Thursday, January 13, 2022

A selection of the top articles and videos from the last week on SecuritySenses.com. Don't forget to check back regularly for daily updates from around the globe.

If you like SecurityBuzz, why not forward it to some friends or share the online version?

Until Next Time! 👏

2022 Cybersecurity Predictions

12-Jan-22 | By Yuval Shapira and Shmuel Gihon | In Cyberint, Cloud

Moving into 2022, looking back at the plentiful year of 2021, regarding security, we at the Cyberint Research Team will try and shed some light on the upcoming year: the key security risks and threats, and what we feel will change in the coming year. We will focus on the actions required to be as vigilant and protected as possible. Although we foresee that Deep-Fake news will rise and mobile applications will also be in danger, thanks to the increased use of mobile wallets, we chose to focus on the lowest common denominator relevant to most companies, as well as our customers.

Is fighting cybercrime a losing battle for today's CISO?

12-Jan-22 | By Theresa Lanowitz | In AT&T Cybersecurity, CISO

At times, the quest to stay on top of web application security can seem futile. It seems as though the adversaries are always a step ahead, and all we can do is try our best to contain the breaches. In this blog, we’ll look at the root causes of concern for today's CISO and share some practical strategies to deter cybercriminals.

Abusing Microsoft Office Using Malicious Web Archive Files

12-Jan-22 | By Gustavo Palazolo | In Netskope, Cloud

In November of 2021, we described several techniques used by attackers to deliver malware through infected Microsoft Office files. In addition to exploits like CVE-2021-40444, these infected documents frequently abuse VBA (Visual Basic for Applications) to execute their techniques, regardless of the final payload. Attackers also often use extra layers of protection to evade signature-based detections, like constructing PowerShell scripts and WMI namespaces at runtime, as done by Emotet. In addition to code obfuscation, attackers use other techniques to evade detection like non-standard file types in Microsoft Word.

Malicious modifications to open source projects affecting thousands - Sysdig Secure

12-Jan-22 | By Alberto Pellitteri | In Sysdig, Cyberattacks

In the early days of 2022, two extremely popular JavaScript open source packages, colors.js, and faker.js, were modified to the point of being unusable. The reason for this event can be traced to various motivations, but what is worth mentioning is that several applications that employed those dependencies were involved. The two impacted packages can be used for different purposes in JavaScript applications. colors.js enables color and style customization in the node.js console. faker.js is widely used for testing purposes, generating massive amounts of fake data. Both of them were downloaded hundreds of millions of times throughout their lifetime, and this is why the impact is huge.

Why Financial Services Companies That Value Agility & Security Pick Teleport

12-Jan-22 | By Josh Smith | In Teleport, DevOps

2022 feels a little different, doesn’t it? Every day I’m prepared to hear something new, something scary, or something exciting. These last couple of years have made it seem like we just never know what is coming next. It’s no different for financial services companies who have to be prepared for the unexpected, including disruptive technologies that can challenge their core businesses. McKinsey recently pointed out seven innovations driving the financial services industry such as AI, blockchain, and open-source software and SaaS which have the advantage of lowering barriers to entry for fintech startups competing with the established players.

How to Improve Your Vendor Due Diligence Process (with Security Ratings)

12-Jan-22 | By SecurityScorecard | In SecurityScorecard, Risk Management

You can't do business without your vendors. They support critical elements of your organization, from cloud storage services to payment processing to physical items like office supplies or physical components. Your vendors make your organization run more efficiently – but sometimes at a risk to your financial, reputational and operational resiliency.

Building Resilience to Financial Crime: the Convergence of Cyber Intelligence, AML, and Fraud Prevention

12-Jan-22 | By Stephen Lazenby | In INETCO, Monitoring

The idea of converging cyber intelligence, AML, and fraud prevention activities to eliminate the gaps between these silos of financial crime risk management has been discussed for years. However, recent developments in global real-time payments, open banking, and booming digital transactions have escalated the need for this convergence. In this era of instant payments and CNP transactions, traditional siloed approaches to financial crime prevention are losing their effectiveness. In 2022, fragmented data management and data loss at a certain point in the payment journey can give criminals the advantage they are looking for.

Data Loss Prevention (DLP) on Jira and Confluence Data Center & Server Editions

12-Jan-22 | By isaacmadan | In Nightfall, Data Security

Jira and Confluence house high volumes of customer information, tickets, notes, wiki articles, and more. To scan Jira and Confluence Data Center or Server editions, you can use Nightfall’s APIs to scan data at-rest in these silos. In this article, we’ll walk through how you can run a full historical scan on your Jira and Confluence data to discover sensitive data, like API keys and PII. The output will be a report detailing the sensitive findings discovered in your environment.

Netacea Launches North American Partner Program

11-Jan-22 | By Netacea | In Netacea, Bots

Appointment of U.S. leadership team and new UPSTACK partnership agreement will help companies better defend themselves against the growing bot threat.

Understanding LSA Protection

11-Jan-22 | By Kevin Joyce | In Netwrix, Security

Securing your Windows servers and Windows 10 running is vital, especially given today’s sophisticated threat landscape. These are usually the first machines to be compromised in an attack through exploitation of the weakest link in the chain — the user. Through trickery and social engineering, threat actors gain access to these machines and then seek to move laterally and elevate their privileges. Therefore, enhancing endpoint and server security can significantly reduce your risk of a security breach.

What Oil and Gas Companies Must Do to Counter Cyber Threats

11-Jan-22 | By Arctic Wolf | In Arctic Wolf, ICS

The oil and gas industry’s global supply chain uses a vast array of information technology (IT) and operational technology (OT) systems. These systems require constant cybersecurity protection to ensure energy flows efficiently and productively around the world to meet global needs. Hackers know that IT and OT systems are often interdependent and closely linked. In fact, the recent Colonial Pipeline attack resulted from the successful breach of Colonial’s IT network. This caused major damage to the OT system, forcing the company to shut down its pipelines—leading to costly downtime, expensive remediation efforts, and lost profits.

Your Data is Everywhere: Here are the Critical Capabilities of a Modern DLP

11-Jan-22 | By Sundaram Lakshmanan | In Lookout, Data Security

In some ways, IT teams had a great life in the early 2000s. Data was stored inside data centers and accessed through known ingress and egress points like a castle with a limited number of gates. As a result, organizations had control over exactly whom and what devices could access company data. This is no longer the case. With users accessing cloud applications with whatever networks and devices are at their disposal, those defense mechanisms have become inadequate. To ensure their sensitive data is secure, organizations have to rethink their security model — including the way Data Loss Prevention (DLP) technology is implemented.

Introducing next-generation firewall from Palo Alto Networks to support 5G-enabled IoT, OT and IT use cases

11-Jan-22 | By Lisa Ashjian | In AT&T Cybersecurity, Mobile

Enterprises know they need defenses integrated into each aspect of their network while not being an inhibitor to innovation. Digital transformation realized through new 5G-enabled IoT, Operational Technologies (OT) and IT use cases are no exception. Therefore, security teams need to take a closer look at the best technology to support this innovation. Next-generation firewalls from Palo Alto Networks with AT&T Multi-Access Edge Computing (MEC) solutions are designed to help protect enterprises while optimizing security performance for these new use cases.

noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds

11-Jan-22 | By Alex Talyanski | In CrowdStrike, Active Directory

Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain. In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released. The exploit allowed the escalation of privileges of a regular domain user to domain administrator, which enables a malicious actor to launch multiple attacks such as domain takeover or a ransomware attack.

3 challenges MSPs face to mitigate vulnerabilities

11-Jan-22 | By The Editor | In WatchGuard, Endpoint Security

In recent weeks a critical vulnerability (CVE-2021-44228) has been discovered in Log4j2, a popular logging library for Java applications. Attackers can exploit this flaw by performing Remote Code Execution (RCE) on any systems where it is implemented.

Understanding Insecure Direct Object References (IDOR)

11-Jan-22 | By Rahul Kadavil | In Appknox, Security

IDOR is a broken access control vulnerability where invalidated user input can be used to perform unauthorized access to application functions. IDOR can result in sensitive information disclosure, information tampering etc. This issue was previously part of OWASP top 10 2007, later it was merged with OWASP top 10 A5 Broken Access control vulnerability. For proper exploitation of the vulnerability, IDOR is usually paired with a Broken Access control vulnerability, as it is the access control issue that allows an attacker to directly access the object. IDOR occurs in HTTP methods like GET, POST, PUT, and DELETE.

Power the SOC of the Future with the DataLinq Engine - Part 2

11-Jan-22 | By Leon Ward | In ThreatQuotient, Security

In my first blog in this series, we discussed the importance of data to the modern SOC, and the unique approach of ThreatQ DataLinq Engine to connect the dots across all data sources, tools and teams to accelerate detection, investigation and response. We developed the DataLinq Engine with the specific goal of optimizing the process of making sense out of data in order to reduce the unnecessary volume and resulting burden.

CISOs: Why the Rezilion - Tenable Integration is a Game Changer for Product Security and Devops

11-Jan-22 | By Rezilion | In Rezilion, CISO

As the frequency of new products released rises and as the attack surface keeps growing, most companies are faced with a common problem – a growing vulnerability workload. Their vulnerability scanners report countless vulnerabilities and there is simply not enough resources or time to fix all of these vulnerabilities, leaving their networks vulnerable and exploitable. What security leaders need is a solution that is able to validate and prioritize these vulnerabilities specific to their environment. This will help determine which vulnerabilities have the highest risk of exploitation.

What You Need to Know About Adding a SaaS Component to Your Hardware or Software Business

11-Jan-22 | By Daniel Mercado | In Teleport, DevOps

Many market-leading companies who have dominated their respective sectors with hardware or on-prem/installable software solutions are turning to SaaS offerings to fuel the next phase of their growth. Why? Simple. Market valuations are much higher for SaaS companies than they are for traditional software and hardware companies. The median multiple on earnings for a SaaS company is 12.7x as of Q3 2021 according to venture capitalist Jamin Ball who tracks the Public Cloud Software (e.g. SaaS) market in an excellent Substack.

Building Out SaaS Incident Response Capabilities

11-Jan-22 | By James Robinson | In Netskope, Cloud

Every functioning security team has an incident response plan. Advance strategizing and preparation are absolutely imperative to ensure a quick response to data breaches, ransomware, and numerous other challenges, but most companies first developed that plan years, if not decades, ago and now only revisit it periodically. This is a problem. How many organizations have developed a separate incident response plan to address the unique risks of the software-as-a-service (SaaS) era? Far too few.

Laptop running slow? You might have been cryptojacked.

11-Jan-22 | By Egress | In Egress, Cyberattacks

It’s always frustrating when your laptop starts to slow down. The more you click, the more it seems to stutter and have a good think about everything you ask it to do. Joining video calls and even opening documents becomes a chore. Normally, this is a sign to free up some storage space or request a new device/component from the IT department. However, an unusually slow laptop can also be the sign of something more sinister – cryptojacking.

Devo's 2022 Cybersecurity Predictions: Part Three

11-Jan-22 | By Fran Gomez Rodriguez | In Devo, SIEM

In part two of our 2022 cybersecurity predictions series, Devo Security Engineering Director Sebastien Tricaud explained Web3 and new security testing trends. While cybersecurity tools and approaches are certainly evolving quickly, so are cybercriminals. Here are my insights on cyberthreats and attacks we should expect to see more of this year.

Security and privacy trends to watch for in 2022

11-Jan-22 | By Sorcha Lorimer | In Bearer, API

What can data security and privacy leaders expect from the year ahead? How will key trends shape the industry? Our team looks at three key trends that will impact security and privacy in 2022, and what leaders can do to get ahead of the curve.

Linux malware protection in Elastic Security

11-Jan-22 | By Daniel Stepanic | In Elastic, Malware

With our recent 7.16 Elastic Security product release, we improved our existing Linux malware feature by adding memory protection. In this blog, brought to you by Elastic’s Engineering Security Team, we lean into this recent advancement to show how we are protecting the world’s data from attack.

How To Manage The Hidden Impacts of Data Leak With Cloud DLP

11-Jan-22 | By Emily Heaslip | In Nightfall, Data Security

Data leaks are a type of data loss threat that often fly under the radar — making them potentially more damaging than a malware or ransomware attack. Compared to data breaches, data leaks put customer information at risk accidentally. Data leaks can lead to credit card fraud, extortion, stolen IP, and further attacks by cybercriminals who seek to take advantage of security misconfigurations.

How to Map SOC Analyst Skills With Experience Level

11-Jan-22 | By Chris Crowley | In Siemplify, SecOps

Security operations centers (SOCs) exist to deliver sustained monitoring and response capabilities. Staff members are a core pillar of this mission. Each SOC should have clearly articulated roles and levels for its personnel. This helps to establish fair practices for hiring, training, promotion, compensation and performance expectations. In many SOCs, the level (or tier) of a staff member is also articulated by their area of responsibility: for example, SOC monitoring analyst, incident responder, forensic analyst, penetration tester and vulnerability management evangelist.

Interview with Cyber Czar & Founding Partner of NIST, Jeffrey R. Wells

10-Jan-22 | By Eleanor Bennett | In logit.io, NIST

For the next interview in our series speaking to technology and IT leaders around the world, we’ve welcomed Co-chair of Cybersecurity, Data Protection & Privacy at Clark Hill, Jeffrey R. Wells to share his views on the state of cybersecurity today. Jeffrey has over 25 years of global experience leading cybersecurity engagement, he has also led a Joint Inter-Agency Task Force countering transregional organized cyber-crime and violent extremism while addressing current and emerging risks impacting national security, commerce and critical infrastructure.

Multi-Factor is incomplete without backup codes

10-Jan-22 | By Bob Covello | In AT&T Cybersecurity, Security

I was logging into one of my favorite online shopping sites the other day, and, as with all my other sites, I was presented with the multi-factor authentication prompt to complete the login process. Anyone who knows me, knows that I have been a long-time supporter of multi-factor, or 2-step verification of any kind.

How 1Password keeps your account data safe from cyber attacks

10-Jan-22 | By Marius Masalar | In 1Password, Password Management

Several layers of protection guard the data you store in 1Password, but is it enough to defend against cyberattacks like credential stuffing?

URL confusion vulnerabilities in the wild: Exploring parser inconsistencies

10-Jan-22 | By Snyk Security Research team, Claroty Team82 | In Snyk, DevOps

URLs have forever changed the way we interact with computers. Conceptualized in 1992 and defined in 1994, the Uniform Resource Locator (URL) continues to be a critical component of the internet, allowing people to navigate the web via descriptive, human-understandable addresses. But with the need for human readability came the need for breaking them into machine-usable components; this is handled with URL parsers.

SCA Should Be in Your Toolbox to Address Supply Chain Risk

10-Jan-22 | By Rezilion | In Rezilion, DevOps

Software composition analysis (SCA) tools provide automated visibility throughout the software development life cycle (SDLC) for more efficient risk management, security, and license compliance. As organizations accelerate their digital initiatives, they rely on development teams both internally and externally to build the applications that will help them move forward. But applications are also a popular target for criminals. The recent “State of Cybersecurity Resilience 2021” study from Accenture found that successful breaches — which include unauthorized access to data, applications, services, networks, or devices — jumped 31% over the previous year to an average of 270 per company.

Getting Vulnerability Management Right in Healthcare

10-Jan-22 | By Rezilion | In Rezilion, DevOps

In this second of a five-part series of posts on why strong vulnerability management is so vital for cybersecurity programs, we look at the need for effective vulnerability management in the healthcare sector. Like financial services, healthcare is a highly-regulated industry and it’s also among the most common targets of cybercriminals. Healthcare institutions have to deal with a multitude of security threats, with hackers and other cybercriminals constantly looking for ways to exploit software vulnerabilities so they can steal critical data such as patient records.

What is a Distributed Cloud Architecture? Top 4 Security Considerations

10-Jan-22 | By SecurityScorecard | In SecurityScorecard, Cloud

By 2025, there will be more than 100 zettabytes of data stored in the cloud – that’s a lot of data! With more applications needing to process a significant amount of data in real-time, there is a shift in demand for distributed cloud and edge computing. Fortunately, the distributed cloud brings many impressive benefits to organizations – generating immense cost savings, greater scalability, and reaching resource-intensive business demands.

How to source the right tools to scale an AppSec programme

10-Jan-22 | By Raquel Soares | In Uleska, Application Security

Everyone’s development is different, it stands to reason everyone’s perfect security toolkit will also be different. But finding the right tools to suit your project, and making the most out of those tools shouldn’t have to be a headache. In the field of application security, there are literally thousands of security tools to choose from that may help the development, security and longevity of your projects. But, as you might imagine, there are also thousands of tools out there that will do nothing to help you on your journey—and it’s not always easy to work out one from the other.

Why marketers can't ignore bot traffic on their sites in 2022

10-Jan-22 | By Alex McConnell | In Netacea, Bots

As a thorn in the side of marketing teams of all sizes, awareness of ad fraud has grown in recent years due to the sheer amount of money it can cost advertisers. In one famous case, Uber discovered fraudulent app installs attributed to its ads had cost the company $100 million. But it’s not just overtly malicious activity like ad fraud that marketing budget-setters need to be concerned about. Marketers must be aware of the potential damage bots of all kinds can do, intentionally or otherwise. Here’s why marketers need to get educated about bots in 2022.

What SecOps Teams Can Expect in 2022

10-Jan-22 | By Faith Kilonzi | In Torq, Automation

Traditionally, most organizations have had siloed departments wherein teams’ activities are highly separated and the objectives within organizational structures are divided. This operational methodology has brought about friction – especially within the IT department, where developers and ITOps lack collaboration. In an attempt to streamline IT operations and reduce this friction, most IT managers are adopting new methodologies such as SecOps, DevOps, and DevSecOps to promote process integration and increase collaboration between departments.

How Will ISO 27701 and the GDPR Affect Your Organization?

09-Jan-22 | By Tripwire Guest Authors | In Tripwire, Compliance

Companies today face increasing pressure to implement strong cybersecurity controls. While the U.S. has no comprehensive cybersecurity law, many organizations still fall under state, international, or industry regulations. Two of the most prominent controlling publications are the General Data Protection Regulation (GDPR), and the ISO 27701 standard. One has the force of law, and the other is a guiding framework, respectively. Both of these documents apply to an increasing number of businesses. As the world grows more interconnected and reliant on digital data, the reach of these documents is expanding as well. It becomes critically important to understand how each might affect one’s organization.

Real-life Examples of Phishing Emails

09-Jan-22 | By Editor | In Cyphere, Email Security

Phishing emails are a serious problem for both businesses and consumers. Phishers use phishing emails to steal users’ personal information, like usernames, passwords, credit card numbers, social security numbers and other sensitive data.

Attack Misuses Google Docs Comments to Spew Out "Massive Wave" of Malicious Links

07-Jan-22 | By Graham Cluley | In Tripwire, Cyberattacks

Security researchers say they have seen a “massive wave” of malicious hackers exploiting the comment feature in Google Docs to spread malicious content into the inboxes of unsuspecting targeted users. According to a blog post published by Avanan, the comments functionality of Google Docs, as well as its fellow Google Workplace web-based applications Google Sheets and Google Slides, is being exploited to send out malicious links. The flaw can be exploited by cybercriminals to send messages to just about any email address, and yet the emails are actually sent from Google and so may appear trustworthy.

How to Set Up Two-Factor Authentication for SSH

07-Jan-22 | By Troy Desjardins | In Teleport, DevOps

One way to enhance SSH login security is by using two-factor authentication (2FA). This approach forces an administrator to self-identify with an additional security verification in addition to the local admin credentials. This tutorial guides you through setting up Google Authenticator PAM to enable 2FA for users connecting to SSH on a Linux server. We’ll use nano as our editor in examples.

The Top Cyber Attacks of December 2021

07-Jan-22 | By Arctic Wolf | In Arctic Wolf, Cyberattacks

Things tend to slow down for many businesses at the end of the year. As the holidays roll in and employees take time off with their families, December is generally a time to take stock of what transpired over the year and start looking ahead to the next one. Unfortunately, that’s not how cybercriminals operate. While December was relatively quiet on the cybercrime front compared to some other recent months, it still brought news of a spate of attacks that run the gamut from insider data breaches to political espionage to good old-fashioned ransomware. Let’s look at some of the attacks that kept security experts on their toes to close out the year.

Six-Figure Savings: How A Financial Institution Banked On Forward Enterprise For Massive Returns

07-Jan-22 | By Yadhu Govindarajan | In Forward Networks, Networks

As one large, global financial institution prepared for employees to return to the office, its IT team identified a significant issue with the company's more than 8,000 access switches. The switches in question were used to provide connectivity to IP Phones – a crucial part of people's work across virtually all areas of the company. In many cases, the 8,000 phones in question had essentially been unused for almost two years, as the pandemic forced people to work from home using alternate communication devices.

Interview with CTO Kathleen Moriarty

07-Jan-22 | By Eleanor Bennett | In logit.io, Security

For the newest instalment in our series of interviews asking leading technology specialists about their achievements in their field, we’ve welcomed Kathleen Moriarty, Chief Technology Officer at the Center for Internet Security. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honour of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. Named in CyberSecurity Ventures, Top 100 Women Fighting Cybercrime. She is also a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS.

Clearing Security Hurdles Faster to Drive Business Forward in 2022

07-Jan-22 | By SecurityScorecard | In SecurityScorecard, Risk Management

As organizations look to take their 2022 security concerns head-on, they need to create resilient cybersecurity programs that help them make smarter, faster, informed decisions. In our recent webinar, I had the pleasure of chatting with security professionals Mike Wilkes from SecurityScorecard, Scott Fuller from Access Health, and John Beal from St. Charles Health. They discuss the challenges they face and how their security plans for 2022 to mitigate risk across their entire ecosystem. Here’s a recap of what we learned and what they’re predicting for 2022.

How to stay creatively inspired while working from home

07-Jan-22 | By Nick Summers | In 1Password, Password Management

Creativity can be fickle. One day, your brain is full of bright ideas you’re keen to jot down, develop, and share with others. The next day, you have nothing. Zilch. Not even a flicker of an idea. You suddenly feel like a world-class restaurant that’s run out of ingredients.

Behind the Buzzword: Four Ways to Assess Your Zero Trust Security Posture

06-Jan-22 | By Hank Schless | In Lookout, Security

With just about everything delivered from the cloud these days, employees can now collaborate and access what they need from anywhere and on any device. While this newfound flexibility has changed the way we think about productivity, it has also created new cybersecurity challenges for organizations. Historically, enterprise data was stored inside data centers and guarded by perimeter-based security tools. But with users using endpoints and networks your IT teams don’t manage, this approach has become antiquated.

Endangered data in online transactions and how to safeguard company information

06-Jan-22 | By Samantha Clark | In AT&T Cybersecurity, Data Security

This blog was written by an independent guest blogger. Online transactions are essential for every modern business. From online shopping to banking, transferring funds, and sending invoices, online transactions ensure utter convenience and efficiency. However, the familiarity of making financial transactions online can make people forget about security and all the dangers that they may be facing. On top of that, new cybersecurity threats keep popping up constantly. That’s why it’s crucial to have a robust IT security strategy in place.

SSH Client Config Files and How to Use Them

06-Jan-22 | By Ben O'donnell | In Teleport, DevOps

SSH client configuration files allow us to connect to servers with pre-configured commands. This saves typing each SSH command parameter when logging into a remote machine and executing commands on a remote device. This article will examine secure shell (SSH) client configuration (config) files and their functions. Specifically, we will show an example of an SSH client config file to learn how to use these files before creating an example config file that connects to a fictitious server. Then, we’ll use Teleport’s tsh client to communicate with a cluster because of tsh’s ability to consolidate identity-based server access in all environments, meet compliance requirements, and provide visibility into access and behavior.

Proactive Cybersecurity: How to Stay Ahead of Today's Threats

06-Jan-22 | By Arctic Wolf | In Arctic Wolf, SecOps

For many organizations, cybersecurity is an overwhelming challenge. New threats emerge seemingly in the blink of an eye, and IT and security teams are constantly reacting to the moves of bad actors who always remain one or two steps ahead and get to dictate where and when their attacks are carried out. As you might expect, a reactionary approach to cybersecurity is not ideal. It’s typically borne of necessity due to undermanned teams or inadequate resources. Ultimately, it is destined to fail.

Security Cloud Considerations for Delivering Security Service Edge (SSE)

06-Jan-22 | By Mark Day | In Netskope, Cloud

In recent blogs, we’ve explored the role of Security Service Edge (SSE) technologies as part of a SASE architecture, and the key differences between SSE and SASE. But so far, we’ve focused more on overall functionality than on its realization and what SSE means from a cloud design and implementation perspective. In this post, we shift gears to put a spotlight on networking and infrastructure as it relates to security clouds. Let’s start by stepping back and looking at legacy enterprise networking.

Fourth Party Risk Management Explained

06-Jan-22 | By Reciprocity | In Reciprocity, Risk Management

Most organizations use at least some (and perhaps many) external vendors in their daily operations, sometimes even to provide mission-critical services or supplies; we’ve discussed them before as third-party vendors and the risks they bring. Indeed, most businesses today already consider third-party risk management in their overall cybersecurity protocols. An equally pressing concern, however, is fourth-party risk – that is, the vendors that your vendors use, and the risks that those fourth parties might pass along to you.

What You Should Know About the Rise in AWS S3 Security Data Breaches

06-Jan-22 | By Reciprocity | In Reciprocity, Cloud

Amazon Web Services (AWS) is a cloud platform designed to meet the growing demand for cloud computing worldwide. AWS provides a set of cloud services such as storage, analytics, blockchain, business applications, security, and machine learning. Within this cloud environment is Amazon Simple Storage Services (S3), a cloud storage solution bringing scalability, data availability, security, and performance to companies of any size through so-called “buckets” or data containers.

Copyright © 2022 OpsMatters, All rights reserved.

