#cybersecurity | #hackerspace | WhiteHat Provides Free Vulnerability Discovery Services to Gov’t Agencies
As part of an effort to help chronically underfunded government agencies combat state-sponsored cyberattacks, WhiteHat Security, a unit of NTT, has decided to offer free of charge two services it provides for discovering vulnerabilities before and after application code is deployed to federal, state and municipal agencies in North America.
Company CEO Craig Hinkley said the decision to make WhiteHat Sentinel Dynamic and Sentinel Source Essentials Edition available for free to government agencies is motivated by civic duty. A native of Australia, Hinkley moved to the U.S. 23 years ago and last year became a U.S. citizen. State-sponsored attacks against election systems are nothing less than an attack on democracy, he said.
State-sponsored cyberattacks against applications and websites are of increasing concern, according to data compiled by the Center for Strategic & International Studies. Recent examples include the theft of login credentials from government agencies in 22 countries across Asia, Europe and North America, and a hacking campaign that knocked more than 2,000 websites offline in Georgia.
At the same time, North Dakota officials this week disclosed cyberattacks aimed at the state government nearly tripled last year. Shawn Riley, North Dakota’s chief information officer and head of the Information Technology department, disclosed there were more than 15 million cyberattacks against the state’s government per month in 2019, a 300% increase year over year.
The Texas Department of Information Resources revealed it has seen as many as 10,000 attempted attacks per minute from Iran over a 48-hour period on state agency networks, while the U.S. Coast Guard (USCG) issued a security bulletin after revealing that one of its bases had been knocked offline last month by a Ryuk ransomware attack. Even small school districts are being impacted by cyberattacks: Richmond, Michigan, a small city near Detroit, recently announced that students would be enjoying a few extra days of holiday break this year while its school system recovered from a ransomware attack.
A recent report published by Emsisoft, a provider of endpoint security software, estimates that attacks against roughly 966 government agencies, educational institutions and healthcare providers created costs in excess of $7.5 billion.
Clearly, a lot of focus on cybersecurity attacks is on state and local governments that are responsible for ensuring the integrity of elections. Just this week, a bipartisan bill was proposed calling for the director of the Cybersecurity and Infrastructure Security Agency to appoint a cybersecurity state coordinator in each U.S. state.
Hinkley said it’s apparent government agencies don’t have the resources required to thwart attacks being launched by states themselves or rogue organized groups acting to advance their interests. By making available cybersecurity vulnerability assessment services for free, WhiteHat Security is moving to help agencies identify vulnerabilities in websites and applications that could be easily exploited, he said.
Making that capability available as a service should make it easier for both application developers and cybersecurity teams to scan for vulnerabilities before and after an application is deployed. It may even help foster the adoption of best DevSecOps practices within government agencies, Hinkley noted.
State-sponsored cybersecurity attacks have become a global issue. Concerns about such attacks have risen sharply as tensions in the Middle East continue to rise. The challenge now is how best to thwart those attacks before they are launched by eliminating as many existing vulnerabilities as possible.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans In his recent CSO Online article, 7 Security Incidents That Cost CISOs Their Jobs, writer Dan Swinhoe looks at some of the most high profile breaches in recent history that resulted in the CISO either leaving or being fired. In the article, Swinhoe quotes Dr. Steve […]
Source: National Cyber Security – Produced By Gregory Evans The debate over who the CISO should report to is a hot topic among security professionals, and that shows no sign of changing soon. That’s because there is still no standard or clear-cut answer. Ask CISOs themselves for their opinion, and you will get a variety […]
#cybersecurity | #hackerspace | 2020 And Beyond: Idaptive’s Predictions and Expectations for the New Decade
The close of a year is a natural time for reflection, and when it also means turning the page on a new decade people are inspired to speculate on what the next ten years might hold. At Idaptive, of course, we’ve always got our minds on what’s new, what’s next, and what nascent idea is going to shake up and redefine our industry.
We expect to see so many of the seeds planted over the past few years sprout and bear fruit in the next decade, and old, antiquated systems finally replaced with more efficient, more secure, and more user-friendly ways of operating. Passwords will finally become as obsolete as CD-ROMs, and artificial intelligence, machine learning, and analytics will blossom to make security more nimble, automated and adaptable.
As we welcome in 2020, Idaptive has identified what we believe will be the primary catalysts for life-changing innovation, laying the groundwork for a period in which we collectively learn to think more holistically about digital identity, and come to understand that unchecked trust has no place in our online security.
Prediction: Identity, analytics, and passwords evolve.
Fittingly, for the year 2020, identity and access management will finally begin to feel as advanced and sophisticated as the sci-fi-worthy date suggests. Increased adoption of tools like on-device biometric authenticators and the FIDO2 standard will fold behavior patterns, contextual data, and even user idiosyncrasies into an enhanced authentication system that will eliminate passwords from applications and endpoints. You will be the key that unlocks your devices and apps, and password sharing, resetting, or hacking will be significantly less of a security threat.
Just as passwords will no longer be the dominant access management tool, so, too, will the IT world move towards reducing and even eliminating the concept of policies that govern identity and access management altogether. They will begin to more broadly leverage AI, machine learning, and contextual data of users, locations, and networks to drive more identity use cases in the next three to five years.
We’ve watched carefully over the past few years as point solution vendors have reached scale and become market leaders, thanks to the increased popularity of the cloud and mobile devices. This year we anticipate a consolidation of these point vendors, products, and technologies in the various sub-market segments of identity and access management to produce the next generation identity platform. At the same time, the next several years will see a wider proliferation of use cases related to identity that leverages blockchain technology such as self-sovereign identity for the purpose of identity verification and management, and for managing credentials, consents, and preferences.
Prediction: Zero Trust and multi-cloud environments become commonplace.
As for what we expect to see ripple across the identity and access management industry in the coming decade, it all comes down to Zero Trust.
We see 2020 as the year when investment in Zero Trust technologies (which has been slowly sown over the past few years) begins to bear real fruit. Conventional security systems like firewalls are disappearing, and more and more organizations are adopting technologies that allow them to access on-premises data center resources like apps, servers, and the cloud anytime, from anywhere.
On-premises user directories will be another technology that will find itself phased out and made obsolete in the new year, as more companies shift to the cloud. Being faster, more efficient, and more agile (not to mention more secure) will kick off a swell of momentum around quantum computing. IBM, Google, D-Wave and even AWS will push each other to bring commercial quantum computing to market, and its impact on cybersecurity will rise in line with that conversation.
As we at Idaptive raise a glass to the new year, we prepare for a decade of massive, impactful change in our industry, in technology, and in our collective understanding of all that cybersecurity is and can be. So cheers, and Happy New Year to you and yours!
Looking for more predictions? Check out the following:
Blog: Five Identity and Access Management Predictions for 2020 and Beyond
20 Predictions for 2020 @IdaptiveHQ on Twitter
Source: National Cyber Security – Produced By Gregory Evans When Ohio Attorney General Mike DeWine was elected as the 70th governor of Ohio in November, 2018, he appointed Ervan Rodgers II as the State’s chief information officer (CIO). Rodgers, who served as CIO at the Ohio Attorney General’s Office for more than four years under […]
via the respected information security capabilities of Robert M. Lee & the superlative illustration talents of Jeff Haas at Little Bobby Comics.
The post Robert M. Lee’s & Jeff Haas’ Little Bobby Comics – ‘Exclusively’ appeared first on Security Boulevard.
#cybersecurity | #hackerspace | NSA: Microsoft Releases Patch to Fix Latest Windows 10 Vulnerability
NSA discloses a Windows security flaw that leaves more than 900 million devices vulnerable to spoofed digital certificates
The National Security Agency (NSA) isn’t exactly known for wanting to share information about vulnerabilities it discovers. In fact, it kept the Microsoft bug known as EternalBlue a secret for at least five years to exploit it as part of its digital espionage. (At least, you know, until it was eventually discovered and released by hackers.)
But maybe they’ve had a change of heart. (If you truly believe that, I have a bridge to sell you.)
The NSA, in an uncharacteristic show of transparency, recently announced a major public key infrastructure (PKI) security issue in Microsoft Windows operating systems that has left more than 900 million PCs and servers worldwide vulnerable to spoofing cyberattacks. This vulnerability is one of many that Microsoft patched as part of its January 2020 security updates. Maybe they didn’t want a repeat of the last incident. Whatever the reason, we’re just glad they decided to disclose the potential exploit.
The risk of this vulnerability boils down to a weakness in the application programming interface of Microsoft’s widely used operating systems. But what exactly is this Windows 10 vulnerability? How does it affect your organization? And what can you do to fix it?
Let’s hash it out.
What’s the Situation with This Windows 10 Vulnerability?
Windows 10 has been having a rough go of things these past several months in terms of vulnerabilities. In the latest Windows 10 vulnerability news, the NSA discovered a vulnerability (CVE-2020-0601) that affects the cryptographic functionality of 32- and 64-bit Windows 10 operating systems and specific versions of Windows Server. Basically, the vulnerability exists within the Windows 10 cryptographic application programming interface — what’s also known as CryptoAPI (or what you may know as the good ol’ Crypt32.dll module) — and affects how it validates elliptic curve cryptography (ECC) certificates.
What it does, in a nutshell, is allow users to create websites and software that masquerade as the “real deals” through the use of spoofed digital certificates. A great example of how it works was created by a security researcher, Saleem Rashid, who tweeted images of NSA.com and Github.com getting “Rickrolled.” Essentially, what he did was cause both the Edge and Chrome browsers to spoof the HTTPS verified websites.
Although humorous, Rashid’s simulated attacks are a great demonstration of how serious the security flaw is. By spoofing a digital certificate to exploit the security flaw in CryptoAPI, anyone can pretend to be anyone — even official authorities.
CryptoAPI is a critical component of Microsoft Windows operating systems. It’s what allows developers to secure their software applications through cryptographic solutions. It’s also what validates the legitimacy of software and secure website connections through the use of X.509 digital certificates (SSL/TLS certificates, code signing certificates, email signing certificates, etc.). So, basically, the vulnerability’s a bug in the OS’s appliance for determining whether software applications and emails are secure, and whether secure website connections are legitimate.
So, what the vulnerability does is allow actors to bypass the trust store by using malicious software that is signed by forged/spoofed ECC certificates (doing so makes it look like it was signed by a trusted organization). This means that users would unknowingly download malicious or compromised software because the digital signature would appear to be from a
This vulnerability can cause other issues as well, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):
“This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”
Does This Mean ECC Is Not Secure?
No. This flaw in no way, shape, or form affects the integrity of ECC certificates. It does, however, cast a negative light on Windows’ cryptographic application programming interface by shining a spotlight on the shortcomings of its validation process.
Let me reiterate: This is a flaw concerning Windows CryptoAPI and does not affect the integrity of the ECC certificates themselves. If you’re one of the few using ECC certificates (you know, since RSA is still more commonly used than ECC), this doesn’t impact the security of your certificates.
The patch from Microsoft addresses the vulnerability to ensure that Windows CryptoAPI fully validates ECC certificates.
What This Windows 10 Vulnerability Means for Your Organization
Basically, this cryptographic validation security flaw impacts both the SSL/TLS communication stream encryption and Windows Authenticode file validation. Malicious actors who decide to exploit the CryptoAPI vulnerability could use it to:
- defeat trusted network connections to carry out man-in-the-middle (MitM) attacks and compromise confidential information;
- deliver malicious executable code;
- cause browsers that rely on CryptoAPI to accept, without warning, maliciously crafted certificates issued for a hostname that did not authorize them; and
- appear as legitimate and trusted entities (through spoofing) to get users to engage with and download malicious content via email and phishing websites.
The NSA press release states:
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”
Steps to Take to Mitigate This Bug
Wondering what you should do to mitigate the threat on your network and devices? The NSA has a few recommendations:
Get to Patchin’ ASAP
The NSA recommends installing a newly-released patch from Microsoft for Windows 10 operating systems and Windows Server (versions 2016 and 2019) as soon as possible on all endpoints and systems. Like, right now. Get to it! As a best practice, you also can turn on automatic updates to ensure that you don’t miss key updates in the future.
According to Microsoft’s Security Update Guide:
“After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected.”
Here at The SSL Store, we’ve already rolled out the patch to ensure that all of our servers and endpoint devices are protected. (Thanks, Ross!) Rolling out these kinds of updates is something you don’t want to wait around to do because it leaves your operating systems — and everything else as a result — vulnerable to spoofing and phishing attacks using spoofed digital certificates.
Prioritize Your Patching Initiatives
But what if you’re a major enterprise that can’t just get it done with a snap of the fingers? (Yeah, we know how you big businesses sometimes like to do things.) In that case, the NSA recommends patching your most critical and most exposed endpoints first: mission-critical systems and infrastructure, internet-facing systems, and networked servers.
Implement Network Prevention and Detection Measures
For those of you who route your traffic through proxy devices, we have some good news. While your endpoints are getting patched, your proxy devices can help you detect and isolate vulnerable endpoints. That’s because you can use TLS inspection proxies to validate SSL/TLS certificates from third parties and determine whether to trust or reject them.
You can also review logs and perform packet analysis to extract additional data and check for malicious or suspicious properties.
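The mitigation steps above come down to two checks a defender can automate: confirm the January 2020 crypt32.dll update is in place, and watch the Application log for the Event ID 1 audit entry that the patched CryptoAPI writes when a CVE-2020-0601 exploitation attempt is detected. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the account running it can read the Application log, and it does not hard-code the fixed crypt32.dll build number, which differs per Windows release and must be compared against Microsoft's update notes.

```powershell
#Requires -Version 5.1
# Added example (not from the original post): CVE-2020-0601 patch and detection checks.
# After the January 2020 update, Windows logs Event ID 1 in the Application log
# whenever an attempt to exploit the flaw is detected; the message contains
# "[CVE-2020-0601] cert validation". Event ID 1 is shared by many providers,
# so the message text is used as the discriminator.

function Get-Cve20200601Event {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Application'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no hits".
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
    $events |
        Where-Object { $_.Message -like '*CVE-2020-0601*' } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                ComputerName = $_.MachineName
                Provider     = $_.ProviderName
                Message      = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

function Get-Crypt32BuildInfo {
    # Reports the crypt32.dll build on this host so it can be compared with the
    # fixed version in Microsoft's January 2020 update notes for this OS release.
    $dll  = Join-Path $env:SystemRoot 'System32\crypt32.dll'
    $item = Get-Item $dll
    [pscustomobject]@{
        Path           = $dll
        FileVersion    = $item.VersionInfo.FileVersion
        ProductVersion = $item.VersionInfo.ProductVersion
        LastWriteUtc   = $item.LastWriteTimeUtc
    }
}

# Usage: show the crypt32 build, then list any exploit-attempt audits from the last day.
Get-Crypt32BuildInfo | Format-List
$hits = @(Get-Cve20200601Event -LookbackHours 24)
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) CVE-2020-0601 audit event(s) found; investigate the process and certificate involved."
    $hits | Format-Table -AutoSize
    exit 2   # non-zero so a scheduled task or SIEM collector can flag the host
} else {
    Write-Output 'No CVE-2020-0601 audit events in the lookback window.'
}
```

An absence of audit events is only meaningful on a host where the update is already installed, since an unpatched CryptoAPI writes no such entry.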
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/nsa-microsoft-releases-patch-to-fix-latest-windows-10-vulnerability/
Source: National Cyber Security – Produced By Gregory Evans Google Cloud Identity is free to some extent, but if interested in the broader features of Google Cloud Identity, it can be quite expensive over time. The post Google Cloud Identity Pricing appeared first on JumpCloud. *** This is a Security Bloggers Network syndicated blog from […]
Source: National Cyber Security – Produced By Gregory Evans When Clop was discovered by Jakub Kroustek in February 2019, all indicators showed that it was a new CryptoMix with the .CLOP, or in some circumstances .CIOP, extension tagged onto encrypted files. Since this discovery, the ransomware operators behind Clop have steadily been developing it to […]
In the age of GDPR and CCPA, there seems to be more conjecture about compliance and personal privacy than there is about the weather. It’s understandable, as predicting the conditions outside seems a lot easier than devising and implementing an effective data protection strategy.
With headlines about data breaches being far too frequent and substantial fines for non-compliance becoming a growing reality, pleading naivety to the issues and impacts is neither sympathetic nor sufficient for organizations of any size or type. The good news is there are a number of tools and solutions available that can automatically detect risks and protect personal data while reducing exposure to legal and financial risks.
Begin With People, Not Technology
But before jumping into any technology solutions, it’s imperative to start with an understanding of how it will impact all organizational stakeholders. Start by circling the wagons and enlisting the cooperation and insights of your business leaders as well as legal and compliance teams. Too often, chief information security officers (CISOs) face growing compliance challenges due to a lack of cohesive efforts across their companies. Resistance from employees is a tough hurdle to clear, especially if they believe that complying with new security policies will make their jobs more difficult.
C-level buy-in is a prerequisite to successful policy implementation. Unless these important influencers see and feel the element of risk, it’s going to be difficult to implement any sort of program. Consider a two-phase approach as a best-practices tactic. Start by identifying the lowest-hanging fruit and implement something that is relatively easy for everybody in the organization to leverage and get behind.
Making changes where they are easiest to leverage is a good way to build confidence and momentum. Even if this reduces only 15% of your risk, you’re on the road—so stay focused on achieving steady, incremental progress. At times, the process can be daunting, at least at first, but don’t be sidetracked by analysis paralysis. Instead, continue holding meetings on what will be implemented next and move forward.
Putting the Proper Rules in Place
Rolling out plans and policies to employees requires a foundation of proper rules to guide the entire process. While a mandatory compliance course is an admirable start, it’s important not to overwhelm employees out of the gate. However, believing that a 20-minute session provides sufficient preparation is shortsighted. Instead, it’s highly recommended to implement a policy that includes catching and educating employees whenever inappropriate or risky activity is detected.
It’s crucial for everyone to understand—and embrace—the big picture. Rules and policies regarding compliance and personal privacy are not meant to restrict personal productivity. Instead, they aim to protect employees, the business and customers. In short, it’s crucial to drive home the credo that the company cares about its employees and customers and doesn’t want to put anyone at undue risk. The best and most effective way for everyone to participate is to know the rules.
Think about this in the context that typical office workers send approximately 40 work-related emails and receive about 90 each day, according to TechJury. Therefore, a company with 1,000 employees is dealing with 40,000 to 90,000 emails every day, many containing potentially private personal data. Bring the 80/20 Rule into play here: If 80% of the potential data risks are caused by 20% of the behavior, putting policies in place to safeguard personal data as it’s created in emails and files can deliver immediate and significant risk reductions.
Create a Technology Tool Framework
Once everyone knows and understands the rules, it will be easier to construct a technology framework of tools to help detect and mitigate risk. Balance is optimum, so avoid locking down too much data, as the result will stifle employees’ and customers’ ability to transact business. To minimize risk while maximizing reward, it’s important to select technologies and tools that balance the need to protect information with the ability to achieve widespread adoption.
Favor a crawl-walk-run approach, as it is not necessary to roll out the entire strategy on day one. Instead, identify the riskiest endpoints and focus initial efforts there. Then don’t be afraid to rely on test cases along the way. Tweak the process to align with how the organization functions and employees work. Going with solutions that have AI and machine learning capabilities can assist in training the solution to provide the best and most flexible fit while automating some processes to reduce the burden on employees.
Once up and running, continue the gradual rollout: “Walk” with a small group before you “run” with the entire organization. Remember, this is not a set-it-and-forget-it situation; expect to revisit and tweak policies and settings on a regular basis.
Think of your data protection solution as an engine. Once it’s in place, occasional tuning is required to maintain exceptional performance. It’s also important to choose an engine that permits interoperability with other solutions that may be worth adding and leveraging as business and company conditions, as well as regulations, emerge and evolve.
There’s No End and No ‘Compliance’ Button
A comprehensive and compliant data protection strategy is as necessary to businesses today as having a website. In measuring up to regulations such as GDPR and CCPA, as well as others, regulators aren’t expecting everything will be immediately perfect, but be assured they will be judging circumstances according to demonstrative and definitive steps taken. So get moving and keep moving—there’s no end and no easy button. Privacy and security are everybody’s business and everybody’s concern.
The post #cybersecurity | #hackerspace | Compliance and Privacy in the GDPR Era appeared first on National Cyber Security.