Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label IT Security. Show all posts
Security Issues
CISO CVE vulnerability CVEs Cyber Security Hacking News Information Security IT Security Security Issues

Cisco Fixes Critical CVE-2024-20418 Vulnerability in Industrial Wireless Access Points

 

Cisco recently disclosed a critical security vulnerability, tracked as CVE-2024-20418, that affects specific Ultra-Reliable Wireless Backhaul (URWB) access points used in industrial settings. These URWB access points are essential for maintaining robust wireless networks in environments like manufacturing plants, transportation systems, and other infrastructure-intensive industries. The vulnerability allows remote, unauthenticated attackers to perform command injection attacks with root privileges by exploiting the device’s web-based management interface. 

This vulnerability results from inadequate validation of input data within Cisco’s Unified Industrial Wireless Software, specifically affecting the web management interface of URWB access points. By sending specially crafted HTTP requests, attackers could exploit this flaw to execute arbitrary commands with root-level access, potentially leading to unauthorized control over the device. This level of access could compromise critical network infrastructure, posing serious risks to businesses relying on URWB technology for uninterrupted connectivity. The vulnerability specifically impacts Cisco Catalyst models IW9165D, IW9165E, and IW9167E when URWB mode is enabled. 

For users concerned about their device’s security, Cisco advises checking vulnerability status by using the “show mpls-config” command in the command-line interface (CLI). If the command confirms URWB mode is active, the device may be vulnerable to potential attacks. Cisco’s Product Security Incident Response Team (PSIRT) has stated that it is not aware of any instances of this vulnerability being actively exploited in real-world scenarios. However, given the nature of this vulnerability, Cisco urges users to update their devices promptly to mitigate the risk. Currently, Cisco has not issued workarounds for this issue. 

As a result, companies relying on these models are advised to stay alert for firmware updates or patches that Cisco may release to resolve the vulnerability. The lack of a temporary fix underlines the importance of applying any future updates immediately, especially as remote exploitation could have significant consequences for the affected systems. For organizations using these Cisco models, securing network access and strengthening device-level defenses can be critical in mitigating potential risks. Limiting access to the web-based management interface, monitoring device activity, and conducting frequent security audits are some proactive steps administrators can take. These actions may help limit exposure while waiting for Cisco’s permanent fix. This incident serves as a reminder of the evolving threat landscape in industrial and operational technology environments. 

As organizations adopt more wireless technologies to improve operational efficiencies, the need for robust cybersecurity practices is crucial. Regularly updating network devices and addressing vulnerabilities promptly are fundamental to protecting systems from cyber threats. Cisco’s disclosure of CVE-2024-20418 underscores the vulnerabilities that even the most reliable industrial-grade devices can exhibit. It also highlights the critical importance of proactive device management and security measures in preventing unauthorized access. Industrial environments should consider this a timely reminder to prioritize cybersecurity protocols across all network-connected devices.
Read more »
Vendors
Breaches Clean Energy Cyber Security Energy IT Security Ransomware resilience Risks Supply Chain Vendors

Energy Sector Faces Heightened Supply Chain Risks Amid Growing Dependence on IT and Software Vendors

 

The energy industry is experiencing a sharp increase in supply chain risks, largely driven by its growing reliance on external vendors. According to a recent report, two-thirds of security breaches in this sector now originate from software and IT vendors.

The study, conducted by SecurityScorecard and KPMG, titled "A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain," draws attention to frequent threats, including ransomware attacks targeting traditional IT systems.

Researchers have emphasized that as the transition to cleaner energy picks up pace, and as the grid becomes more interconnected and software-reliant, vulnerabilities in the energy sector are expected to increase.

Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, stated, “The energy sector's rising dependence on third-party vendors exposes a significant vulnerability—its security is only as robust as its weakest link."

He added that this growing reliance on external vendors introduces considerable risks, urging the industry to strengthen cybersecurity defenses before a breach escalates into a national crisis.

The report highlighted that third-party risks account for nearly half of all breaches in the energy sector—significantly higher than the global average of 29%. Over 90% of organizations that experienced multiple breaches were attacked through third-party vendors.

Additionally, the report found that software and IT vendors were responsible for 67% of third-party breaches, while only a small number were linked to other energy companies. A notable portion of these incidents stemmed from the MOVEit file transfer software vulnerability, which was exploited by the Clop ransomware group last year.

The report also pointed out application security, DNS health, and network security as some of the most significant weaknesses in the sector.

The findings come at a time when the U.S. Department of Energy is convening with energy sector leaders to promote the Supply Chain Cybersecurity Principles, urging companies to focus on reducing risks posed by software and IT vendors, which represent the highest third-party threats.

As part of this effort, energy operators are encouraged to ensure new technology purchases are secure by incorporating initiatives like CISA’s "Secure by Design" and following the Department of Energy’s Supply Chain Cybersecurity Principles. The industry must also bolster security programs to defend against supply chain risks and geopolitical threats, especially from nation-state actors, and analyze ransomware attacks affecting foreign counterparts to improve resilience.

“The energy sector is a complex system undergoing a significant generational shift, heavily reliant on a stable supply chain," said Prasanna Govindankutty, KPMG's principal and cybersecurity leader for the U.S. sector.

He further explained that with rising geopolitical and technology-based threats, the industry is facing a level of risk exposure that could negatively impact both businesses and citizens. Organizations that can quantify these risks and implement mitigation strategies will be better equipped to navigate the energy transition.
Read more »
security measures
breach recovery CrowdStrike CrowdStrike outage Cyber Security IT Security ransomware restoration security measures

Lessons from the CrowdStrike Falcon Sensor Defect: Enhancing Ransomware Recovery and Business Continuity

 


In recent times, a significant IT disruption was caused by a defect in a content update for CrowdStrike’s Falcon sensor, affecting approximately 8.5 million PCs across diverse sectors. This issue, which disrupted organizations ranging from small businesses and global conglomerates to government agencies and hospitals, highlighted severe vulnerabilities in how entities handle large-scale IT failures. The impact was widespread, leading to delayed flights, transaction failures at gas stations and grocery stores, and significant delays in emergency services such as police and fire departments. 

The scale of this disruption serves as a critical reminder of the importance of robust ransomware recovery and business continuity plans (BCPs). Although the immediate cause of the disruption was not a ransomware attack, the parallels between handling this IT issue and responding to ransomware are striking. This event underscores the need for organizations to evaluate and improve their preparedness for various types of cyber threats. One of the key lessons from this incident is the importance of efficient detection. The mean time to detect (MTTD) is a crucial metric that measures how swiftly an organization can identify a security breach. 

The quick identification of the Falcon sensor defect was vital in managing its effects and preventing further damage. Organizations should focus on strengthening their detection systems to ensure they can quickly identify and respond to potential threats. This includes implementing advanced monitoring tools and refining alert mechanisms to reduce response times during a real cyber incident. Recovery and restoration processes are equally critical. After the Falcon sensor issue, organizations had to mobilize their BCPs to recover systems and restore normal operations from backups. This situation emphasizes the need for well-documented, regularly updated, and thoroughly tested recovery plans. 

Businesses must ensure their backup strategies are reliable and that they can quickly restore operations with minimal disruption. Effective recovery plans should include clear procedures for data restoration, system repairs, and communication with stakeholders during a crisis. The incident also highlights the importance of continuous assessment and improvement of an organization’s cybersecurity posture. By analyzing their response to the Falcon sensor defect, organizations can identify gaps in their strategies and address any weaknesses. This involves reviewing incident response plans, updating communication protocols, and enhancing overall resilience to cyber threats. 

Furthermore, the disruption reinforces the need for comprehensive risk management strategies. Organizations should regularly evaluate their exposure to various types of cyber threats, including ransomware, and implement measures to mitigate these risks. This includes investing in cybersecurity training for employees, conducting regular security audits, and staying informed about the latest threat intelligence. 

In conclusion, the CrowdStrike Falcon sensor defect offers valuable lessons for enhancing ransomware recovery and business continuity planning. By learning from this event, organizations can improve their ability to respond to and recover from cyberattacks, ensuring they are better prepared for future threats. Regular updates to BCPs, enhanced detection capabilities, and robust recovery processes are essential for safeguarding against disruptions and maintaining operational resilience in today’s increasingly complex digital landscape.
Read more »
supply chain attacks
cyber resilience Cyber Security Cybersecurity Threats Cyble research dark web breaches IT Security software vulnerabilities supply chain attacks

Cyble Research Reveals Near-Daily Surge in Supply Chain Attacks

 

The prevalence of software supply chain attacks is on the rise, posing significant threats due to the extensive impact and severity of such incidents, according to threat intelligence researchers at Cyble.

Within a six-month span from February to mid-August, Cyble identified 90 claims of supply chain breaches made by cybercriminals on the dark web. This averages nearly one breach every other day. Supply chain attacks are notably more costly and damaging than other types of cyber breaches, making even a small number of these attacks particularly detrimental.

Cyble’s blog highlights that while infiltrations of an IT supplier’s codebase—similar to the SolarWinds incident in 2020 and Kaseya in 2021—are relatively uncommon, the software supply chain’s various components, including code, dependencies, and applications, remain a continuous source of vulnerabilities. These persistent risks leave all organizations exposed to potential cyberattacks.

Even when supply chain breaches do not compromise codebases, they can still result in the exposure of sensitive data, which attackers can exploit to breach other environments through methods such as phishing, spoofing, and credential theft. The interconnected nature of the physical and digital supply chain means that any manufacturer or supplier involved in downstream distribution could be considered a potential cyber risk, according to the researchers.

In their 2024 analysis, Cyble researchers examined the frequency and characteristics of supply chain attacks and explored defenses that can mitigate these risks.

Increasing Frequency of Supply Chain Attacks

Cyble’s dark web monitoring revealed 90 instances of cybercriminals claiming successful supply chain breaches between February and mid-August 2024.

IT service providers were the primary targets, accounting for one-third of these breaches. Technology product companies were also significantly impacted, experiencing 14 breaches. The aerospace and defense, manufacturing, and healthcare sectors followed, each reporting between eight and nine breaches.

Despite the concentration of attacks in certain industries, Cyble’s data shows that 22 out of 25 sectors tracked have experienced supply chain attacks in 2024. The U.S. led in the number of breaches claimed on the dark web, with 31 incidents, followed by the UK with 10, and Germany and Australia with five each. Japan and India each reported four breaches.

Significant Supply Chain Attacks in 2024

Cyble’s blog detailed eight notable attacks, ranging from codebase hijacks affecting over 100,000 sites to disruptions of essential services. Examples include:

  • jQuery Attack: In July, a supply chain attack targeted the JavaScript npm package manager, using trojanized versions of jQuery to exfiltrate sensitive form data from websites. This attack impacted multiple platforms and highlighted the urgent need for developers and website owners to verify package authenticity and monitor code for suspicious modifications.
  • Polyfill Attack: In late June, a fake domain impersonated the Polyfill.js library, injecting malware into over 100,000 websites. This malware redirected users to unauthorized sites, underscoring the security risks associated with external code libraries and the importance of vigilant website security.
  • Programming Language Breach: The threat actor IntelBroker claimed unauthorized access to a node package manager (npm) and GitHub account related to an undisclosed programming language, including private repositories with privileges to push and clone commits.
  • CDK Global Inc. Attack: On June 19, a ransomware attack targeted CDK Global Inc., a provider of software to automotive dealerships, disrupting sales and inventory operations for weeks across North American auto dealers, including major networks like Group1 Automotive Inc. and AutoNation Inc.
  • Access to 400+ Companies: IntelBroker also claimed in June to have access to over 400 companies through a compromised third-party contractor, with data access to platforms like Jira, GitHub, and AWS, potentially affecting large organizations such as Lockheed Martin and Samsung.
Mitigating Supply Chain Risks through Zero Trust and Resilience

To counter supply chain attacks, Cyble researchers recommend adopting zero trust principles, enhancing cyber resilience, and improving code security. Key defenses include:

  1. Network microsegmentation
  2. Strong access controls
  3. Robust user and device identity authentication
  4. Encrypting data both at rest and in transit
  5. Ransomware-resistant backups that are “immutable, air-gapped, and isolated”
  6. Honeypots for early detection of breaches
  7. Secure configuration of API and cloud service connections
  8. Monitoring for unusual activity using tools like SIEM and DLP
  9. Regular audits, vulnerability scanning, and penetration testing are also essential for maintaining these controls.

Enhancing Secure Development and Third-Party Risk Management

Cyble also emphasizes best practices for code security, including developer audits and partner assessments. The use of threat intelligence services like Cyble’s can further aid in evaluating partner and vendor risks.

Cyble’s third-party risk intelligence module assesses partner security across various areas, such as cyber hygiene, dark web exposure, and network vulnerabilities, providing specific recommendations for improvement. Their AI-powered vulnerability scanning also helps organizations identify and prioritize their own web-facing vulnerabilities.

As security becomes a more critical factor in purchasing decisions, vendors will likely need to improve their security controls and documentation to meet these demands, the report concludes.
Read more »
Vulnerability Operations Center
CISO Cyber Security IT Security Operations Vulnerability Operations Center

The Need For A Vulnerability Operations Center (VOC) in Modern Cybersecurity


 

Many organisations tend to focus on immediate threats, prioritising the detection and mitigation of the latest vulnerabilities. However, this approach overlooks a broader issue: many cyberattacks exploit vulnerabilities that have existed for years. In fact, 76% of vulnerabilities targeted by ransomware were identified more than three years ago, highlighting a critical gap in long-term security strategies.

Why VOCs Matter

To effectively address this gap, organisations should adopt a more centralised and automated approach to vulnerability management. This is where a dedicated Vulnerability Operations Center (VOC) comes into play. A VOC serves as a specialised unit, either integrated within or operating alongside a Security Operations Center (SOC), with the primary task of managing security flaws within the IT infrastructure. Unlike a SOC, which focuses on real-time threat alerts and incidents, a VOC zeroes in on vulnerabilities—identifying, prioritising, and mitigating them before they escalate into serious security breaches.

What Is a VOC?

Creating a seamless connection between a SOC and a VOC is crucial for effective cybersecurity. This integration ensures that vulnerability data is quickly and efficiently passed to threat response teams. The process begins with appointing a team to set up the VOC, overseen by the Chief Information Security Officer (CISO) or another senior security leader. Given the scope of this initiative, it should be treated as a major security operations project, with clear roles and responsibilities outlined from the start.

Connecting VOC and SOC

The initial step involves using vulnerability assessment tools to evaluate the organisation’s current security posture. This assessment helps to identify existing vulnerabilities across all assets. The next phase is to aggregate, clean, and organise this data, making it actionable for further use. Once this dataset is established, it is integrated into the SOC’s security information and event management (SIEM) systems, thereby enhancing the SOC’s ability to monitor and respond to threats with greater context and clarity.

Focusing on Risk

An essential component of VOC operations is moving beyond just technical vulnerability assessments to a more risk-based prioritisation approach. This means evaluating vulnerabilities based on their potential impact on the business and addressing the most critical ones first. Automating routine SOC tasks—such as regular vulnerability scans, alert handling, and patch management—also plays a vital role. By implementing automation tools that leverage the VOC’s data, SOC teams can focus on more complex tasks that require human intervention, improving overall efficiency and effectiveness.

Continuous Improvement

Once the VOC is fully operational, the focus should shift to continuous improvement and adaptation. As new vulnerabilities and trends emerge, the SOC must update its monitoring and response strategies to keep pace. Establishing feedback loops between the SOC and VOC ensures that both teams are aligned and responsive to the incessant development of threats.

Building a Strong Policy

Moreover, a strong policy and governance framework is necessary to support the integration of the VOC and SOC. Security teams need to define clear schedules, rules, and Service Level Agreements (SLAs) for addressing vulnerabilities. For example, vulnerabilities like Log4j, which are widely exploited, should trigger immediate notifications to SOC teams to ensure a swift response.

The Future of Security

While setting up a VOC may seem challenging, it is a critical step towards addressing the persistent vulnerability issues. Unlike the current reactive approach, a VOC allows for a more proactive, risk-based management of vulnerabilities across IT and security teams. By moving beyond the outdated, piecemeal strategies of the past, organisations can achieve a higher level of security, protecting their assets from both old and new threats.


Read more »
IT Security
CrowdStrike CrowdStrike outage Cyber Attacks Cyber Security Vendor Digital Disaster Global IT Outage IT Security

Navigating the Impact of Major IT Outages: Lessons from the CrowdStrike Incident

 

On Friday, a critical software update by cybersecurity firm CrowdStrike led to a massive outage, affecting around 8.5 million Windows machines globally. This incident serves as a stark reminder of the importance of preparedness for IT disruptions. Experts from CIO Journal have shared their insights on how organizations can better prepare for similar scenarios in the future. Understanding vendor practices is crucial. 

IT leaders should hold vendors, like CrowdStrike, to high standards regarding development and testing. Neil MacDonald, a Gartner vice president, emphasizes the need for thorough regression testing of all Windows versions before any update is released. IT managers must ensure that vendors are transparent about their software development processes and offer options for phased updates. With automatic software updates becoming standard practice, the CrowdStrike incident highlights the need for caution. Paul Davis from JFrog suggests prioritizing testing for updates based on their potential impact. 

Although testing every update may not be feasible, automation and AI tools can assist in managing this process efficiently. Jack Hidary from SandboxAQ advocates for AI-driven error detection to enhance software reliability. Developing a robust disaster recovery plan is also essential. Gartner’s MacDonald likens a major IT outage to a natural disaster, advising businesses to prepare similar recovery strategies. Establishing a “clean room” environment for restoring critical systems and conducting regular tabletop exercises can help maintain operational resilience. Regular data backups also mitigate the impact of such outages, as noted by Victor Zyamzin from Qrator Labs. Reviewing vendor contracts and insurance coverage is another vital step. Companies should scrutinize their agreements for clauses that ensure vendor reliability and explore compensation options for outages. 

Peter Halprin from Haynes Boone underscores the importance of cyber insurance, which can provide financial protection against business income losses due to IT disruptions. Finally, organizations may need to reassess their reliance on specific platforms. The CrowdStrike update, which primarily affected Windows-based systems, raises questions about whether businesses should consider alternative operating systems like macOS or Linux. As Chirag Mehta of Constellation Research points out, evaluating the necessity of deeper access provided by Windows might lead some to adopt simpler systems like Chromebooks.

The CrowdStrike outage underscores the importance of rigorous testing, effective disaster recovery plans, careful vendor and insurance management, and a thoughtful approach to platform selection. By addressing these areas, businesses can better prepare for future IT challenges and safeguard their operations.
Read more »
IT Security
British Library Cyber Crime Data Breach Financial Exploit IT Security

British Library Braces for £7 Million Cyber Woes

 



The British Library faces a potential £7 million expenditure from a severe cyber attack that disrupted its website and internal WiFi in October. Perpetrated by the Rhysida group, the attackers demanded a £600,000 ransom, leading to the compromise of hundreds of thousands of files, including customer and personnel data, when the library refused to pay. 

Reports suggest the library plans to utilise approximately 40% of its reserves, around £6 to £7 million out of an unallocated £16.4 million, to rebuild its digital services. The final recovery costs are yet to be confirmed, and investigations are underway by the National Cyber Security Centre and cybersecurity specialists. 

In a recent post on social media, the library explained the ongoing challenges caused by the cyber attack. The incident affected the website, online systems, and some on-site services. The attack is confirmed as ransomware, raising concerns about the potential exposure of user data on the dark web. 

Working in conjunction with cybersecurity specialists and collaborating with the Metropolitan Police, the library anticipates a prolonged period for the thorough analysis of the breached data. Despite persistent issues with online systems, the library's physical locations remain accessible. To address user needs, a reference-only version of the primary catalogue is expected to be back online by January 15. 

Acknowledging the sustained patience and support from users and partners, Sir Roly Keating, the Chief Executive of the British Library, expressed gratitude. He highlighted the ongoing efforts to assess the impact of this criminal attack and implement measures for the secure and sustainable restoration of online systems. 

Providing a precise timeline for the restoration process is premature at this stage, but regular updates will be offered as progress is made in this critical endeavour. 

The primary motivation behind cyber attacks is financial gain. This criminal activity, aptly named ransomware, involves using malicious software to disrupt, damage, or gain unauthorised access to computer systems, compelling organisations and businesses to pay a ransom. 

While the Department for Digital, Culture, Media and Sport (DCMS) chose not to comment on the matter, a Government insider confirmed the expectation that the British Library would tap into its reserves for recovery. 

As the British Library deals with the consequences of this cyber attack, the challenges underscore the pervasive threat posed by ransomware, highlighting organisations must work on their resilience of digital fortifications and guard against the risks posed by such malevolent activities.


Read more »
ransom refusal
Cybersecurity Data Breach Data Theft Estes Express Lines FBI Investigation Freight shipping identity monitoring IT Security Personal Data Breach ransom refusal

Estes Declines Ransom Demand Amidst Personal Data Breach and Theft

 

Estes Express Lines, a major private freight shipping company in the United States, has notified over 20,000 customers about a security breach where their personal information was stolen by unknown hackers.

The company revealed that on October 1, 2023, unauthorized individuals gained access to a part of their IT network and deployed ransomware. Despite the standard advice from the FBI and financial regulators, Estes chose not to pay the ransom demanded by the attackers. 

Initially disclosed in early October as a "cyberattack" affecting their IT infrastructure, Estes later announced the full restoration of their system capabilities by October 24 through a video posted by their chief operating officer, Webb Estes.

A group known as Lockbit claimed responsibility for the breach a month later and disclosed that they leaked data taken from the company on November 13. On New Year's Eve, Estes filed a data breach notice with the Maine Attorney General, providing further insights into the digital intrusion, now confirmed to be a ransomware attack.

According to Estes, they are collaborating with the FBI in the investigation. While the forensic analysis confirmed that personal information was stolen, the specifics of the accessed data were not explicitly mentioned in the sample notification letter. 

However, the Maine filing indicated that it involved names or other personal identifiers combined with Social Security numbers, suggesting a broader scope of compromised information.

Estes has not provided immediate responses to inquiries regarding details about the breach, such as the stolen data specifics, the initial network access point for the hackers, the ransom amount demanded, and the rationale behind the decision to refrain from paying the ransom. 

This decision has sparked a contentious debate encompassing practical considerations like effective backups and financial implications, along with broader ethical concerns such as potential support for criminal activities like human trafficking, terrorism, or future cybercrimes through ransom payments.

Both paying and not paying ransoms have proven to be financially burdensome for affected entities. Caesars Entertainment allegedly paid $15 million to a ransomware group to decrypt their data and prevent customer information leakage after a September breach, while MGM Resorts, despite not paying the ransom in a similar attack, suffered losses surpassing $100 million.

While the US government advises against ransom payments, some voices advocate for a complete ban on such extortion payments. Despite the breach, Estes has stated that they are not currently aware of any instances of identity theft, fraud, or financial losses stemming from the incident. Additionally, they plan to offer affected individuals 12 months of free identity monitoring services through Kroll.
Read more »
Sensitive data
Compliance Cyber Essentials scheme Data Breach Data protection Electoral Commission email security government-backed schemes Hackers Information Security IT audit IT Security IT Systems Sensitive data

Electoral Commission Fails Cyber-Security Test Amidst Major Data Breach

 

The Electoral Commission has acknowledged its failure in a fundamental cyber-security assessment, which coincided with a breach by hackers gaining unauthorized access to the organization's systems. 

A whistleblower disclosed that the Commission received an automatic failure during a Cyber Essentials audit. Last month, it was revealed that "hostile actors" had infiltrated the Commission's emails, potentially compromising the data of 40 million voters.

According to a Commission spokesperson, the organization has not yet managed to pass this basic security test. In August of 2021, the election watchdog disclosed that hackers had infiltrated their IT systems, maintaining access to sensitive information until their detection and removal in October 2022. 

The unidentified attackers gained access to Electoral Commission email correspondence and potentially viewed databases containing the names and addresses of 40 million registered voters, including millions not on public registers.

The identity of the intruders and the method of breach have not yet been disclosed. However, it has now been revealed by a whistleblower that in the same month as the intrusion, the Commission received notification from cyber-security auditors that it was not in compliance with the government-backed Cyber Essentials scheme. 

Although participation in Cyber Essentials is voluntary, it is widely adopted by organizations to demonstrate their commitment to security to customers. For organizations bidding on contracts involving sensitive information, the government mandates holding an up-to-date Cyber Essentials certificate. In 2021, the Commission faced multiple deficiencies in their attempts to obtain certification. 

A Commission spokesperson acknowledged these shortcomings but asserted they were unrelated to the cyber-attack affecting email servers.

One of the contributing factors to the failed test was the operation of around 200 staff laptops with outdated and potentially vulnerable software. The Commission was advised to update its Windows 10 Enterprise operating system, which had become outdated for security updates months earlier. 

Auditors also cited the use of old, unsupported iPhones by staff for security updates as a reason for the failure. The National Cyber Security Centre (NCSC), an advocate for the Cyber Essentials scheme, advises all organizations to keep software up to date to prevent exploitation of known vulnerabilities by hackers.

Cyber-security consultant Daniel Card, who has assisted numerous organizations in achieving Cyber Essentials compliance, stated that it is premature to determine whether the identified failures in the audit facilitated the hackers' entry. 

He noted that initial signs suggest the hackers found an alternative method to access the email servers, but there is a possibility that these inadequately secured devices were part of the attack chain.

Regardless of whether these vulnerabilities played a role, Card emphasized that they indicate a broader issue of weak security posture and likely governance failures. The NCSC emphasizes the significance of Cyber Essentials certification, noting that vulnerability to basic attacks can make an organization a target for more sophisticated cyber-criminals.

The UK's Information Commissioner's Office, which holds both Cyber Essentials and Cyber Essentials Plus certifications, stated it is urgently investigating the cyber-attack. When the breach was disclosed, the Electoral Commission mentioned that data from the complete electoral register was largely public. 

However, less than half of the data on the open register, which can be purchased, is publicly available. Therefore, the hackers potentially accessed data of tens of millions who had opted out of the public list.

The Electoral Commission confirmed that it did not apply for Cyber Essentials in 2022 and asserted its commitment to ongoing improvements in cyber-security, drawing on the expertise of the National Cyber Security Centre, as is common practice among public bodies.
Read more »
OpenAI
Artificial Intelligence ChatGPT Cyber Security Cyberattacks CyberCrime IT Security OpenAI

Generative AI: A Catalyst for Enterprise IT & Security Challenges

 


Every day, new applications of artificial intelligence and machine learning are being explored and there is much to learn from them. Information and opinions are pouring out like a firehose, which is both inspiring and terrifying at the same time. 

Generally, AI tools, speaking, are algorithms that generate new content based on input data, such as text, images, audio files, video files, code, and simulations all derived from the input data. Typically, these machines are driven by machine learning models that are trained on large amounts of data to learn patterns and generate outputs that are a close replica of the original data. This gives them the power to revolutionize industries and domains, including entertainment, education, and healthcare, both of which are revolutionizing industries today. 

By using these tools, users can create new and engaging content, enhance existing content, optimize business processes, and solve complicated problems that can otherwise go unsolved. Within the next few months, the company will be able to significantly improve the quality, accuracy, and speed of response. 

A tectonic shift has taken place in technology adoption in the workplace: 

Over the last five years, top-down IT procurement has been usurped by business-led and employee-led IT adoption. This shift has made it difficult for technology governance leaders to keep tabs on what tools are being used, where sensitive data resides, and who (and what) has access to it.

In regards to governing the use and adoption of new cloud and SaaS technologies, IT and security leaders are facing a difficult balancing act when it comes to balancing various objectives. One technology leader put it like this: There's a fear of missing out, and there's also a fear of messing up. 

If you allow too much experimentation in SaaS without safeguards, you could result in increased risk, sprawl, and inefficiency in your organization. Attempting to block unsanctioned SaaS solutions too far will likely stifle an organization's ability to innovate and, possibly, employees will simply work around these controls and processes entirely and do not care about them at all. 

There is a critical time for enterprises' IT leaders, as well as their risk and security teams. In addition to affecting the perception and influence of the functions they perform within their organizations, how they address AI governance will play an important part in determining their continued success.

If they fail to do this, they will have to go hide in a corner and patch vulnerabilities while the business moves on without them, and it could be an unpleasant experience. By mastering it, they will be able to build the foundation for a modern, adaptable solution for IT security and governance that will allow the business to move forward quickly and with a minimum amount of risk. 

Proactively Take Action Detecting and mitigating security risks associated with generative AI is a complex issue that businesses should take a holistic approach to. Among these are the following: 

The key to using these tools effectively is to understand their basics, to understand what they can do, and to understand what they cannot do, and then to make decisions based on your budget and expertise on which tools users will use. 

Staff and stakeholders need to be educated and trained about the benefits and risks of these new technologies, as well as utilizing best practices and standards when it comes to developing, deploying, and managing these systems. 

Initially, making use of small-scale experiments before scaling up to a larger scale, ensuring that the generated outputs are of adequate quality and relevance, as well as checking for any errors or security issues before scaling. 

Testing, monitoring, and improving the security posture of an organization can be done by using tools and techniques. Adhering to legal and ethical guidelines, safeguarding the rights and privacy of other people by verifying and attributing user-generated content, collaborating with experts or peers, and respecting the rights of other people's data. 

For enterprise IT, risk, and security leaders to ensure that they avoid repeating the mistakes they have made in the past when it comes to securing and governing access to the new cloud-based technologies, they need to adopt a novel approach to balancing risks and rewards.
Read more »
Threat Landscape
Business Security Cyber Security Cyber Threats IT Security Online Safety Threat Landscape

How to Keep Up With a Shifting Threat Landscape

 

Cybercrime is a problem that is only escalating and is bad for business, as one might anticipate. Regardless of how you feel about it, it forces your business to take action in order to secure its infrastructure.

Current threat landscape

It's critical to understand the danger landscape in order to understand what you're up against. Studying this offers you a general idea of the kinds of problems you can anticipate seeing, and just like the environment, it is constantly changing—never remaining static for very long. Even the most creative security researchers and the developers backing them up constantly face numerous threats that aim to impede their work. What will you do to safeguard your company from these difficulties? 

We saw hacktivists launch disruptive assaults, steal technological source code, and utilise wiper malware last year, in addition to hacks on vital infrastructure (particularly rail).

A cyberattack that affected the websites and production lines of the Mobarakeh Steel Company (MSC), Khouzestan Steel Company (KSC), and Hormozgan Steel Company (HOSCO) occurred in June and July of 2022. The hacktivist collective Gonjeshke Darandehat, who earlier in the year used wiper malware to damage the Iranian train system, claimed responsibility for the attack. This incident proves that threat actors can attack key infrastructure, regardless of their intentions or affiliations. 

A number of disruptive attacks on businesses in the manufacturing, oil, water, and electric utility sectors occurred between the months of August and September. The fourth-largest U.S. health system with 140 associate hospitals, CommonSpirit Health, was the target of a ransomware attack in October. The attack caused delays in patient operations such as surgery. Moreover, there were numerous cyberattacks across Europe. A ransomware attack at the French hospital Corbeil-Essonnes in December led to a data loss and operational interruption. 

Additionally in November, a cyberattack targeted Continental, a major player in the automobile and rail industries that creates cutting-edge technologies including autonomous brake systems, vehicle monitoring systems, and navigational systems. Prior to the attack, the attackers had already broken into Continental's networks, giving them access to countless technical documents and source code relevant to Continental's cutting-edge technologies. The possibility of attackers gaining access to these technologies' source code is quite concerning. 

Mitigation tips

The most important thing you can do to safeguard your company is to make sure your staff are aware of the threats they pose and their own personal duty to keep your company safe. You should create a thorough cybersecurity training course that is updated on a regular basis, then give it to your workers.

You can give advice on how to make secure passwords, use two-factor authentication, recognise phishing scams, and other topics. People will behave more consciously throughout the day if you instruct them about security. 

Many software components make up your company, so be sure that all of them are updated to prevent the newest attacks from exploiting a flaw. This also applies to browser add-ons. Researchers advise putting a plan in place to periodically assess your IT assets to make sure they are patched, updated, and secured.
Read more »
XDR Tools
AI tools Cyber Security Cyberwarfare IT Security XDR Tools

How ChatGPT May Act as a Copilot for Security Experts

 

Security teams have been left to make assumptions about how generative AI will affect the threat landscape since ChatGPT-4 was released this week. Although it is now widely known that GPT-3 may be used to create malware and ransomware code, GPT-4 is 571X more potent, which could result in a large increase in threats. 

While the long-term effects of generative AI are yet unknown, a new study presented today by cybersecurity company Sophos reveals that GPT-3 can be used by security teams to thwart cyberattacks. 

Younghoo Lee, the principal data scientist for Sophos AI, and other Sophos researchers used the large language models from GPT-3 to create a natural language query interface for looking for malicious activity across the telemetry of the XDR security tool, detecting spam emails, and examining potential covert "living off the land" binary command lines. 

In general, Sophos' research suggests that generative AI has a crucial role to play in processing security events in the SOC, allowing defenders to better manage their workloads and identify threats more quickly. 

Detecting illegal activity 

The statement comes as security teams increasingly struggle to handle the volume of warnings generated by tools throughout the network, with 70% of SOC teams indicating that their work managing IT threat alerts is emotionally affecting their personal lives. 

According to Sean Gallagher, senior threat researcher at Sophos, one of the rising issues within security operation centres is the sheer amount of 'noise' streaming in. Many businesses are dealing with scarce resources, and there are just too many notifications and detections to look through. Using tools like GPT-3, we've demonstrated that it's possible to streamline some labor-intensive proxies and give defenders back vital time. 

Utilising ChatGPT as a cybersecurity co-pilot 

In the study, researchers used a natural language query interface where a security analyst may screen the data gathered by security technologies for harmful activities by typing queries in plain text English. 

For instance, the user may input a command like "show me all processes that were named powershelgl.exe and run by the root user" and produce XDR-SQL queries from them without having to be aware of the underlying database structure. 

This method gives defenders the ability to filter data without the usage of programming languages like SQL and offers a "co-pilot" to ease the effort of manually looking for threat data.

“We are already working on incorporating some of the prototypes into our products, and we’ve made the results of our efforts available on our GitHub for those interested in testing GPT-3 in their own analysis environments,” Gallagher stated. “In the future, we believe that GPT-3 may very well become a standard co-pilot for security experts.” 

It's important to note that researchers also discovered GPT-3 to filter threat data to be significantly more effective than utilising other substitute machine learning models. This would probably be faster with the upcoming version of generative AI given the availability of GPT-4 and its greater processing capabilities. Although these pilots are still in their early stages, Sophos has published the findings of the spam filtering and command line analysis experiments on the SophosAI GitHub website for other businesses to adapt.
Read more »
security goals
Cyber Security Exabeam IT Industry IT Security IT security experts Prevebtion over Detection Research security goals

A Majority of Security Experts Prioritize Prevention Over Detection


As per a recent report finding, a majority of organizations prefer prevention over detection when it comes to safeguarding their systems. However, a large number of businesses are consequently witnessing data breaches and other cyberattacks, with the severity of these incidents worsening day by day. 

In a survey of 500 IT security experts, Exabeam researchers discovered that nearly two-thirds of their respondents (65%) prioritize prevention over detection as their number one endpoint security objective. For the remaining third (33%), detection remained their utmost priority. 

Late to the Party 

To make the situation worse, the businesses actually act on this idea. The majority (59%) allocate the same amount to detection, investigation, and response, while nearly three-quarters (71%) spend between 21% and 50% of their IT security resources on prevention. 

According to Steve Moore, chief security strategist at Exabeam, the issue with this strategy is that the businesses concentrate on prevention while threat actors are already there, rendering their efforts useless. 

“As is well known, the real question is not whether attackers are on the network, but how many there are, how long they have had access and how far they have gone[…]Teams need to raise awareness of this question and treat it as an unwritten expectation to realign their investments and where they need to perform, paying due attention to adversary alignment and response to incidents. Prevention has failed,” says Moore. 

The majority of responders said yes when asked if they are confident, they can prevent attacks. In fact, 97% of respondents indicated they felt confident in the ability of their tools and processes to detect and stop attacks and data breaches. 

Only 62% of respondents agreed when asked if they could easily inform their boss that their networks were not compromised at the time, implying that over a third were still unsure. 

Exabeam explains that security teams are overconfident and have data to support it. The company claims that 83% of organizations experienced more than one data breach last year, citing industry reports. 

Among the many approaches implemented in order to combat security affairs, most organizations appear to be inclined towards the prevention-based strategy. The reason is, it strives to make systems more resistant to attack. Contrary to detection-based security, this approach is more effective in a variety of situations. 

Implementing a preventive approach could aid a company in significantly reducing the risk of falling prey to a potential cyberattack if it applies appropriate security solutions like firewalls and antivirus software and patches detected vulnerabilities.

Read more »
SEC
Cyber Security Cybersecurity Incident IT Security SEC

SEC Amends Cyber Incident Disclosure, Raises Concerns


SEC taking a tough stand on cyber threats 

Due to rise in breaches among its members and on its systems, the Security and Exchange Commission (SEC) is thinking how it can tackle the problem of cyber threats. 

The SEC suggested new amendments in March to supervise how investment firms and public companies under its purview should strengthen their IT security management and incident reporting. 

Throughout the years, SEC's disclosure regime has advanced to highlight evolving risks and investor needs. 

Current Cyber Security Landscape 

Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner, said SEC Chair Gary Gensler.

SEC being rough on incident reporting and identity theft programs

In July, the SEC thrashed JP Morgan & Co, UBS and online stock-trader TradeStation with having deficient customer identity programs, all these programs have violated the Identity Red Flag rules, or regular S-ID between between January 2017 and October 2019. 

Regulation S-ID aims to protect investors from identity threat risks. All the three financial organizations have agreed to: 1.Cease and desist from violations in future, 2. Getting censored, 3. Pay fines of $1.2 Million, $925,000, and $425,000, respectively. 

Besides these commitments, the SEC's proposed amendments will need the financial institutions to provide current report regarding material cybersecurity cases and periodic reporting to give updates about earlier reported cybersecurity incidents. 

The SEC in March issued that:  

“proposed rule defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”  Under the new rule, it considered "information systems" in a broad sense, especially when the financial firm made use of a cloud- or host based systems. 

SEC in the amendment says:

"The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks. The registrant’s board of directors' oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures." 



Read more »
Ransomware
customer privacy Cyber Attacks IT Security Mobile Apps Ransomware

Car Rental Giant Sixt Hit by Cyberattack, Operations Shut Down

Rental car giant Sixt, a company based in Germany announced that it has been hit by a cyberattack that resulted in large-scale inconvenience in Sixt's global operations. In April, the company closed down some parts of its IT infrastructure to restrict a cyberattack. 

Only important systems were operating, like the company website and mobile applications. Sixt said that the disturbance for employees and customers was expected, it believes that the disruption was contained to great extent. 

According to the company, it has offered business continuity to its customers, but the temporary disruptions in customer care centers and few branches can be expected for some time. "As a standard precautionary measure, access to IT systems was immediately restricted and the pre-planned recovery processes were initiated. Many central Sixt systems, in particular, the website and apps were kept up and running," said Sixt in a statement. Sixt did most of the car bookings with pen and paper last week, and systems that were not important have been shut down after the cyberattack. 

Calling customers were provided an automated notification "due to a technical problem, we are currently unavailable." No more details are available as of now, Sixt said that it has launched an inquiry into the issue, however, didn't disclose any information on how the attack happened. Sixt is requesting its customers to be patient until the issue is resolved. No ransomware group has claimed the responsibility for the attack as of now, however, the chances of ransomware are highly likely. 

According to Bleeping Computer, ransomware groups are targeting companies like Sixt because of the upcoming tourism season. Vacations are easy money for car rental companies. Ransomware groups generally operate during high traffic periods to increase the chances of damage to the targets. 

The greater the damage, the easier the ransom payment. Sixt said "impacts on the company, its operations and services have been minimized to provide business continuity for customers. However, temporary disruptions, in particular in customer care centers and selective branches, are likely to occur in the short term."

Read more »
Vulnerabilities and Exploits
Cyber Security News Information Security risk IT Security Vulnerabilities Vulnerabilities and Exploits

About 84% of Russian companies have vulnerable IT system

More than 80% of companies in Russia neglect the basic means of protecting information systems and data, as a result of which 84% of companies have vulnerabilities in their IT systems that can be exploited, including by novice hackers who do not have a high level of programming skills.

According to Ekaterina Kilyusheva, head of the research group of the information security analytics department at Positive Technologies, companies suffer from inexperienced hackers in about 10% of cases.

Based on the testing of 19 large companies from different sectors of the economy, it turned out that in 58% of cases, companies have at least one security breach that can be hacked by publicly available software for hackers.

It is noted that most often in Russian companies, security gaps are associated with the use of outdated software, the vulnerabilities of which are already known.

As noted by ESET security specialist Tony Anscomb, in addition to outdated software, companies often have poorly configured network infrastructure and operating systems, lack of encryption and two-factor authentication, which also increases the likelihood of a system being compromised.

It is noted that the best protected are companies in the financial sector and energy industry, which process large amounts of personal information and where the high dependence of business development on the stability of the IT direction, explained the head of Analytics and special projects InfoWatch Andrey Arsentiev.

Read more »
Telegram
Apple Information Security News IT Security Pavel Durov Technology Technology News Telegram

Pavel Durov called on Apple to oblige to install different application stores


Apple should allow users to install apps not only from its own App Store. This opinion was expressed by the founder of Telegram messenger Pavel Durov. According to him, Tim Cook (CEO of Apple) should be obligated to this at the legislative level.

The day before, high-ranking Telegram Manager, Vice President of the company founded by Pavel Durov, Ilya Perekopsky, spoke at a panel discussion with Russian Prime Minister Mikhail Mishustin and representatives of the IT industry in Innopolis. He said that Apple and Google are holding back the development of startups by charging a tax of a 30 percent Commission from app developers. Almost simultaneously with Perekopsky's speech, Durov published an article in which he called for Apple to be legally obliged to install an alternative App Store on the iPhone.

Durov is sure that if this is not done, then app developers, in particular, from Russia, will be forced to sell their startups for little money. At the same time, Apple's capitalization will only grow.
“Preventing two supranational corporations from collecting taxes from all of humanity is not an easy task. Corporations employ thousands of lobbyists, lawyers, and PR agents, and their budgets are unlimited. At the same time, app developers are scattered and scared, as the fate of their projects depends entirely on the favor of Apple and Google," wrote Pavel Durov.

The head of the TelecomDaily information and analytical agency Denis Kuskov noted that changing the market is quite difficult because these two companies are leading it. Therefore, Durov needs to accept this fact.

Durov recalled that in 2016, Apple banned the Telegram team from launching its own game platform: "We had to remove the telegram games catalog that we had already created and almost the entire platform interface, otherwise Apple threatened to remove Telegram from the AppStore." According to Durov, in a similar way the iPhone manufacturer does with many other developers.
Read more »
IT Security
Coronavirus Cyber Security Information Security News IT Security

Coronavirus will double the number of leaks of personal data of users, says security experts


The coronavirus epidemic around the world has affected not only electronics factories, but many companies are also transferring their employees to remote mode. But, according to experts, such a measure will negatively affect the entire field of data storage. Following a four-fold increase in the number of phishing mailings in Russia, analysts predict a significant increase in the number of leaks of personal user information.

According to experts of the Russian company Internet search, the danger of data being leaked to third parties often comes from the company's own employees. Employees working at home are not monitored by either colleagues or CCTV cameras, and the effectiveness of special software is often not enough to prevent leaks.

"It's scary to imagine that banks or IT giants will be unprepared for a new threat — working from home. All last year we observed how weaknesses in building the information security of the largest companies in the country led to catastrophic leaks of user data and other protected information. Now we ask employees to work from home and give them all the necessary access," said Igor Bederov, head of the company.

The expert noted that employees of various organizations at home are not protected from spam attacks and phishing, as well as from hacking their work computers. According to him, cybercriminals have already flooded the e-mail of many users with messages containing malicious codes.

Earlier, experts warned of a sharp increase in the number of leaks of personal and corporate data due to the mass transition to remote work. According to experts, the number of leaks in the near future may grow at least twice.
Read more »
Russian Cyber Security
Cyber Security News IT Security Russian Cyber Security

The e-voting system in Moscow has passed the first tests


On Thursday, July 11, the first stage of testing the e-voting system was completed, which will be used during the experiment in the elections of deputies of the Moscow City Duma on September 8.

According to Artem Kostyrko, the head of the Information Technologies Department of the capital of the Russian Federation, 178 attempts were made to replace the bulletins.

“Several attempts were recorded to find a link to a unique anonymized bulletin during the test voting. The attacks were professional,” Kostyrko said.

Kostyrko explained that it was not a system failure, but a data output failure. However, it happened 3 hours before the end of the voting. By this time, 75% of all participants voted.

He noted that the system was ready for attacks and they were fixed to be sent to the e-voting monitoring group for study.

Moreover, 1253 students took part in the testing and pointed out the shortcomings. "We conducted the first testing with students for a reason, because they are advanced users of gadgets, they can compare with applications and point out shortcomings," Kostyrko added.

Kostyrko noted that several more public tests are planned. "IT professionals will test e-voting system next week. We will ask hackers to try to hack the system, put a fake voice and so on."

In addition, a hacker who can hack the electronic voting system will be offered a cash prize of 1.5 million rubles (23 800 $). He added, “if hackers manage to hack the system, it doesn't mean it's bad. This means that our colleagues gave us an opportunity that we did not see. And we will say thank you to them!”

Recall that the idea of conducting an experiment with the blockchain elections to the Moscow City Duma at the end of February was proposed by a group of Russian State Duma deputies representing United Russia and the Liberal Democratic Parties. The Russian State Duma supported the proposed bill, and on May 29, Russian President Vladimir Putin signed the relevant law. On September 8, electronic voting will be held in three electoral districts, and voters will be able to decide in what form they will vote in traditional or online.
Read more »
Yandex Security
IT Security Yandex Security

Yandex announced the prevention of a large and very dangerous cyber attack


Greg Abovskii, the operational and financial Director of Yandex, spoke about the prevention of planned and dangerous cyber attacks on the Internet company. According to him, it was planned for a very long time and was very dangerous.

Yandex specialists managed to find and suspend the actions of the attackers, working together with Kaspersky Lab specialists.

Abovskii said, "Only by working together we were able to prevent, identify, isolate a cyber attack."

According to him, it is important for the Department of Information Security that the experts work together, cooperate with each other.

The press service of Yandex reported, "Sometimes these attacks are well-prepared, but we care about the security of user data and use all available tools to protect, including cooperation with specialists. We can’t disclose details of this attack, but we can say that user data were not affected.”

It is worth noting that this week it became known that the Federal Security Service (FSB) demanded encryption keys of services Yandex.Disk and Yandex.Mail. This happened a few months ago, but Yandex still has not fulfilled the requirements of the security forces.

The Russian Deputy Prime Minister Maxim Akimov promised that the Government would protect Yandex from excessive administrative pressure. According to the official, the Government will do everything possible to ensure that Russian companies, which are global leaders in some important areas, are not affected. He noted that Yandex is important not only for the national but also for the global economy.

Yandex.Mail and Yandex.Disk are included in the register of organizers of information distribution. Under the law of the Russian Federation, special services can obtain data to decrypt messages from their users upon request. There are 10 days to fulfill such requirements.

On June 4, the press service of Yandex stated that the company is against the violation of data privacy.

Recall that in 2018, the Court blocked the Telegram Messenger on the territory of Russia for refusing to provide encryption keys to Russian security agencies.
Read more »
Subscribe to: Posts (Atom)