IT Security Guru

Nationwide survey of workers shows they’re losing the will to Zoom

Tue, 20 Oct 2020 14:11:48 GMT

A little over 7 months ago barely any of us had heard of Zoom, but since the pandemic, its users have jumped from 10 million to 300 million at its peak. Yet with Zoom calls becoming part of our everyday workplace routine, you may be surprised at the habits that many Brits have adopted. A survey of 1000 people working from home due to COVID-19 and commissioned by Eskenzi PR, a global tech PR agency, has found that workplace etiquette is becoming more lax, with almost half of those surveyed saying that colleagues have turned up late to virtual meetings and over half have been interrupted by colleagues on calls. The survey also found that 47% of people felt that their colleagues were distracted on video calls, with 91% of Brits admitting that they look at themselves or have seen someone else look at themselves while on work calls! It seems that there is a lot more happening behind the camera than you might think…

The survey reveals some on the concerning habits Brits have displayed on Zooms calls as:

91% admit they’ve been distracted by their own image on screen and can’t help looking at themselves.

85% have slyly worked on emails or have seen others who have.
- Millennials were the highest generation slyly emailing
77% are sneakily texting
- More females reported doing this (81%) than males (70%)
66% have munched their way through a Zoom meeting
- 88% of Gen Z’s have reported eating on a call
18% have enjoyed an alcoholic drink
- 25% of males reported drinking alcohol over 14% of women
17% have smoked or vaped
- More men (20%) than women (15%) are smoking on calls
12% have picked their spots and 11% have picked their teeth on video calls
- 16% of Gen Z’s reported doing this, the highest amongst all generations

As the work environment has changed and Zoom has become our lifeline for communicating with colleagues, many of us are grappling with Zoom fatigue. Clearly, these numbers are showing that instead of concentrating during a work call, employees are distracted, finding it hard to remain engaged and harming their productivity. In fact, only 27% of Brits working from home claimed they were productive, the Eskenzi PR survey found.

But it’s not all doom and gloom. Over 40% of respondents stated that they have got to know their colleagues better in this new work environment, helping to improve colleague relationships.

Yvonne Eskenzi, Director and Founder of Eskenzi PR says “Our survey has shown that people tend to let their guard down during Zoom meetings at home, which can be detrimental to their careers as they are still being judged on these calls. Many have seen colleagues turn up late, speak over others, drink, eat and even smoke on calls. There is a certain etiquette to Zoom calls, which would be sensible to follow if you’re hoping for a promotion or want to be looked at favourably by your colleagues and superiors.”

If you want to brush up on your own public relations, then here are some tips from Eskenzi PR on Zoom etiquette in the workplace that could just get you that pay rise you’re looking for:

Take calls in a quiet place, or use a headset to block out background noise.
Check your microphone and camera works properly before starting a call, and be aware of their settings while on a call.
Ensure you have a clear, work-appropriate background, with any unprofessional items tidied away.
Limit distractions by turning off other devices and notification before calls. Maybe write a call agenda so you stay on track.
Make sure you look presentable. Treat it like a normal face-to-face meeting – dress to impress or use the Zoom ‘Touchup My Appearance’ feature.
Look at the camera when talking – you need to be engaged and engaging!
Do not eat, drink or text during calls. You wouldn’t do this in a physical meeting.
Do not be late for your calls – try to join calls early, especially if you’re the host.
Try not to do other work tasks while on video calls, like answering emails, as people will notice.
Do not get distracted by your own image, start flicking your hair, picking your teeth or spots which is what the Eskenzi PR survey has found people have done!

The post Nationwide survey of workers shows they’re losing the will to Zoom appeared first on IT Security Guru.

People who have WOWED us over 25 years

Tue, 20 Oct 2020 11:12:20 GMT

Yvonne Eskenzi, founder and director of Eskenzi PR & Marketing celebrates 25 years in business with a series of discussions with experts and trailblazers of the cybersecurity industry.

Episode 4: Yvonne talks with Teresa Cottam, chief analyst at Omnisperience, and expert in the Digital Economy. Cottam is renowned for helping companies create compelling experiences that transform their businesses, and in this episode, Teresa talks about what key skills you need to be an analyst, how the telecoms industry has changed and everything inbetween!

The post People who have WOWED us over 25 years appeared first on IT Security Guru.

Google to remove location sharing app

Tue, 20 Oct 2020 10:25:24 GMT

Google is removing the Trusted Contacts app from the Play store. This app allowed users to nominate certain contacts to track their location as well as providing their location when they didn’t respond. Instead of this app, Google has integrated a similar software into Google Maps. However, in this reimagined version, users need to have location sharing on at all times or for an allocated amount of time for sharing to be possible.

https://www.bbc.co.uk/news/technology-54600095

The post Google to remove location sharing app appeared first on IT Security Guru.

Bitcoin mixer fined $60 million

Tue, 20 Oct 2020 10:20:54 GMT

The US Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued its first penalty to a cryptocurrency mixing service. Both Helix and Coin Ninja have been fined $60 million by the US Treasury. The FinCEN fine was issued to Larry Deam Harmon, the founder of Coin Ninja and Helix cryptocurrency mixers. The fines were issued after Coin Ninja and Helix violated the Bank Secrecy Act (BSA) while operating their services as unregistered money services businesses (MSB).

FinCEN said that the investigation “revealed that Mr. Harmon willfully violated the BSA’s registration, program, and reporting requirements by failing to register as a MSB, failing to implement and maintain an effective anti-money laundering program, and failing to report suspicious activities.” This was after Harmon advertised his services as an anonymous and secure way to “pay for things like drugs, guns, and child pornography.”

The post Bitcoin mixer fined $60 million appeared first on IT Security Guru.

Russia set to attack the Olympics, again

Tue, 20 Oct 2020 10:08:05 GMT

The UK government has released a statement outlining how Russian hackers were intending to attack the Tokyo Olympics. Their plans were to target the organisers, logistics and sponsors. Such attacks have already been carried out on previous Olympic Games, including the Winter Olympics in 2018. During this cyberattack, hackers released malware called OlympicDestoryer that attacked the server during the open ceremony. It is believed that a similar attack was planned for the Tokyo Games, which have been postponed until next year.

https://www.zdnet.com/article/uk-says-russia-was-preparing-cyber-attacks-against-the-tokyo-olympics/

The post Russia set to attack the Olympics, again appeared first on IT Security Guru.

Twitter updates policy following Biden article block

Mon, 19 Oct 2020 10:58:17 GMT

Twitter has recently updated their ‘Hacked Materials’ policy which resulted in users being blocked after sharing a link to a New York Post article regarding Joe Biden and his son, Hunter Biden.

The policy was blocking Twitter users from sharing the news article as the content of the article has been acquired following a hack. Twitter’s Legal, Policy and Trust & Safety Lead, Vijaya Gadde, said that the posts will be flagged as containing materials acquired through a hack, rather than simply blocked. Material shared directly by hackers, however, will still be removed.

The New York Post article contained screenshots of emails supposedly sent and received by Hunter Biden, Joe Biden’s son. It also used personal photos of Hunter Biden, which were allegedly removed from a laptop which was undergoing repairs. Twitter’s CEO, Jack Dorsey, described the lack of clarity behind removing the posts as “not great”, especially following accusations from Republican’s that Twitter was censoring the Right.

The post Twitter updates policy following Biden article block appeared first on IT Security Guru.

Study reveals the psychological tricks used in political emails

Mon, 19 Oct 2020 10:51:28 GMT

Researchers at Princeton University have conducted a study looking into the psychological tricks and dark patterns used by US political candidates. The aim of the study was to understand how these tactics were used in emails and whether they were successful in getting voters to sign up for rallies, donate or vote. The study analysed over 100,000 emails sent from December 2019 to June 2020. A preliminary analysis has been published however, the full report will be published after the election in November.

Some of the findings include the use of sensationalism like clickbait email headlines and creating a sense of urgency. See more of the results here.

The post Study reveals the psychological tricks used in political emails appeared first on IT Security Guru.

British Airways fined £20 million for data breach

Mon, 19 Oct 2020 10:39:06 GMT

British Airways have been fined £20 million by the Information Commissioner’s Office (ICO) following a data breach from 2018 which affected 400,000 customers. The 2018 breach affected customers confidential personal and credit card data. The incident happen when British Airway’s systems were compromised by attackers, who modified customer details when they were inputted in order to harvest them.

ICO originally intended to fine British Airways £183 million in 2019 over this issue, however, they have revoked this, and reduced the fine to £20m ($26m). ICO said that they have taken the ‘economic impact of Covid-19’ into consideration which has lead to the reduction in the fine. However, despite these reductions, this fine British Airways has been faced with is the largest penalty the ICO has ever issued.

The post British Airways fined £20 million for data breach appeared first on IT Security Guru.

Outpost24 Announce Matilda Tidlund, CSO of Telia as new board member

Fri, 16 Oct 2020 11:12:29 GMT

Outpost24, the vulnerability, security assessment and cybersecurity exposure company, has recently revealed the appointment of Matilda Tidlund as a new board member. Tidlund brings a wealth of cybersecurity knowledge and experience from her tenure as Chief Security Officer (CSO) at Telia Company, one of the biggest multinational telecommunications and mobile network operator in the Nordics and Baltics. Mrs. Tidlund will join the existing directors, including chairman of the board from leading software investment firm Monterro, to advance Outpost24 through its continued growth and expansion of its offering and services to customers worldwide.

“Matilda has led a truly illustrious careers as a security leader in the telco industry, and her contribution to the board will help ensure Outpost24 is ready to deliver upon the tremendous opportunity ahead,” said Peter Larsson, Chairman of the Board, Outpost24.

Matilda Tidlund brings over 20 years of change management and leadership from the telecoms industry, with deep knowledge in technical design and security operations. As the CSO of Telia, she led teams of security professionals across 6 European countries to ensure effective security controls were in place for Telia’s business operations and 20,000+ employees. Her responsibilities spanned from corporate governance, IT security, physical security and security operations center all the way to assisting in national security matters specifically for Sweden and the countries that Telia operates in.

Martin Henricson, CEO of Outpost24 stated that “having Matilda on board will give us further insights into what modern enterprises require when managing their evolving cybersecurity environments. As we look at the next evolution of Outpost24, we are squarely focused on continuing to help our customers strengthen their security posture and reduce attack surface, and Matilda will be a valuable resource in helping us achieve that”.

“I am delighted to join Outpost24 as a board member,” Tidlund announced. “It is a great honour to work with one of the most innovative cybersecurity assessment providers. I am excited to help grow Outpost24 as it innovates their full stack cyber security assessment offering around the world to help companies improve their security posture. Enterprises today are under a lot of strain and with new threats appearing daily, security assessment and analytics need to be efficient, effective and actionable; something which Outpost24 understands and delivers on implicitly.”

The appointment of a cybersecurity veteran to the ranks of Outpost24’s boardroom will provide exceptional experience and technical knowledge for the cyber assessment company, promising exciting offerings in the near future

The post Outpost24 Announce Matilda Tidlund, CSO of Telia as new board member appeared first on IT Security Guru.

Google Adds list of New Partners to BeyondCorp Alliance

Fri, 16 Oct 2020 11:00:22 GMT

This week, Google has added a wave of new cybersecurity vendors to its BeyondCorp Alliance to add Zero Trust to its security model for mobile devices.

With digital transformation and cloud being swiftly adopted by organisations, smartphones, tables and laptops have become integral for the everyday working individual. For mobile devices, this is extremely critical given that they have replaced more traditional devices as our main productivity tool which has meant there is now a heavy reliance on Android and iOS devices. A Zero Trust model had now become a necessity and so the BeyondCorp Remote Access was created by Google to help make access to internal Google applications easier and more secure.

In a statement released this week, Google announced the names of the partners added to the roster and the capabilities expected to be used in the BeyondCorp Alliance:

Device Management: Enterprise Mobility Management (EMM) vendors can provide device context and telemetry such as whether a device is managed or corporate-owned to aid in policy evaluation.

Endpoint Security: Endpoint Detection and Response Vendors (EDR) or Mobile Threat Defense (MTD) vendors can provide device posture information, such as whether a device is compromised to aid in policy evaluation.

Gateways: Infrastructure vendors can provide more secure access to hosted infrastructure (e.g., virtual desktops, etc.) via BeyondCorp.

Vendors:

Lookout continuously assesses a smartphone, tablet or Chromebook’s risk level and provides it to Cloud Identity and BeyondCorp from the Lookout Security Graph. Device risk levels of “high, moderate or low” are set based on the organization’s security policies. When Lookout detects a threat on a mobile device, the risk level is changed accordingly and delivered in real-time to Cloud Identity via API. This integration enables Google Workspace to block risky or non-compliant devices from accessing applications and data. This functionality is now available in preview via the Google Admin console. Learn more by reading Lookout’s blog.

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Mobile (SEP Mobile) report on the security posture of an organization’s traditional and mobile endpoints, including both managed and unmanaged devices. With the upcoming integration, customers can leverage Symantec’s endpoint signals such as indications of compromise, operating system configuration risks, app risks, anomalous network behavior, and more, to create more granular and customized access policies for Google Workspace, web apps, and Google Cloud infrastructure.

Citrix and Google Cloud are extending our deep collaboration to include BeyondCorp. Google Cloud has always been one of the best places to run Citrix Workspace, and the first step, bringing together Citrix Workspace and BeyondCorp, is coming soon. It will allow customer applications, whether they are deployed on-premises, on GCP, or delivered as a service (SaaS), to be exposed through Citrix Workspace with BeyondCorp’s access controls and policy enforcement. Users get a single pane of glass for all of their applications, which can now be accessed from BYOD and non-corporate devices without the need for a VPN. We’re also exploring the sharing of endpoint signals and further extending policy enforcement to virtual desktops.

CrowdStrike will deliver real-time endpoint posture assessments from endpoints regardless of location, network, or user so that BeyondCorp adopters can prohibit access from untrusted or compromised hosts as part of conditional access policies, reducing risk for users and the organization. This integration is coming soon.

Tanium and Google Cloud recently announced a strategic partnership with the goal of delivering security transformation for the distributed IT era. As part of the BeyondCorp Alliance, Tanium will be providing device identity information through Tanium Endpoint Identity, which is available today. Tanium monitors and evaluates the health of endpoints in real-time, providing comprehensive visibility and control from a single platform no matter where the device is located. Through the combined solution, coming soon, organizations will be able to ensure that devices connecting to network resources and applications are authorized, secured, and up-to-date.

VMware is working to bring Workspace ONE and Google Cloud’s BeyondCorp solution together to keep devices under control and compliant with policies that protect corporate data. Workspace ONE will continually feed device compliance status information to Google Cloud’s context-aware access engine, allowing access to be revoked at any time if a device becomes non-compliant. This integration is coming soon.

Check Point SandBlast Mobile is a mobile threat defense solution that detects and stops attacks on iOS and Android devices before they start. Integration with the Google Admin console can be used to selectively prevent compromised devices from accessing applications and resources, helping to keep sensitive data secure. The integration is now available to customers in preview in the Google Admin console.

Jamf is working to extend its device compliance capabilities for organizations leveraging Google Cloud and BeyondCorp. In the past, organizations have expressed concerns about unprotected Mac devices accessing cloud and on-premises resources. Now, through a unique Jamf preview, customers can ensure that only trusted users, from managed devices, using approved apps, are accessing company data.

The post Google Adds list of New Partners to BeyondCorp Alliance appeared first on IT Security Guru.

Zoom introduces End-to-End Encryption

Fri, 16 Oct 2020 10:53:16 GMT

Zoom has recently announced it will be making it’s end-to-end encryption capabilities available to all users, which will enhance the security of both voice and video calls immensely. Zoom’s head of security engineering, Max Krohn, revealed that the first of the four-phase security roll-out will start next week.

Zoom has previously been criticised for only making end-to-end encryption available to paying customers. The latest capabilities will be available to free and paying users and can host up to 200 participants on a Zoom meeting. The first rollout of end-to-end encryption will be part of a ‘technical preview’ where users can provide the company with feedback for the first 30 days. However, in the first phase, many features will not have end-to-end encryption available for them, such as Breakout Rooms, polling, streaming, cloud recording, joining before the host, live transcriptions, 1:1 private chat and meeting reactions.

Zooms end-to-end encryption will be based off the same AES 256-bit GCM encryption which adds an extra level of security to calls. However, the keys are not stored by Zoom themselves, but instead by their China-based engineering team. Zoom’s CEO Eric S. Yuan, belives that “end-to-end encryption is another stride toward making Zoom the most secure communications platform in the world”. He said that “this phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people and the world’s largest enterprises.”

The platforms end-to-end encryption will be available to use next week, and customers must enable end-to-end encryption for their meetings at the account level, and also opt-in to end-to-end encryption every meeting.

The post Zoom introduces End-to-End Encryption appeared first on IT Security Guru.

Dickey’s hack leaks information of 3 million customers

Fri, 16 Oct 2020 10:52:28 GMT

One of the biggest BBQ chain restaurants in America, Dickey’s has suffered a huge breach, leaking the card details of more than 3 million customers. This information was posted on Joker’s Stash, a carding and fraud forum. A cybersecurity firm called Gemini Advisory, who track financial fraud made the initial discovery of the breach.

The company was made aware of this breach earlier in the week when cybercriminals began advertising the mass collection of customer data, calling it ‘Bleeding Sun’.

After some analysis on the data, it was clear that hacker had obtained it through gaining access to the in-store Point of Sale (POS) system used in the restaurants.

https://www.zdnet.com/article/card-details-for-3-million-dickeys-customers-posted-on-carding-forum/

The post Dickey’s hack leaks information of 3 million customers appeared first on IT Security Guru.

Twitter suffers a major outage affecting users worldwide

Fri, 16 Oct 2020 10:28:09 GMT

Twitter experienced a major outage on Thursday caused by an ‘inadvertent change’ made to their internal systems. The outage affected users worldwide as they were unable to use the platform for over an hour, while many also received error messages.

Reports of the issues began at around 21:30 GMT on Thursday night. The website’s service was restored later on Thursday night, with Twitter announcing that the website should be running as normal for all users. There were reported problems by users globally, including in Argentina, Australia, Japan and France, as users were unable to access the platform, with tens of thousands of users reporting problems in the United States.

The post Twitter suffers a major outage affecting users worldwide appeared first on IT Security Guru.

Security Serious Unsung Heroes Awards 2020 Winners Announced

Thu, 15 Oct 2020 14:44:19 GMT

The fifth annual Security Serious Unsung Heroes Awards winners were revealed last night during a socially distanced virtual awards ceremony. The awards celebrate the people, not products, of the cybersecurity industry. From the best ethical hackers and cybersecurity’s rising stars to the best security awareness campaign and the coveted Godparent of Security, the categories recognise individuals and teams working hard to protect Britain from cybercrime while raising awareness of security issues.    

The free event was a chance for the UK cybersecurity industry to come together, catch up with familiar faces and meet new ones while enjoying a short awards ceremony compèred by Brian Higgins, security specialist at Comparitech and diversity advocate, as well as Yvonne Eskenzi, co-founder of Eskenzi PR. To liven up the event, there was also a cocktail masterclass provided by Stir Crazy and the winners were awarded trophies they can display proudly at home or at work.    

“It is perhaps more important this year than ever before to honour the cybersecurity professionals who have kept us all up and running during lockdown,” said lead organiser of Security Serious Week, Yvonne Eskenzi and co-founder of Eskenzi PR. “The cyber skills gap is a huge issue for this country and an event like this really shows off what a great industry it is to be a part of and the wonderful people that make it. Our fantastic virtual awards night was all made possible by our wonderful sponsors, so we could throw the best party at no charge to enter or attend the awards.”    

The Unsung Heroes Awards, started by Eskenzi PR, Smile on Fridays and the IT Security Guru, are supported by sponsors KnowBe4, Protiviti and Qualys, who made it possible to hold this totally free event.   

The full list of winners, who were first nominated by their peers and then judged by a panel of experts including Dan Raywood, deputy editor atInfosecurity Magazine, Sue Milton, SheLeadsTech ambassador at ISACA, Brian Higgins and Yvonne Eskenzi, are:    

Security Leader/Mentor

Winner: David Chan – entrepreneur in residence at CyLon

Cyber Writer

Winner: Davey Winder – freelance tech writer

Highly Commended: Raef Meeuwisse – author at Cyber Simplicity

Best Security Awareness Campaign

Winner: Cygenta for CV-19

Apprentice/Rising Star

Winner: Ben Chater – junior security analyst at Pinsent Masons

Highly Commended: Madeline Howard – Cygenta/Cynam

Best Educator

Winner: Toni Scullion – founder of dressCode

Godparent of Security

Winner: Pat Ryan – founder of Cyber Girls First

Best Ethical Hacker / Pen Tester

Winner: James Mullen – senior security consultant at Edgescan

Data Guardian

Winner: Dominic Hartley – DPO at the Department of Works and Pensions

DevSecOps Trailblazer

Winner: Didar Gelici – data privacy and cybersecurity risk professional

Captain Compliance

Winner: Ian Bernhardt – head of governance and compliance at Sprout IT

Security Avengers

Winner: Chani Simms and the SHe CISO Bootcamp Team

CISO Supremo

Winner: Emma Leith – CISO at Santander

COVID Hero (new this year)

Winner: Lisa Forte – CEO of Red Goat Cyber Security

The post Security Serious Unsung Heroes Awards 2020 Winners Announced appeared first on IT Security Guru.

Hackers begin to attack universities again

Thu, 15 Oct 2020 10:39:42 GMT

An Iranian hacking group have resurfaced just in time for the start of the new term, unleashing phishing scams on academic institutions. These attacks are aimed at both staff and students as the activity within university portals picks up again.

The attacks are sent to the victim’s email and contain a link to a website that is made to look official. Some links are also redirecting victims to associated apps like library portals. Once the link is opened, it collects the users login creditals.

https://www.zdnet.com/article/iranian-hackers-restart-attacks-on-universities-as-the-new-school-year-begins/

The post Hackers begin to attack universities again appeared first on IT Security Guru.

Survey reveals that compliance activities cost companies $3.5 million per annum

Thu, 15 Oct 2020 10:39:27 GMT

A Telso survey has recently found that organizations are finding it difficult to meet current IT security and compliance regulations. The survey of 300 IT security professionals taking place between July and August 2020 discovered that organizations are having to comply to 13 different IT security and privacy regulations which results in them having to spend $3.5 million on compliance activities per year. They also found that in order to try to meet these regulations IT security professionals are spending around 58 working days per quarter in order to complete the compliance audits.

The survey also found that in the last 2 years organizations have been discovered to be non-compliant on an average of six times by auditors which has resulted in an average of eight fines, and a cost of $460,000 in fines. The pressure for IT security professionals to meet compliance standards is increasing as companies move to the cloud due to a rise in remote working. It was reported by Teslo that 86 per cent of the organizations involved in the survey believed that compliance would be an issue as more companies move to the cloud, with 94 per cent believing that there would be IT security and/or privacy regulation challenges as companies move systems to the cloud due to remote working.

The post Survey reveals that compliance activities cost companies $3.5 million per annum appeared first on IT Security Guru.

Barnes and Nobles’ customer data stolen

Thu, 15 Oct 2020 10:26:21 GMT

Popular US book store Barnes and Nobles is the latest establishment to suffer from a cyber attack. Although no financial information was stolen during the breach, the hackers could have gotten away with customer emails, addresses and phone numbers if they were provided.

This incident follows on from a system failure the company reported on Monday. However, they have not said the two incidents are linked.

https://www.slashgear.com/barnes-noble-hack-exposes-customers-email-purchase-history-14642679/

The post Barnes and Nobles’ customer data stolen appeared first on IT Security Guru.

Qualys VMDR Product Review

Wed, 14 Oct 2020 16:11:05 GMT

Supplier: Qualys

Website: www.qualys.com

Price: Based on size of organisation

Scores

Performance 5/5

Features 5/5

Value for Money 4/5

Ease of Use 4/5

Overall 5/5

Verdict

Qualys VMDR is a smart modular security solution that delivers joined-up vulnerability assessment, management and remediation services with full visibility of global assets.

As cyber-attacks get ever more sophisticated and deadly, businesses need to stay one step ahead of the criminals as their very survival could be on the line. In this increasingly hostile environment, they must comply with data protection regulations to avoid potentially punitive fines and keep their brand reputation untarnished.

Vulnerability assessment and management are essential weapons in the war against hackers but many solutions are fragmented and complex to deploy. The Qualys VMDR (vulnerability management, detection and response) cloud-based SaaS suite brings order to chaos and looks to have every security angle covered as it provides a wealth of extra features including patch management, asset inventory, endpoint detection and response, web app scanning and file integrity monitoring.

Some products take a distributed approach requiring security functions such as vulnerability assessment, asset inventory, patch management and reporting to be handled by multiple point solutions and even different departments. Furthermore, some vendors have merely added vulnerability management as an extra add-on feature that provides little or no threat intelligence

VMDR is designed from the ground up to provide a centralised solution that can manage the entire vulnerability lifecycle. It doesn’t just identify a problem and drop it on your desk to sort out later but seamlessly integrates full visibility of all on-premises and cloud assets, real-time categorization and prioritization of vulnerabilities, based on real-time threat indicators and multiple attack surface options.

VMDR dashboards are infinitely customizable and can present a wealth of valuable information on vulnerabilities

VMDR deployment

Scanner appliances, Qualys cloud agents and a comprehensive array of sensors are fundamental to VMDR operations as these sensors discover all assets in the network environment and pass this information to the cloud service for vulnerability assessment. Using hardened Linux kernels, Qualys offers physical and virtual options and for testing, we installed a Hyper-V version in the lab in a matter of minutes.

The appliances are managed from the cloud console using schedules and option profiles that determine what you want them to look for. You can also use virtual appliances for scanning EC2 instances making VMDR perfect for hybrid environments with a mix of cloud and on-premises services.

For real-time security updates, missing patch detection and detailed inventory, Qualys provides lightweight cloud agents for Windows, Linux, Unix, BSD and Mac hosts. When creating agent installable packages, you can enable any or all of the seven available VMDR apps and for easier management, have hosts automatically placed in specific groups when they come online.

Qualys also provides passive sensors that detect and profile all devices connecting to the network and can be deployed as physical or virtual appliances attached to a switch span port. We found it much easier to use VMware as the Hyper-V version has very limited support for network adapters that support promiscuous mode and despite lengthy support sessions, we were unable to get it to work.

The portal provides full visibility of all global assets and detailed reports on the VMDR components running on each one

The VMDR console

The VMDR cloud portal gets straight down to business as its console dashboard opens with a detailed graphical readout of your vulnerability posture in real-time. The dashboard uses dynamic widgets so it’s easy to customise the visualization to your liking, create as many views as you want and preview each widget prior to adding it to a dashboard.

Menus across the top provide swift access to detailed views of vulnerabilities identified by the cloud agents, scanners and sensors. It’s easy to drill down for more detail as a sidebar listing sorts them into areas such as severity, category, affected operating systems plus CVSS ratings and views can be fine-tuned further using complex search queries.

A valuable feature is the ability to assign tags to assets and organize them into groups showing their impact on business operations. These can be assigned during cloud agent creation or you can use dynamic rules and automatically assign tags based on queries such as IP address ranges or specific inventory details.

VMDR’s prioritization reports get you quickly to the active threats that matter and tags play an important part as they are used to identify critical systems at risk. The reports show what happens if a vulnerability is exploited so you can see their potential impact and choosing between detection date and vulnerability age will show the effectiveness of your remediation efforts.

VMDR Prioritization Reports provide essential information on the most critical vulnerabilities and quick access to remediation tasks

Remediation and more

VMDR is a modular solution and all licensed components are neatly integrated into the same cloud portal. Patch management services are outstanding as you can select a vulnerability, see affected assets, view the required patches and create on-demand or scheduled deployment jobs.

More importantly, patches can be deployed directly from a VMDR prioritization report which provides a view of affected assets, the prioritized vulnerabilities and available patches. Attack surface filters can be applied to show the most critical business threats and the report provides facilities to immediately run a patch job.

You can set up continuous monitoring of your network perimeter and hosts to identify events such as new vulnerabilities, open ports, software added or removed and expiring certificates. Ruleset creation uses a simple drag and drop operations and once again, tags come into play as they can be used to assign continuous monitoring profiles to asset groups.

The certificate view provides a central location for discovering and managing your SSL/TLS certificates while the container security add-on uses sensors to keep a close eye on your Docker environment. The Policy Compliance module streamlines risk management as you can use predefined and custom policies to ensure assets meet your business security standards and swiftly remediate those that don’t.

The EDR (endpoint detection and response) component extends your security umbrella even further as it actively monitors assets for suspicious activities and malware. Nothing extra needs to be deployed as it leverages the standard cloud agent with EDR activated in its profile.

The widget-based EDR dashboard provides a complete overview of your asset security posture and you can drill down to view threats by asset or detected malware. The hunting section offers an event search facility while for automated remedial actions, you can instruct the agent to kill a suspect process, quarantine a dubious file or delete it.

The Unified Dashboard allows you to amalgamate widgets from all VMDR modules into a single view

Conclusion

The sheer range of features offered by VMDR meant it took us a while to familiarize ourselves with the cloud portal to be able to confidently navigate it. That said, it’s clear from the outset that VMDR is a very powerful vulnerability assessment and management platform that meets the security challenges presented by hybrid network environments.

Its modular design allows organisations to choose only the features they need and still manage them all from a single centralised console. Furthermore, with many companies now forced to adopt new working practises, VMDR is perfectly placed to extend its protection services to home and remote workers.

The post Qualys VMDR Product Review appeared first on IT Security Guru.

Repeat victimisation: the threat of double extortion ransomware attacks

Wed, 14 Oct 2020 14:56:46 GMT

Ransomware has already proven itself to be a powerfully profitable weapon in the cybercriminal arsenal. According to Emsisoft, in 2019, ransomware incidents could have had a combined cost of more than $7.5 billion (£5.65 billion). That’s just for US-based incidents too.

As cybersecurity professionals and the public at large have come to realise, cybercrime is now a huge business, with organised threat groups sharing resources and techniques to boost profitability. Despite ransomware’s stellar ROI, cybercriminal groups have recently decided there is more to be made from this brand of malware, and have switched up their tactics, employing a new double extortion model.

Double trouble

In the last year or so, double extortion attacks have picked up the pace and made headlines, with the operators of Maze ransomware leading the way in utilising them. In the double extortion model, not only do ransomware attackers encrypt data and demand a ransom to regain access, but also threaten to publish any exfiltrated data online if their terms are not met.

This has proven successful for a number of reasons. Firstly, businesses are already highly aware of ransomware. The operational down-time that ransomware can force upon a company is of course damaging and rather difficult to conceal, leading to negative media attention. Even if a ransomware-afflicted business ultimately rids itself of the ransomware through the efforts of security professionals, there may still exist a public perception (even if erroneous) that a company paid the ransom, leading to more negative sentiment.

Clearly, the ransomware groups like the organisation behind Maze have realised that the damage caused by ransomware extends far beyond the locking of systems. After all, even the knowledge an attacker is in the network, and the threat of an encrypt button being pressed is enough to make some companies payout.

Ransomware groups are additionally diversifying their approach by taking copies of data before performing the encryption. This gives them a number of options, each of which has been seen played out in the wild.

Firstly, it proves to the victim and/or the wider world that they really have breached the organisation. It also adds a second layer of extortion – i.e. pay or we will leak the data. What’s particularly threatening about this approach is that, even if a company decides to restore from backup rather than pay up, that data is still valuable, and the threat of leakage is not diminished. In the cases where a company does pay the ransom, the cybercriminals can provide worthless assurance that they have deleted their copy of the data. This data could end up leaked later on or used again to leverage yet another payout.

Clearly, these are unscrupulous criminals seeking to exploit any opportunity they have for financial gain. The Maze gang, when referring to the attack on LG’s network earlier in the year, presented a veneer of ethicality to their actions, claiming they didn’t execute the ransomware as LG’s clients are “socially significant and we do not want to create disruption for their operations.” Instead, they leaked over 50GB of stolen data.

Doubling down on security

Fortunately for would-be victims, there are a number of ways in which ransomware attacks can be prevented, or at least mitigated. In many cases, the intruders have been in the network for what may be an extended period of time prior to initiating the actual malware attack – and a critical goal of any cybersecurity programme is minimising the time intruders remain undetected in the corporate network.

Minimising the time attackers spend within the company network relies upon being informed towards the process by which ransomware attacks are executed. There are five distinct stages that define a ransomware attack, and by being familiar with each phase – and its indicators of compromise (IOC) – security teams can quickly respond to an intrusion. This allows for companies to limit or even prevent entirely threat actors from accessing data that can then lead to a double extortion ransomware attack.

The five phases of a ransomware attack are:

Exploitation and infection
Delivery and execution
Backup spoliation
File encryption
User notification and clean-up

To meet this threat, there are also five phases of defence against ransomware, which are preparation, detection, containment, eradication, and recovery. Large scale outbreaks result from inadequate containment – where the local host needs to be immediately blocked and isolated from the network, which prevents additional files on the network from being encrypted.

An organisation’s ability to recognise IOCs pointing to the five phases of attack and then employing the five phases of defence, lies in effective monitoring of company networks. It is crucial that companies recognise the stark nature of the ransomware threat and acquire the necessary technological solutions and security teams to ensure this comprehensive monitoring.

Contributed by Andrew Hollister, head of LogRhythm labs

The post Repeat victimisation: the threat of double extortion ransomware attacks appeared first on IT Security Guru.

The click of death: Why ecommerce must work extra hard to thwart attackers

Wed, 14 Oct 2020 14:48:07 GMT

What’s behind the simple click of a computer mouse for a shopping purchase on a web page? For most, it’s the last step of buying an item and is innocuous enough to do on autopilot. Just buy and forget about it until the item arrives at your front door. But what happens when that final step has something untoward going on in the background that could be hugely damaging to both the consumer and the brand they’re buying from? It’s a risk we must all be aware of and take steps to counter.

Ecommerce is expected to be responsible for $6.5 trillion in sales globally by 2023 – more than double the revenue compared to 2018. But when it comes to online shopping, vendors need to be aware of the security risks posed by supply chain attacks. Of course, these don’t always come from the shopping sites – indeed that’s part of the problem. Even the most watertight ecommerce platforms can be let down by a ‘leaking tap’ elsewhere, whether that’s the logistics, warehousing, or order fulfilment platform that plugs into it.

There are countless potential opportunities for attackers to steal personal details. These details can be sold on for profit, used to commit acts of fraud, or used to purchase items without the consumer’s consent or knowledge. And all of this can be perpetrated on the online shops that consumers trust.

Investigating an attack

Here’s an example I discovered in late 2019. Someone I know received a notification from their credit card company that they were about to process a payment of a substantial amount of money. It wasn’t a sum that my acquaintance was expecting to see on their bill because it wasn’t a payment they had initiated. Thankfully, the transaction hadn’t yet been settled and the person was able to contact their credit card company to stop the transaction going through. The end of the story was that the card was blocked, a replacement card was sent out in the mail, and the potential disaster was averted.

Well, that would have been the end of the story if it hadn’t piqued my curiosity so much as a cybersecurity professional. I wanted to know what happened, why it happened, and uncover any potential trends that could help other people.

After looking back through the online stores the person had shopped with recently, I stumbled across one outlier – a major camera and optics retailer. Our friend had indeed made a legitimate purchase with the site, but just once. They weren’t a regular shopper there. The store is a legitimate, established store in the States, with a high street presence and popular online shop. They weren’t known to us in the cybersecurity community for having been a victim of any recent breaches.

So, I started digging, focusing my attention on the checkout page of the website. Since the infamous MageCart hacker consortium has already broken into many high profile sites by injecting a JavaScript code to submit all credit card details to a command and control (C&C) server of their own as clients are checking out, I wanted to see if this was the case here.

Eventually, I found what I was looking for, and it took little more than a combination of Chrome’s developer tools and Wireshark captures.

Having gone through the network connections, I found that online shoppers’ credit card details were being submitted to two different sites. One of these sites was the legitimate site of the webstore, while the other was more sinister. It was fraudulent and was from a domain that was mocked up to look like a legitimate domain for the customer service software company Zendesk. It was through this domain that credit card details were being skimmed and used without the knowledge of either the customer or the retailer. And because this C&C domain had been resolved 905 times, it’s possible that there were almost a thousand victims.

Of course, Juniper Threat Labs alerted the site owners to the threat and they quickly removed the malicious code from the site.

Safer shopper

There are several concerns at play here. In addition to potential financial theft, there’s also a reputational risk to bear in mind when thinking about supply chain attacks. Companies of any size can fall victim and the loss of shoppers’ trust because of such attacks could be far reaching. Therefore, it’s in the best interests of a business and its customers to ensure that everyone’s details are kept safe.

Fortunately, it is possible to avoid these attacks and prevent them from taking hold of a business. The answer lies in ensuring the integrity of the site’s source code. Once that is fully protected, it makes it incredibly difficult for bad actors to infiltrate the site and cause chaos. That’s because it’s through tampering with the source code that attackers can inject malicious JavaScript code to ‘skim’ information, either by exploiting a server’s vulnerability or by compromising a third-party library.

A useful tool in the arsenal is file hash monitoring. It’s a simple solution that could be the saviour of an online retail site because it raises an alarm when unexpected changes are made to the site’s source code. It’s worth investigating and using as a vital layer of protection.

MageCart continues to pose a significant threat to online shopping and with online shopping so prevalent as Covid-19 forces people to avoid the high street, it could be a major concern for the rest of 2020. However, it isn’t the only way ecommerce sites can be compromised so there has to be vigilance in every aspect from the companies creating and operating the sites. Consumers expect their payment details to be kept safe and they put the highest level of trust in the site they shop with every time they hit ‘buy’. By maintaining a high level of security, you are more likely to maintain their trust, which translates to continued loyalty. After all, that loyalty is hard enough to achieve in the first place and even harder to regain.

Contributed by Mounir Hahad, head of threat research labs, Juniper Networks

The post The click of death: Why ecommerce must work extra hard to thwart attackers appeared first on IT Security Guru.