Daily Archives: April 25, 2019

TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption

As privacy tech continues to proliferate and embed itself in day-to-day privacy functions in the enterprise, the IAPP, together with TrustArc, seeks feedback to better understand how privacy pros are adopting the privacy tech tools outlined in our Privacy Tech Vendor Report. This year’s survey builds on a similar one we did last year looking at how privacy tools are acquired and deployed. Now, with obligations that both the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are imposing on organizations, are we seeing a move toward greater tech adoption? The survey should only take about … Continue reading TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption

The post TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption appeared first on TrustArc Blog.

What Is Fix Rate, and Why Does It Matter?

Once your application security program is up and running, there are several metrics you can use to gauge your progress and optimize your program. For instance, companies typically measure their scan activity, flaw density, and policy compliance. However, very few include metrics for fix rate, despite the fact that it is an important indicator of a program’s success. Fix rate indicates how long it takes for a team to fix the vulnerabilities their scans find. Fix rate is calculated as follows:

Fix Rate = Fixed Flaws divided by (Fixed + Open Flaws)

Looking at fix rate over time measures the average velocity at which organizations are fixing flaws.

All the metrics mentioned above are important, but fix rate is especially critical. Ultimately, the most important function of an application security program is effectively fixing flaws once they are discovered. In the end, you can’t scan your way to secure code.

What are the average fix rates?

For our most recent State of Software Security (SoSS) report, we analyzed the data compiled from the 700,000 scans we performed over a 12-month period between April 1, 2017 and March 31, 2018, and this reveals a pretty clear picture of the current state of fix rates.

When we look at the curve for the average fix velocity from the first day of discovery, we see that it takes organizations a troubling amount of time to address most of their flaws. One week after first discovery, organizations close out only about 15 percent of vulnerabilities. In the first month, that closure reaches just under 30 percent. By the three-month mark, organizations haven’t even made it halfway, closing only a little more than 45 percent of all flaws.

When we looked at fix rate by flaw type, we found that organizations are making a big push to fix their highest severity vulnerabilities first. Organizations managed to reach closure on 75 percent of these high-severity flaws more than 100 days sooner than the norm.

But the numbers aren’t so positive for other vulnerability rankings, such as exploitability or business criticality.
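The Python below is an added example (not code from the original post or from the SoSS report's own tooling) that applies the fix rate formula above to a small constructed set of flaw records: it evaluates Fixed / (Fixed + Open) as of a date, builds the closure-within-N-days velocity curve, and breaks fix rate down by severity. The sample records, and the rule that a flaw only counts toward an N-day closure figure once it has been known for N days, are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flaw:
    """One finding from a scan: when it was first seen and, if closed, when."""
    flaw_id: str
    severity: str          # "high", "medium" or "low"
    discovered: date
    fixed: Optional[date]  # None while the flaw is still open


def fix_rate(flaws: List[Flaw], as_of: date) -> float:
    """Fix Rate = Fixed Flaws / (Fixed Flaws + Open Flaws), evaluated as of a date.

    Only flaws discovered on or before `as_of` are known at that point, and a
    fix dated after `as_of` still counts as open on that day.
    """
    known = [f for f in flaws if f.discovered <= as_of]
    if not known:
        return 0.0
    closed = sum(1 for f in known if f.fixed is not None and f.fixed <= as_of)
    return closed / len(known)


def closure_within(flaws: List[Flaw], days: int, as_of: date) -> float:
    """Fraction of flaws closed within `days` of first discovery (one point on the velocity curve).

    Assumed censoring rule: a flaw is only eligible once it has been known for the
    full window, otherwise freshly discovered flaws would drag the figure down.
    """
    window = timedelta(days=days)
    eligible = [f for f in flaws if f.discovered + window <= as_of]
    if not eligible:
        return 0.0
    closed = sum(1 for f in eligible
                 if f.fixed is not None and f.fixed - f.discovered <= window)
    return closed / len(eligible)


def velocity_curve(flaws: List[Flaw], as_of: date,
                   checkpoints=(7, 30, 90)) -> Dict[int, float]:
    """Closure fraction at each checkpoint: one week, one month, three months."""
    return {d: closure_within(flaws, d, as_of) for d in checkpoints}


def fix_rate_by_severity(flaws: List[Flaw], as_of: date) -> Dict[str, float]:
    """Fix rate per severity bucket, to see whether high-severity flaws close first."""
    buckets: Dict[str, List[Flaw]] = {}
    for f in flaws:
        buckets.setdefault(f.severity, []).append(f)
    return {sev: fix_rate(group, as_of) for sev, group in sorted(buckets.items())}


# Constructed sample data (not real scan results), laid over the SoSS period.
START = date(2017, 4, 1)
END = date(2018, 3, 31)


def day(n: int) -> date:
    """Calendar date `n` days after the start of the analysis period."""
    return START + timedelta(days=n)


SAMPLE_FLAWS = [
    Flaw("A", "high",   day(0),   day(3)),
    Flaw("B", "high",   day(0),   day(10)),
    Flaw("C", "medium", day(0),   day(40)),
    Flaw("D", "low",    day(0),   None),
    Flaw("E", "high",   day(30),  day(35)),
    Flaw("F", "medium", day(30),  day(100)),
    Flaw("G", "low",    day(30),  None),
    Flaw("H", "medium", day(200), day(205)),
    Flaw("I", "high",   day(300), None),
    Flaw("J", "low",    day(300), day(302)),
]

if __name__ == "__main__":
    print("fix rate at period end:", fix_rate(SAMPLE_FLAWS, END))
    print("velocity curve:", velocity_curve(SAMPLE_FLAWS, END))
    print("by severity:", fix_rate_by_severity(SAMPLE_FLAWS, END))
```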

Why are fix rates important?

Speed matters when it comes to application security. The time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in hours or days. Letting known vulnerabilities linger unfixed dramatically increases your risk. For instance, it was merely days between disclosure and exploitation of the vulnerability in the Apache Struts framework that led to the Equifax breach.

In addition, it’s important to address the most high-risk vulnerabilities the fastest. Our SoSS stats surrounding fix rate by flaw type (mentioned above) are important here. The fact that most organizations are solely focused on fixing high-severity flaws, but have troubling fix rates for flaws that are highly exploitable or business critical is problematic. Oftentimes, a low-severity flaw could be just as risky, if not more so, than a higher-severity flaw. For example, a low-severity information leakage flaw could provide just the right amount of system knowledge an attacker needs to leverage a vulnerability that might otherwise be difficult to exploit.

How can we improve our fix rate?

Here are some ways to give your fix rate a boost:

Prioritize more

Reconsider your application security policy to ensure you are taking steps to reduce your most high-risk vulnerabilities the fastest. The sheer volume of open flaws within enterprise applications is too staggering to tackle at once -- which means that organizations need to find effective ways to prioritize which flaws they fix first.

For instance, not all apps are created equal, so create different requirements for different apps. An application that has IP, is public facing, and has third-party components may require all medium to very critical flaws to be fixed. A one-page temporary marketing site may only require high/very high flaws to be fixed.

In addition, consider a flaw’s exploitability, not just its severity. As noted above, some low-severity flaws could be highly exploitable, while some high-severity flaws would never be exploitable.

Scan more

This year’s State of Software Security report also revealed that those organizations that scan most frequently have the highest fix rates. Our data shows that there is a very strong correlation between how many times a year an organization scans and how quickly they address their vulnerabilities.

When apps are tested fewer than three times a year, flaws persist more than 3.5x longer than when organizations can bump that up to seven to 12 scans annually. Each step up in scan rate results in shorter and shorter flaw persistence intervals. Once organizations are scanning more than 300 times per year, they’re able to shorten flaw persistence 11.5x across the intervals compared to applications that are only scanned one to three times per year.

Prevent more

The fewer flaws you have to tackle, the faster you can tackle them. If developers have the secure coding skills needed to avoid introducing flaws in the first place, they will put a big dent in the work needed to fix flaws later in the cycle. But most developers have had zero training on secure coding – either in school or on the job. Our research has shown that when developers do get training or coaching on secure coding, the organization’s fix rate gets a big boost. When our customers offer eLearning on secure coding for their development team, they improve their fix rate by 19 percent. When they take advantage of remediation coaching, they improve it by a whopping 88 percent.

Learn more

There’s more to AppSec than scanning. Get details in our new eBook, Application Security: Beyond Scanning.

Something’s Phishy With the Instagram “HotList”

Phishing scams have become incredibly popular these days. Cybercriminals have upped the ante with their tactics, making their phishing messages almost identical to the companies they attempt to spoof. We’ve all heard about phishing emails, SMiShing, and voice phishing, but cybercriminals are turning to social media for their schemes as well. Last week, the “Nasty List” phishing scam plagued Instagram users everywhere, leading victims to fake login pages as a means to steal their credentials. Now, cybercriminals are capitalizing on the success of the “Nasty List” campaign with a new Instagram phishing scam called “The HotList.”

This scam markets itself as a collection of pictures ranked according to attractiveness. Similar to the “Nasty List,” this scheme sends messages to victims through hacked accounts saying that the user has been spotted on this so-called “hot list.” The messages claim to have seen the recipient’s images on the profile @The_HotList_95. If the user goes to the profile and clicks the link in the bio, they are presented with what appears to be a legitimate Instagram login page. Users are tricked into entering their login credentials on the fake login pages, whose URL typically ends in .me domains. Once the cybercriminals acquire the victim’s login, they are able to use their account to further spread the campaign.

Images courtesy of Bleeping Computer. 

Luckily, there are steps users can take to help ensure that their Instagram account stays secure:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. And if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common indicators of a potential scam at play.
  • Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in .me.
  • Reset your password. If your account was hacked by “The HotList” but you still have access to your account, reset your password to regain control of your page.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Something’s Phishy With the Instagram “HotList” appeared first on McAfee Blogs.

Facebook Braces for Multibillion Dollar Fine

Facebook announced that it was preparing for a massive fine from the Federal Trade Commission for its mishandling of user privacy. The fine could be as much as $5 billion.

The social media giant revealed the fine as a one-time expense in its annual earnings statement, explaining a 51% decline in income, “in connection with the inquiry of the FTC into our platform and user data practices.”

“We estimate that the range of loss in this matter is $3.0bn to $5.0bn,” the company’s statement explained. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”

Facebook has been the target of an FTC investigation to determine if it had violated a 2011 consent decree following the 2018 revelation that it improperly shared data with Cambridge Analytica.

Despite the size of the fine, the company showed continuous growth and an expansion of its ecosystem of apps.

Read more about the story here.

The post Facebook Braces for Multibillion Dollar Fine appeared first on Adam Levin.

ISO 27001 Lead Implementer, Lead Auditor and Internal Auditor – what’s the difference?

A version of this blog was originally published on 25 June 2018.

Anyone interested in getting into or advancing their career in cyber security probably knows that they will need training and qualifications. But given that the field is so broad, how are you supposed to decide which course is right for you?

This blog will help you make that decision. We take three of our most popular training courses – ISO27001 Certified ISMS Internal Auditor, ISO27001 Certified ISMS Lead Auditor and ISO27001 Certified ISMS Lead Implementer – and explain what they cover and who they are suitable for.

ISO 27001 Certified ISMS Lead Implementer

A lead implementer takes charge of an organisation’s ISO 27001 compliance project. They are responsible for the big decisions, such as setting out the ISMS’s scope, and for ensuring the Standard’s requirements have been addressed.

What you learn: The nine key steps involved in planning, implementing and maintaining an ISO 27001-compliant ISMS.

Who it’s for: This course should be attended by the person responsible for ISO 27001 compliance (typically the CISO) and the person leading the project (this might be the same person). You’ll need a solid understanding of ISO 27001’s risk assessment process, and should have already taken a foundation-level ISO 27001 course.

Length: Three days

ISO 27001 Certified ISMS Lead Auditor

A lead auditor can work internally or audit a second or third party’s ISMS. Their expertise is usually required when the organisation is seeking ISO 27001 certification, or if a partner organisation requests a supply chain audit.

What you learn: The first half of the course teaches you about auditing in general, and the second half covers best-practice advice for how to audit an ISMS.

Who it’s for: Anyone who wants the responsibility for implementing and maintaining their organisation’s ISMS. It’s also suitable for those who want to work for a specific auditing organisation, such as the BSI.

Length: Four and a half days

ISO 27001 Certified ISMS Internal Auditor

An internal auditor assesses the effectiveness of the organisation’s ISMS (information security management system) and whether it meets the requirements of ISO 27001, reporting their findings to senior management.

What you learn: The course begins with an introduction to ISO 27001 and how auditing fits into the compliance process, before explaining how to plan for and execute an internal audit.

Who it’s for: It’s ideal for compliance managers, but it’s obviously suitable for anyone interested in conducting internal audits. You should have a decent understanding of ISO 27001, but your main strengths should be in policy reviews.

Length: Two days

What are the differences between these courses?

Even though each of these courses covers similar areas, they are geared towards specific job roles. Take the internal and lead auditor courses as an example.

An internal auditor could be an employee within the organisation (hence ‘internal’), but they ideally wouldn’t have played a major role in the ISMS’s implementation. Otherwise they are being asked to find faults in their own work, which they might be reluctant to do.

Meanwhile, a lead auditor will have the specialist knowledge required to conduct second- or third-party audits. Although the tasks involved in these two roles are similar, the day-to-day work is very different. Whereas an internal auditor only has to be familiar with their organisation’s ISMS, a lead auditor that works for an auditing company deals with many organisations and interacts with even more people.

Then we come to the lead implementer course, which teaches you how to fulfil a completely different job role. Lead implementers are the heart of the team that puts the ISMS together. As with auditors, they need a strong understanding of ISO 27001’s compliance requirements, but their job focuses on how to meet those requirements, as opposed to reviewing whether they have been implemented correctly.

Of course, consultants will need to be implementation and auditing experts. They should therefore consider our ISO27001 Lead Implementer and Lead Auditor Combination Course, which covers everything you’d learn on each course separately. You’ll move straight from one topic to the other, helping you solidify your knowledge and understand how the two roles interact.

Interested in other ISO 27001 training courses?

These courses are just the beginning when it comes to ISO 27001 training, so if you’re not sure which course is right for you, why not take a look at IT Governance’s full range of training options?

With a variety of courses available in classroom, Live Online and distance learning format, we have you covered, whether you’re an information security beginner or looking for the right qualification to boost your career.

Find out more about our ISO 27001 training courses >>

The post ISO 27001 Lead Implementer, Lead Auditor and Internal Auditor – what’s the difference? appeared first on IT Governance Blog.

Privacy Shield Approaching Its 3 Year Anniversary in Operation

With data protection-related activity bustling around the world–from “Brexit” and GDPR enforcement to the approaching CCPA and exciting developments in the APAC region–it’s understandable to lose track of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. What follows are responses to the most frequent Privacy Shield inquiries TrustArc is hearing from our customers. Is Privacy Shield Still Valid? Yes – in fact, Privacy Shield is fast approaching its three year anniversary on July 12th. Since its 2016 adoption, Privacy Shield has remained a sound, scalable and steady legal transfer mechanism for U.S. entities seeking to receive personal data from the EU … Continue reading Privacy Shield Approaching Its 3 Year Anniversary in Operation

The post Privacy Shield Approaching Its 3 Year Anniversary in Operation appeared first on TrustArc Blog.

The Cybersecurity Dangers of the Dark Web and How to Protect Your Organization

Even as its top marketplace, Dream Market, prepares to close its doors, the dark web continues to thrive. In fact, Darkode, one of the most well-known hacking forums and black markets, has recently reopened. And what are some of the most common wares at these underground markets? Organizational data, and the tools needed to get more. As long as the dark web exists, organizations must learn more about the threat it poses, and how to protect themselves.

A One Stop Shop for Cyber Attack Tools

There are any number of ways attackers can use the dark web to find what they need to attack an organization. One of the most common items is ransomware, which has become worryingly affordable. For less than $1000, anyone can buy a malware strain that can be used again and again. While individuals are frequently ransomed, organizations are naturally a much more lucrative target. In fact, ransoms for organizations are rapidly increasing, with the average payment per incident going from around $7,000 in the final quarter of 2018 to almost $13,000 in the first quarter of 2019. 

The marketplace isn’t limited to digital purchases. Interested parties can also buy physical means of attack like credit card skimmers or USB drives loaded with malware. Recently, a former student managed to destroy 59 computers at a small college in New York in a single evening using a “USB Killer,” a USB thumb drive that discharges electrical current to fry any device to which it is connected. Though the “USB Killer” is shockingly legal to buy, such an item or similar is also available on the dark web to those who don’t want their purchase to be tracked. Such physical items would be particularly effective in the hands of a malicious insider who has access to workstations and servers.

The dark web is also a refuge for those who are inexperienced in digital attacks. Thousands of fraud guides are available to those eager to learn more about multiple different types of attacks like phishing, brute force, or even simple account takeovers. These guides are incredibly cheap, typically only running someone five to ten dollars. Hacking services are also readily available. The recently reopened Darkode, mentioned earlier, specializes in customized hacking jobs, as well as providing simpler services like renting a botnet to mount a DDoS attack.

An Underground Marketplace to Sell Your Breach Bounty

The goal for many types of malware is breaching systems to steal data. Attackers can utilize stolen credentials to use for themselves to commit identity fraud. However, oftentimes these breaches are so large that the amount of data stolen is more than an individual could use in a lifetime. Selling these credentials is even more lucrative than using the data for themselves. The dark web is the most natural and best place to sell these records. A hacker known as Gnosticsplayers has posted hundreds of millions of accounts for sale on the dark web, earning thousands of dollars in bitcoin.

Usernames and passwords are far from the only thing for sale. The dark web has someone’s entire identity for sale, from social security numbers to bank account numbers. For example, old tax returns stolen from accounting and legal firms are readily available for next to nothing. An old W2 can cost a few dollars or less, and makes it possible to file fraudulent returns, open accounts, and other identity scams.

Stolen information isn’t limited to human identities, either. Hackers are now trafficking in digital trust and machine identities as well, selling data like SSL and TLS certificates, which can be used to commit a number of different types of attacks. As more and more types of data come up for sale, the less confidence organizations and users can have in the security of the internet at large.

Not for Sale: Keeping Data Off the Dark Marketplace

With seemingly endless ways to perpetrate attacks, and a ready-made spot to sell the bounty of these attacks, it’s easy to feel daunted at the prospect of how to put up defenses. However, there are plenty of ways for your organization to prevent or remediate any threats from the dark web. 

Just as you keep locks on every door and window to your house, so should you protect every endpoint in your organization. While antivirus on workstations is routine, a high priority should also be placed on server-specific, native antivirus for your servers, which are the key storage areas data attackers and threat actors are eager to exploit. Internet of Things (IoT) devices are becoming commonplace in the workplace, but preventative security specific to such devices is difficult to find. Given the prevalence of botnets on the dark web, it’s critical to ensure that your smart device is not part of such a network. Advanced threat detection solutions are the best way to find out if any IoT device, be it tablet or MRI machine, is infected with malware or being used for malicious purposes.

Insider threats should also be strongly considered when evaluating solutions. Insiders naturally have more access to data, and a simple purchase from the dark web could devastate an organization without proper monitoring and controls. Security solutions that enforce least privilege and detect anomalies within an organization can help defend against insider threats.

Monitoring can be provided by SIEM solutions, which filter numerous data sources and provide helpful insights through normalization and correlation. They can also identify suspicious behavior inside and outside of your organization through real-time updates, threat prioritization, and reducing the number of interfaces in need of monitoring.

Control can be achieved with Identity and access management (IAM) solutions, which enable a robust approach to managing and governing access by utilizing the principle of least privilege, which highlights granting users only the access they need, when and how they need it. Employees require some access to complete their job, but not universal access, which can be all too tempting to exploit.

Finally, what better way to prevent being attacked than by thinking like the attackers? Penetration tests utilize ethical hacking to safely exploit security vulnerabilities, providing organizations insight and enabling remediation before an attack ever takes place. Regular penetration testing keeps organizations up to date on the latest strategies and tactics used by threat actors and the tools they provide on the dark web. Threat actors thrive in environments where individuals and organizations remain ignorant, hoping that their fear will overwhelm them into inaction. Staying vigilant and being proactive about building a strong security portfolio to set up barriers to your data is the best way to keep your information safe in their databases, and off the dark web.


Antivirus vs. VPN: Do You Need Both?

Reading Time: ~3 min.

Public concern about online privacy and security is rising, and not without reason. High-profile data breaches make headlines almost daily, and tax season predictably increases instances of one of the most common types of identity theft, the fraudulent filing of tax returns known as tax-related identity theft.

As a result, more than half of global internet users are more concerned about their safety than they were a year ago. Over 80% in that same survey, conducted annually by the Center for International Governance Innovation, believe cybercriminals are to blame for their unease.  

Individuals are right to wonder how much of their personally identifiable information (PII) has already leaked onto the dark web. Are there enough pieces of the puzzle to reconstruct their entire online identity?

Questions like these are leading those with a healthy amount of concern to evaluate their options for enhancing their cybersecurity. And one of the most common questions Webroot receives concerns the use of antivirus vs. a VPN.  

Here we’ll explain what each does and why they work as complements to each other. Essentially, antivirus solutions keep malware and other cyber threats away from your devices, while VPNs cloak your data by encrypting it on its journey between your device and the network it’s communicating with. One works at the device level and the other at the network level.

Why You Need Device-Level Antivirus Security 

Antiviruses bear the primary responsibility for keeping your devices free from infection. By definition, malware is any software written for the purpose of doing damage. This is the category of threats attempting to undermine the antivirus (hopefully) installed on your PC, Mac, and yes, even smartphones like Apple and Android devices, too.  

In an ever-shifting threat landscape, cybercriminals are constantly tweaking their approaches to getting your money and data. Banking Trojans designed specifically for lifting your financial details were among the most common examples we saw last year. Spyware known as keyloggers can surreptitiously surveil your keystrokes and use the data to steal passwords and PII. A new category of malware, known as cryptojackers, can even remotely hijack your computing power for its own purposes.

But the right anti-malware tool guarding your devices can protect against these changing threats. This means that a single errant click or downloaded file doesn’t spell disaster. 

“The amazing thing about cloud-based antivirus solutions,” says Webroot threat analyst Tyler Moffit, “is that even if we’ve never seen a threat before, we can categorize it in real time based on the way it behaves. If it’s determined to be malicious on any single device, we can alert our entire network of users almost instantaneously. From detection to protection in only a few minutes.” 

Why You Need Network-Level VPN Security 

We’ve covered devices, but what about that invisible beam of data traveling between your computer and the network it’s speaking to? That’s where the network-level protection offered by a VPN comes into play.  

While convenient, public networks offering “free” WiFi can be a hotbed for criminal activity, precisely because they’re as easy for bad actors to access as they are for you and me. Packet sniffers, for instance, can be benign tools for helping network admins troubleshoot issues. In the wrong hands, however, they can easily be used to monitor network traffic on wireless networks. It’s also fairly easy, given the right technical abilities, for cybercriminals to compromise routers with man-in-the-middle attacks. Using this strategy, they’re able to commandeer routers for the purpose of seeing and copying all traffic traveling between a device and the network they now control.  

Even on home WiFi networks, where you might expect the protection of the internet service provider (ISP) you pay monthly, that same ISP may be snooping on your traffic with the intent to sell your data.  

With a VPN protecting your connection, though, data including instant messages, login information, social media, and the rest is encrypted. Even were a cybercriminal able to peek at your traffic, it would be unintelligible.  

“For things like checking account balances or paying bills online, an encrypted connection should be considered essential,” says Moffit. “Without a VPN, I wouldn’t even consider playing with such sensitive information on public networks.”  

How Webroot Can Help 

Comprehensive cybersecurity involves protecting both data and devices. Antivirus solutions to protect against known and unknown malware—like the kinds that can ruin a laptop, empty a bank account, or do a cybercriminal’s bidding from afar—are generally recognized as essential. But for complete protection, it’s best to pair your antivirus with a VPN—one that can shield your data from intrusions like ISP snooping, packet sniffers, and compromised routers.

Click the links for more information about Webroot SecureAnywhere® antivirus solutions and the Webroot® WiFi Security VPN app.  

The post Antivirus vs. VPN: Do You Need Both? appeared first on Webroot Blog.

How important is it to test your cybersecurity incident response plan?

Estimated reading time: 2 minutes

With the incidents of cybercrime rising at an enormous rate, especially targeted attacks on organizations, many companies now have a cybersecurity incident response plan in place.

However, a major reason these organizations still fail to respond effectively to a cybersecurity incident is that, in spite of having an incident response plan, it is neither frequently tested nor consistently applied across the organization.

Given the ever-evolving nature of the threat landscape, it is extremely important to test the response plan on a frequent basis to check for loopholes in the process. Failure to update this plan often leaves organizations vulnerable and less prepared to handle the cybersecurity incident response process in the wake of a sudden cyber-attack.

The need is to test the plan regularly by making effective investments in skilled resources, technologies and processes, so that they can work in sync with each other when the need arises.

A few things that can help organizations test and implement an effective cybersecurity incident response plan include:

Automation
Investing in automation can be a good and cost effective option in this regard and can help organizations save up on millions of dollars that may otherwise be compromised in the event of a breach.

Automation here refers to replacing or augmenting human intervention with artificial intelligence and machine learning, to enable easy & efficient identification of breaches and exploits, for necessary and timely actions to be taken.

Studies indicate that organizations that leverage automation extensively across their organization are in a better position to detect, prevent and respond to cyber-attacks and breaches than organizations that don’t.

Skilled Resources

The lack of enough skilled resources for handling cyber-attacks and managing the incident response plan is a big hurdle for organizations trying to achieve cyber resilience. The major problem lies not just in hiring resources but mostly in retaining cybersecurity professionals.

On the other hand, deploying too many processes and technologies at once to achieve cyber resilience can make the overall process too complex for cybersecurity personnel to understand and reduce the effectiveness of the plan.

Thus, what organizations need is a close collaboration of technology, resources and processes, in order to effectively test and implement a robust cybersecurity incident response plan.

The post How important is it to test your cybersecurity incident response plan? appeared first on Seqrite Blog.

How do I buy a laptop with an encrypted hard drive?

Derek needs to find a laptop with Windows 10 Home’s device encryption to keep his data safe

I want to buy a new Windows 10 laptop for home use, and I want one with device encryption capability, so that the boot drive is encrypted. Until recently, this has only been possible with Windows Professional editions using BitLocker. I now see that if a laptop has the right specification, all versions of Windows 10 can have device encryption turned on.

The problem is that it’s difficult, if not impossible, to get information from mainstream laptop vendors as to whether a specific model supports device encryption. Recent MacBooks are capable of using FileVault and Apple spells out which models support it, so why is this information so hard to find for Windows laptops? Derek

I’m glad you asked because you’re right: there’s a shocking lack of information about device encryption on laptops, and this applies to Microsoft, to PC manufacturers, and to retailers. It’s also something that laptop PC reviewers rarely seem to mention, which makes it hard, if not impossible, to tell how many laptops are compatible with Windows 10’s device encryption.

Continue reading...