#cybersecurity | #hackerspace | Secure Developer Workstations Without Slowing Them Down

Source: National Cyber Security – Produced By Gregory Evans

Fueled by automation, the adoption of DevOps processes and more, the role of the developer has become increasingly important and widespread for enterprises going through digital transformation. Developers need access to privileged credentials in order to access key developer tools such as Kubernetes or the Jenkins admin console. These credentials can be saved locally, making developers’ workstations — whether they are Macs or PCs — high-value targets for hackers.

These workstations are often vulnerable to something as simple as a phishing email, which attackers can use as an entry point to get access to the developer’s credentials. Because of these vulnerabilities, developers’ workstations are extremely important to secure. However, developers are famous for prizing speed above all else — and seeing security as little more than a speed bump. So how do you ensure that developers take security seriously?

Securing privileged access through the principle of least privilege needs to be a top security priority. It is no secret that no one should have full-time admin rights. But what does that mean for developers?

Security teams face a difficult dilemma. They need to better secure developer workstations while still providing them the elevated permissions and privileges—and freedom—they need to get their job done. And they need to do all that without impacting velocity.

I recently encountered this comment on the Stack Overflow forum:

 “There is almost no legitimate operational reason for restricting admin access to local PCs for staff that need it to do their job.”

Is that true?

Developers, DevOps and other engineers all perform administrative tasks as part of their job responsibilities, so they also have “full control” of their environment. Furthermore, because of the work developers do, there are extra challenges involved in hardening and restraining their workstations regardless of whether they are using Windows or macOS.

Developers install and uninstall software, drivers and system updates. They change operating system internals and use debugging programs on a regular basis. Without full control, developers often can’t do their jobs.

However, developers have access to source code, API keys and other shared secrets – usually more access than the standard user. Compromising a developer is a quick way for attackers to gain immediate elevated access to the most essential, mission-critical information an organization has. Consequently, developers have the kind of access that attackers want, which makes them the type of user who needs the highest levels of protection – whether they like it or not.

Want to take over a company or cause reputational damage quickly? Compromise a developer endpoint.

There are even specific types of attacks designed to target developers. One is the “watering hole” attack, in which attackers compromise common, popular developer web sites known to be good places to share code and get help troubleshooting programming issues. For example, four of the largest software developer companies in the world were compromised during a single cyber attack campaign that placed a zero-day Java exploit on an iOS developer web site.

Rights and Responsibilities

One way to deal with developers’ requests for full admin rights would be to provide them with virtual machines dedicated to programming, which could be perfectly patched and thoroughly hardened. This is doable with the right amount of monitoring and alerting, antimalware and IPS.

However, a workaround like this has a huge management overhead. It requires more budget, additional machines and another user to manage those machines. It’s not a comfortable situation for the IT team or the developer – and let’s not forget the cost of such a solution.

Additionally, while using their development tools, developers consume a lot of computer resources (e.g. generating millions of temporary files during code compilation). This leaves the security team with the job of ensuring that no significant performance impact occurs while implementing endpoint security products – not an easy task.

Conventional attempts to counter this typically require system administrators or security staff to perform manual inspections and craft security policies in response. As application complexity and development velocity increase, it becomes impractical to determine least privilege ahead of time manually. Furthermore, a central policy gatekeeper won’t scale efficiently and is likely to negatively impact delivery velocity.

Cutting the Gordian Knot

There has to be a better way to balance the needs of the developer with security concerns. Organizations need to be able to remove administrative privileges from developers without preventing them from doing their jobs, reducing velocity or overburdening security teams.

CyberArk Endpoint Privilege Manager can overcome these obstacles, allowing organizations to remove privileged credential rights on Windows workstations, servers and macOS. It provides privileged access management (PAM), allowing enterprises to easily remove local admin users – including developers. For instance, CyberArk Endpoint Privilege Manager can elevate specific applications used by the developer on a day-to-day basis or provide just-in-time user elevation for a specified time while recording and logging all user activity.

In addition, since developers may save credentials to their development environments, Endpoint Privilege Manager protects those repositories from credential theft while allowing trusted applications to use the credential stores.

Another key feature for the developer use case is the set of out-of-the-box predefined policies for different developer tools like Visual Studio, Eclipse, Git and others.

Final Thought – The Developer Resistance

Each new security-driven restriction impacts developer productivity throughout the entire software development process. Consequently, developers may fight the rules and restrictions necessary to maintain a strong security posture. What makes Endpoint Privilege Manager any different?

Endpoint Privilege Manager minimizes interference in the developer workflow. Developers – and other users – don’t need to go through the extra step of involving an administrator when they need access to certain applications. For a predefined, approved set of applications, users can seamlessly gain access through an automated process.

Furthermore, Endpoint Privilege Manager allows users to elevate privileges to access these approved applications while continuing to access other, unapproved applications as non-privileged users. This means that developers can continue to access the majority of the applications they use on a daily basis without having to slow down – without losing out on the benefits of application security.

Developers are like builders constructing a house on an empty lot. They need to be armed with the best tools to do their best work. If you give them old equipment, they will spend more time working around it than actually building. Endpoint Privilege Manager lets developers do what they do best – without interrupting their workflow with compliance and security requirements – so that they can write code faster.

Developers don’t need to be the last holdout for administrator rights within an organization. Learn how this is possible today.

The post Secure Developer Workstations Without Slowing Them Down appeared first on CyberArk.

*** This is a Security Bloggers Network syndicated blog from CyberArk authored by Vadim Sedletsky. Read the original post at: https://www.cyberark.com/blog/secure-developer-workstations-without-slowing-them-down/

The post #cybersecurity | #hackerspace | Secure Developer Workstations Without Slowing Them Down appeared first on National Cyber Security.

#cyberfraud | #cybercriminals | FBI gives tips on how to keep your information secure

Source: National Cyber Security – Produced By Gregory Evans

JACKSON, Tenn.– Internet-enabled theft, fraud and exploitation were responsible for $2.7 billion in losses in 2018. The victim could be anyone who uses a connected device, including you.

The Federal Bureau of Investigation says its Internet Crime Complaint Center took in an average of 900 complaints every day last year, ranging from non-payment scams to pyramid schemes.

Jeremy Baker is one of the people investigating these crimes. To prevent them, he has some tips you can do right at home.

“Just like your personal hygiene, you want to shower every day, you want to bathe, want to smell good, your cyber hygiene is the same thing. Just be in good shape,” Assistant Special Agent-in-Charge Jeremy Baker told WBBJ 7 Eyewitness News.

The first thing he said was to have multi-layer authentication.

“If you log into your email and give your username and password, it won’t let you in just yet. It’ll do at least one other step like text you a code or email a different account a code and you put that in and go in,” he said.

To set that up, go to your email account, click security, and turn on the two-step verification.

Also, check your passwords.

“Think about somebody sitting in their mother’s basement all day trying to guess what your password is. Make it hard for that person to do it,” Baker said.

He said the passwords should be long and unpredictable.

“So, if I’m a Green Bay Packers fan, I shouldn’t make it ‘Green Bay Packers Fan,’” Baker said.

And if you post about the Packers all over social media, hackers might be able to use that.

“I’ve actually seen some huge cases where some industrious and creative criminals tracked executives on social media,” he said. “That is exactly how they got millions of dollars out of these large companies. Because they knew exactly what to say and when to say it and when to hit, based on the executive’s availability or lack-of availability.”

Keeping that safe is as easy as changing the privacy setting on social media from public to private.

But, most importantly, trust your gut. If you see a website or email that doesn’t look secure, don’t click or open it.

“Because those are actually the two biggest things we still see, even as complicated as technology gets, it’s usually caused by people opening or clicking things they shouldn’t,” Baker said.

And, the FBI says give the computer a break and turn it off. If the computer isn’t on, hackers can’t get into it.

“Make it hard for the bad guys to make you a victim,” he said.

Baker also offers a few other tips:

Use different computers for internet use and private use.

Install and keep up with anti-virus protection and software.

Keep your computer, tablet and phones up-to-date with the latest software, as the makers are constantly researching and updating.

And, back up your data.

The post #cyberfraud | #cybercriminals | FBI gives tips on how to keep your information secure appeared first on National Cyber Security.

A #15-year-old #hacked the #secure Ledger #crypto #wallet

A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a “supply chain attack” – meaning a hack that could compromise the device before it was shipped to the customer – and another attack that could allow a hacker to steal private keys after the device was initialized.

Rashid is not affiliated directly with any Ledger competitors although there was some suggestion that he did some work on Trezor and other competing hardware wallets. His response:

International Workshop on Secure Software Engineering in DevOps and Agile Development (SecSE)

General Cybersecurity Conference

 May 25, 2018 | Porto, Portugal

Cybersecurity Conference Description

Software security is about protecting information and ensuring that systems continue to function correctly even when under malicious attack. The traditional approach of securing a system has been to create defensive walls such as intrusion detection systems and firewalls around it, but there are always cracks in these walls, and thus such measures are no longer sufficient by themselves. We need to be able to build better, more robust and more “inherently secure” systems, and we should strive to achieve these qualities in all software systems, not just in the ones that “obviously” need special protection.

This workshop will focus on techniques, experiences and lessons learned for engineering secure and dependable software using the DevOps paradigm, as well as other forms of agile development.

The post International Workshop on Secure Software Engineering in DevOps and Agile Development (SecSE) appeared first on National Cyber Security Ventures.

Cyber Secure Nigeria

Source: National Cyber Security News

General Cybersecurity Conference

 May 9 – 10, 2018 | Lagos, Nigeria

Cybersecurity Conference Description 

Cyber Secure Nigeria 2018 will focus on the ‘core’ aspects of cyber security. We are currently calling for papers from prospective speakers. The Call for Papers invites submissions that will increase understanding of the most critical cyber security issues in our digitally connected world.

Russian group #hacked German #government’s secure #computer #networks

Source: National Cyber Security News

A Russian-backed hacker group known for many high-level cyber attacks was able to infiltrate the German government’s secure computer networks, the dpa news agency reported Wednesday.

Dpa cited unidentified security sources saying the group APT28 hacked into Germany’s foreign and defence ministries and managed to steal data.

The attack was noticed in December and may have lasted a year, dpa reported.

The Interior Ministry said in a statement that “within the federal administration the attack was isolated and brought under control.” The ministry said it was investigating.

A spokesman wouldn’t give further details, citing the ongoing analysis and security measures being taken.

“This case is being worked on with the highest priority and considerable resources,” the ministry statement said.

APT28, which has been linked to Russian military intelligence, has previously been identified as the likely source of an attack on the German Parliament in 2015, as well as on NATO and governments in eastern Europe.

Also known by other names including “Fancy Bear,” APT28 has also been blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets.

(ISC)² Secure Summit Phoenix

Source: National Cyber Security – Produced By Gregory Evans

General Cybersecurity Conference

 March 9, 2018 | Phoenix, Arizona, United States

Cybersecurity Conference Description

It’s the same old story. Ransomware and phishing still dominate the headlines. Why are these tactics so successful? Why are organizations still falling victim to the same old tricks?

The post (ISC)² Secure Summit Phoenix appeared first on National Cyber Security Ventures.

Smart #cars need #smart and #secure #IT/OT #Infrastructures

Source: National Cyber Security – Produced By Gregory Evans

IT can fail. It often does. We restart IT, and life goes on. Hackers can also compromise these same IT systems creating disruptions and causing theft of credentials. All manners of serious consequences result from these compromises.

When Operations Technology (OT) fails, the consequence is of a different nature – arguably far more significant and far more serious. Decades of safety systems developed to keep OT from failing work – most of the time. That’s the good news. The bad news is that these OT systems and their parallel safety systems were not designed to stop the present threat of hackers whose intent would be to make them fail in catastrophic ways – including, as task one, turning off the safety systems.

A state of geopolitical competition

Consider also that we are now in the time of cyber as a tool of geopolitical competition. That is a nice way to say “nation-state” attacks – the same thing. It is time to consider, with utmost urgency, the cyber protections needed for the installed base (legacy) of OT systems and the future base of innovations that will surely bring more of this kind of automation into our daily lives. The installed base of OT is a much longer topic – for another time. The future base of OT is the topic of this piece.

About smart cars

Smart cars make sense when we also consider smart roads and a smart IT/OT infrastructure. We are at the start of the age of smart transportation, roads filled with sensors to interact with autonomous cars in ways to control flow and enhance safety. Smart cars and smart roads go together. They connect by means of a computer network.

For smart transportation to succeed, it will need all three parts: autonomous capabilities in cars + smart roads + an IT infrastructure that connects them together. Together, they combine to make smart transportation. That is the future. 2018 will serve as the year where this future accelerates.

We should make them secure from the start – all parts. Consider this scenario. Someone hacks a car. It makes the news. The impact was – a hacked car and possibly a traffic accident. The sale of cars vulnerable to these hacks is undiminished. We’ve seen this scenario already. But accidents happen all the time. Now consider if it were the “smart road” that is hacked, and the hacker navigates up the network into the applications and the databases. This can’t happen – right? For those who make their living doing ethical hacking, the question is typically, how much time do I have?

OT failure paired with malicious intent

Coupled with other malicious intentions in this geopolitically motivated time we are in, the scenario just described takes on far more significant importance. We don’t have to think too hard to know what can happen when OT fails.

The failures of the Deepwater Horizon oil spill into the Gulf in 2010 did incalculable damage. It is a manifestation of this OT failure in an extreme case where the combination of failed processes, sensors plus human error created this perfect storm. It is prudent to ask the question, can these kinds of events be intentionally perpetrated by human actors working to hack the system, allowing them to learn enough of the control processes to orchestrate this kind of catastrophic failure? In the year just starting and the years to come, we are likely to find that the answer is the same – how much time do I have?

What do we do? We start to recognize these very possible issues and become skilled in cybersecurity for both IT and OT systems, for smart transportation and all the other OT industries. That is the start – with urgency.

The post Smart #cars need #smart and #secure #IT/OT #Infrastructures appeared first on National Cyber Security Ventures.

Cybersecurity #Tips to Help #Retailers and #Consumers Stay #Secure During the #Holiday Season

Source: National Cyber Security – Produced By Gregory Evans

It’s time to take advantage of all those holiday specials and spend all your hard-earned bitcoin — er, I mean money — buying gifts for friends, family and, of course, yourself. Many retailers, large and small, online and brick-and-mortar, run holiday promotions as early as September. Gone are the days of waiting until Black Friday or Cyber Monday to take advantage of sales and specials.

The bad guys will be shopping, too — just not for the same items you are. Instead, they will be shopping for your wallet.

It’s true that some cyber Grinches ramp up their malicious activities during the holiday season, perhaps in the form of holiday-specific spam, spear phishing or compromised sites. While increased vigilance is encouraged during this time, there are a number of cybersecurity tips and best practices consumers and retailers should follow throughout the year to help mitigate threats. Having the right controls and awareness in place before the holidays can go a long way during the busy shopping season.

For Retailers: Vigilance Encouraged Throughout the Year

Black Friday and Cyber Monday are heavy shopping days and are likely to remain so for the foreseeable future. However, IBM X-Force research conducted over the past few years revealed that there was no significant uptick in network attacks targeting X-Force-monitored retailers during the traditional holiday shopping period in late November. In fact, last year, the volume of attacks for those two days fell below the daily attack average for retailers.

However, now that the shopping extravaganza lasts for two or more months, it’s possible that this four-day window is too short of a time period to identify notable network attack trends.

So far in 2017, network attacks targeting retail networks were highest in Q2, with June being the most-targeted month. Attacks dropped notably beginning in August and have been steadily declining, with the volume of attacks monitored for October below the monthly average for the year.

Time to celebrate? Not necessarily. In 2016, we observed a notable surge in the volume of attacks targeting retailers in mid to late December. Additionally, malware compromises occurring earlier in the year that have gone undetected can wreak havoc once the busy season commences. In December 2016, a security researcher discovered that nearly 7,000 online stores running Magento shopping cart software were infected with data-stealing skimmer malware capable of logging credit cards and passwords and making them available to attackers as image files for exfiltration.

Furthermore, bad actors do not have to steal anything to wreak havoc on the retail industry. A distributed denial-of-service (DDoS) attack is enough to cost the sector millions. In fact, the average cost of a DDoS attack for organizations across all industries rose to over $2.5 million in 2016.

Retailers are encouraged to monitor their networks with increased vigilance during this holiday season. Vulnerable point-of-sale (POS) systems, compromised websites, and targeted spam and phishing campaigns can be costly.

To help keep your security posture strong over this holiday shopping season and all year long, review and implement the recommendations outlined in the IBM report, “Security Trends in the Retail Industry.”

For Consumers: What Cybersecurity Tips Are Missing From Your Repertoire?

Many online consumers have improved their security awareness as media coverage and education opportunities have increased. However, below are a few cybersecurity tips that many consumers likely haven’t thought of.

Assess Convenience Versus Risk

Our digital interactions leave data trails. Finding the right balance between personalization and privacy is the consumer’s responsibility, not just the retailer’s. Many sites have the option to save your card data for future use. While this feature offers convenience to the consumer, the stored data can be stolen via SQL injection attacks or other database compromises — after all, there are billions of leaked records due to misconfigured servers. Always look for the green lock icon in the browser address bar to ensure a secure connection to websites.

Be Wary of Unsuspicious Emails

Criminals have gotten really good at devising phishing lures that are extremely difficult to recognize as fraudulent. Receive an attachment from someone that appears to be in your contact list? Call them to confirm. Order something online? Before clicking the “track package” link in the confirmation email, ensure that it is actually an item you purchased from the correct vendor.

Use Passphrases and Multifactor Authentication

Exercise strong password hygiene by choosing to use a long, easy-to-remember passphrase, such as “ipreferpassphrasesoverpasswords,” instead of complex passwords containing a combination of letters, numbers and special characters. Unfortunately, this is not always an option since many websites now require a password that contains this combination. Use different passphrases for each site. If this seems too daunting, use a password manager. Rather than managing dozens of passphrases on your own, you’ll just have to remember the one key to your digital vault.

Always opt for multifactor authentication when available, and figure out which option is the most secure when choosing a real-time short message service (SMS) text message, an email message or an automated phone call.

Get Creative With Security Questions

When setting up new accounts, opt for security and password reset questions that aren’t public to make it harder for fraudsters to get their hands on your information. For example, don’t use your mother’s maiden name, which could be easily found online. Even answers to opinion-based questions, such as favorite movie, food, etc., can be found on social media. For increased security, lie about your answers or use passphrases as the answers.

Skimmers Abound

By now, you have most likely heard of skimmers being placed on the card readers at gas stations and bank ATMs. A skimmer is a hidden device placed inside the mouth of a payment card reader that is designed to copy your card data for criminals to use later. But what about in-store POS systems? Be on the lookout for suspicious-looking card swiping terminals that could be skimmers, or cash register attendants who seem to swipe your card on two different readers. Maintain this vigilance not only during the holiday season, but all the time, especially if you travel to other countries.

Know Your Card Security Features

Banks and credit card companies have implemented some great security features, such as being able to set limits on the number of times the card can be used within an hour or on the amount that can be spent on one purchase. However, if you’re unaware of these limits for your personal accounts or your phone number is not up to date in your bank profile, you may end up with a declined card.

Cover Your Card

Is the person in line behind you taking a selfie, or is he or she taking a picture of your card as you make a purchase? By obtaining the credit card number, name, expiration date and the card security code or card verification value on the back, an attacker may be able to use the information to make online purchases.

Keep Your Guard Up Year-Round

The holiday season is a great time to take stock of the past year while relaxing and spending time with loved ones, but it’s no time to let your guard down, especially given the increasing sophistication of cybercriminal tactics targeting holiday shoppers and sellers alike. We encourage retailers and consumers to follow best practices not only this holiday season, but also all year long to help mitigate attacks and compromise.

The post Cybersecurity #Tips to Help #Retailers and #Consumers Stay #Secure During the #Holiday Season appeared first on National Cyber Security Ventures.

15 Tips to Staying Secure While Staying Connected

Source: National Cyber Security – Produced By Gregory Evans

National Cybersecurity Awareness Month brings to light what you already know – cruising the internet can be harmful if you don’t follow best security practices. The good news is you don’t need to be a cybersecurity pro to employ smart online safety habits that can go a long way…

The post 15 Tips to Staying Secure While Staying Connected appeared first on National Cyber Security Ventures.
