Major cyber-incidents are a good reason to improve things not only in information security, but also in IT. Management is willing to commit resources and genuinely wants positive change, but you need to be realistic about scope and budget. What measures will make the greatest contribution to preventing and minimizing the impact of new incidents?

Being prepared for future cyberattacks is called cyber-resilience. And it's not just about beefing up defenses. For a company, cyber-resilience is the ability to operate in the face of a cyberattack or other cyber-incident. It means having the technical and organizational measures in place to detect, respond to and recover from incidents, then adapt and learn from them. The concept is set forth in the ISO/IEC 27001 standard. Or, as organizations often put it themselves: how can a company stop ransomware from getting in, and if it does get in, prevent it from doing harm? That's the question we'll try to answer.

Where to start?
The list of attack prevention and mitigation technologies is almost endless. You should prioritize by assessing the risks and damage from various cybersecurity incidents, preventing the most likely attacks from the ATT&CK framework, and applying one of the many playbooks to mitigate specific risks (example 1, example 2). But there are some important first steps. The first is not to spread your efforts too thin: we recommend focusing on a handful of core solutions that produce an effect so impactful that all other projects are best postponed until these fundamentals are implemented. All of the solutions on the list significantly reduce the risk of the most common attacks, simplify incident response and reduce damage if an intrusion does occur. So, if your company lacks something from this list, implement it today. We cannot overstress the importance of implementing these technologies on ALL computers in your company. That means all endpoints (including all corporate and personal laptops and smartphones), all servers and all virtual and containerized workloads. There's a major pitfall here: shadow IT. Despite your best efforts, you may not be aware of the existence of some computers and servers. So, start with an inventory of all IT assets to ensure that security policies cover the entire corporate infrastructure.
Endpoint Detection and Response
All computers, including servers and virtual machines, must have an EDR agent installed, with threat-blocking features enabled. EDR is a core protection technology that combines malware protection with monitoring and response for more complex information security systems. Make sure you can receive telemetry from all computers, since any internal or external security expert will need it to quickly analyze potential incidents. Leading vendors, such as Kaspersky, automatically block the vast majority of common cyberthreats, so make sure that all features for blocking known malicious activity are enabled on all computers under a unified policy.

Multifactor Authentication
By various estimates, 60–80% of cyberattacks begin with account theft. That's why it's considered unacceptable to protect access to computer systems with a password alone: it's too easy to guess, steal or brute-force. User login must be performed with MFA. The most common form employs two factors (password and one-time code), hence it's known as two-factor authentication, or 2FA. The most cost-effective solutions use an authenticator app, but, depending on the specifics of the organization and the position of the employee, it can be any combination of an app, USB token, biometrics, etc. In general, MFA is recommended for all company systems, but its deployment should be prioritized for services that are accessible externally, such as email and VPN.

Protected backups
Backups have long protected companies against more than just fires and hardware failure. They also guard against a number of cyberattacks. Ransomware operators are well aware of this, so just about every ransomware attack involves the targeted deletion of backup copies of information.
For this reason, a backup strategy must account for all scenarios, such as rapid recovery from an easily accessible copy in case of hardware failure or other IT incident, as well as guaranteed recovery in the event of a ransomware attack. It's very likely that two separate backups will be required. Ransomware-resistant backups are ones stored on media that are physically disconnected from the network (not very convenient, but reliable), as well as in immutable cloud storage, where data can be added but not replaced or deleted (convenient, reliable and potentially expensive). Having created your immutable backup, conduct a data-recovery drill to (a) make sure it can be done, and (b) estimate the time required (this will also speed up your team's response in the event of a real attack).

Application and patch management
All computers in the company, be it a desktop, a virtual server or the laptop of an employee on a business trip, must have tools installed that allow administrators to manage the machine remotely. Critical actions include computer diagnostics (checking for availability of necessary apps, checking network status, VPN health, EDR updates, etc.), installing applications and updates, testing for vulnerabilities, and so on. Such capabilities are vital, both for everyday work and during incident response. In day-to-day operations, they ensure cyber-hygiene, such as the prompt installation of important security updates on all computers. During incidents, it may be necessary to run, say, a specialized utility or install a certificate, and only administration systems can do this within a reasonable timeframe, including for remote employees. Best suited for this task are UEM systems that allow you to manage a variety of devices, including work and personal computers and smartphones, and apply company policies to them.
You also have the option to arm yourself with highly specialized solutions, such as patch management, VNC/RDP and other systems.

Unique passwords
Privileged access management and identity security is a very broad topic. Well-built identity security both increases the company's level of protection and simplifies the lives of employees. But full implementation can be a lengthy project, so the initial focus should be on the essentials, the first being to ensure that each computer in the company is protected by a unique local administrator password. Use the free LAPS tool to implement this measure. This simple precaution will prevent attackers from moving quickly through the network, compromising computers one by one using the same password.

Minimizing vulnerable services
Regularly scan your company's IP addresses from the internet to make sure that servers and services that should only be available on the local network are not globally exposed. If such a service ever pops up on the internet, take prompt action to block outside access to it. If for some reason it needs to be accessible from the internet, apply regular security updates and protect it with MFA. These measures are especially important for favorite hacker targets such as: web management consoles, RDP, Telnet/SSH, SMB, SNMP and FTP. It's best to assume that all services are visible from the internet, and scan them for vulnerabilities, weak passwords and other defects regularly.
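The exposure check described above can be automated by comparing external scan results against a list of approved exposures. The script below is an added example, not code from the original post or from Kaspersky: the port-to-service mapping, the approved-exposure list and the scan lines are all constructed for illustration (hosts use the 203.0.113.0/24 documentation range), and a real run would feed in your own scanner's output instead.

```python
"""Flag services that the post lists as favourite targets (RDP, Telnet/SSH,
SMB, SNMP, FTP, web management consoles) when they are reachable from the
internet without being on the approved-exposure list.

Added example; the policy table and scan data are constructed, not real.
"""
from dataclasses import dataclass

# Constructed port -> service table for the risky services named in the post.
# Extend it to match your own environment; it is deliberately not exhaustive.
RISKY_PORTS = {
    21: "FTP",
    22: "SSH",
    23: "Telnet",
    161: "SNMP",
    445: "SMB",
    3389: "RDP",
    8080: "web management console",
    8443: "web management console",
}

# Constructed external scan output in a simple 'host port/proto state service'
# layout, similar to what an external scanner would report.
SCAN = """
# host         port/proto  state   service
203.0.113.10   443/tcp     open    https
203.0.113.10   3389/tcp    open    ms-wbt-server
203.0.113.11   22/tcp      open    ssh
203.0.113.11   445/tcp     closed  microsoft-ds
203.0.113.12   21/tcp      open    ftp
"""

# Constructed approved-exposure list: (host, port) pairs that are allowed to be
# reachable from the internet because they are patched and protected by MFA.
ALLOWLIST = {("203.0.113.11", 22)}  # hypothetical SSH bastion host


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    allowed: bool  # True if on the approved-exposure list


def parse_scan(lines):
    """Return (host, port, service) for every open port in the scan lines."""
    open_ports = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, state, *rest = line.split()
        port = int(port_proto.split("/")[0])
        if state == "open":
            service = rest[0] if rest else "unknown"
            open_ports.append((host, port, service))
    return open_ports


def evaluate(open_ports, allowlist):
    """Keep only risky services and record whether each exposure is approved."""
    findings = []
    for host, port, _service in open_ports:
        if port not in RISKY_PORTS:
            continue
        findings.append(Exposure(host, port, RISKY_PORTS[port],
                                 (host, port) in allowlist))
    return findings


def violations(findings):
    """Exposures that are not approved and must be blocked promptly."""
    return [f for f in findings if not f.allowed]


def report(findings):
    """Human-readable action list, one line per risky exposure."""
    lines = []
    for f in findings:
        if f.allowed:
            lines.append(f"APPROVED {f.host}:{f.port} ({f.service}): "
                         "keep patched and behind MFA")
        else:
            lines.append(f"BLOCK    {f.host}:{f.port} ({f.service}): "
                         "not on the approved-exposure list")
    return lines


if __name__ == "__main__":
    for line in report(evaluate(parse_scan(SCAN.splitlines()), ALLOWLIST)):
        print(line)
```

Approved exposures are reported separately from violations on purpose: the post's rule is that anything which must stay reachable from the internet still needs regular updates and MFA, so those entries should be reviewed on every run rather than silently ignored.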
The latest edition of the Transatlantic Cable podcast focuses mostly on AI, with an opening salvo of stories, the first being news that the FTC is opening an investigation into OpenAI and ChatGPT. From there, discussion moves to a worrying story around artificial intelligence and the recent writers' and actors' strikes. To wrap up, there are two stories, the first dedicated to AI and the growing voices raised against it, and the second asking: would you use a facial recognition service if it meant less time waiting in line to board a train? If you liked what you heard, please consider subscribing.
FTC investigates OpenAI over data leak and ChatGPT's inaccuracy
The Black Mirror plot about AI that worries actors
The Last Word on AI and the Atom Bomb
Eurostar launches world's first walk-through biometric corridor for rail travel
The new independent exam track at Black Hat USA will feature an opportunity for attendees to take a practical exam to be certified in penetration testing.
The models powering generative AI like ChatGPT are open to several common attack vectors that organizations need to understand and get ready for, according to Google's dedicated AI Red Team.
Attackers are apparently trying to exploit two path traversal vulnerabilities in the ‘Stagil navigation for Jira – Menus & Themes’ plugin, the SANS Internet Storm Center warns.
Researchers have discovered a rising trend of .zip domains in phishing campaigns that criminals are utilizing to boost their phishing attacks and improve their effectiveness. Many anti-phishing solutions are designed to scan URLs for suspicious keywords or patterns, but they may not adequately detect zip domains. Stay informed about evolving phishing tactics and invest in robust anti-phishing solutions.
"P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said.
A joint letter by a group of industry experts urges CISA to go further in integrating and advocating threat modeling in the document, which aims to help manufacturers prioritize cybersecurity practices while designing technology products.
In his first public speech, Graeme Biggar, the new chief of the UK's National Crime Agency (NCA), highlighted the emerging links between serious crime groups and nation-state operations in cyberspace.
Over 200,000 OpenAI credentials are available for sale on the dark web, indicating that cybercriminals see potential in using AI tools like ChatGPT for malicious activities.
Over a dozen vulnerabilities patched recently by GE in its Cimplicity product are reminiscent of industrial control system (ICS) attacks conducted by a notorious Russian hacker group.
In an era where cyber threats continue to evolve, healthcare organizations are increasingly targeted by malicious actors employing multiple attack vectors, according to Trustwave.
Successful exploitation of some of these vulnerabilities may lead to complete application or system compromise, Oracle says. Many of the updates also include additional third-party patches.
Symantec's Threat Hunter Team found a new variant of FIN8's Sardonic backdoor used to deliver the Noberus ransomware. In this new version, the group behind Sardonic has reworked most of its code, most likely to avoid detection. Organizations are advised to monitor their networks and the latest versions of PowerShell logged into systems.
The threat actors used email lures, posing as bioscience and health organizations, to entice recipients. The emails contained attached PDFs with information about the organization and the job, as well as salary and equipment specifications.
DeliveryCheck is distributed via email with malicious macros and can breach Microsoft Exchange servers to install a server-side component, turning a legitimate server into a malware C2 server.
U.S. cybersecurity and intelligence agencies have released a set of recommendations to address security concerns with 5G standalone network slicing and harden them against possible threats.
Customers of the Russian medical laboratory Helix have been unable to receive their test results for several days due to a “serious” cyberattack that crippled the company's systems over the weekend.
The ALPHV group claims Estée Lauder has not responded and listed the company on its leak site Tuesday, according to activity observed by Emsisoft Threat Analyst Brett Callow.
Microsoft said in a blog post on Wednesday that it will include “access to wider cloud security logs for our worldwide customers at no additional cost” starting in September and that it would increase default log retention from 90 to 180 days.
The leak, which initially occurred in 2021 but gained more attention after being re-published on a public hacking forum, has led to high-profile users receiving malicious calls, texts, and emails.
Technologies that underpin solar and wind energy storage systems, which are central to transferring renewable power to the grid, are potential hacking risks, experts noted at a congressional hearing Tuesday.
Hackers are using URL redirects within Google ads to lead users to malicious sites, leveraging the trust and legitimacy of Google Ads. This technique, known as BEC 3.0, involves referencing legitimate sites instead of spoofed ones.
Distributed Denial of Service (DDoS) botnets have been used to actively exploit a critical vulnerability found in Zyxel firewall models. The flaw, identified by Fortinet security researchers as CVE-2023-28771, explicitly affects Linux platforms.
A security breach was detected on May 31, 2023, when suspicious activity was identified within its network. The affected systems were immediately taken offline to prevent further unauthorized access.
Debian Linux Security Advisory 5456-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Ubuntu Security Notice 6239-1 - It was discovered that ECDSA Util did not properly verify certain signature values. An attacker could possibly use this issue to bypass signature verification.
The PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system.
Red Hat Security Advisory 2023-4158-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include denial of service and integer overflow vulnerabilities.
jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.
Ubuntu Security Notice 6237-2 - USN-6237-1 fixed vulnerabilities in curl. The update caused a certificate wildcard handling regression on Ubuntu 22.04 LTS. This update fixes the problem. Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service. It was discovered that curl incorrectly handled saving cookies to files. A local attacker could possibly use this issue to create or overwrite files. This issue only affected Ubuntu 22.10, and Ubuntu 23.04.
Red Hat Security Advisory 2023-4210-01 - The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. This release of the Red Hat build of OpenJDK 17 for portable Linux serves as a replacement for the Red Hat build of OpenJDK 17 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-4177-01 - The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Issues addressed include denial of service and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-4211-01 - The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. This release of the Red Hat build of OpenJDK 17 for Windows serves as a replacement for the Red Hat build of OpenJDK 17 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-4175-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include denial of service and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-4176-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include an integer overflow vulnerability.
Red Hat Security Advisory 2023-4208-01 - The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. This release of the Red Hat build of OpenJDK 11 for portable Linux serves as a replacement for the Red Hat build of OpenJDK 11 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-4209-01 - The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. This release of the Red Hat build of OpenJDK 8 for portable Linux serves as a replacement for the Red Hat build of OpenJDK 8 and includes security and bug fixes as well as enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include an integer overflow vulnerability.
Red Hat Security Advisory 2023-4212-01 - The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. This release of the Red Hat build of OpenJDK 8 for Windows serves as a replacement for the Red Hat build of OpenJDK 8 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include an integer overflow vulnerability.
Red Hat Security Advisory 2023-4161-01 - The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. This release of the Red Hat build of OpenJDK 11 for Windows serves as a replacement for the Red Hat build of OpenJDK 11 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-4230-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.
Egress also launches adaptive security architecture, which dynamically adjusts email security controls based on aggregated data including KnowBe4's user risk score.
The SaaS product is available under the Company's early access program as a closed, invitation-only beta experience, as part of the Plurilock AI platform.
US Air Force veteran and Mandiant CEO discussed dwell time and state-sponsored attacks at the Military Cyber Professionals Association's HammerCon conference.
Cybersecurity researchers have uncovered a new cloud-targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This
Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent espionage attack campaign aimed at its email infrastructure. The tech giant said it's making the change in direct response to increasing frequency and evolution of nation-state cyber
Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild. The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions: ColdFusion 2023 (Update
The defense sector in Ukraine and Eastern Europe has been targeted by a novel .NET-based backdoor called DeliveryCheck (aka CAPIBAR or GAMEDAY) that's capable of delivering next-stage payloads. The Microsoft threat intelligence team, in collaboration with the Computer Emergency Response Team of Ukraine (CERT-UA), attributed the attacks to a Russian nation-state actor known as Turla, which is
Two more security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware. "These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser
Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal. "Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince
Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers. "Attackers can bring the application into an unexpected state, which allows them to take over any user account, including the admin account," Sonar vulnerability
An analysis of the indicators of compromise (IoCs) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the supply chain attack targeting 3CX. The findings come from SentinelOne, which mapped out the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting
If it seems like Remote Desktop Protocol (RDP) has been around forever, it's because it has (at least compared to the many technologies that rise and fall within just a few years). The initial version, known as "Remote Desktop Protocol 4.0," was released in 1996 as part of the Windows NT 4.0 Terminal Server edition and allowed users to remotely access and control Windows-based computers over a
Former Prime Minister Boris Johnson wants to hand over his WhatsApp messages - or does he? And a couple of fun-loving girls from Aberdeen have come up with a sinister twist on sextortion scams. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley (from a mystery location) and Carole Theriault.
The FBI warns that tech support scammers are increasingly telling their victims to send actual cash, concealed in newspaper or a magazine, rather than wiring funds. But why? Read more in my article on the Tripwire State of Security blog.
If you thought hackers might be causing your company a few headaches, pity the folks at Estée Lauder. Two different ransomware groups have listed the cosmetics maker on their leak sites on the dark web, as a result of seemingly separate attacks. Read more in my article on the Hot for Security blog.