A selection of the top articles and videos from the last week on SecuritySenses.com. Don't forget to check back regularly for daily updates from around the globe.
The processing of data is a long-standing debate among governments, businesses, and tech giants alike. Major corporations are identifying data privacy violations and sharing how personal data should be handled and shared ethically. Government entities have framed their own laws on data protection and privacy to protect the personal data of their residents. Examples include the GDPR, developed by legislative branches of the European Union, and the CCPA, developed by the state legislature to protect residents of California in the United States. Now, Saudi Arabia is joining the list of around 80 countries that have data protection laws.
By now, we’re all likely tired of talking about Log4j and nodding our heads over Zoom when we all discuss the ramifications of exploitation of this small, but very pervasive and powerful vulnerability. At the risk of adding another layer of complexity to the information we have learned about Log4j, I think we are remiss not to mention IT-OT (Information Technology-Operational Technology) convergence and how it could be an enabler for Log4j to impact our critical infrastructure.
Cybersecurity incidents aren’t rare for businesses now. In fact, in the first 6 months of 2021, around 1767 data breach incidents rocked the business world and exposed more than 18 billion records. One of the industry verticals hit hardest by cyber-attacks is the financial industry. As per research conducted by ImmuniWeb, more than 98% of leading fintech businesses are vulnerable to severe cyberattacks, including application security attacks on mobile and web, ransomware, and phishing, among others.
This article explores how you can locate insecure direct object references (IDORs) using Burp Suite. There are two main ways to test for IDOR flaws: manual and semi-automated. For automation, this article focuses on the Autorize plugin for Burp Suite.
Digital signatures are increasingly used in companies and public administrations. However, without adequate cybersecurity measures, this method can be a vector for cybercriminals and fraudsters: through social engineering they can dupe signer victims into believing a document is legitimate and, through their signature, obtain authorization to carry out other operations without their consent, among many other malicious activities. So, how can we avoid this?
Misused or stolen credentials are the number one cause of data breaches. Using Password123 is worthy of a good laugh, but there are other passwords that are used every day: SSH keys and other tokens used to access critical infrastructure. Teleport recently commissioned a survey of 1000 IT, DevOps and Security professionals and found that passwords are the number one way of managing access to infrastructure.
Most car purchases start with a test drive. Increasingly, enterprise software purchases (including security software) are made the same way. These evaluations are often called a Proof of Concept or PoC. This term is a great fit for lots of situations, especially when the solution involves a novel way of combining established tools or a hard-to-define use case that can only be judged in practice. But for more established solutions used in production by hundreds or thousands of organizations, Proof of Concept as a name is not a great fit. Instead, we should talk in terms of a Proof of Value.
2021 was a busy year for the cybersecurity industry. It began in January, as we were just beginning to understand the impact and massive scope of the SolarWinds attack. Then Kaseya happened. Then the Colonial Pipeline was breached. And now, as 2021 comes to a close, we’re in the early days of the Log4j crisis that will take all of next year—if not longer—to fully unpack, understand and mitigate.
Most organizations, especially those in the defense trade, are finding themselves on the spot when their prime contractors ask them whether they are ITAR Certified and ITAR Compliant. Some contractors even want to know the steps you're taking to meet this regulation. As a chief information security officer, you've probably heard of CPA and GDPR compliance and their role in consumer data. But, how well are you versed with International Traffic in Arms Regulations (ITAR)? We have compiled this ultimate guide to ITAR Compliance, including what you should do to get a certification, the penalties for violating ITAR, and an ITAR compliance checklist.
Looking to 2022, cybersecurity and business leaders are anticipating both digital and in-person conferences. Cybersecurity conferences offer everyone a way to connect, learn, and share. We’ve compiled a comprehensive, chronological list of the cybersecurity conferences you’ll want to attend in 2022.
The cybersecurity market offers excellent solutions and services to combat the threats posed by cybercriminals. However, are these tools enough to fully protect an organization? It is clear that human error is a strong attack vector for many popular cybercrimes, so the best way to augment any security program is to create a cyber-aware workforce. After all, with the correct training and education, front-line staff can become one of the most effective allies in preventing an attack.
This blog contains a discussion about stress, trauma, and domestic violence. This may be difficult for some readers, and given the alarming figures around Post-Traumatic Stress Disorder (PTSD), trauma, and early life experiences (ACEs), this will likely concern at least a small population of readers. Please take care of yourself when reading this and break off from reading if you feel the need to. If you do not suffer from PTSD, the following information can also be helpful, as you will certainly encounter someone with this condition in your cybersecurity career.
The announcement of Log4j vulnerability CVE-2021-44228 sent security and development teams into a tailspin and highlights one of the biggest challenges of open source security: dependency management. The open source libraries that make up as much as 80% of our applications are often a tangled web of dependencies. If tracking all of the open source components in our codebase is a challenge, tracking the direct and indirect dependencies that make up an open source library is impossible to do without smart automation.
You’ve seen suspicious ads. Some were obvious — ads that claim your browser is infected with malware and you need to click immediately to remedy the situation — but likely, some weren’t obvious at all. They just looked like regular ads, and might have appeared on a site you trust. You didn’t know it (and hopefully didn’t click) but some of the ads you see regularly are malvertising.
DLP ensures confidential or sensitive information (like credit card numbers, PII, and API keys) isn’t shared outside of Slack by scanning for content within messages and files that break predefined policies. DLP is important for both security and compliance reasons. With DLP in place, you’ll be able to.
Five months ago, we decided to release a posture management solution for K8s and make it open source for everyone to enjoy. Today, I can proudly say that it is more successful than I ever expected it to be when we launched it – we have hundreds of registered users, thousands of runs each day, and almost 5K git stars, and it's growing every day. Kubescape, which started as a tool that scans K8s clusters, YAML files, and Helm charts for misconfiguration, now offers more capabilities: it scans worker nodes and control nodes (API server, managed and unmanaged), and it offers image scanning and RBAC visualization.
For over a century, voice communication has been carried over the Public Switched Telephone Network (PSTN), but over the past decade or two Voice over IP (VoIP) has been introduced and quickly adopted throughout the world for making business phone calls.
Protecting our critical infrastructure against the threat of ransomware remains a top priority for both the private sector and the federal government. In fact, a recent survey from Tripwire found that security professionals in both sectors still identify ransomware as a top security concern. More than half (53%) of respondents in that study said they were most concerned about ransomware, for instance. This was followed by vulnerability exploits, phishing, and social engineering at 35%, 34%, and 24%, respectively.
As technology continues to change rapidly, so do the tactics cybercriminals use. Responding to these changes requires adapting your security operations center (SOC), or eventually you may encounter a security incident. Security is a journey, not a destination. You don’t just become secure and move on to another project. Instead, you continuously observe, adapt, and improve.
I am writing this from my home office in Texas. Texas isn’t just my home. It is the home of the best brisket on the planet, some of the most iconic high tech brands in the world, and energy production that powers the global economy. In the morning, I might meet with one of the fastest growing SaaS companies in the country about achieving the rigorous FedRAMP certification so they can sell to federal agencies. In the afternoon, I might meet with the systems engineering team of an energy company who are rolling out a new Kubernetes-powered analytics platform that needs to be protected from unauthorized access.
This past year was a banner year for cybercriminals. By the end of September, the Identity Theft Resource Center (ITRC) reported that the number of breaches that had taken place over the first three quarters of 2021 had exceeded the total number of breaches in 2020. Among those breaches were some big ones, most notably the Colonial Pipeline ransomware attack which took place in May, causing gas shortages throughout parts of the U.S., a LinkedIn breach that impacted 700 million users, and a state-sponsored attack on Microsoft in early spring.
In part one of our 2022 cybersecurity predictions series, Devo CSO Gunter Ollmann explained the rise of XDR, the detection-as-code and response-as-code movement, and the growing interest in security tools with built-in, on-demand expertise. In this second installment of our series, I share my take on how the cybersecurity landscape will evolve. Let’s dive into it.
Most enterprises, as well as small organizations globally are now painfully familiar with the Log4j2 vulnerability (CVE-2021-44228). It has taken over the lives of all cybersecurity professionals and it appears it is here to stay for a while. Most enterprises are scrambling for solutions, applying patches if they can find the vulnerability, and trying to implement mitigation strategies. But unfortunately what security teams are doing to tackle the Log4j beast is not always enough. Log4j is further complicated by four factors.
It’s not just about the big name companies who are vulnerable to the Apache Log4j2 vulnerability (CVE-2021-44228). Tech small businesses – which offer customers digital products but which often have tight budgets and understaffed security teams – are an important story when it comes to the implications for Log4j exploits. Research now finds that almost all environments have vulnerable Log4j libraries. Small businesses comprise 99.9% of all US employer firms – but are currently far less visible in the story.
Malicious actors always try to be creative and find new ways to trick people into a scam. In this case a new website is offering a 75% discount on all Timberland shoes. The information looks almost identical to the original page, but when you look closer, questions start to pop up.
The last week has been a wild ride for just about everyone in the technology world due to the public disclosure of the Log4Shell vulnerability. As a developer security company, Snyk has built our business around proactive automation to identify and fix security issues in applications. To say we’ve been busy this week would be an understatement. With that being said, however, one of the narratives we’ve seen over this past week in relation to Log4Shell is that open source is fundamentally broken: there aren’t enough contributors to build “reliable” software, there aren’t enough security checks, and there isn’t enough funding to ensure open source software is sustainable.
The notorious Log4Shell vulnerability CVE-2021-45046 has put Log4j in the spotlight and grabbed the entire Java community’s attention over the last couple of weeks. Maintainers of Java projects that use Log4j have most probably addressed the issue. Meanwhile, non-Java developers are enjoying relative peace of mind, knowing that they are unaffected by one of the major vulnerabilities found in recent years. Unfortunately, this is an incorrect assumption. Log4j is such a popular library that non-Java developers also use it as their logging system. And when demand for a library becomes high, it is distributed as a package to ease the supply chain process.