CIS Control 4: Secure Configuration of Enterprise Assets and Software

Key Takeaways for Control 4

Most fresh installs of operating systems and applications ship with default settings chosen for ease of deployment rather than security. Use established configuration baselines such as the CIS Benchmarks or the NIST National Checklist Program (NCP) to determine whether your organization needs to augment or adjust its own baselines so that they align with the policies it is trying to adhere to.
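As an added illustration of what a baseline check looks like in practice (this is the editor's example, not code from CIS or from the page), the script below parses a constructed sshd_config in its fresh-install state and reports every directive that drifts from a small baseline. The directive names and expected values are assumptions chosen for illustration and are not quoted from any benchmark; the point is the mechanics: commented-out lines are defaults, not settings, the first occurrence of a directive wins (as sshd itself behaves), and an unset directive is still a finding because the compiled-in default, not your baseline, then applies.

```python
"""Check a configuration file against a baseline and report drift.

Added example in the spirit of a CIS Benchmark audit. BASELINE values are
illustrative assumptions, not a published benchmark; the sample sshd_config
is constructed for this example.
"""
import re

# Hypothetical baseline: directive -> expected value (compared case-insensitively).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sample of a freshly installed sshd_config: package defaults and comments.
SAMPLE_SSHD_CONFIG = """\
# Package-generated configuration
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
LogLevel INFO
"""


def parse_directives(text):
    """Return the effective directive values as {lowercased name: value}.

    sshd honours the first occurrence of a directive, so later duplicates
    are ignored. Commented-out lines document defaults and are skipped.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*$", line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name not in effective:  # first match wins
            effective[name] = value
    return effective


def audit(text, baseline=BASELINE):
    """Compare effective settings to the baseline.

    Returns a list of (directive, expected, observed) findings. A directive
    absent from the file is reported with observed=None, because the
    compiled-in default rather than the baseline value is then in effect.
    """
    effective = parse_directives(text)
    findings = []
    for name, expected in baseline.items():
        observed = effective.get(name.lower())
        if observed is None or observed.lower() != expected.lower():
            findings.append((name, expected, observed))
    return findings


if __name__ == "__main__":
    for name, expected, observed in audit(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {name}: expected {expected!r}, found {observed!r}")
```

Running it against the constructed sample reports all five directives, including PermitRootLogin, which is only present as a commented-out default. A real audit would cover many more directives and the Match blocks sshd supports, but the drift-reporting shape stays the same.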

How to Deliver Safe Files to Your Employees at Scale…Proactively Avoiding CVE-2021-40444

Zero-day vulnerabilities have always been a thorn in the side of security teams trying to balance letting employees keep working productively with protecting them from threats while a patch is still pending. Recently a new zero-day, CVE-2021-40444, was disclosed; it puts at risk any employee who opens a malicious document crafted to exploit it.

Why Preventing Financial Account Takeover Attacks is Important for Banks and Fintechs

Financial account takeover is a form of identity fraud in which fraudsters use stolen credentials to break into the digital financial accounts of genuine customers. A sharp increase in the number of consumers using fintech services and digital channels for their banking needs during the pandemic has expanded the attack surface like never before, leading to greater risk for financial institutions.

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability

In August, the Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (fewer than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.
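Both this item and the earlier one on delivering files safely revolve around the same question: how do you tell, before a user opens it, that an Office document reaches out to external content? The scanner below is an added example by the editor, not code from Microsoft's analysis or from the page. It relies on the fact that Office files are zip archives whose .rels parts declare relationships between parts, and that a relationship with TargetMode="External" makes the document fetch its target at open time. The specific indicators it flags (an external relationship whose target uses the mhtml: scheme or the x-usc: chaining marker, or any external oleObject relationship) are the editor's assumption drawn from public reporting on CVE-2021-40444 and are not stated by the page; treat them as a heuristic, not a signature. The sample document is constructed in memory.

```python
"""Flag Office documents whose relationship parts reach out to external content.

Added example, not from the page or from Microsoft. The indicator choice is
an assumption based on public reporting about CVE-2021-40444. The sample
document is constructed below rather than taken from any real sample.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_sample_docx(target, rel_kind="oleObject"):
    """Construct a minimal docx-like zip with one external relationship.

    rel_kind is the last path segment of the relationship Type, e.g.
    "oleObject" or "hyperlink". The other parts are placeholders.
    """
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OFFICE_REL}{rel_kind}"
                Target="{target}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def scan_relationships(docx_bytes):
    """Return suspicious external relationships as (part, Id, Type, Target).

    Every *.rels part in the archive is parsed; only relationships with
    TargetMode="External" are considered, since internal targets cannot
    reach the network. External hyperlinks are normal in documents and are
    not flagged on their own.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                lowered = target.lower()
                suspicious = (
                    lowered.startswith("mhtml:")
                    or "!x-usc:" in lowered
                    or rtype.endswith("/oleObject")
                )
                if suspicious:
                    findings.append((name, rel.get("Id"), rtype, target))
    return findings


if __name__ == "__main__":
    bad = build_sample_docx(
        "mhtml:http://example.invalid/w.html!x-usc:http://example.invalid/w.html")
    for part, rid, rtype, target in scan_relationships(bad):
        print(f"SUSPICIOUS {part} {rid}: {rtype.rsplit('/', 1)[-1]} -> {target}")
```

A document that only carries an ordinary external hyperlink yields no findings, while an external OLE object, or any external target using mhtml: or x-usc:, is reported. This is a triage aid for a mail gateway or file-drop workflow, not a replacement for patching; a document can still be dangerous in ways this check does not model.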

The responsibilities of AI-first investors

Ash Fontana, a managing director at Zetta Ventures, is the author of “The AI-First Company: How to Compete and Win with Artificial Intelligence.”

Investors in AI-first technology companies serving the defense industry, such as Palantir, Primer and Anduril, are doing well. Anduril, for one, reached a valuation of over $4 billion in less than four years. Many other companies that build general-purpose, AI-first technologies — such as image labeling — receive large (undisclosed) portions of their revenue from the defense industry.

Emergency Software Patches Are on the Rise

Emergency software patches, in which users are pushed to immediately update phones and computers because hackers have figured out some novel way to break in, are becoming more common. From a report: Researchers raised the alarm Monday about a big one: The Israeli spyware company NSO Group, which sells programs for governments to remotely take over people’s smartphones and computers, had figured out a new way into practically any Apple device by sending a fake GIF through iMessage. The only way to guard against it is to install Apple’s emergency software update. Such emergency vulnerabilities are called “zero days” — a reference to the fact that they’re such an urgent vulnerability in a program that software engineers have zero days to write a patch for it. Against a hacker with the right zero day, there is nothing consumers can do other than wait for software updates or ditch devices altogether.

Once considered highly valuable cyberweapons held mostly by elite government hackers, publicly disclosed zero-day exploits are on a sharp rise. Project Zero, a Google team devoted to identifying and cataloging zero days, has tallied 44 this year alone where hackers had likely discovered them before researchers did. That’s already a sharp rise from last year, which saw 25. The number has increased every year since 2018. Katie Moussouris, founder and CEO of Luta Security, a company that connects cybersecurity researchers and companies with vulnerabilities, said that the rise in zero days is thanks to the ad hoc way that software is usually programmed, which often treats security as an afterthought. “It was absolutely inevitable,” she said. “We’ve never addressed the root cause of all of these vulnerabilities, which is not building security in from the ground up.” But almost paradoxically, the rise in zero days reflects an online world in which certain individuals are more vulnerable, but most are actually safer from hackers.

How Many Words is a Picture Actually Worth? What Images Mean in Intelligence Analysis

September 15, 2021 • Jake Munroe

In intelligence analysis, a picture is worth a thousand words… but could it be worth even more? Traditionally, intelligence analysis has been text-centric. Intelligence analysts in the private and public sectors spend hours collecting and reading documents, social media posts, news sites, classified reporting, and more, all to get a full picture of what is happening with the topic or event they are digging into. While text has always given and will always give analysts powerful insights, they can often gain more from images, or from images combined with text, and so understand the broader picture (no pun intended!) of what is happening.