strategy. Security awareness is the first step in the right direction as we attempt to communicate to, engage and train our workforce, but we need a more dedicated, strategic effort to truly manage human risk. Perhaps one day we will even grow and replace the role of the Security Awareness Officer with the Human Risk Officer.


The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

Tags: Security Awareness, Security Culture Playbook


Oct 13 2022

What You Need for a Strong Security Posture

Category: Attack Matrix, cyber security, Information Security | DISC @ 12:40 pm

From the basics to advanced techniques, here’s what you should know.

Cybersecurity concept art
Source: Rancz Andrei via Alamy Stock Photo

Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.

An organization’s security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.

That’s why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.

The Basics: Vulnerability Scanning

The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There’s a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.

Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.

While vulnerability scanning is relatively easy to use, it’s not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. Scanners are also often prone to false positives and must be updated consistently.

Overall, though, vulnerability scanning is an important baseline step. Once it’s running well, the next step is penetration testing.

Penetration Testing

Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there’s a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.

Run periodically, pen testing can uncover weaknesses that aren’t found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.

Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.

While penetration testing can provide a great deal of benefit, it’s a good idea to periodically review the wealth of information on best practices available online.

Red Team/Purple Team

The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization’s security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.

A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.

But too often, red and blue teams devolve into an adversarial relationship that’s counterproductive. It’s also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.

Using Adversary TTPs for Good

There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE’s ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security based on intelligence about specific attacks and then simulate the TTPs used.

For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases: command-and-control setup through initial access; host compromise through execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.

Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure’s detection and response rates.

Looking Ahead

Security vendors are moving beyond simply advocating the concept of MITRE’s ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.

MITRE’s CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. Caldera can also be used to train blue teams on detecting and remediating specific attacks.

There are also open source projects for adversary behavior simulation in development. A few of them of note include Uber’s Metta, Nextron Systems’ APT Simulator, Elastic/Endgame’s Red Team Automation, CyberMonitor’s Invoke-Adversary, and Red Canary’s Atomic Red Team.

Conclusion

Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.

Source:

https://www.darkreading.com/vulnerabilities-threats/what-you-need-for-a-strong-security-posture

Tags: Security Posture


Oct 02 2022

White House Releases Software Supply Chain Security Guidance

Category: Vendor Assessment | DISC @ 1:39 pm

The White House published a memo requiring agencies to comply with guidance from the Office of Management and Budget (OMB) which aims to improve software supply chain integrity and security. 

Signed by OMB Director Shalanda Young, the memo builds on Executive Order (EO) 14028, Improving the Nation’s Cybersecurity from May 2021, which is focused on the security and integrity of the software supply chain.

That EO emphasized the importance of secure software development environments and directed the National Institute of Standards and Technology (NIST) to issue guidance identifying practices that enhance the security of the software supply chain.

The recent memo, published on September 14, requires each federal agency to comply with the NIST guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, said it is heartening to see the memo establish a desire for consistency in the process by which agencies obtain self-attestations from suppliers.

“Such consistency and any eventually-centralized repository should help minimize the burden suppliers have in complying with the requirements of this memo,” he explained. “This is the first point where we have a directive for agencies to comply with guidance emerging from EO 14028.”

Software Supply Chain Security: A Challenging Space

Mackey said the single most important thing to realize is that software security is a problem space and that there is no silver bullet.

“No single action will prevent the next ransomware attack and the execution of tools doesn’t inherently fix vulnerabilities,” he said. “This is a highly technical space that is rather complex and nuanced. Well-intentioned humans will always make some mistakes and perfection isn’t attainable.”

That means the IT security industry needs to accept that software will always have weaknesses that can be exploited in certain circumstances.

“The moment you combine software into a supply chain, the potential for weaknesses increases and the potential for the authors of components within the supply chain to know the circumstances of how their software is used goes down,” Mackey said. 

Rick Holland, CISO and vice president of strategy at Digital Shadows, a provider of digital risk protection solutions, said from his perspective, the White House’s EO on improving the nation’s cybersecurity was a step in the right direction.

He said the OMB guidance is another good step; however, he added that this is a very long journey that will be measured not in months, but in years and, possibly, decades.

“The guidance focuses on vendor self-attestations and not independent validation,” he pointed out. “A government software supplier could claim to comply with NIST standards, but without third-party confirmation, the agency won’t know for sure. Zero-trust principles should apply here, too; don’t trust that a supplier is compliant—confirm it.”

He argued that the biggest threat to supply chain security is the complexity in defending against supply chain threats.

“Point-in-time security questionnaires are a legal requirement, not a preventive control. The number of third-party providers can be staggering, with security teams having to assess hundreds of providers,” he said.

Holland pointed out that security teams often don’t know the sensitive data their suppliers can access or the attack paths coming from their partners.

“Adversaries often do a better job of data discovery than defenders,” he added. 

A Plan For Moving Forward

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation, said the idea behind the government’s plan is good and the NIST guidelines are solid.

“What remains to be seen is how vendors will implement the guidance and whether it is enough to deal with a very dynamic threat space,” he added. 

He said while zero-day vulnerabilities still get the biggest headlines, the fact remains that users represent the broadest threat surface.

“Phishing, social engineering and other attacks against personnel remain consistent threat vectors and will almost certainly remain so,” he explained. “Having the most secure application code and supply chain won’t help when users are still giving up their passwords.”

Parkin said that by requiring third-party vendors to adhere to the NIST standards, the government can encourage them to develop software that is more secure and more robust—but that only really applies to vendors that want to work in the government space.

“They can’t necessarily push those standards on the public sector,” he noted. “And without a robust testing scheme to assure that when a vendor says ‘We comply’, that they actually do, some risks will remain.”

Mackey said mitigating software supply chain threats requires an understanding of the risk such threats pose to both the production of software and its associated operation and communicating the nature of those risks from producers to operators.

Properly managing software supply risk requires teams to move from a paradigm where tools are run and teams “do security” to one where the impact of findings from tools is understood and mitigations are made based on the context of how the given application runs.

“Solving this problem requires teams to think in terms of risk analysis first and then identify which tooling is best positioned to provide data supporting the analysis,” he explained.

Parkin added that threat actors have always adapted to the defenses put in place to stop them, and it’s difficult to say what technique they’ll shift to next.

“They will continue to look for vulnerabilities in the software, and they will continue to go after the users using whatever technique they find works,” he warned.


Tags: Software Supply Chain Security Guidance


Aug 09 2022

Buying Cyber Insurance Gets Trickier as Attacks Proliferate, Costs Rise

Category: Cyber Insurance | DISC @ 11:00 pm

Security chiefs should shop early for coverage and prepare for long questionnaires about their companies’ cyber defenses, industry professionals say


Insurers are scrutinizing prospective clients’ cybersecurity practices more closely than in past years, when underwriting was less strict.
PHOTO: GETTY IMAGES/ISTOCKPHOTO

For many businesses, obtaining or renewing cyber insurance has become expensive and arduous.

The price of cyber insurance has soared in the past year amid a rise in ransomware hacks and other cyberattacks. Given these realities, insurers are taking a harder line before renewing or granting new or additional coverage. They are asking for more in-depth information about companies’ cyber policies and procedures, and businesses that can’t satisfy this greater level of scrutiny could face higher premiums, be offered limited coverage or be refused coverage altogether, industry professionals said.

“Underwriting scrutiny has really tightened up over the past 18 months or so,” said Judith Selby, a partner in the New York office of Kennedys Law LLP.

In the second quarter, U.S. cyber-insurance prices increased 79% from a year earlier, after more than doubling in each of the preceding two quarters, according to the Global Insurance Market Index from professional-services firm Marsh & McLennan Cos.

Direct-written premiums for cyber coverage collected by the largest U.S. insurance carriers—the amounts insurers charge to clients, excluding premiums earned from acting as a reinsurer—climbed to $3.15 billion last year, up 92% from 2020, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms. Analysts attribute the increase primarily to higher rates, as opposed to insurers significantly expanding coverage limits.

Companies buying insurance are subject to tight scrutiny of internal cyber practices. This is different from past years, when carriers poured into the cyber market and competition produced less-stringent underwriting, Ms. Selby said.

Now, insurers aiming to limit their risk are putting corporate security chiefs through lengthy lists of questions about how they defend their companies, said Chris Castaldo, chief information security officer at Crossbeam Inc., a Philadelphia-based tech firm that helps companies find new business partners and customers.

“Prior to the questionnaires, you just gave them the coverage amount you wanted and the industry you were in, and that was it,” Mr. Castaldo said, referring to interactions with cyber insurers.

Discover Financial Services has a third party validate the robustness of its cybersecurity program, which helps with insurance, said CISO Shaun Khalfan. “Insurers want to have confidence that you are making the right investments and are building and maintaining a robust cybersecurity program,” Mr. Khalfan said.

Some of the questions insurers ask—and the level of detail required—can depend on the carrier, the size and type of the business seeking coverage and the amount of coverage desired.

Around 18 months ago, underwriters asked companies whether they required multifactor authentication when administrators accessed their system, said Tom Reagan, cyber practice leader in Marsh McLennan’s financial and professional products specialty practice. Today there’s an expectation that multifactor authentication is used throughout the organization, not just by administrators, he said.

Insurers also expect organizations to have planned and tested for a cyber event, such as through tabletop exercises, Mr. Reagan said: “They are not just interested in your smoke alarms, they want to hear about the fire drills.”

Carriers want to know what kind of backup plans companies have if a ransomware attack strikes and how those plans are tested. Insurers are also diving deeper into whether a company’s networks are segregated to limit the spread of malware, Ms. Selby said. Other important criteria some insurers consider, she said, include endpoint protection, or monitoring and protecting devices against cyber threats, and incident-response exercises.

Some companies will need to work with more carriers than in the past to get the desired level of coverage because no single insurer wants to carry so much risk, Ms. Selby said.

Amid the changing landscape, Mr. Reagan recommended that companies start to re-evaluate their cyber-insurance needs as early as six months before a policy comes up for renewal. Starting earlier to identify possible holes allows businesses to make changes to their cyber defenses, if necessary, and gather information that carriers require, he said.

https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000?tpl=cs

Demystifying Cyber Insurance

Tags: Cyber Insurance


Aug 02 2022

1 in 3 employees don’t understand why cybersecurity is important

Category: Security Awareness | DISC @ 8:57 am

According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cybersecurity posture.

What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it.

Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organization’s security 8 out of 10 on average, three-quarters of organizations experienced a security incident in the last 12 months.

The report suggests this could stem from a reliance on traditional training programs; 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged: just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.

The report also reveals a disconnect when it comes to reporting security risks. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.


Transformational Security Awareness

Tags: Security Awareness


Jul 26 2022

AWS Adds More Tools to Secure Cloud Workloads

Category: AWS Security | DISC @ 2:16 pm

Amazon Web Services (AWS) today expanded its portfolio of cloud security tools as part of an ongoing effort to make it simpler to secure application environments running on its infrastructure.

The additional services, announced at the AWS re:Inforce event, include support for Amazon EBS Volumes within the Amazon GuardDuty Malware Protection service and the ability to automatically share security findings between Amazon GuardDuty and AWS Security Hub.

In addition, the Amazon Macie data security service can now review and validate sensitive data found in an Amazon S3 cloud storage service, while Amazon Detective can now analyze logs generated by the Amazon Elastic Kubernetes Service (EKS).

AWS is also making it possible to assign a numeric compliance measurement value to Conformance Packs to make it easier to identify major deviations in security posture and is making available in preview an encrypted collaboration service dubbed AWS Wickr.

Finally, AWS is making available in preview tools to assess the security of third-party applications in its marketplace and revealed that the AWS Single Sign-On service (AWS SSO) has been rebranded AWS IAM Identity Center to better reflect the expanded role of the platform.

CJ Moses, CISO and vice president of security engineering for AWS, reminded conference attendees that they should be encrypting everything in the cloud and that they should only be providing external access to data and applications when required. Organizations should especially block access to cloud storage services, he noted.

The rollout of the latest AWS security services comes at a time of intense focus on cloud security as part of a larger effort to better secure software supply chains after a series of high-profile breaches. In general, cloud platforms are more secure than on-premises IT environments; however, the processes used to build and deploy cloud applications are often problematic and can introduce risk. Developers routinely employ open source tools like Terraform to provision cloud infrastructure and accelerate application development. Most of those developers have limited cybersecurity expertise so, inevitably, mistakes are made. The chronic shortage of cybersecurity expertise means most organizations are not able to keep pace with the rate at which workloads are being deployed in the cloud.

AWS contends its platform is more secure than rival platforms because of what it describes as automated reasoning technology that employs mathematical logic to, for example, detect entire classes of misconfigurations. As a result, AWS said it is able to empirically prove a cloud environment is secure. The issue that organizations encounter is that every cloud service provider expects the organization using its service to take responsibility both for configuring the infrastructure correctly and for securing the applications deployed on it. Developers, unfortunately, tend to assume more automation is being applied to secure workloads.
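As an added example (not from the article, AWS, or Terraform’s own documentation), the kind of provisioning mistake the preceding paragraphs describe is shown beside a hardened configuration that follows Moses’s advice to block access to cloud storage and encrypt everything. Bucket names and the KMS key description are placeholders.

```hcl
# Added example; bucket names and key description are placeholders, not values from the article.

# WEAK: a bucket made world-readable through its ACL. New buckets refuse this
# by default (ACLs disabled, public access blocked), so reaching this state
# means someone has explicitly opted back in to a dangerous setting.
resource "aws_s3_bucket" "weak" {
  bucket = "example-org-weak-bucket" # placeholder
}

resource "aws_s3_bucket_acl" "weak" {
  bucket = aws_s3_bucket.weak.id
  acl    = "public-read" # anyone on the internet can list and read objects
}

# HARDENED: public access blocked at the bucket level and server-side
# encryption with a customer-managed, rotating KMS key enforced by default.
resource "aws_kms_key" "data" {
  description         = "Key for sensitive-data bucket (placeholder)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "hardened" {
  bucket = "example-org-hardened-bucket" # placeholder
}

# All four settings true: existing and future public ACLs are ignored, public
# bucket policies are rejected, and cross-account public access is restricted,
# so a later change to the ACL or policy cannot re-expose the data.
resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Objects written without an explicit encryption header are still encrypted
# with the KMS key above; the bucket key reduces KMS call volume and cost.
resource "aws_s3_bucket_server_side_encryption_configuration" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
    bucket_key_enabled = true
  }
}

# Account-wide default in this region: every newly created EBS volume is
# encrypted at rest, so "encrypt everything" does not depend on each team
# remembering to set a flag.
resource "aws_ebs_encryption_by_default" "account" {
  enabled = true
}
```

Running `terraform plan` against the weak block in an account created after April 2023 fails unless ACLs and public access have been re-enabled, which is a useful signal that a reviewer should ask why.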

On the plus side, more organizations are also starting to embrace DevSecOps best practices to make software supply chains more secure. The challenge is that no matter how much time and effort is made to educate developers, there will always be a development team that makes a mistake— and cybercriminals will find a way to exploit it.


AWS Security Cookbook: Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS


Tags: AWS security, AWS Security Cookbook, AWS tools


Apr 29 2022

3 Ways to Boost Pentesting ROI

Category: Pen Test | DISC @ 7:23 am

If you’re a car owner, it can be tempting to put off an oil change, tire rotation or other recommended vehicle tune-up. But reality becomes all too clear when you’re sitting on the side of the highway waiting for AAA. And it’s even more painful when you’re hit with a massive repair bill a few days later that far exceeds any short-lived savings. 

Like many frustrated drivers, businesses are currently learning this lesson the hard way with cybersecurity. Last year, data breaches at organizations increased by 68% to reach their highest volume ever, according to the Identity Theft Resource Center’s 2021 Data Breach Report.

Even as data breaches become more prevalent and costly, many organizations continue to hold off on vital cybersecurity measures, as well as neglect routine pentesting and provisioning maintenance. This short-sighted approach costs organizations more in the long run. 

In order to prevent hacks and breaches, businesses must act quickly and treat cybersecurity as a long-term investment, learning how to drive the most value from security testing instead of waiting for a cyberattack to occur.

Pentesting: A Proactive Approach to Cybersecurity

One of the most effective ways to increase your cybersecurity readiness is penetration testing (pentesting, for short)—a simulated cyberattack designed to discover vulnerabilities in an organization’s IT systems. 

Pentesting involves stepping into hackers’ shoes to identify weak spots. By role-playing how a hacker might breach your security configurations, this process helps identify potential vulnerabilities and threats, test security responses and capabilities and measure ongoing improvements to your cybersecurity system. 

Your pentesters can come from either your internal security experts or from a third-party team. They dig into your security systems one by one, starting with a set of objectives to carry out an attack. Most teams combine black-box and white-box testing: For black, the pentester acts as a true external hacker with little or no knowledge of the IT landscape; for white, the pentester acts as an internal developer with complete knowledge of the landscape. 

Here’s what the process typically looks like:

  • Pentesters begin with low-privilege identity credentials from someone in a network, but they also look for vulnerabilities from any unauthenticated perspectives. After gaining remote access, pentesters explore your system and search for exploitable security gaps.
  • Based on what they find, pentesters develop and carry out a cyberattack. The aim is to gain escalating privileges and a greater ability to modify your systems, which packs a bigger punch than stealing data alone.
  • Once an attack commences, pentesters report their findings, rank vulnerabilities in terms of severity and advise you on remedies. After changes are implemented, pentesters test again to ensure you’ve properly closed all gaps. 

How to Get the Most out of Pentesting

For most organizations, reservations about pentesting aren’t rooted in a lack of understanding about the strategy’s benefits; instead, it comes down to time and money. In fact, 74% of IT professionals and security leaders said they would test their systems more frequently if it wasn’t so cumbersome, while 71% said it was too expensive.

So, how can you ensure your investment pays off? 

Here are three ways to achieve greater ROI on pentesting that are worth your resources: 

  1. Don’t skimp on scope or substance. On average, a high-quality pentest costs between $30,000 and $60,000 depending on the size and complexity of your organization. Large enterprises, for example, may spend closer to $100,000.  While it’s tempting to choose the cheapest option available on the market, low-cost alternatives often sacrifice test quality and deliver results that are far too narrow to provide meaningful remedies. Pay for a test that looks at your cybersecurity system comprehensively and is capable of producing results that benefit your security team in the long term.
  2. Set clear objectives and test cases. Most CISOs have a laundry list of security concerns that keeps them up at night. Pentesting is a great way to put those scenarios to rest. You can assemble a detailed list of top security concerns for pentesters to target first, which ensures that testing is specific to your industry, your company and your security framework.
  3. Incorporate testing (and retesting) as part of your cybersecurity routine. Security systems—and threats that aim to compromise them—are constantly changing. Routine testing on an annual or semiannual basis ensures your cybersecurity remains up-to-date and provides a metric for constant improvement. In fact, 85% of cybersecurity pros reported conducting such tests at least once a year. Retesting verifies that issues you’ve identified in the past have been fixed. 

The consequences of a cyberattack are more devastating than ever: In 2021, the average cost of a data breach reached a record $4.24 million, according to IBM’s annual Cost of a Data Breach Report.

Yet the average cybersecurity budget only constitutes 15% of a business’s overall IT budget. It often takes a catastrophe to galvanize organizations to update and improve cybersecurity measures. But by that time, the damage is done—loss of business, broken trust with customers, damage to your reputation and even regulatory fines.

Rather than waiting for a security incident, incorporate routine pentesting to ensure your cybersecurity defenses are ready for a potential attack. For cars, every 5,000 miles is a good rule of thumb for an oil change or tire rotation. For cybersecurity teams, an annual pentest is a solid start to boost your organization’s cybersecurity maintenance and drive sustained improvements that are well worth the cost. 

The Pentester BluePrint: Starting a Career as an Ethical Hacker
