IT Security Guru

Security Advisory Used in Phishing Attack

Mon, 10 Aug 2020 08:05:39 GMT

According to BleepingComputer, bad actors are utilising fake security advisories to carry out phishing attacks on cPanel users. An administrative software typically installed on shared web hosting services, cPanel allows website owners to administer their site through a graphical user interface. However, last week, fake advisories were issued indicating “security concerns” that needed to be addressed. With these notifications, users are offered the ‘latest’, fraudulent updates, and urged to install them.

The post Security Advisory Used in Phishing Attack appeared first on IT Security Guru.

F5 BIG-IP Flaw Actively Exploited By Iranian Hackers, FBI Warns

Mon, 10 Aug 2020 07:37:33 GMT

In a Private Industry Notification (PIN) issued by the U.S domestic intelligence and security service, it was revealed that Iranian state-sponsored hackers are actively exploiting an F5 BIG-IP flaw. The flaw allows for unauthenticated remote code executions on devices used by Fortune 500 companies, government agencies and banks, shared BleepingComputer. The FBI have added further that these hackers may choose to collect or steal sensitive data from these organisations that could be shared either to other hackers or the Iranian government. Security patches were released on the 3rd of July 2020, by F5 Networks (F5) to fix this critical vulnerability.

The post F5 BIG-IP Flaw Actively Exploited By Iranian Hackers, FBI Warns appeared first on IT Security Guru.

Reddit Accounts Hacked Spreading Pro-Trump Messages

Mon, 10 Aug 2020 07:28:03 GMT

On Friday, moderators of over 70 groups on Reddit Inc. were hacked. Messages in support of Donald Trump were then posted in both English and Mandarin, reaching millions of subscribers. Among the subreddits defaced were r/space, r/food. r/Japan, r/nfl, r/cfb and r/podcasts, all popular subreddits. According to SiliconAngle, while it is yet unknown how these moderator accounts were hacked, Reddit has found that many have not been using two-factor authentication. The popular social news aggregation site has further notified users to remain vigilant for any signs of compromise such as emails suggesting a change in account password.

“The Reddit hack is just the latest hack to underscore the need for users to always use two-factor authentication when possible. Since it appears the hack may have been the result of a credential stuffing attack (where passwords are used that were obtained in previous data breaches), it also emphasizes the need to never use the same password for multiple websites and other online services,” shares Chris Hauk, Consumer Privacy Champion at Pixel Privacy. “I believe we will continue to see increased political hacks and attacks as we grow closer to election day in the United States. These attacks may even be considered a “normal” part of politicking in the near future.”

“Based on what limited evidence we have, Reddit’s breach looks like the result of a credential stuffing attack. The hackers used email and password combinations collected from other breaches and phishing campaigns to break into moderator accounts that use the same password on multiple other accounts. If true, that means Reddit isn’t really at fault, though it could have enforced the use of two-factor authentication for all reddit mods,” reiterates Paul Bischoff, Privacy Advocate at Comparitech.com. “The lessons to be learned from this hack are clear: use unique passwords for every account, and enable two-factor authentication wherever possible. This will prevent credential stuffing attacks and stop hackers who do manage to steal your password from being able to log in from unknown devices.”

The post Reddit Accounts Hacked Spreading Pro-Trump Messages appeared first on IT Security Guru.

Hospitals impacted after hackers target ventilator manufacture during Covid-19

Fri, 07 Aug 2020 13:45:40 GMT

A notorious ransomware gang has been hitting a key manufacturer of coronavirus ventilators in the US. The DoppelPaymer gang have threatened Boyce Technologies with releasing valuable data if the ransom is not paid – as it stands, the ransom amount has not been disclosed.

It’s unfortunate to hear Boyce Technologies, an FDA-approved ventilator manufacturer, has had critical information stolen given they produce low-cost ventilators in just 30 days. It is believed the data stolen includes sales, purchase orders, assignment forms and more.

The company is yet to release an official statement on the attack.

The post Hospitals impacted after hackers target ventilator manufacture during Covid-19 appeared first on IT Security Guru.

Intel data breach results in confidential info leaked

Fri, 07 Aug 2020 13:37:21 GMT

Intel, the U.S. based global chip provider is investigating a data breach after highly confidential and restricted information was leaked onto online sharing website, MEGA.

The data was uploaded to MEGA by software engineer, Till Kottman after receiving the documents from an anonymous hacker who allegedly hacked Intel earlier this year. After analysis, the information has been verified and authenticated and contained intellectual property including chip blueprints and product guides.

Till Kottman is no stranger to viewing leaked data and even manages a Telegram channel where he posts about exposed data from misconfigured cloud services, Git repositories and online web portals.

Commenting on the news, Michael Barragry, operations lead at Edgescan, stated: “This looks very bad on several fronts. The relative ease with which a massive body of intellectual property was compromised is somewhat startling. The hack appears to have involved a fairly minimal combination of nmap scanning, some custom automation and a little bit of guesswork.

The cherry on top is the multiple references to “backdoors” within the compromised material. As stated, this does not necessarily mean we can deduce the presence of backdoors within Intel products, but there are historical examples of intelligence agencies attempting to “guide” industry in this direction. The Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) example springs to mind, where it turned out that the NSA had paid RSA Security to implement a “possibly-backdoored” cryptographic algorithm within standard libraries to then be rolled out to industry.”

The post Intel data breach results in confidential info leaked appeared first on IT Security Guru.

Capital One hit with $80 million fine following 2019 data breach

Fri, 07 Aug 2020 13:32:57 GMT

It was announced yesterday that Capital One has been ordered by the Office of the Comptroller of the Currency (OCC) to pay an $80 million fine after the company suffered a massive data breach in 2019.

It is estimated that the breach impacted more than 100 million Capital One customers, with names and addresses of individuals from both the US and Canada. It is believed that the cybercriminals behind the attack were a former employee of Amazon Web Services which is the cloud provider Capital One used to transfer its data.

The fine is substantial and is punishment for the bank failing to adequately protect the data of its users when migrating to the cloud.

Commenting on the news is Mark Bower, senior vice-president at data security specialist comforte AG:

“The OCC’s Capital One order mirrors how we’ve seen industry regulators rip into ineffective controls over data protection. The signal is very clear: the often referenced shared responsibility cloud model means naught when it’s your data. You are responsible and accountable and will pay the price if gaps are exploited. This isn’t the first time either. The Equifax case was crystal clear in its FTC order, mandating “Implementing protections, such as encryption, tokenization, or other at least equivalent protections, for Personal Information collected, maintained, processed, or stored by Defendant, including in transit and at rest.”. What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenized (Credit card and SSN data), and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event.”

The $80M fine is the tip of the iceberg. The true cost of remediation, impact, and the reputational loss is likely to be a lot higher. This may also set the tone for secondary litigation, where cost impact can escalate.”

The post Capital One hit with $80 million fine following 2019 data breach appeared first on IT Security Guru.

The rise of Community-Powered Threat Hunting

Thu, 06 Aug 2020 15:38:34 GMT

Next-Gen SIEM provider, Securonix has announced availability of its SearchMore functionality that helps operations teams better detect and respond to threats that bypass preventative and detection controls. The company states that “SearchMore delivers the industry’s first Community-Powered Threat Hunting capability and provides the ability to search on real-time, streaming data, as well as long-term data.”

CEO Sachin Nayyar elaborated: “This is a huge step in cybersecurity monitoring. With a combination of cloud-native and big data architecture we are providing customers scalable search and threat hunting capabilities while reducing their operational costs. We strongly believe in a community-powered approach to cybersecurity and plan to incorporate it in all aspects of the Securonix Next-Gen SIEM platform.”

New updates to the platform include:

Community-Powered Threat Hunting

SOC teams who solely rely on their own threat hunting content are at a disadvantage when it comes to detecting continuously evolving threats. With a community-driven approach, Securonix creates collaborative threat hunting workbooks utilising contributions from the Securonix threat research team, commercial threat intelligence, and global user communities such as MITRE ATT&CK and Sigma.

Live Search Channel on Streaming Data

The legacy practice of indexing data to make it searchable introduces pipeline latency and impacts an organisation’s ability to act on threats in real-time.

Securonix live channel allows SOC teams to search and act on live streaming data with virtually zero latency. Security operations teams can set up multiple live channel searches that leverage Securonix threat content, or their own custom hypotheses.

Long-Term Search at One-Third of the Cost

Organisations are concerned about hidden threats existing in their environment. Finding these threats requires the ability to continuously run new searches and investigations on historical data. This creates challenges for legacy platforms with their lack of scalability and huge vendor costs for making long-term data searchable.

Securonix addresses this challenge by providing a rapid search capability at one-third of the price of comparable solutions. Leveraging its cloud-native, big data architecture, the Securonix platform decouples search and compute resources and scales on demand to deliver high-performance searches on long-term data.

Integrated SIEM and SOAR

Securonix search and threat hunting capabilities are embedded within the Securonix Next-Gen SIEM platform, providing SOC teams a single pane of glass to hunt for threats, take action with integrated SOAR, and automate future detection with SIEM.

Multi-Tenant Threat Hunting for MSSPs

With a multi-tenant architecture, Securonix live and long-term searches can be executed simultaneously across multiple tenants. This allows Securonix MSSP partners to deliver a centrally managed threat hunting service to their customers.

“Securonix is continuously raising the bar when it comes to advanced threat detection and response, which is the reason why we chose Securonix to power our managed security services,” said Kelly Hertel, Sr Director, ICS Managed Security Operations, NTT DATA Services. “The SearchMore multi-tenant search and threat hunting capabilities coupled with our co-managed services delivers a powerful augmentation solution for security teams.”

According to the company, other SearchMore benefits include:

Stopping threats that bypass latent detection with live search.
Discovering dormant threats with ongoing searches on historical data.
Increasing threat hunting strength with proactive community-powered content.
Reducing cost up to one-third for searching long-term data, compared to comparable solutions.

The post The rise of Community-Powered Threat Hunting appeared first on IT Security Guru.

Who are the new heads at NCSC and MI6?

Thu, 06 Aug 2020 15:37:24 GMT

Lindy Cameron, the first woman CEO of the National Cyber Security Centre – a public facing division of GCHQ and primary technical authority on cybersecurity – is replacing its first CEO, Ciaran Martin, when he steps down on 31 August. Cameron will then formally become CEO in October following a handover period.

Cameron has excellent credentials for the role with more than twenty years’ experience in national security policy and crisis management. These include responsibility for the Department for International Development’s programmes in Africa, Asia and the Middle East as its Director General, managing a £4 billion a year budget covering thirty plus country offices.

We’re not talking about a Whitehall desk job either. Cameron was born in Northern Ireland, and is moving from the Northern Ireland Office where she is number two to permanent secretary Sir Jonathan Stephens. Her father Craig was a founding member of Corrymeela Peace and Reconciliation Centre.

Following a stint in the private sector at McKinsey Cameron served overseas as a Governance specialist in Nigeria, Vietnam and the Balkans, then Head of DFID’s country offices in Iraq (2004-5) and Afghanistan (2006-7). She was seconded to the UK Cabinet Office (covering Africa, Trade, Development and International Institutions) and Foreign Office (as Head of the Helmand Provincial Reconstruction Team and NATO Senior Civilian for Regional Command South West) before returning to DFID in early September 2011 as Head of the Middle East and North Africa Department. She was then Director of the Stabilisation Unit until February 2014 when she became Director Middle East, Humanitarian and Conflict.

Cameron is a graduate of the Ministry of Defence’s Royal College of Defence Studies. She also has a BA in Modern History from Oxford, a Masters in Law and Diplomacy from the Fletcher School at Tufts University in the US. She was appointed CB (Companion of the Order of the Bath) in the 2020 New Year’s Honours List for her services to international development.

Her role will include overseeing the NCSC’s response to a wide variety of cyber incidents including those by hostile nation states, improving the UK’s cyber resilience, particularly critical national infrastructure such as power, water and the banking sectors, identifying the risks and opportunities for the UK in emerging technologies and leading the NCSC’s ongoing response to the coronavirus pandemic.

In a press statement Cameron commented: “Over the past four years, the NCSC has transformed the UK’s approach to cybersecurity and set a benchmark for other countries to follow. I am delighted to join the NCSC and relish the opportunity to take this world-leading organisation to the next level.”

The CEO of the NCSC is a Director-General level appointment within GCHQ and reports directly to director, Jeremy Fleming.

Fleming noted how Cameron was joining the NCSC and GCHQ, “… at a time when cybersecurity has never been more essential to the nation’s resilience and prosperity. Lindy’s unique blend of experience in Government, overseas and in security and policy issues make her the ideal leader to take NCSC into the next stage of its delivery.”

MI6 head – an old hand in this game

Somewhat less public-facing, the UK’s Secret Intelligence Service, MI6 – the foreign intelligence service responsible for gathering intelligence outside the UK – has appointed Richard Moore its new chief – known as “C”, taking over from Sir Alex Younger in Autumn.

The three main aims of MI6 are described as stopping terrorism, disrupting the activity of hostile states, and giving the UK a cyber advantage.

Like Cameron, Moore is no rookie. He was born in Libya. He joined MI6 in 1987 has been an MI6 director, a deputy national security adviser in the Cabinet Office and worked in Vietnam, Pakistan and Malaysia and is a former ambassador to Turkey and fluent Turkish speaker. He is moving from the post of political director at the Foreign Office.

In press statement Moore said: “I am pleased and honoured to be asked to return to lead my service. SIS plays a vital role – with MI5 and GCHQ – in keeping the British people safe and promoting UK interests overseas. I look forward to continuing that work alongside the brave and dedicated team at SIS.”

In comments to BBC security correspondent Gordon Corrrea, former MI6 head John Sawers, said that Moore “has the perfect blend of experience – running intelligence operations and holding senior positions in diplomacy and policy formation. He knows how intelligence is produced and how it is best used to protect our national security.”

The post Who are the new heads at NCSC and MI6? appeared first on IT Security Guru.

Maze ransomware strikes again at Canon

Thu, 06 Aug 2020 10:19:16 GMT

Optical and imaging giant Canon has been the latest business to be hit by the scourge of ransomware. The Maze strain of ransomware has brought operations to an effective standstill, hitting the Canon email servers as well as internal applications including their instant messaging services provided by Microsoft Teams.

Additionally, the US website was also affected by the attack. Maze is a ransomware strain which attempts to gain a foothold in a network by targeting human vulnerabilities at an enterprise. Once it has successfully compromised a user, it will move laterally through a network until it compromises an administrator account.

The post Maze ransomware strikes again at Canon appeared first on IT Security Guru.

UK council takes £10 million hit in cyberattack recovery

Thu, 06 Aug 2020 10:17:55 GMT

A small rural council in the North of England has suffered a staggering financial hit in recovering from a cyberattack. Redcar and Cleveland in Yorkshire were forced to spend £10 million in order to recover from a cyberattack which took online public services offline for a week in February.

Infrastructure and system recovery cost £2.4m, and individual council directorates needed £3.4 in recovery funds. This is a very significant number for a local council, already chronically underfunded and seeing its services stretched to breaking point by the pandemic. The NCSC has placed the council on a data-sharing pilot programme moving forward, which may help them to gain more detailed knowledge of security protocol and help them to be better prepared for security incidents in the future.

The post UK council takes £10 million hit in cyberattack recovery appeared first on IT Security Guru.

Google shuts down Chinese, Iranian and Russian influence campaigns ahead of US election

Thu, 06 Aug 2020 10:14:28 GMT

Ten influence campaigns emerging from hostile states such as China, Tunisia, Russia, and Iran have been discovered across Google platforms, and removed throughout Q2, Google’s Threat Analysis Group have announced.

The group is responsible within Google’s security department for keeping track of high-end cybercriminal activity, which includes nation-state influence campaigns detected. Although the group is run by Google, it also includes external data gained from other social media platforms and other security vendors such as FireEye.

The post Google shuts down Chinese, Iranian and Russian influence campaigns ahead of US election appeared first on IT Security Guru.

KnowBe4 Releases New Security Research Report "The Department of No”

Wed, 05 Aug 2020 12:46:46 GMT

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, has released a new report that explores how and why the reputation of security departments have traditionally been perceived as “The Department of No.”

This new report, authored by Javvad Malik, security awareness advocate at KnowBe4, explains how many security teams face a reputational challenge within their organisations. Because they are responsible for the well-being of the organisation at large, they often receive unwarranted backlash from other departments that grow discouraged by the constant precautions that frequently shut down business operations that pose security concerns. The “Department of No” report provides key insights into how to establish a positive, effective and generally successful security team at the base of an organisation.

“I wanted to look further into why security departments are often perceived as barriers to business rather than vital partners,” said Malik. “This report walks through the habits of successful security teams and the secret sauce that makes them work. The methodologies they’ve deployed could work for your organisation as well and transform employees’ entire perception of security.”

Malik includes analysis of data from a soon to be released CLTRe (a KnowBe4 company) survey that provides information about security culture across more than 20 countries. The 2020 survey collected data from 120,050 employees working across 1107 organisations, and the responses have brought researchers closer to understanding employee relationships with IT departments in general.

To download “The Department of No” report, visit https://www.knowbe4.com/hubfs/The-Department-of-No-UK.pdf

The post KnowBe4 Releases New Security Research Report “The Department of No” appeared first on IT Security Guru.

Serious bug found in official Facebook WordPress chat plugin allows attackers to intercept messages

Wed, 05 Aug 2020 11:08:58 GMT

On June 26, 2020, Wordfence’s threat intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites.

Researchers initially reached out to Facebook on June 26, 2020 and included the full disclosure details at the time of reaching out. They initially responded on June 30, 2020, and after much back and forth, Facebook released a patch on July 28, 2020.

In their blog highlighting their findings, Wordfence’s researchers highly recommend updating to version 1.6 immediately to keep your site protected against any attacks attempting to exploit this vulnerability.

The post Serious bug found in official Facebook WordPress chat plugin allows attackers to intercept messages appeared first on IT Security Guru.

Nearly 300 Chrome extensions are loading malicious code

Wed, 05 Aug 2020 11:00:56 GMT

AdGuard has discovered 295 Chrome extensions that hijack and insert ads in Google and Bing search results. The extensions have been installed by more than 80 million users.

In a technical analysis shared with ZDNet, AdGuard said all extensions loaded malicious code from the fly-analytics.com domain, and then proceeded to quietly inject ads inside Google and Bing search results. The apps included utilities such as changing the background for Chrome’s ‘new tab’ page, as well as fake ad blockers and weather widgets.

The majority of these extensions are still available on the Chrome Web store – a full list is available on AdGuard’s blog.

When Google removes an extension from the Chrome Web Store for malicious activity, the extension is also disabled in users’ browsers and marked as “malware” in Chrome’s Extension section, but users still have to manually uninstall it from their browsers.

The post Nearly 300 Chrome extensions are loading malicious code appeared first on IT Security Guru.

Tweet Chat Roundup with KnowBe4

Wed, 05 Aug 2020 10:41:21 GMT

We are now more than halfway through the year, and what a crazy half it has been, both in terms of the global pandemic but also when you consider the volatile climate that the cybersecurity industry finds itself in.

We wanted to find out what trends had been seen, how organisations should go about ensuring security is being kept as a priority, the impact Covid-19 will have and the importance of having a strong security culture during this time of uncertainty. To help us answer these questions, we were joined by KnowBe4’s security awareness evangelists. KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform so they are best placed to give the necessary insight into the phishing trends which was where we started the Tweet Chat…the evangelists were certainly happy and eager to get started…

Current mood #AskKB4 https://t.co/lQk3tRfxp7 pic.twitter.com/27dNcNccMT

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

Noticeable trends and surprise tactics used by Hackers

A1: Ransomware, Data breaches have held steady. With the recent ShinyHunter data leaks due to phishing attacks. Phishing will not go away until more organizations provide training and this attack vector is no longer successful for the cybercriminals #AskKB4 #phishing https://t.co/fQL4mL11jJ

— James (@James_McQuiggan) July 29, 2020

Nearly every trend has been linked to the 'rona. The impromptu "digital transformation", wfh, attacks against home workers and home infrastructure, lots of misinformation. #AskKB4 https://t.co/WA4w1HKhaa

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

A2: I thought the android ransomware being spread as a Canadian COVID tracing app was interesting. The Canadian govt said they were making one and scammers fired up pages that looked legit and took advantage. Clever #AskKB4 https://t.co/MGDS5vdYv0 pic.twitter.com/kvo8LbbkNs

— Madsqu1rrel (@ErichKron) July 29, 2020

A2 Not a particular scam.. but I do notice the bad guys becoming more bold and blatant in their approach. And they don't really need to be inventive (unfortunately). BEC type scams, for instance, have been around for ages and are still the same #askkb4 https://t.co/QIrREaNmBn

— JellySandwich (@JelleWieringa) July 29, 2020

Will we see a rise in DeepFakes?

We then moved onto the impact the pandemic will have given that face-to-face contact will be limited for the time being and how criminals will leverage this for their own nefarious means…

A3a: #Deepfake attacks are still developing and take too much time and effort to be used in a commodity types of attacks, only high-value targets. Frankly those are still easier to get without all the deepfakery right now #AskKB4 https://t.co/PDlmy1qXDh

— Madsqu1rrel (@ErichKron) July 29, 2020

A3b: To avoid being impacted, make sure your processes are set up and people trained to require an out-of-band confirmation, such as calling someone on a known good phone number, before transferring money or sensitive info #AskKB4 https://t.co/PDlmy1qXDh

— Madsqu1rrel (@ErichKron) July 29, 2020

A3 As for voice and text phishing. This is far easier to set up and execute. And since a lot of users still find it hard to determine whether something is a fraudulent text or voice message, there is plenty of opportunities for the bad guys to be successful with this. #askkb4 https://t.co/yCzfyrbDxU

— JellySandwich (@JelleWieringa) July 29, 2020

A3: With their “hacker toolboxes”, cybercriminals vary attack vectors to get folks to be convinced of the event – #SMSing or #Vishing to convince people of bank changes,account passwords and click the link, phone the number #AskKB4 https://t.co/frJ0FMHJ1x pic.twitter.com/RfCgdkkaDE

— James (@James_McQuiggan) July 29, 2020

Humans will continue to be important

We then transferred the discussion to the vital role the human workforce plays in keeping organisations safe, especially when facing out of the ordinary threats seen today. Technology will always have its place in cybersecurity, but the importance of the human factor cannot be underestimated. Yet, this also begs the question: how much should be spent on technology vs training?

A4: Humans have always been a huge part and this has only highlighted that as they work form home with fewer technical controls and tools at their disposal. It’s important to realize that it is not their fault, but they ARE the ones targeted so often and get beat up #AskKB4 https://t.co/lI38Yf1nii pic.twitter.com/oCPql9qPtO

— Madsqu1rrel (@ErichKron) July 29, 2020

70% -90% of malicious breaches are due to social engineering humans, so helping the humans make better security decisions is THE best defense you can implement. #AskKB4 https://t.co/2LJ6JAx9lz

— Roger A. Grimes (@rogeragrimes) July 29, 2020

While I believe investing in the human workforce is vital.

Equally so, it's important for organisations to understand where tech controls are effective and appropriate, where procedures are needed and where and when to invest in humans and the limitations of each. #AskKb4 https://t.co/MPMNe2QA8d

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

A6: The money needed for annual training is a drop in the bucket compared to the money spent on technology. The training budget is the first cut when it comes to budget cuts for organizations. Provide education & training for the employees vs the cost of a new blinky box #AskKB4 https://t.co/4RHkC0lGDJ pic.twitter.com/9lQbLz6qeY

— James (@James_McQuiggan) July 29, 2020

A6: That depends on where they are now and how much ground they need to make up in one area or another. It also depends on the types of attacks they experience. I suggest using the approach @rogeragrimes takes in his Data-Driven defense book #AskKB4 https://t.co/Kv7RzhqSuy

— Madsqu1rrel (@ErichKron) July 29, 2020

Digging deeper into the training aspect of security, many may overlook the significance security awareness plays in the overall protection of an enterprise. Is there a perception that security awareness training is not necessary?

Yes. It may surprise some people, but we still get a small % of people questioning it's value at all. And we say just look at the data…anyone's data. Good security awareness training significantly reduces risk of compromise and I don't care who's data you use. #AskKB4 https://t.co/mXl3m0Ohpq

— Roger A. Grimes (@rogeragrimes) July 29, 2020

A7 I think a lot of organizations do value it. But find it hard to execute properly. Therefore, they go for the (easier?) technology angle. Showing them (through data) of the need AND the value in security awareness is the way to go to convince them. #AskKB4 https://t.co/KFNRvwro2I

— JellySandwich (@JelleWieringa) July 29, 2020

It also created a discussion amongst the evangelists as can be seen in this thread:

The money needed for annual training is a drop in the bucket: Not always

The training budget is the first cut when it comes to budget cuts for organizations: Any evidence to support this?#AskKb4

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

Surviving the current waves of cyberattacks requires the implementation of strong security culture – this should be paramount, but who within an organisation should be leading the way for this approach and how can one measure if they actually have a solid security culture foundation?

A8: It has not only to be talked about by leadership, but demonstrated as well. From the C-suite to line managers, it is important that leadership publicly demonstrate a proper security culture. #AskKB4 https://t.co/tdEjYWocMM

— Madsqu1rrel (@ErichKron) July 29, 2020

In an emergency or new event, most people revert to what they have been trained to do. So, training, no matter how you do it, is important to do. You just need to make sure the training is well done and relevant, however you do it. #AskKB4 https://t.co/rOU3MSE8c5

— Roger A. Grimes (@rogeragrimes) July 29, 2020

Use such metrics as "how many incidents have occurred or been prevented", using a Phish Prone Percentage of the employees. Create different scorecards for different roles, C-Suite, Finance, Developers, R&D, Service etc. #AskKB4 #scorecards https://t.co/WsFOO7pPFT

— James (@James_McQuiggan) July 29, 2020

Lastly, we moved onto password security.

We continuously read about poor password practises, whether its password reuse or sharing it with another person. So, has the password become obsolete or is there a future for this common layer of security?

A10: Every organisation needs to provide their employees with a password management application, just like applications for spreadsheets, email and databases. Add it to their corporate policies and require the use of it. People can learn it, like email and browsers. #AskKB4 https://t.co/WsFOO7pPFT

— James (@James_McQuiggan) July 29, 2020

If you agree or disagree or wish to continue the discussion, feel free to reach out to the Guru or any of the KnowBe4 evangelists on twitter with your thoughts.

The post Tweet Chat Roundup with KnowBe4 appeared first on IT Security Guru.

US and Australian government warn of critical vulnerabilities in Cisco, Microsoft and IBM ...

Wed, 05 Aug 2020 10:40:50 GMT

Security firm RiskIQ has published a report highlighting several critical vulnerabilities in 12 widely used remote access and perimeter devices. The findings show that the rapidly increasing adoption of these devices amid the COVID-19 pandemic is expanding digital attack surfaces outside the corporate firewall at incredible speed—and introducing a range of critical, rapidly proliferating vulnerabilities. Cybercriminals and nation-states are already taking advantage of these security flaws, including those in F5 Networks’ BIG-IP product and Cisco’s IOS XE devices, to attack organisations.

Recently, organisations have had to scramble to patch dangerous security flaws in dozens of remote access and perimeter devices. Already, there have been 18 high-to-critical vulnerabilities in these systems in 2020. The devices covered in the report include Palo Alto Global Protect, F5 BIG-IP, IBM WebSphere Application Server, Oracle WebLogic, Microsoft Remote Desktop Gateway, Citrix NetScaler Gateway, Citrix ADC, Cisco ASA & Firepower, Oracle iPlanet Web Server, and more.

The total amount of potential vulnerabilities in the findings include:

Palo Alto Global Protect – 61,869
F5 Big-IP – 967,437
IBM WebSphere Application Server – 7,496
Oracle WebLogic – 14,563
Microsoft Remote Desktop Gateway – 42,826
Citrix NetScaler Gateway – 86,773
Citrix ADC – 7,970
Cisco ASA & Firepower – 1,982
Oracle iPlanet Web Server 7.0 – 2,848
SAP NetWeaver – 2,629
Zoho Desktop Central – 1,988
Citrix ShareFile – 2,766

“This data in this report gives us a unique glimpse of the new reality facing the enterprise in the post-COVID world, which is that network controls are coming up dangerously short,” said Lou Manousos, RiskIQ’s CEO. “These IP-connected assets aren’t in the purview of most security controls, and dangerous flaws like those found in Cisco, Microsoft, Citrix, and IBM products will continue to be incredibly common.”

Both the US and Australian governments have advised companies to immediately address these critical vulnerabilities, with US Cyber Command recommending that organisations patch both the F5 and PAN-OS vulnerabilities. Both the United States National Security Agency (NSA) and Australian Signals Directorate (ASD) have warned state-sponsored actors that leverage a broad swath of vulnerabilities to deploy web shell malware on vulnerable devices. By doing so, they gain a foothold into target organisations’ networks.

The post US and Australian government warn of critical vulnerabilities in Cisco, Microsoft and IBM remote access and perimeter devices appeared first on IT Security Guru.

Dangerous flaws found in Cisco, Microsoft, Citrix and IBM Among Many Others

Tue, 04 Aug 2020 15:02:20 GMT

RiskIQ, released its Vulnerability Landscape report, a high-level view of critical vulnerabilities in twelve very widely used remote access and perimeter devices. The report shows that the rapidly increasing adoption of these devices throughout the COVID-19 pandemic is increasing digital attack surfaces outside the corporate firewall at incredible speed—and introducing a range of critical, rapidly proliferating vulnerabilities. Cybercriminals and nation-states are already taking advantage of these security flaws, including those in F5 Networks’ BIG-IP product and Cisco’s IOS XE devices, to attack organisations.

Many organisations are scrambling to patch dangerous security flaws in dozens of remote access and perimeter devices. Already, there have been 18 high-to-critical vulnerabilities in these systems in 2020. The devices covered in the report include Palo Alto Global Protect, F5 BIG-IP, IBM WebSphere Application Server, Oracle WebLogic, Microsoft Remote Desktop Gateway, Citrix NetScaler Gateway, Citrix ADC, Cisco ASA & Firepower, Oracle iPlanet Web Server, and more.

The report taps the company’s Internet Intelligence Graph, a global network that absorbs internet data to map the billions of relationships between IP-connected devices worldwide. Researchers deployed this telemetry to find the total number of these 12 potentially vulnerable devices online across the world that RiskIQ systems observed between 1 June, 2020, and August, 2020.

The total amount of potential vulnerabilities in the findings include:

Palo Alto Global Protect – 61,869
F5 Big-IP – 967,437
IBM WebSphere Application Server – 7,496
Oracle WebLogic – 14,563
Microsoft Remote Desktop Gateway – 42,826
Citrix NetScaler Gateway – 86,773
Citrix ADC – 7,970
Cisco ASA & Firepower – 1,982
Oracle iPlanet Web Server 7.0 – 2,848
SAP NetWeaver – 2,629
Zoho Desktop Central – 1,988
Citrix ShareFile – 2,766

“This data in this report gives us a unique glimpse of the new reality facing the enterprise in the post-COVID world, which is that network controls are coming up dangerously short,” said Lou Manousos, RiskIQ’s CEO. “These IP-connected assets aren’t in the purview of most security controls, and dangerous flaws like those found in Cisco, Microsoft, Citrix, and IBM products will continue to be incredibly common.”

The post Dangerous flaws found in Cisco, Microsoft, Citrix and IBM Among Many Others appeared first on IT Security Guru.

These 10 IoT devices pose the biggest risk to your organisation

Tue, 04 Aug 2020 14:36:30 GMT

By Richard Orange, Regional Director of UK&I at Forescout

Connected devices continue to transform the way organisations operate in every industry. From healthcare and retail to manufacturing and financial services, Internet of Things (IoT) devices are omnipresent and positively impact the bottom line of many organisations. But an increase in connected devices also means an increase in the potential attack surface for bad actors who are constantly on the lookout for vulnerabilities to exploit.

This threat is very real. Almost half of UK businesses reported a cyber security breach or attack between March 2019 and March 2020, the Department for Digital, Culture, Media & Sport has revealed. Organisations often focus their cyber security efforts on protecting well-known connected devices like laptops, mobile devices or tablets. But cyber defences are only ever as effective as their weakest link and all it takes is for one connected device to be compromised in order for bad actors to wreak havoc. The danger is particularly big around OT devices that are still running old operating systems, that are often not properly monitored and that were never intended to be connected to a network in the first place.

Some devices are much more susceptible to attacks than others. So, after analysing over 8 million connected devices, here are the 10 types of IoT devices that pose the biggest cyber security risk to organisations today:

Physical Access Control Solutions

These devices are used to open or close door locks in the presence of authorised badges. In our research, they were often found configured with open ports (including Telnet port 23), connected to other risky devices and containing serious reported vulnerabilities.

HVAC Systems

These devices were also found configured with critical open ports (including Telnet), connected to other risky devices and containing a couple of critical vulnerabilities that allow a complete takeover of a device (CVE-2015-2867 and CVE-2015-2868).

Network Cameras

These IP cameras have dozens of serious vulnerabilities associated with them (e.g., CVE-2018-10660), they are usually configured with critical ports such as SSH port 22 and FTP port 21 enabled, and they are connected to risky devices.

PLC

The PLCs identified have serious vulnerabilities associated with them (e.g., CVE-2018-16561) and their potential impact is very high, since PLCs control critical industrial processes. (The infamous Stuxnet malware, for instance, targeted S7 systems used for uranium enrichment.) Still, these devices are ranked lower than the first three since, in our sample, they have fewer ports open and reduced connectivity.

Radiotherapy Systems

There are no vulnerabilities reported for these devices, but they were found configured with many critical ports open (including Telnet) and connectivity to other risky medical devices. The impact of exploitation of these devices is inherently high.

Out-of-Band Controllers

This refers to an out-of-band controller for servers that are integrated into the main board, which provides an interface to manage and monitor server hardware. It contains its own processor, memory, network connection and access to the system bus. Relevant vulnerabilities have been found in these devices, such as CVE 2015-7272, which can be exploited via SSH (port 22 was open in all of these devices found in our dataset) to achieve a denial-of-service attack and CVE-2019-13131, which can be exploited via SNMP (port 161 was open in most iDRAC devices found in our dataset) to achieve remote code execution.

Radiology Workstations

This workstation is commonly connected to many peripheral systems in healthcare delivery organisations, such as Radiology Information Systems, PACS, Electronic Health Records systems and so on. As in the case of radiotherapy systems, there are no reported vulnerabilities. However, these devices were found configured with many critical ports open and connectivity to risky devices. The exploitation impact is also very high since it is a workstation where common attacker tools can be easily adapted to achieve persistence or to pivot within a healthcare network.

Picture Archiving and Communication Systems (PACS)

PACS are medical imaging systems that provide storage, retrieval, management, distribution and presentation of medical images. Our research found vulnerabilities associated with these systems (e.g., CVE-2017-14008 and CVE-2018-14789). They have a similar risk profile to other medical devices in our research sample due to their place in the network and their use context.

Wireless Access Points

These contain many critical vulnerabilities, including CVE-2017-3831 and CVE-2019-15261, and are often connected to multiple risky guest devices.

Network Management Cards

These cards are used to remotely monitor and control individual UPS devices. Besides the presence of known vulnerabilities (e.g., CVE-2018-7820), high connectivity and open ports, these devices have the interesting capability of supporting the BACnet/IP and Modbus/TCP protocols, which again highlights the convergence of smart building technology with IT infrastructure.

What is abundantly clear from this list is that these devices are typically unmanaged. Only if organisations achieve full visibility and control of all the devices connected to their networks can they adequately address and manage these vulnerabilities. On top of that, network segmentation offers an additional layer of protection, limiting the access devices have and preventing bad actors from moving laterally within a network in case of a breach. With these solutions in place, organisations will be able to reduce the risk of cyber attacks and, importantly, continue to reap the full benefits IoT devices have to offer.

The post These 10 IoT devices pose the biggest risk to your organisation appeared first on IT Security Guru.

70% of large businesses consider remote working a security hazards: The experts have their say

Tue, 04 Aug 2020 14:08:34 GMT

A survey conducted by AT&T found that 70% of large businesses think that their security posture is being damaged by remote working, leaving them more vulnerable to cyberattack- This is what the experts think.

Remote working has made us all ask difficult questions of ourselves. While the initial kneejerk decisions to deploy a remote workforce took place in order to make sure that the spread of Covid19 was curtailed, now we have been in a largely remote scenario for close 6 months now, enterprises have begun to consider other ways this unprecedented move towards remote working has impacted business function.

AT&T’s recent survey of 800 cybersecurity professionals across the UK, France and Germany is one such investigation of the impact of Covid. The survey found that while 88% initially felt well prepared for the migration, more than half (55%) now believe widespread remote working is making their companies more or much more vulnerable to cyberattacks. This figure jumps to 70% for large businesses with over 5,000 employees.

What the experts think

John Vladimir Slamecka, AT&T region president, EMEA

“Cybercriminals are opportunistic, taking advantage of the fear and uncertainty surrounding issues like the current global health and economic situation as well as sudden shifts and exposures in IT environments to launch attack campaigns. It can be a challenge for IT organisations to stay on top of emergent threat activity in the wild.”

Jamie Ahktar, co-founder and CEO at CyberSmart:

“This is not a surprising finding by any means. Most people are just not aware of the many security measures they take for granted working in an office environment. The best thing a business of any size can do right now is immediately take the time to educate their employees on the fundamentals of cyber security. Once educated, enterprises need to trust that their employees understand and prioritise security. A significant amount of their workforce is now likely to be working via home WiFi networks, or even public WiFi networks. Accessing the digital corporate environment from these networks is significantly less likely to be secure than the office-based ones, so employers need to exercise trust in their employees that they are taking the precautions necessary to keep the corporate network safe: Avoiding public WiFi where possible, changing the password on their home WiFi network regularly, as well as ensuring that any security tools their employers invest in are accurately installed and regularly updated on the device they are using for work. All of these activities, should they not be undertaken appropriately, could result in a breach and damage the trust relationship between employee and employer. The standard controls set out in government standards like the UK’s Cyber Essentials scheme protect against the majority of attacks and do not require expertise or large investment to implement.

The landscape for attack is much broader now and we have seen an increase in security breaches because hackers understand this and are taking advantage of the opportunity. This is a period of transition into what is likely to be a new norm for the workplace. It’s important to remember that remote working is not inherently insecure. It just needs to be approached correctly. “

Javvad Malik, security awareness advocate at KnowBe4:

“With remote working, many procedures need to be updated to ensure the security of home workers systems. There is the concern about keeping systems patched, technical controls such as VPNs and MFA are in place, that monitoring controls are effective across a remote workforce, and that all staff receive appropriate and timely security awareness and training so that they are aware of and can report any attacks.

Communication channels are one of the biggest challenges. While there is no shortage of tools to communicate, not being able to tap a colleague on the shoulder to ask a question can lead to its own set of problems. Criminals are well aware of this and have placed considerable efforts into social engineering remote employees through phishing scams which look like they originate from the IT departments, other colleagues, or from HR.

Therefore, it’s important for organisations to revisit their security controls and ensure they are still appropriate for the current working conditions.”

Niamh Muldoon, senior director of trust and security at OneLogin:

“As the workforce adjusts to remote working, organisations need to recognise that traditional security approaches are no longer sufficient. With employees outside the controlled environment of the office, organisations will inevitably struggle to ensure that their employees are complying with best practices such as separating personal devices from work devices. In fact, OneLogin recently conducted a study of 5000 respondents globally which found that almost 40% of employees utilised their corporate laptops for streaming; and 20.5% used it for online games and gambling. Identity is the most important aspect to this new hybrid operating model – understanding who and what device is trying to log into their business environment systems and associated applications. Streamlining identity with IDAAS technology solutions will support organisations continuing to deliver quality IT services while balancing cost and risk for the organisation.”

The post 70% of large businesses consider remote working a security hazards: The experts have their say appeared first on IT Security Guru.

It’s Official: COVID-19 Creates a Larger Surface Area for Cyberattacks

Tue, 04 Aug 2020 13:27:36 GMT

Ever since it was declared a global pandemic, experts have warned that COVID-19 will put increased strain on security teams by creating more variables and attack surfaces. Now, according to VMware Carbon Black, it is official. Their most recent Global Incident Response Report, revealed that COVID-19 continues to create a larger surface area for cyberattacks.

More than half (53%) of all respondents encountered or observed an increase related to the pandemic.

53% of IR professionals we surveyed encountered or observed an increase in cyberattacks exploiting COVID-19.
A third of respondents (33%) encountered instances of attempted counter IR in the 90 days before they took the survey – a 10% increase from the previous report.
51% of respondents saw attacks from China in the 90 days before this survey was held, followed by North America (40%) and Russia (38%).
More than half of attacks (51%) in the 90 days prior to this survey have been on the financial sector
33% of attacks shows signs of lateral movement

The post It’s Official: COVID-19 Creates a Larger Surface Area for Cyberattacks appeared first on IT Security Guru.