The ever-growing list of cybersecurity threats looks like something out of a 21st century version of “The Wizard of Oz” — but instead of lions and tigers and bears (oh my!), today’s security professionals must contend with Internet of Things (IoT) data leaks, fragmented cloud infrastructures due to regulations, augmented intelligence (AI)-powered malware and trusted professionals creating a new type of insider threat. This is just a small sample of the emerging threats looming in the shadows of cybersecurity.
By The Recorded Future Team on April 10, 2018
- Recorded Future research shows that seven of the top 10 vulnerabilities exploited in 2017 targeted Microsoft products.
- At least two of these, CVE-2017-0199 and CVE-2017-0189, were critical vulnerabilities — their exploitation allowed threat actors to arbitrarily execute code or access and change data.
- Despite being aware of at least some of these vulnerabilities for many months, Microsoft did not immediately patch them, leaving users exposed. Patches were not released until after exploits targeting those vulnerabilities appeared for sale on the dark web.
- The pattern and timeline of vulnerability recognition and response shows that vendors like Microsoft do not always disclose information about existing cybersecurity threats, illustrating the usefulness of third-party threat intelligence in providing another measure of your organization’s vulnerabilities.
According to Recorded Future’s research, seven of the top 10 most exploited vulnerabilities in 2017 targeted Microsoft products. This represents a shift from past years, where vulnerabilities in Adobe products consistently topped the list. The more troubling news, however, was Microsoft’s slow response to these vulnerabilities. Despite being identified by both Microsoft and cybersecurity companies like McAfee, some of these vulnerabilities were not patched for many months, leaving users dangerously exposed to exploitation.
Splunk has always been known as a company that can sift through oodles of log or security data and help customers surface the important bits. Today, it announced it was going to try to apply that same skill set to Industrial Internet of Things data.
“Dealing with risk is part of governance and leadership, and is fundamental to how an organization is managed at all levels.” — International Organization for Standardization
Making information security a priority within an organization isn’t easy. Security is usually seen as a specialized technical function within the organization and often isn’t aligned with organizational strategy or even day-to-day business tactics. Instead, information security teams are often siloed from the effects of their decisions and hyper-focused on detection, defense and mitigation. This is why companies’ security strategies often conflict with business operations. Does that new two-factor authentication system leave your sales team hanging out in the cold when they get locked out of your system in the middle of a demo? Too bad. The “S” in “IS” is for security, not sales.
A recent survey shows 64 percent of organisations have deployed some level of IoT technology, and another 20 percent plan to do so within the next 12 months. This means that by the end of 2018, five out of six organisations will be using at least a minimal level of IoT technology within their businesses.
Within ten years your medical check-up could involve more interaction with sensors, cameras and robotic scanning devices than human doctors and nurses, as healthcare organisations re-build services around the Internet of Things (IoT), according to a new report by Aruba, a Hewlett Packard Enterprise company.
Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.
DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS (Computers and Humans Exploring Software Security), and they’re holding a proposers day in a week and a half.
Verizon released its Data Breach Investigations Report (DBIR) this morning, the massive, in-depth analysis of last year’s security breaches, based on 53,000 security incidents from 67 contributing organizations around the world, including security researchers and law enforcement agencies.
Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers’ accounts and data more secure.
Today, I will be going over Control 9 from version 7 of the CIS top 20 Critical Security Controls – Limitation and Control of Network Ports, Protocols, and Services. I will go through the five requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 9

Reduce your attack surface. So much of Control 9 is about limiting the external attack surface of a system. This is always the first step in securing an endpoint.

Duplication with other controls. Everything being done in Control 9 is going to be accomplished by completing other controls elsewhere. I would probably leave this one for last, as it’s the least impactful (due to duplication) out of any of the controls.

Requirement Listing for Control 9

1. Associate Active Ports, Services and Protocols to Asset Inventory
Description: Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Notes: Utilize the same technology, or at least the same asset database, which you are using in Control 2 (specifically 2.5). A more advanced integration would be to tie the ports and protocols to the applications and then associate the applications with a business unit if possible. This would also relate to Control 11.2, which asks you to associate traffic configuration rules on the network with a business unit.

2. Ensure Only Approved Ports, Protocols and Services Are Running
Description: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
Notes: Create a baseline of what is listening on the systems. Over time, you can comb through the results and make sure nothing is out of the ordinary. As you are going through that process, any new port that is not expected should trigger an investigation. Using a vulnerability scanner such as IP360 or a tool like Tripwire Enterprise to list out ports will make this much easier on the security teams.

3. Perform Regular Automated Port Scans
Description: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
Notes: Performing these scans will feed the previous two requirements. For smaller environments, a simple Nmap scan could suffice. However, larger organizations will want to take advantage of more robust scanning tools, such as IP360, that can tackle thousands of endpoints in a shorter period of time.

4. Apply Host-based Firewalls or Port Filtering
Description: Apply host-based firewalls or port filtering tools on end systems with a default-deny rule that drops all traffic except those services and ports which are explicitly allowed.
Notes: Don’t fall into the trap of assuming that a network-based firewall alone will protect you: traffic between hosts on the same subnet never traverses it, so it bypasses those rules entirely. When implementing, don’t forget that limiting outbound traffic is just as important as restricting inbound communications.

5. Implement Application Firewalls
Description: Place application firewalls in front of any critical service to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Notes: Any firewall or IDS/IPS that can understand the application-layer traffic is going to be more effective than just blocking ports and protocols. I would expect to see this requirement dropped in favor of combining it with requirement 18.10 (Deploy Web Application Firewalls). However, a four-requirement control would be a little light, so maybe we need to move the remaining requirements elsewhere as well in favor of a more impactful control?
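Requirements 2 and 3 above amount to one loop: scan, diff against the approved baseline, alert on the difference. The script below is an added example, not code from the original post or from any of the tools it names. It parses Nmap's greppable (-oG) output and compares each host's open ports against a per-asset baseline; the scan text and the BASELINE inventory are constructed sample data, and the host addresses and names in them are hypothetical.

```python
"""Diff an automated port scan against an approved per-host baseline (CIS Control 9, req. 2 and 3).

Added example; the scan output and baseline below are constructed sample data.
Real input would come from e.g.  nmap -p- -oG scan.gnmap 10.0.0.0/24
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed nmap -oG output for three hosts. Field layout per port is
# port/state/protocol/owner/service/rpc/version/ (see nmap's grepable output docs).
SCAN_OUTPUT = """\
# Nmap 7.80 scan initiated Tue Apr 10 09:00:00 2018 as: nmap -oG - -p- 10.0.0.10-12
Host: 10.0.0.10 (web01.example.internal)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 10.0.0.11 (db01.example.internal)\tPorts: 22/filtered/tcp//ssh///, 3306/closed/tcp//mysql///, 5432/open/tcp//postgresql///\tIgnored State: closed (65532)
Host: 10.0.0.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (65534)
# Nmap done at Tue Apr 10 09:05:00 2018 -- 3 IP addresses (3 hosts up) scanned in 300.00 seconds
"""

# Hypothetical approved-services inventory (requirement 2): asset -> allowed (port, proto).
# In practice this comes from the same asset database used for Control 2.
BASELINE: Dict[str, Set[Tuple[int, str]]] = {
    "10.0.0.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "10.0.0.11": {(22, "tcp"), (5432, "tcp")},
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


@dataclass
class Finding:
    host: str
    kind: str            # unauthorized | missing | unknown-asset | not-scanned
    port: Optional[int] = None
    proto: Optional[str] = None
    service: str = ""


def parse_gnmap(text: str) -> Dict[str, Dict[Tuple[int, str], str]]:
    """Return {ip: {(port, proto): service}} containing only ports nmap reported as open."""
    hosts: Dict[str, Dict[Tuple[int, str], str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        open_ports: Dict[Tuple[int, str], str] = {}
        m = re.search(r"Ports: ([^\t]*)", line)
        if m:
            for port, state, proto, svc in PORT_RE.findall(m.group(1)):
                if state == "open":          # closed/filtered are not listening services
                    open_ports[(int(port), proto)] = svc
        hosts[ip] = open_ports               # a host with no open ports still counts as scanned
    return hosts


def compare(scan: Dict[str, Dict[Tuple[int, str], str]],
            baseline: Dict[str, Set[Tuple[int, str]]]) -> List[Finding]:
    """Requirement 3: alert on ports outside the baseline, and on drift in the other direction."""
    findings: List[Finding] = []
    for ip, ports in scan.items():
        allowed = baseline.get(ip)
        if allowed is None:
            # A responding host that is not in the inventory is itself a finding (Control 1/2 gap).
            for (port, proto), svc in sorted(ports.items()):
                findings.append(Finding(ip, "unknown-asset", port, proto, svc))
            continue
        for (port, proto), svc in sorted(ports.items()):
            if (port, proto) not in allowed:
                findings.append(Finding(ip, "unauthorized", port, proto, svc))
        # An approved service that stopped answering is worth a ticket too: the host may have
        # been rebuilt, re-addressed, or a firewall change may be hiding it from the scanner.
        for port, proto in sorted(allowed - set(ports)):
            findings.append(Finding(ip, "missing", port, proto))
    for ip in sorted(set(baseline) - set(scan)):
        findings.append(Finding(ip, "not-scanned"))
    return findings


if __name__ == "__main__":
    for f in compare(parse_gnmap(SCAN_OUTPUT), BASELINE):
        where = f"{f.port}/{f.proto}" if f.port is not None else "-"
        print(f"{f.host:<12} {f.kind:<14} {where:<10} {f.service}")
```

Run against the sample data, the diff yields three alerts: an unapproved 8080/tcp listener on the web host, the approved 22/tcp on the database host no longer answering, and a host on the subnet that is not in the inventory at all. Feeding the per-host baseline into the host firewall's explicit allow list (requirement 4) is the natural next step, since it is the same set of ports.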
When talk of Russian interference in U.S. elections comes up, much of the focus has been on state-sponsored trolls on Facebook and Twitter — special counsel Robert Mueller recently indicted a number of these actors, and Congress has taken Silicon Valley to task for allowing such accounts to flourish. But there’s another side of Russian meddling in American democracy: attacks on our election systems themselves.
Businesses are embracing the public cloud at an accelerated pace — and for good reason. By tapping hosted services, companies of all sizes and in all verticals are finding fresh, dynamic ways to engage with employees, suppliers, partners and customers.
Oculus says there are some types of data it either doesn’t share or doesn’t retain at all. The platform collects physical information like height to calibrate VR experiences, but apparently, it doesn’t share any of it with Facebook. It stores posts that are made on the Oculus forums, but not voice communications between users in VR, although it may retain records of connections between them. The company also offers a few examples of when it would share data with Facebook or vice versa. Most obviously, if you’re using a Facebook-created VR app like Spaces, Facebook gets information about what you’re doing there, much in the same way that any third-party app developer would. You can optionally link your Facebook account to your Oculus ID, in which case, Oculus will use your Facebook interests to suggest specific apps or games. If you’ve linked the accounts, any friend you add on Facebook will also become your friend on Oculus, if they’re on the platform.
When you think of mainframes, chances are you are thinking about some massive piece of hardware that costs millions and can be used as furniture. Now, IBM wants to change that perception with the launch of its latest addition to its Z-series machines, the IBM z14 Model ZR1, which fits in a standard 19-inch server rack. With its single-frame design, this new mainframe easily fits into any standard cloud data center or private cloud environment. In addition to the new z14, IBM is also launching an update to the similarly sized Rockhopper server.
In my last interview, I had the pleasure of speaking with Senior Security Analyst and Brakeing Down Security podcast host Amanda Berlin. Defensive security and blue teams are cool, and it’s about time that the area gets the recognition it deserves.

This time, I spoke with Sorene Assefa. She’s the founder of Cyber Czar, a cybersecurity firm based in South Africa.

Kim Crawley: What is your cybersecurity role?

Sorene Assefa: I am the founder and Managing Director of Cyber Czar, an organization focused on creating a culture of cybersecurity in South Africa, advocating the advancement of women in the tech sector, and working towards empowering young African women to play an active role in the field of cybersecurity.

KC: Please tell me a bit about what Cyber Czar has been doing lately.

SA: Cyber Czar is an emerging and vibrant firm. Our slogan is “ignite a culture of cybersecurity,” which follows a multidimensional and multidisciplinary approach. We have a number of services and initiatives designed to build an ecosystem around South Africa’s cybersecurity. Here are some of our current initiatives and projects:

Cyber Aware aims to drive behavioral change among all stakeholders, so that they adopt simple, secure online behaviors that help protect themselves from cyber criminals.

Privacy Aware aims to empower individuals and enable businesses to respect privacy, safeguard data and build trust.

Despite the growing demand and tremendous opportunities in the job market, cybersecurity remains an area where there is a significant shortage of skilled professionals regionally, nationally and internationally. Even worse, women’s representation in this male-dominated field is alarmingly low. Cyber Czar thus aims to guide, inspire and raise awareness about the importance of women’s partaking in cybersecurity careers by providing training and creating networking platforms and mentorship programs.

More than half of all civil servants provide services to the public directly. It’s important to create an understanding of their roles and responsibilities in cybersecurity. Cyber Czar aims to prepare and train civil servants on the need for vigilance and awareness about the data they share and the digital footprint that everyone now has.

Cybersecurity is our shared responsibility, and Cyber Czar stresses the importance of a multi-stakeholder approach to address cybersecurity challenges. We have forged a strong partnership with the National Cybersecurity Alliance (NCSA), which is the public-private partnership working with the Department of Homeland Security (DHS), NGOs, and major private sector players to promote cybersecurity awareness.

KC: Wow, that’s amazing! Well, how did you get started in cybersecurity in the first place? What drew you to the field?

SA: I have always been fascinated by mathematical studies and technology. Having a flair for the subjects, I pursued my educational qualification for a degree in Computer Science. During my BSc Honours class, I was fortunate to be exposed to Information Security Governance and Computer Forensics classes, which intrigued me so much that I decided to further my studies in Information Security. Some time later, I earned my MSc in Computer Science after majoring in Information Security.

In addition, I had an opportunity to join the UN specialized agency the International Telecommunication Union (ITU), at its headquarters in Geneva, Switzerland, where I served as an Information Systems Officer and Technology Analyst for the Office of the Secretary General. I worked on emerging technologies, specifically on Digital Object (DO) Architecture integration, Internet governance and cybersecurity. Substantial parts of my work focused on assisting member states, mainly developing countries, to build their cybersecurity capabilities (CIRT) and ultimately create a culture of cybersecurity.

KC: That’s impressive. Through your various academic and professional pursuits, have you ever felt that you had to push back against sexism?

SA: During my higher academic life, I felt I was sometimes treated as the odd one out, for being a young girl studying Computer Sciences in a university who enjoys advanced concepts such as compiler construction and assembly programming. In my opinion, the hardest part is not getting the necessary educational qualification and professional certification but entering the job market, getting decision-making positions, or even just serving as a professional in cybersecurity.

Cybersecurity has traditionally been a male-dominated field. Even if no company sets out to discriminate against women, and though there have been improvements recently, there is still apparent and noticeable systemic discrimination in the industry, such as pay gaps, biases, lack of career progression, stereotypes and myths around gender.

KC: What do you think the biggest problems in cybersecurity are these days?

SA: The biggest challenge of cybersecurity is its innovative, cross-border and evolving nature, where new threats appear at an alarming rate every day.

Moreover, there is an overwhelming growth in high-volume data and business systems, and thus there is a need for automated decision-making, as well as for putting in place security systems to protect these businesses. Acquiring the budget needed for a proper and comprehensive cybersecurity program is another challenge.

The shortage of skilled cybersecurity personnel that can respond to the emerging needs of the cybersecurity industry is also a huge challenge.

Cyber initiatives are not strategy-driven. Most organizations do not have formal training programs on cybersecurity and monitoring employee behavior.

Viewing cybersecurity merely in technical terms instead of considering all its multidimensional features limits us from putting in place the necessary policy and legal frameworks.

As the saying goes, “We are as strong as the weakest link.” People are often cited as the weakest link in the cybersecurity chain. The lack of awareness and of educating people about their roles and responsibilities for helping to create a secure environment are other issues that for the most part get neglected.

Cybersecurity is a global problem and thus needs a global solution. No one government or company can solve the issue of cybersecurity alone. There needs to be a collective effort. Cybersecurity is thus a shared responsibility where governments around the world and industries need to collaborate to make a significant impact.

KC: It was great chatting with you. Thank you, Sorene!
News is breaking that hacked social media accounts are being sold online for trivial sums, sometimes to promote hate speech. One site is selling UK-based Facebook accounts “with real Sim cards, birthday and location information included”, according to The Sunday Telegraph. On another, a single UK account is on sale for $1.50 (£1.07), discounted from $5. Ryan Wilk, Vice President at NuData Security, a Mastercard Company, commented below.
When it comes to cybersecurity, it’s no secret that the human aspect of any organisation is its weakest link. From bad password sharing practices to falling victim to phishing emails, these challenges are any CISO’s nightmare. After all, the holes in network security that are created by the people on the front line of an enterprise can’t be plugged with a simple software patch. And despite efforts to train staff, employees are still the easiest route for a hacker to exploit. This is particularly true when it comes to USB-based security.
From leaked passwords to identity theft, cybersecurity issues are constantly in the news. Few issues, though, are as important — or as under-reported by the media — as the security of America’s industrial control infrastructure. Oil rigs, power plants, water treatment facilities and other critical infrastructure are increasingly connecting to the internet, but often without the kinds of foolproof security systems in place to ensure bad actors can’t gain access or disrupt service delivery.