- What do you do in the area of X
- Tell me about X
- Show me the policies and procedures relating to X
- Show me the documentation arising from or relating to X
- Show me the X system from the perspectives of a user, manager and administrator
- Who are the users, managers and admins for X
- Who else can access or interact or change X
- Who supports X and how good are they
- Show me what happens if X
- What might happen if X
- What else might cause X
- Who might benefit or be harmed if X
- What else might happen, or has ever happened, after X
- Show me how X works
- Show me what’s broken with X
- Show me how to break X
- What stops X from breaking
- Explain the controls relating to X
- What are the most important controls relating to X, and why is that
- Talk me through your training in X
- Does X matter
- In the grand scheme of things, is X important relative to, say, Y and Z
- Is X an issue for the business, or could it be
- Could X become an issue for the business if Y
- Under what circumstances might X be a major problem
- When might X be most problematic, and why
- How big is X - how wide, how heavy, how numerous, how often ...
- Is X right, in your opinion
- Is X sufficient and appropriate, in your opinion
- What else can you tell me about X
- Talk me through X
- Pretend I am clueless: how would you explain X
- What causes X
- What are the drivers for X
- What are the objectives and constraints relating to X
- What are the obligations, requirements and goals for X
- What should or must X not do
- What has X achieved to date
- What could or should X have achieved to date
- What led to the situation involving X
- What’s the best/worst thing about X
- What’s the most/least successful or effective thing within, about or without X
- Walk or talk me through the information/business risks relating to X
- What are X’s strengths and weaknesses, opportunities and threats
- What are the most concerning vulnerabilities in X
- Who or what might threaten X
- How many changes have been made in X
- Why and how is X changed
- What is the most important thing about X
- What is the most valuable information in X
- What is the most voluminous information in X
- How accurate is X …
- How complete is X …
- How up-to-date is X …
- … and how do you know that (show me)
- Under exceptional or emergency conditions, what are the workarounds for X
- Over the past X months/years, how many Ys have happened … how and why
- If X was compromised in some way, or failed, or didn’t perform as expected etc., what would/might happen
- Who might benefit from or be harmed by X
- What has happened in the past when X failed, or didn’t perform as expected etc.
- Why hasn’t X been addressed already
- Why didn’t previous efforts fix X
- Why does X keep coming up
- What might be done to improve X
- What have you personally tried to address X
- What about your team, department or business unit: what have they done about X
- If you were the Chief Exec, Managing Director or god, what would you do about X
- Have there been any incidents caused by or involving X and how serious were they
- What was done in response – what changed and why
- Who was involved in the incidents
- Who knew about the incidents
- How would we cope without X
- If X was to be replaced, what would be on your wishlist for the replacement
- Who designed/built/tested/approved/owns X
- What is X made of: what are the components, platforms, prerequisites etc.
- What versions of X are in use
- Show me the configuration parameters for X
- Show me the logs, alarms and alerts for X
- What does X depend on
- What depends on X
- If X was preceded by W or followed by Y, what would happen to Z
- Who told you to do ... and why do you think they did that
- How could X be done more efficiently/effectively
- What would be the likely or possible consequences of X
- What would happen if X wasn’t done at all, or not properly
- Can I have a read-only account on system X to conduct some enquiries
- Can I have a full-access account on test system X to do some audit tests
- Can I see your test plans, cases, data and results
- Can someone please restore the X backup from last Tuesday
- Please retrieve tape X from the store, show me the label and lend me a test system on which I can explore the data content
- If X was so inclined, how could he/she cause chaos, or benefit from his/her access, or commit fraud/theft, or otherwise exploit things
- If someone was utterly determined to exploit, compromise or harm X, highly capable and well resourced, what might happen, and how might we prevent them succeeding
- If someone did exploit X, how might they cover their tracks and hide their shenanigans
- If X had been exploited, how would we find out about it
- How can you prove to me that X is working properly
- Would you say X is top quality or perfect, and if not why not
- What else is relevant to X
- What has happened recently in X
- What else is going on now in X
- What are you thinking about or planning for the mid to long term in relation to X
- How could X be linked or integrated with other things
- Are there any other business processes, links, network connections, data sources etc. relating to X
- Who else should I contact about X
- Who else ought to know about the issues with X
- A moment ago you/someone else told me about X: so what about Y
- I heard a rumour that Y might be a concern: what can you tell me about Y
- If you were me, what aspects of X would concern you the most
- If you were me, what else would you ask, explore or conclude about X
- What is odd or stands out about X
- Is X good practice
- What is it about X that makes you most uncomfortable
- What is it about this audit that makes you most uncomfortable
- What is it about me that makes you most uncomfortable
- What is it about this situation that makes you most uncomfortable
- What is it about you that makes me most uncomfortable
- Is there anything else you’d like to say
Recently, the World Economic Forum revealed it will take 202 years for women to achieve economic gender parity at our current rate. Two hundred and two. Let that sink in for a moment. Doesn’t quite seem right, does it? At McAfee, we believe every single employee should be compensated fairly and equally for their individual contribution and impact to the company, regardless of gender. Which is why we’re committed to acting now to address any gender pay parity discrepancy in the first half of 2019.
This announcement underlines our unwavering commitment to inclusion and diversity. When McAfee reaches global pay parity in 2019, we will be the first pure-play cybersecurity company to do so. And while study after study reinforces the simple fact that diversity drives prosperity, we’re still falling short with just 11% female representation in cybersecurity.
Making significant progress is not going to happen overnight. It also won’t happen on its own. We need greater collaboration to help drive the actions that will change the conversation. So in the spirit of transparency and sharing best practice, here are four steps McAfee is undertaking to achieve gender pay parity:
- We define pay parity. At McAfee, pay parity means fair and equal pay for employees in the same job, level and location, controlling for pay differentiators such as performance, tenure and experience, regardless of gender.
- We complete our inaugural review. Create job groups by role, level and location to evaluate any discrepancies outside of the predetermined controlling factors.
- We adjust pay. If a gap is found between females and males within the group, our purpose is to ensure nothing about a person’s gender is causing the discrepancy and to make adjustments if needed.
- We uphold pay parity. This will not be just a point in time review, but an annual analysis to stay the course. But maintaining pay parity also means keeping it at the forefront throughout the year—from our hiring practices to how we promote and reward our employees.
In these four steps lies a momentous promise to equality. Each day, I’m proud to work alongside a team dedicated to creating a workplace where all voices, perspectives and experiences are welcomed, where everyone can belong. But our investment in pay parity is among the most important steps in showing our people we value them, equally.
With this commitment, we continue to live our values, build an inclusive culture, create better workplaces and build stronger communities. I’m honored to join companies beyond the world of cyber already striving towards pay parity and I hope more will join us in reaching this milestone in equality.
Ready to work for a company committed to equality? McAfee is hiring!
Disclaimer: This blog was originally published on LinkedIn
The post Championing Equality: McAfee to Achieve Gender Pay Parity in 2019 appeared first on McAfee Blogs.
Marriott has confirmed that the number of guests affected in the breach of Starwood’s guest reservation database is down from the originally estimated 500 million to “fewer than 383 million unique guests.” At this time, the hotel giant is unable to confirm an exact number of guests impacted.
According to the statement, approximately 5.25 million unique unencrypted passport numbers and 20.3 million encrypted passport numbers were stolen. Attackers also accessed 8.6 million unique payment card numbers, all of which were encrypted, but only 354,000 cards were active and unexpired at the time of the breach. In its earlier notice in November of last year, the hotel giant confirmed that there had been unauthorized access to the Starwood network since 2014.
Marriott said that it has completed the phase out of Starwood’s reservation database, and now runs guest bookings through its Marriott database, which wasn’t accessed in the breach.
A Breach of Immense Scale and Scope
According to an initial report from the BBC, for roughly 327 million guests, the attacker was able to access personally identifiable information including a combination of name, address, phone number, email address, passport number, account information, date of birth, and gender. In some cases, the compromised records also included encrypted credit card information. At this time, the company was still trying to determine whether the encryption keys had also been stolen.
In a statement published on Nov. 30, Marriott said that it received an alert from an internal security tool that an unauthorized user had attempted to access the Starwood database in the US on Sept. 8, 2018. An investigation into the incident confirmed that an attacker had copied and encrypted the information. Marriott was able to decrypt the information to confirm that the contents were from the Starwood guest reservation database.
Marriott reported the incident to both law enforcement and regulatory authorities, and the UK's data regulator is investigating. While Marriott’s headquarters are in the US, it works with and hosts European citizens, so it must ensure that it meets GDPR compliance. It’s anticipated that Marriott International will receive a substantial penalty because of the size and scale of the breach.
To read initial coverage of this story, with commentary from Veracode Co-Founder and CTO Chris Wysopal, click here.
When you make an investment in an application security program, you’re expecting to derive value from the initiative; in other words, you’re expecting to get some kind of return on your investment. After more than 10 years working with organizations to implement and build out application security programs, we have a pretty clear sense of what that value is. We find that the value derived from an AppSec program stems from:
- Cost-effectively scaling secure software delivery
- Rapidly reducing the risk of breach from insecure software
- Making security a competitive advantage
- Meeting the compliance requirements of customers and regulators
But you won’t reap these benefits unless you follow best practices and implement certain facets of an application security program. Those who simply plug in a tool and focus on scanning only will not derive the value listed above, but might in fact hinder the progress and productivity of their development teams.
You won’t get a solid return on your AppSec investment unless you consider application security a program, not a tool, and work to incorporate several best practices that go beyond simply scanning your code. Those best practices include:
Secure coding education: Prevention is key to deriving value from application security, and the best way to prevent security-related defects in your code is to train your developers to identify and avoid them. Even better, provide targeted training that homes in on the specific defects emerging in your code. This is especially important because the reality is that most developers simply don’t have the skills or experience to code securely. We recently conducted a survey that found that the vast majority of developers don’t get security training either in school or on the job. And we’ve seen first-hand the effects of educating developers on secure coding – our customers who take advantage of eLearning on secure coding improve their fix rates by 20 percent.
Integrated and automated testing: You will lessen the value derived from application security testing if it hinders and slows your development process. And human intervention will slow you down. True value lies in maintaining your development speed while producing high-quality, secure code. You won’t achieve this unless security testing is integrated into development processes, and automated as much as possible. For instance, embed testing into the development process as developers are writing code. In addition, automate testing in the CI/CD pipeline, and automatically open and close tickets related to security issues. The more you can automate and integrate, the more value you will see.
Remediation guidance: Ultimately, application security offers very little value if you aren’t fixing the defects you find and reducing your risk of breach. But, as mentioned above, most developers are not trained to identify or remediate security-related defects. With remediation guidance, developers will efficiently and effectively fix what they find, and learn to do so going forward. With this know-how, you’ll derive both real risk reduction and a real boost to your bottom line. We’ve found that our customers that take advantage of remediation coaching see a 70 percent improvement in fix rates over those that don’t.
Security champions: Security skills are hard to come by, application security skills even harder. Leverage your security team and its skills without adding headcount by creating security champions. A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization’s security experts to provide guidance. In the end, security champions will help you derive more value from your application security program without incurring significant costs.
For more information
We know application security can produce a solid return on investment, but only if you understand what that return looks like and the best ways to achieve it. Get more details on boosting the ROI from your AppSec program, and measuring that ROI, in our eBook, Making Application Security Pay.
If we remember one thing from 2018, it is that we are all victims now through one breach or another. Every day, we hear more news about another data breach affecting millions of users with significant financial and reputational consequences to its victims. With massive breaches like Equifax, Facebook, Deloitte, Quora and Yahoo, it is clear that breach notification services and multi-factor authentication (MFA) are not enough to prevent the next data breach headline from appearing in tomorrow’s newspapers.
Organizations have started thinking holistically, and rightly so, about risk and approaches to security using frameworks such as CARTA, Zero Trust, NIST SP 800 and IDSA. These frameworks offer progressive thinking and valuable approaches to modern identity strategy, but there is no one size fits all. These frameworks are akin to buying furniture from IKEA: assembly required, but with a lot more complexity and a lot more at stake.
Posted under: Firestarter
In this year-end/start firestarter the gang jumps into our expectations for the coming year. Spoiler alert: the odds are some consolidation and contraction in security markets are impending… and not just because the Chinese are buying fewer iPhones.
Watch or listen:
- Rich
Talks you should watch if you are interested in Kubernetes:
https://github.com/bgeesaman/hhkbe [demos for the talk above]
https://schd.ws/hosted_files/kccncna17/d8/Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf [slide deck]
Blog posts by others:
- Open etcd: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-open-etcd.html
- etcd with kube-hunter: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunterpy-etcd.html
- Kubernetes ports: https://carnal0wnage.attackresearch.com/2019/01/kubernetes-list-of-ports.html
- Kubernetes dashboards: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubernetes-dashboard.html
- Kubelet 10255: https://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunter-10255.html
- Container Logs: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubelet-api-containerlogs.html
- Getting shellz 1: https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250.html
- Getting shellz 2: https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250_16.html
Cloud Metadata URLs and Kubernetes
I'll update as they get posted
Today, we at McAfee are announcing some exciting new security solutions and integrations at CES in Las Vegas. For those of you who are unfamiliar with CES, it is the global stage for innovators to showcase the next generation of consumer technologies. McAfee now delivers protection to more than 500 million customers worldwide, and we understand the importance of creating new solutions for those who want to live their connected lives with confidence. To help empower our customers to do this, we’ve added to our security lineup and are working with other tech innovators who understand the importance of protecting users’ online safety.
One addition to our lineup of security solutions is McAfee Gamer Security. In a recent gaming survey, we discovered that 75% of gamers are worried about the security of gaming as online threats continue to rise. To help combat these threats, we developed McAfee Gamer Security, which protects gamers while optimizing their gaming experience. Some of the product’s key features include Game Mode, a gamer-centric interface, and minimal security resource consumption. These features help optimize gamers’ computing resources, provide system status updates, and equip users with lightweight security protection.
In addition to our latest product advancements, we’ve also teamed up with other companies looking to better the cybersecurity landscape for consumers. The first is Google. In order to further simplify the process of securing today’s connected home, McAfee will provide McAfee Secure Home Platform voice commands for the Google Assistant. McAfee Secure Home Platform provides an extra layer of security to help automatically protect all of the connected devices on the user’s home network. Soon, Google Assistant users can easily manage their connected home security by just using their voice.
While it’s important to secure the connected home, it is also important to protect your mobile and IoT devices as well. According to McAfee Labs 2019 predictions, cybercriminals will leverage trusted devices like smartphones and tablets to try and access users’ IoT devices in the upcoming year. To help customers stay safeguarded from this threat, we’ve teamed up with Verizon to protect their home networks through Verizon Home Network Protection. This McAfee-powered solution helps Verizon Fios customers stay secure against malicious websites, provides parental controls, and protects all devices connected to their home network.
Furthermore, we at McAfee and Dell have teamed up to protect consumers and small businesses as they enjoy the benefits of today’s technology. To do this, we’ve expanded our collaboration to provide pre-installed McAfee software on PCs and laptops globally to both consumer and small business customers. Customers who purchase a new laptop or PC will also have the option to extend McAfee protection beyond their Dell device to their smartphones and tablets. This allows users to have a more robust security shield around all of their connected devices, creating a safer overall online experience. Dell consumer and small business customers who purchase Dell Inspiron, XPS, Vostro, and G-Series laptops will receive a 30-day or 1-year subscription. Customers who purchase Alienware, OptiPlex, Latitude, and Precision will have the option of adding a 30-day free subscription or purchasing a 1-year subscription.
Another one of our latest innovations is the addition of Cryptojacking Blocker to McAfee WebAdvisor. As we observed in our latest McAfee Labs report, coin mining malware is on the rise, growing more than 4000% in the last year. Cryptojacking Blocker helps protect users from having their devices hijacked without their knowledge or permission. The tool helps prevent websites from mining for cryptocurrency and is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.
So far, CES 2019 has proven that innovation will continue to evolve, just as the cybersecurity landscape will continue to mature. By working together to improve the technology that protects connected devices, we can help users optimize their digital life without compromising their online safety.
The post Kicking off CES 2019 with New Security Solutions and Collaborations appeared first on McAfee Blogs.
[Figures: principal domain names with SQLi; domain names geographically distributed; percentage of web server technology in front of vulnerable websites; percentage of database technology in the backend of vulnerable websites]