Phishing, malware, and cryptojacking continue to increase in sophistication

Attackers are constantly trying new ways to get around established defenses. The data, collected throughout 2017 by Webroot, illustrates that attacks such as ransomware are becoming a worldwide threat and are seamlessly bypassing legacy security solutions because organizations are neglecting to patch, update, or replace their current products.

Yes, Even Elite Hackers Make Dumb Mistakes

On Thursday, a report from the Daily Beast alleged that the Guccifer 2.0 hacking persona—famous for leaking data stolen from the Democratic National Committee in 2016—has been linked to a GRU Russian intelligence agent. What appears to have given Guccifer away: The hacker once failed to activate a VPN before logging into a social media account. This slip eventually allowed US investigators to link the persona to a Moscow IP address. In fact, they traced it directly to GRU headquarters.

Nvidia looks to the AI future

It’s about making the lives of scientists and researchers easier, Jensen Huang, CEO and co-founder of Nvidia tells TechCrunch. He’s speaking of the keynote address he intends to give at the company’s upcoming GTC conference. Held in San Jose, miles away from the company’s new imposing headquarters, Nvidia is set to host thousands of attendees from the world’s top artificial intelligence, automotive and gaming companies. To Huang, his address needs to inspire and entertain. That should be easy. He’s naturally inspiring and entertaining.

Five on-the-ground insights on implementing endpoint security in the cloud

By Rick McElroy, Security Strategist, Carbon Black

Today’s “access-everything-anywhere-anytime” mobile data environment is great news for business productivity and performance but on the flipside it’s also a huge opportunity for cybercriminals. The increasing multitude of endpoints represents an ever-expanding playground in which to develop new ways of infiltrating corporate networks and making off with the digital goods. Malware, ransomware and a rising incidence of fileless attacks all constantly chip away at the perimeter while security pros now have to secure an environment that can comprise thousands of potential attack points. So, it’s not surprising that getting smarter about endpoint security is high on the CISO agenda and we’re seeing many turning to the cloud to cope with the scale and complexity of the task.

Legacy Cybersecurity Defenses Won’t Keep Pace with New Ransomware and Cryptojacking Threats

Webroot, the Smarter Cybersecurity® company, revealed the results from the 2018 edition of its annual threat report, which demonstrated attackers are constantly trying new ways to get around established defenses. The data, collected throughout 2017 by Webroot, illustrates that attacks such as ransomware are becoming a worldwide threat and are seamlessly bypassing legacy security solutions because organizations are neglecting to patch, update, or replace their current products.

Malicious Apps in Global App Stores Decrease 37 Percent, Feral Apps Lose Ground to Third-Party Stores

Malicious mobile apps were on the decline in Q4 of 2017 largely due to a decrease in the inventory of AndroidAPKDescargar, the most prolific dealer of blacklisted apps, according to digital threat management leader RiskIQ in its Q4 mobile threat landscape report, which analysed 120 mobile app stores and more than 2 billion daily scanned resources. Listing and analysing the app stores hosting the most malicious mobile apps and the most prolific developers of potentially malicious apps, the report documents the return of familiar threats such as brand imitation, phishing, and malware—as well as the discovery of a bankbot network preying on cryptocurrency customers.

20 Critical Security Controls: Control 17 – Implement a Security Awareness and Training Program

Today, I will be going over Control 17 from version 7 of the CIS top 20 Critical Security Controls – Implement a Security Awareness and Training Program. I will go through the nine requirements and offer my thoughts on what I’ve found.

Key Takeaways in Control 17

Less focus on metrics. The previous security awareness control had multiple sections on metrics and improving the overall compliance score. This round of controls is focused more on just establishing a method to deliver continuous training while only highlighting a handful of the most common attack vectors.

Outsourcing continues to be ideal. Security teams are already under-staffed, underfunded, and overworked. Establishing an awareness training program from scratch will be a time-consuming process that may be better suited for a third-party to develop and deliver.

Requirement Listing in Control 17

1. Perform a Skills Gap Analysis

Description: Perform a skills gap analysis to understand the skills and behaviors to which workforce members are not adhering, using this information to build a baseline education roadmap.

Notes: Performing a true skills gap analysis across the organization is going to be a time-consuming process. If you are just starting out on your journey of security awareness training for the organization, it may be best to look for a third party for help.

2. Deliver Training to Fill the Skills Gap

Description: Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.

Notes: Delivering the training is just closing the loop from the first section. Delivering the training can be either in-person presentations or automated videos delivered through the web. The size and complexity of your organization will most likely determine which route you will want to go.

3. Implement a Security Awareness Program

Description: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.

Notes: There are a couple of bullet points to break down with this section. The first is that the training should be delivered on a regular basis. Security awareness, as well as information security as a whole, is not a one-time solution. Second is that employees need to exhibit the behavior and skills based on the training they receive. Showing employees 20 bullet pointed slides on the definitions of phishing isn’t going to cut it. You need to make it fun and engaging then test them on what they learned after they have consumed the information.

4. Update Awareness Content Frequently

Description: Ensure that the organization’s security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

Notes: The tactics, techniques, and procedures attackers use are changing constantly. The training should reflect new attacks which are gaining popularity. Circling back to the previous section, employees are going to tune out if they are receiving the same training every quarter. Providing new information will help make concepts stick.

5. Train Workforce on Secure Authentication

Description: Train workforce members on the importance of enabling and utilizing secure authentication.

Notes: Some of the most high-profile attacks we’ve seen over the years could have been prevented with secure authentication, which is covered in Control 16. Strong passwords and multi-factor authentication go a long way in protecting your network.

6. Train Workforce on Identifying Social Engineering Attacks

Description: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

Notes: As with secure authentication, many attacks against enterprises have a component of social engineering. “The human is the weakest link in the security chain” is evidenced by how successful social engineering can be. This can be the first line of defense in your security organization and should be taken seriously.

7. Train Workforce on Sensitive Data Handling

Description: Train workforce on how to identify and properly store, transfer, archive and destroy sensitive information.

Notes: Data is what attackers are most commonly after. As defenders, we take extra precautions to make sure that data is stored and transmitted in a secure manner. Having an employee copying sensitive data to an insecure location can undo the millions you’ve invested in security.

8. Train Workforce on Causes of Unintentional Data Exposure

Description: Train workforce members to be aware of causes for unintentional data exposures such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

Notes: Insider threats can be caused by those with the best intentions. In some cases, a data loss prevention or mobile device management tool can prevent data exposure. However, there are going to be instances where a tool cannot detect something like a user putting in the wrong email in a web form. Training is going to be part of the two-pronged approach with data loss prevention to keep private data private.

9. Train Workforce Members on Identifying and Reporting Incidents

Description: Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.

Notes: As is discussed in Control 19, the security team may not be able to identify every incident. In today’s world, it’s better to teach end users to be overly cautious and to over-report rather than under-report security incidents.

Read more about the 20 Critical Security Controls here:

Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program