Daily Archives: April 30, 2019

Tripwire Patch Priority Index for April 2019

Tripwire’s April 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, and Oracle. First on the patch priority list this month are patches for Microsoft’s Browser and Scripting Engine. These patches resolve 13 vulnerabilities, including fixes for Memory Corruption, Browser Tampering, and Information Disclosure vulnerabilities. Next on the list are patches for […]… Read More

The post Tripwire Patch Priority Index for April 2019 appeared first on The State of Security.

Data: E-Retail Hacks More Lucrative Than Ever

For many years and until quite recently, credit card data stolen from online merchants has been worth far less in the cybercrime underground than cards pilfered from hacked brick-and-mortar stores. But new data suggests that over the past year, the economics of supply-and-demand have helped to double the average price fetched by card-not-present data, meaning cybercrooks now have far more incentive than ever to target e-commerce stores.

Traditionally, the average price for card data nabbed from online retailers — referred to in the underground as “CVVs” — has ranged somewhere between $2 and $8 per account. CVVs are are almost exclusively purchased by criminals looking to make unauthorized purchases at online stores, a form of thievery known as “card not present” fraud.

In contrast, the value of “dumps” — hacker slang for card data swiped from compromised retail stores, hotels and restaurants with the help of malware installed on point-of-sale systems — has long hovered around $15-$20 per card. Dumps allow street thieves to create physical clones of debit and credit cards, which are then used to perpetrate so-called “card present” fraud at brick and mortar stores.

But according to Gemini Advisory, a New York-based company that works with financial institutions to monitor dozens of underground markets trafficking in both types of data, over the past year the demand for CVVs has far outstripped supply, bringing prices for both CVVs and dumps roughly in line with each other.

Median price of card not present (CNP) vs. card-present (CP) over the past year. Image: Gemini

Stas Alforov, director of research and development at Gemini, says his company is currently monitoring most underground stores that peddle stolen card data — including such heavy hitters as Joker’s Stash, Trump’s Dumps, and BriansDump.

Contrary to popular belief, when these shops sell a CVV or dump, that record is then removed from the inventory of items for sale, allowing companies that track such activity to determine roughly how many new cards are put up for sale and how many have sold. Underground markets that do otherwise quickly earn a reputation among criminals for selling unreliable card data and are soon forced out of business.

“We can see in pretty much real-time what’s being sold and which marketplaces are the most active or have the highest number of records and where the bad guys shop the most,” Alforov said. “The biggest trend we’ve seen recently is there appears to be a much greater demand than there is supply of card not present data being uploaded to these markets.”

Alforov said dumps are still way ahead in terms of the overall number of compromised records for sale. For example, over the past year Gemini has seen some 66 million new dumps show up on underground markets, and roughly half as many CVVs.

“The demand for card not present data remains strong while the supply is not as great as the bad guys need it to be, which means prices have been steadily going up,” Alforov said. “A lot of the bad guys who used to do card present fraud are now shifting to card-not-present fraud.”

One likely reason for that shift is the United States is the last of the G20 nations to make the transition to more secure chip-based payment cards, which is slowly making it more difficult and expensive for thieves to turn dumps into cold hard cash. This same increase in card-not-present fraud has occurred in virtually every other country that long ago made the chip card transition, including AustraliaCanadaFrance and the United Kingdom.

The increasing value of CVV data may help explain why we’ve seen such a huge uptick over the past year in e-commerce sites getting hacked. In a typical online retailer intrusion, the attackers will use vulnerabilities in content management systems, shopping cart software, or third-party hosted scripts to upload malicious code that snarfs customer payment details directly from the site before it can be encrypted and sent to card processors.

Research released last year by Thales eSecurity found that 50 percent of all medium and large online retailers it surveyed acknowledged they’d been hacked. That figure was more than two and a half times higher than a year earlier.


Much of the media’s attention has been focused on recent hacks against larger online retailers, such those at the Web sites of British Airways, Ticketmaster, and electronics giant NewEgg. But these incidents tend to overshadow a great number of “low-and-slow” compromises at much smaller online retailers — which often take far longer to realize they’ve been hacked.

For example, in March 2019 an analysis of Gemini’s data strongly suggested that criminals had compromised Ticketstorm.com, an Oklahoma-based business that sells tickets to a range of sporting events and concerts. Going back many months through its data, Gemini determined that the site has likely been hacked for more than two years — allowing intruders to extract around 4,000 CVVs from the site’s customers each month, and approximately 35,000 accounts in total since February 2017.

Ticketstorm.com did not respond to requests for comment, but an individual at the company who answered a call from KrebsOnSecurity confirmed Ticketstorm had recently heard from Gemini and from card fraud investigators with the U.S. Secret Service.

“It’s not just large sites getting popped, it’s mostly small to mid-sized organizations that are being compromised for long periods of time,” Alforov said. “Ticketstorm is just one of ten or twenty different breaches we’ve seen where the fraudsters sell what they collected and then come back and collect more over several years.”

In some ways, CVVs are more versatile for fraudsters than dumps. That’s because about 90 percent of dumps for sale in the underground do not come with other consumer data points needed to complete a various online transactions — such as the cardholder’s name or billing address, Gemini found.

This is particularly true when CVV data is collected or amended by phishing sites, which often ask unwitting consumers to give up other personal information that can aid in identity theft and new account fraud — including Social Security number, date of birth and mother’s maiden name.

All of which means e-commerce retailers need to be stepping up their game when it comes to staving off card thieves. This in-depth report from Trustwave contains a number of useful suggestions that sites can consider for a defense-in-depth approach to combating an increasingly crowded field of criminal groups turning more of their attention toward stealing CVV data.

“There is a lot more incentive now than ever before for thieves to compromise e-commerce sites,” Alforov said.

Updates for Microsoft 365 help strengthen data privacy

As data continues to grow exponentially and travel across organizational boundaries, privacy and compliance professionals play an increasingly strategic role within organizations. Several updates—announced today—for Microsoft 365 provide organizations with more control and options to strengthen their data privacy practices, including:

  • New capabilities for Microsoft 365 E5 and E5 Compliance, such as the new Office 365 Advanced Message Encryption feature, data investigation capabilities, Microsoft Teams compliance features, and a new Advanced eDiscovery experience.
  • The ability to use Compliance Manager to get automated updates of security controls and create your own assessments—including on-premises and non-Microsoft applications—against any regulation or standard, so you can manage compliance across data assets in a unified way.

To learn more about these updates, read Grow and protect your business with more privacy controls from Microsoft 365.

The post Updates for Microsoft 365 help strengthen data privacy appeared first on Microsoft Security.

Test Your Knowledge on Cloud Adoption and Risks

Our data lives in the cloud, and nearly a quarter of it requires protection to limit our risk. You won’t be able to get far in your transformation to the cloud without learning the sources of cloud data risk and how to circumnavigate them.

In our latest Cloud Adoption and Risk Report, we analyze the types of sensitive data in the cloud and how it’s shared, examine IaaS security and adoption trends, and review common threats in the cloud. Test your knowledge on the latest cloud trends and see if your enterprise understands the basics of cloud-related risks.

Not prepared? Lucky for you this is an “open-book” test. Find some cheat sheets and study guides below.

Report: Cloud Adoption and Risk Report 2019

Blog: Cloud Security Risks – It’s not black and white

MVISION Cloud Data Sheet


Note: There is a widget embedded within this post, please visit the site to participate in this post's widget.

The post Test Your Knowledge on Cloud Adoption and Risks appeared first on McAfee Blogs.

Behind the Screens: An Interview with Trystan Orr

Trystan OrrCybersecurity is best approached holistically—by combining human, physical, and technical efforts together to mitigate threats. But how exactly does the human element play a role?  To grasp just how humans and psychology are central to the cybersecurity industry, we spoke to our very own Security Operations Center Analyst, Trystan Orr.

Q:  How did you first become interested in cybersecurity?

A:  I’ve been interested in technology since I was very young—I was introduced to computers and video games early.  But there was no particular turning point that got me into cybersecurity; it was more of a slow realization.  I took a couple of coding courses in high school and really liked them.  Then, in college, I took a security class and received my Security+ certification.  I really enjoyed just how pervasive security is: in anything you do, you have to consider security.

“At the same time, I started to notice a strong correlation between psychology and security. It’s about the way humans interact with the technology, and that’s why cybersecurity hit a note with me.  Humans can be your greatest risk- and your greatest strength.”

Q:  How do you apply your understanding of psychology to your job as a security analyst?

A:  One of the key parts of my job as an analyst is thinking of the business need that accompanies security initiatives.  For example, when a security alert is triggered, you have to think about the people behind the screens that triggered the alert.  This is where psychology comes in.  Once you have an understanding of who they are and what they’re doing in their day-to-day, you can respond to the alert.  You don’t want to suggest something that slows down the business, or stops the user from doing what they need to do.

Understanding the user, the human, allows us to offer these custom solutions.

Q:  Looking ahead a few years, what do you predict will be the next big change in the industry?

A:  Awareness.  I think people are becoming more aware of security, which is exciting to see.  For instance, users are becoming more aware of phishing and the importance of reporting potential phishing emails.

“I think part of this increased awareness is a shift from thinking of cybersecurity as a purely technological problem, to a human problem as well.  Users are starting to see the role they play in cybersecurity.” 

Q:  What do you see as the value of encouraging women to enter the industry?

A:  I think including more women in the industry brings different viewpoints that are valuable in discussion and problem-solving. It’s becoming much more apparent that you have to have different people and different personalities to be effective. If you have a different viewpoint, you also have different experiences backing up that viewpoint.

This is especially important in security; you have to be able to have open discussions about how certain security measures affect the user’s risk and productivity.  The goal is to understand what’s best for the user in order to offer the best solution.  This is best achieved when a variety of different viewpoints are brought to the table.

Q:  What advice do you have for anyone interested in entering the cybersecurity industry?

A:  When I first started in the industry as an intern, I didn’t have a security background.  I understood what was going on, but there was a lot I didn’t know. I realized that you must be completely unafraid to ask questions—before you start a new job or internship, and then throughout the entire time you’re there.

There’s a lot you can learn on your own too.  If you are even a little interested, you don’t have to pay loads of money to learn more about the industry.  Always be motivated and open to new ways you can learn.

To hear from more inspiring women in cybersecurity, check out our series.

The post Behind the Screens: An Interview with Trystan Orr appeared first on GRA Quantum.

Learning From the Vodafone-Huawei Backdoor Scandal

Veracode Vodafone Huawei Backdoor April 2019

Yesterday, Bloomberg reported that Vodafone uncovered hidden backdoors in Huawei equipment used for the carrier’s Italian business, which could have given Huawei unauthorized access to Italian homes and businesses. The alleged backdoors were found in 2011 and 2012, and Vodafone told Bloomberg that the issues were resolved at the time.

However, the BBC published a piece this morning in which Vodafone denied the Bloomberg report, citing a spokesperson who says that, "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet.”

Further, the spokesperson indicated that Bloomberg was incorrect in saying that Huawei could have had unauthorized access to the carrier’s Italian network, nor does Vodafone have evidence of any unauthorized access.

According to the BBC, Vodafone took some time off of deploying Huawei equipment in its core networks until a few issues are resolved – namely that Huawei has been accused of being controlled by the Chinese government, which could pose a security risk. The US encouraged allies not to use the equipment in 5G networks, with Secretary of State Mike Pompeo saying the U.S. wouldn't be able to work with nations using the Chinese technology.

What’s the Deal with Backdoors?

Backdoors are a method of bypassing authentication or other security controls in order to access a computer system or the data contained on that system. They can exist at the system level, in a cryptographic algorithm, or within an application. Some backdoors are included in software intentionally, however, they can still pose a serious threat if uncovered by the wrong people.

According a paper from Veracode CTO Chris Wysopal and Veracode Chief Research Officer Chris Eng, backdoored software enables attackers to gain access to highly secure systems that are otherwise rigorously locked down and monitored. The network traffic to and from an application backdoor will most often look like typical usage of the networked application.

For instance, the network traffic of an attacker using backdoored blog software will look like the typical web traffic of a blog user. This will enable them to bypass any network IDS protection. Since the backdoored software is installed by the system operator and is legitimate software it will typically bypass anti-virus software protection.

Many attackers will place backdoors in the source code of software that they have legitimate access to simply because it is a challenge and because they can. They have no intention initially of compromising systems where the software will be installed but take the opportunity because they may want to use the backdoor in the future.

Companies like Apple have forsaken backdoors, and has gone as far as to create their hardware without third-party access to ensure an acceptable level of protection for users and their personal information.

Curious to find out if you have backdoors in your code? Get in touch so we can help.

Your AppSec Program Can Make Your Developers and Your CFO Happy

Veracode AppSec Developers CFO Dynamic Analysis

While cybersecurity risk is steadily growing, so too is the recognition that application security (AppSec) is critical to protecting valuable enterprise resources. More than ever, ensuring that you have a program that spans the entire SDLC is critical to preventing breaches into your organization and customer data. Just as it is important to inventory and secure all of the applications in your portfolio, it’s equally important that your applications are coded securely. Let’s be real: there are a few ways that shifting your application security program left can go wrong. This can include purchasing solutions that don’t really fit the needs of your organization, failing to determine what flaws need fixing first in order to avoid breach, and measuring success against the wrong metrics. This can cost you valuable resources, including your developers’ time and energy, your clients’ trust – and incite the ire of your organization’s CFO.

Here are three tips for running a developer-friendly AppSec program that saves your organization’s most precious resources.

Create Strong Application Security Policies

You know how you treat each email you receive with varying levels of attention and detail? The same sort of policies should be implemented when it comes to fixing flaws found in your software. Like any tool or methodology, AppSec requires a strong structural framework to deliver maximum results. A broadly defined and unfocused program, and the absence of strong AppSec policies, can lead to teams chasing down every flaw and fix. Essentially, you’re running the risk of overwhelming your developers who will no longer have the time or energy to take threats seriously.

There is no one-size-fits-all framework when it comes to creating application security policy (here’s a guide to get you started). It’s really a matter of setting the bar at the right risk and protection level, determining which flaws really matter, understanding remediation and mitigation, and keeping an eye on third-party applications and open source components. Focusing on AppSec standards, like OWASP Top 10, and balancing the needs of your organization will position you for maximum performance and protection, and help you avoid developer burnout.

Identify Appropriate Metrics

The right set of metrics and key performance indicators (KPIs) can greatly simplify and streamline both your software development and your application security. There are a few other metrics to consider beyond meeting your organization’s policy requirements. For example, organizations that have adopted Agile and DevSecOps will find themselves scanning applications and code more frequently. This kind of scanning, when done through automated integration with development systems and at the times best aligned for the development team, can limit the number of vulnerabilities introduced in the Testing and Production stages. Ensuring scan frequency also means reduced mean time to remediate (MTTR) – Veracode’s State of Software Security Volume 9 found that development teams who scanned 300 or more times per year are fixing flaws 11.5x faster than other organizations.

Another metric to consider is flaw density. Flaw density provides a way of looking at the number of flaws produced from a static analysis over the size of the application and can provide directional guidance when comparing groups of applications. A high flaw density simply means more flaws to address, allowing the opportunity to determine where best to use AppSec resources and prioritize flaws accordingly. The beauty of implementing a developer-friendly AppSec program is that it decreases flaw density over time. The Total Economic ImpactTM of the Veracode Application Security Platform, a Forrester Consulting study, shows that prior to using Veracode, the composite organization experienced 60 flaws per MB of code. After adopting the Veracode platform and integrating tools into their CI/CD pipeline, the composite saw a reduction in security flaws of 50% to 90% over three years.

Ensuring that your team has access to actionable results from all application security testing scans performed in a single platform makes coordinating remediation between security, development, and other IT teams easier and more efficient. It also simplifies your ability to measure against the metrics and KPIs set for your organization. To learn more about how to measure your AppSec program, check out the Everything You Need to Know About Measuring Your AppSec Program guide.

Select the Right Solutions

When it comes to AppSec, you need a combination of solutions to ensure that you’re securing your applications at every stage – that’s right, there’s still no silver bullet in security. In the Forrester Consulting study, the organizations interviewed used the Veracode Platform to build stringent security controls and integrate application security testing into their CI/CD pipeline. In addition to using Veracode Static Analysis and Veracode Dynamic Analysis, these organizations shifted security left using Veracode Greenlight and Veracode Software Composition Analysis to identify issues at inception in the SDLC.

As a result, they found that developers were introducing fewer flaws to their code and that the flaws they did find took less time to resolve because we are able to offer contextual remediation advice for those security flaws. Since security flaws were caught earlier in the SDLC, the organization saw a 90 percent reduction in time required to resolve these flaws. Resolutions which previously took 2.5 hours on average were reduced to 15 minutes.

With MTTR included in your overall metrics, it’s important that your application security solutions are designed for speed AND a low false positive rate. This means that security and development teams will spend less time sorting through results to find actual vulnerabilities, and spend more time fixing what matters so that they can move on to other projects.

Developing an AppSec Road Map Saves Time and Money

Organizations need to conduct security testing at the speed of modern day software development in order to maintain tight product roadmap deadlines and increase speed to market. When your teams take the time to understand the bigger picture, the solutions that they need to get the job done well and done efficiently, and they’re able to save time and money doing it, everybody wins. Your development teams will have the space to make your next standout product or feature. You will have the resources to invest in furthering their development education. Your applications will be more secure and your entire organization will be the better for it.

The Next Enterprise Challenge: How Best to Secure Containers and Monolithic Apps Together, Company-wide

Submitted by: Adam Boyle, Head of Product Management, Hybrid Cloud Security, Trend Micro

When it comes to software container security, it’s important for enterprises to look at the big picture, taking into account how they see containers affecting their larger security requirements and future DevOps needs. Good practices can help security teams build a strategy that allows them to mitigate pipeline and runtime data breaches and threats without impacting the agility and speed of application DevOps teams.

Security and IT professionals need to address security gaps across agile and fast pace DevOps teams but are challenged by decentralized organizational structures and processes. And since workloads and environments are constantly changing, there’s no silver bullet when it comes to cybersecurity, there’s only the info we have right now. To help address the current security landscape, and where containers fit in, we need to ask ourselves a few key insightful questions.

How have environments for workloads changed and what are development teams focused on today? (i.e. VMs to cloud to serverless > DevOps, microservices, measured on delivery and uptime).

Many years ago, the customer conversations that we were having were primarily around cloud migration of traditional, legacy workloads from the data center to the cloud. While performing this “forklift,” they had to figure out what IT tools, including security, would operate naturally in the cloud. Many traditional tools they had already purchased previously, before the cloud migration, didn’t quite work out when expanded to the cloud, as they weren’t designed with the cloud in mind.

In the last few years, those same customers who migrated workloads to the cloud, started new projects and applications using cloud native services, and building these new capabilities on Docker, and serverless technologies such as AWS Lambda, Azure functions, and Google Cloud functions. These technologies have enabled teams to adopt DevOps practices where they can essentially continuously deliver “parts” of applications independently of one and other, ultimately delivering outcome much faster to market than one would with a monolithic application. The new projects have given birth to CI/CD pipelines leveraging Git for source code management (using hosted versions from either GitHub or BitBucket), Jenkins, or Bamboo for DevOps automation, and Kubernetes for automated deployment, scaling, and management of containers.

Both of these thrusts are now happening in parallel driving two distinct classes of applications—legacy, monolithic applications, and cloud native microservices. The questions for an enterprise are simple; how do I protect all of this? And, how can I do this at scale?

What’s worth mentioning is also the maturity of IT and how these teams have evolved into leveraging “infrastructure as code.” That is, writing code to automate IT operations. This includes security as code or writing code to automate security. Cloud operations teams have embraced automation and have partnered with application teams to help scale the automation of DevOps driven applications while meeting IT requirements. Technologies like Chef, Puppet, Ansible, Terraform, and Saltstack are popular in our customer base when automating IT operations.

While vulnerabilities and threats will always persist, what is the bigger impact on the organization when it comes to DevOps teams and security?

What we hear when companies talk to us is that the enterprise is not designed to do security at scale for a large set of DevOps teams who are continuously doing build->ship->run and need continuous and uninterrupted protection.

A typical enterprise has a centralized IT and Security Ops teams who are serving many groups of internal customers, typically business units which are responsible for generating the revenue for the enterprise.

So, how do tens or hundreds of DevOps teams who continuously build->ship->run, interact with centralized IT and security Ops teams, at scale? How do IT and security Ops teams embrace these practices and technologies, and ensure that they are secure—both the CI/CD pipelines and the runtime environments?

These relationships between IT teams (including security teams), and the business units have largely been at an executive level (VP and up), but to deliver “secure” outcomes continuously—a more effective, a more automated interplay—between these teams are needed.

We see many DevOps teams across business units incorporating security with varying degrees of rigor—or buying their own security solutions that only work for their set of projects—purchased out of their business unit budgets, implementing them with limited security experience and no tie-back to corporate security requirements or IT awareness. This leads to a fragmented, duplicated, complicated, inconsistent security posture across the enterprise and higher cost models on security tools that becomes more complicated to manage and support. The pressure to deliver faster within a business unit is sometimes at the cost of a coordinated enterprise-wide security plan…we’ve all been there and there’s often a balance that needs to be found.

The relationship, at the working level, between business unit application teams and centralized IT and security Ops teams is not always a collaborative, healthy, working relationship. Sometimes it has friction. Sometimes, the root cause of this friction can be related to application teams having significantly higher understanding of DevOps practices, tools, along with higher understanding of technologies, such as Docker, Kubernetes, and various serverless technologies, than their IT counterparts. We’ve seen painful, unproductive discussions between application teams trying to educate their IT/Security teams on the basics, let alone, get them on board with doing things differently. The friction increases if the IT and security Ops teams don’t embrace the changes in their approach when it comes to container and serverless security. So, to us, the biggest impact right now is if a DevOps team wants to deliver continuously while following an enterprise-wide approach, then they need a continuous relationship with the IT and security operations teams, whom must become well educated in DevOps practices and tools, and microservices technologies (Docker, Kubernetes, etc), where the teams work together to automate security across pipelines and runtime environments. And, the IT and security teams need to level up their skills sets to DevOps and all associated technologies, and help teams move faster, not slower, while meeting security requirements.

To be true DevOps, the “Dev” part would be the application team, the “Ops” part would be ideally IT/security and they would work together. So, we think there could be some pretty big shifts on how enterprises organize their development teams and IT/security Ops teams as the traditional organizational models favor delivery of monolithic, legacy applications that do not do continuous delivery.

The biggest opportunity for IT/security Ops teams is engage the application teams with a set of self-service tools and practices that are positioned to help the teams move faster, while meeting the IT and security requirements for the enterprise.

How can DevOps teams take advantage of the best security measures to better protect emerging technologies like container environments and their supporting tools?

Well this could easily be a book! However, let’s try to summarize at a high level and break this down into “build,” “ship,” and “run.” By no means is this a complete list, but enough to get started. For more information, contact us

Security teams have fantastic opportunity to introduce the following services across the enterprise, for all teams with pipelines and runtimes, in a consistent way.


  • Identification of all source code repositories and CI/CD pipelines across the enterprise, and their owners.
  • Static code analysis.
  • Image scanning for malware.
  • Image scanning for vulnerabilities.
  • Image scanning for configuration assessments (ensure images are hardened).
  • Indicator of Compromise (IoC) queries across all registries.
  • Secrets detection.
  • Automated security testing in staged environments, with generic and custom test suites.
  • Image Assertion – declaring an image to be suitable for the next stage of the lifecycle based on the results of scans, tests, etc.
  • Provide reporting to both application teams and security teams on security scorecards.


  • Admission control – the allowance or blocking of images to runtime environments based on security policies, image assertion, and/or signed images.
  • Vulnerability shielding of containers – Trend Micro will be releasing this capability later this year.


  • Runtime protection of Docker and Kubernetes, including anomaly detection of abnormal changes or configurations.
  • Hardening of Kubernetes and Docker.
  • Using Kubernetes network policy capabilities for micro-segmentation, and not a third-party solution. Then, ensure Kubernetes is itself protected.
  • Container host-based protection—covering malware, vulnerabilities, application control, integrity monitoring, and log inspection—for full stack defense of the applications and the host itself.
  • Kubernetes pod-based protection (privileged container – one per pod). This can be shipped into Kubernetes environments just like any other container, and no host-based agent is required.

For serverless containers and serverless, application protection in every image or serverless function (AppSec library focusing on RASP, OWASP, malware, and vulnerabilities inside the application execution path). Trend Micro will be releasing an offer later this year to address this.

Trend Micro provides a stronger and more robust full lifecycle approach to container security. This approach helps application teams meet compliance and IT security requirements for continuous delivery in CI/CD pipelines and runtime environments. With multiple security capabilities, complete automation resources, and world class threat intelligence research teams, Trend Micro is a leader in the cybersecurity needs of today’s application and container driven organizations.

Learn more at www.trendmicro.com/containers.

The post The Next Enterprise Challenge: How Best to Secure Containers and Monolithic Apps Together, Company-wide appeared first on .

The best cyber security books out there, chosen by over 20 experts

Books are the best way to go about learning in-depth knowledge, and this applies to cybersecurity as well. To this end, we’ve decided to approach these 21  experts about what are the best educational cyber security books out there.

Of course, we know there is no such thing, and each book is good in its own way. The endgame is to create a go-to resource of curated books you, as a user, can read to take your online security knowledge to the next level.

The experts we’ve included in this roundup are leading figures in the industry, and are frequently the first ones to learn about a new kind of malware or cyber threat.

To help you better navigate the list, we’ve internal links so you can zip along from one expert’s recommendation to another.

Inbar Raz | Twitter | Principal researcher at PerimeterX

Inbar’s choice is “ A Bug Hunter’s Diary ”, by Tobias Klein. In a few words, Inbar summarizes the highlights of the book, and also a caveat:

I really liked it because the author did a great job at taking something that is technically sophisticated and hard, and socially admired [bug hunting, vulnerability exploitation]  – and making it accessible and understandable. I think that people who want to understand what vulnerability research is, without having to learn to do it themselves, will find it the perfect book for them. The caveat, though, is that you have to be able to read programming languages in order to fully understand the gravity of what he does.

A book for the technically minded user, who doesn’t mind delving into code to understand cyber threats.

Pierluigi Paganini | Twitter | Founder at Security Affairs

The book of choice for him is The Art of Deception by Kevin Mitnick.

It is a must read, the book explains the importance of social engineering in any attack.

The book shows that human is the weakest link in the cyber security chain, and the art of social engineering allows to exploit it. The book includes real stories and social engineering cases and demonstrates how to chain them in real hacking scenarios.

The reading of the book is suggested also to not tech-savvy people, it can teach them how to avoid being a potential victim of attacks.

Alexandru Stoian | Cybersecurity researcher for the Romanian CERT

His list of recommended book are technical in nature and written for a technically-savvy person who wants to dive into the intricacies of cybersecurity.

Lawrence Abrams | Founder and chief editor of Bleeping Computer | Twitter

Practical Malware Analysis by Michael Sikorksi and Andrew Honig is a frequently cited book in this roundup, and for good reason. It’s a go-to guide for many in learning both basic and advanced malware analysis and dissection techniques.

Understanding Cryptography by Christof Paar and Jan Pelzl is book oriented towards more advanced readers who want to improve their education in the technical basics of cryptography.

Claus Houmann | Twitter | Community manager at Peerlyst

His recommendations aren’t one book, but instead a treasury of free cyber security books that cover the most important aspects of the niche. You can find books for just about any level, from cybersecurity beginner who wants to learn the ropes, to advanced users who want to improve their technical expertise.

Here’s the  full list of free books which includes titles such as Car hackers Handbook and Reverse Engineering for Beginners.

He also recommended three useful ebooks written in collaboration by members of Peerlyst’s community of information security experts. The first one is The Beginner’s guide to Information Security , the second ebook is on the Essentials of Cybersecurity, while the third one talks about the Essentials of Enterprise Network Security.

Alexandre Campos | Profile page | Professor and IT Security team member

Here’s his answer when asked what is the best educational cyber security books out there:

There are lots of books I could mention here but since you ask me for only one, I can’t let aside “ Hacking Exposed 7 “, by Stuart McClure, Joel Scambray and George Kurtz. These security experts show us, in a nice way, how to understand what hackers do during an attack and how to protect us from their actions. They show us concepts and how they can be applied in practice, also telling us about several countermeasures against a wide variety of tools avaiable for hackers to use. It worths it each page you read.

Thomas Callahan | Cybrary

Thomas hails from Cybrary, an online library of courses in various subfields of cybersecurity, such as penetration testing, or malware analysis.

In no particular order, these are his recommended list of cyber security books:

General knowledge and awareness:

Practical guides:

Adam Shostack, author of Threat Modeling | Blog Profile

“I’m going to say that Steven Bellovin’s “ Thinking Security ” is my favorite antidote to jumping to conclusions.  Recently, I’ve seen lots of extreme responses to both the Intel management issue and the Windows Defender script engine.  Both are bad, but jumping to “you will be working the weekend” doesn’t help.  Bellovin’s book will.”

Dave Waterson | Personal Blog |CEO and founder of SentryBay

His recommended cybersecurity book is  Countdown to Zero Day by Kim Zetter. It’s accessible to users without a technical background, and goes over the destructive power of Stuxnet, the malware responsible for sabotaging Iranian centrifuges used in their nuclear program.

Ilya Kolmanovich | Twitter | IBM

Ilya is cybersec Threat Engineer and is part of IBMs Security Intelligence team.

His book of choice when it comes to cybersecurity education is  Practical Malware Analysis by Michael Sikorski.

Joe Shenouda | LinkedIn | Principal Cyber Analyst at Verizon

The three books that he recommends are:

  1.    Cyber War: The Next Threat to National Security and What to Do About It – Richard Clarke, Robert Knake
  2.    Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage By Gordon Corera
  1.    Cybersecurity and human rights in the age of cyberveillance , edited by Joanna Klesza & Roy Balleste

Martijn Grooten | Editor of Virus Bulletin | Twitter

“My favourite book on cybersecurity is  Countdown To Zero Day , by Kim Zetter.

If it is specifically about educational cybersecurity books, my favourite would be Bulletproof SSL and TLS , by Ivan Ristic.”

Troy Hunt | Personal Blog |Creator of HaveIBeenPwned.com

We Are Anonymous by Parmy Olson offers in inside view into the worksings of shadowy hacking groups such as Lulz Sec, Anonymous and the Global Cyber Insurgency.

Xavier Mertens | Personal Blog | Handler for the ISC Initiative

His go to book is  Practical Malware Analysis . It’s safe to say that this book has fairly widespread endorsement by now.

Raj Samani | Computer Security Expert and Chief Scientist at  McAfee

The Cuckoo’s Egg by Cliff Stoll details the story of how the author managed to discover a computer espionage ring infiltrated in the Lawrence Berkeley Lab. The operation eventually led to the involvement of the CIA, and exposed the role of the KGB in the entire operation. 

Liviu Arsene | Twitter | Senior E-Threat Analyst at Bitdefender

His recommended book is Ghost in the Wires , a biography of Kevin Mitnick, a malicious hacker who broke into numerous companies, such as Motorola and Sun Microsystem, all while ducking and dodging the FBI.

Pavel Pohorelsky | Twitter | CTO at Lamantine

Future Crimes by Marc Goodman is a New York Times best seller, which dives into the underground world of blackhat hackers, and explores their motivations, methods and purposes, as viewed by a man working in law enforcement on a mission to stop them.

John E. Dunn | Twitter | Editor and Co-founder at Techworld

Move Fast and Break Things by Jonathan Taplin is an exploration of how the Internet started to change in the vision of the world greatest technology entrepreneurs such as Mark Zuckerber and Larry Page.

David Bisson | Twitter | Security Journalist and Associate Editor at Tripwire | Contributing Editor for Graham Cluley Security News

Worm by Mark Bowden traces the history of the Conficker worm, one of the first major threats against the Internet, and which put into perspective how important online security would be in the new technological world.

Spam Nation by Brian Krebs explores the world of spam, unmasking criminal groups responsible for flooding the email inboxes of tens of millions of users with scam offers, malware and ransomware.

Madalin Dogaru | Security Consultant at SentientChip

If you want to learn how to (ethically!) hack a computer, you’re going to need to know Python, and Black Hat Python by Justin Seitz teaches you the most important aspects.

Reversing: Secrets of Reverse Engineering by Eldad Eilam breaks down the processes required to reverse engineer software and computer internals.

Rtfm: Red Team Field Manual by Ben Clark contains all of the most important basic syntax in Windows and Linux command lines. Useful when Google doesn’t seem to be able to handle your search query.

Linux Shell Scripting Cookbook is a useful resource in learning how to use simple commands for complex tasks in the Linux shell.

Peter Kruse | Twitter | eCrime Specialist at CSIS Security

Countdown to Zero Day by Kim Zetter. By now, this is the third endorsement of this book, and highlights its quality,

Daniel Cid | Profile page | Founder/CTO of Sucuri, Inc

Stealing the Network: How to Own a Continent details how major hackings are accomplished from a technical point of view. A more interesting take on this book comes from review Amar Pai:

This is basically a Tom Clancy novel, but with PHP exploits, nmap console logs, IDA debugger sessions, and other info-sec-porn in place of the usual war-nerdy stats about submarines, missile launchers, Apache gunships, etc.

David Harley | Twitter | Anti-malware researcher and author

Since ‘true’ computer viruses occupy only a tiny corner of the current malware threatscape, it may seem strange to refer back to a groundbreaking book on viruses from 1990, but I really have to mention Dr. Frederick B. Cohen’s book ‘A Short Course on Computer Viruses ’. Not just because Cohen literally ‘wrote the book’ on viruses and is therefore a significant historical figure. Not  just because of what it tells us about the threat as it was seen at that time, though as a fairly abstract overview it does have interest. (If you want exhaustive discussion of specific historical malware, I have a few suggestions below.) But because if you absorb his analyses of technical defenses, you will be in a position to make certain vendors uncomfortable by asking questions about their magic algorithms.

Wearing my security manager’s hat (well, I would, but I haven’t occupied that particular vocational niche for many years, so I don’t have one), I also found Cohen’s ‘Protection and Security on the Information Superhighway ’ a useful resource (especially as a source of useful citations), if less groundbreaking.

There are, of course, many books intended for the edification of security managers, not all of which are terribly good. It might be a bit naughty to mention a book of which I was lead author and technical editor, but I really do think that the ‘AVIEN Malware Defense Guide for the Enterprise ’ (Syngress), though it too suffers from obsolescent technical assumptions, is still worth a look in that it offers a (probably unique) selection of chapters contributed by enterprise security professionals, security vendors, and researchers.

Long before I ever met Stephen Cobb, now a friend and colleague at ESET, one of my go-to resources for management-oriented information was his book ‘ The NCSA Guide to PC and LAN Security ’ (McGraw-Hill). That book was actually based on an earlier book, ‘Cobb’s Guide to PC and LAN Security’ which is available for download from Stephen’s blog at https://scobbs.blogspot.co.uk/ and as he says himself, ‘A lot of what I wrote about privacy principles is still relevant.’

I don’t claim to have more than the basic knowledge of cryptology, but if I needed to dig a little bit deeper, my first port of call would still be Bruce Schneier’s ‘Applied Cryptography: Protocols, Algorithms and Source Code in C ’ (Wiley), even though the 2nd edition goes back to 1996. However, ‘Cryptography Engineering: Design Principles and Practical Applications ’ (Wiley: by Niels Ferguson, Schneier, and Tadayoshi Kohno) and is much more recent, though I’m afraid I haven’t got around to reading it yet. For a more historical, less technical consideration, Simon Singh’s ‘The Code Book ’ (Doubleday) is a pleasant enough read.

And since I mentioned historical malware, I should mention ‘The Art of Computer Virus Research and Defense ’ (Addison-Wesley), by the much-missed researcher Peter Szor. It came out in 2005, so it’s not, of course, up to date, but it contains a great deal of information about early malware and detection technology. There are, in fact, a few books that cover the history of viruses and anti-virus technology accurately and in detail, but they’re not generally available now. For instance, Robert Slade’s Guide to Computer Viruses (and I won’t mention the book Rob and I wrote together a little later.)


The listed books here cover almost every aspect of cybersecurity, across all levels of skill. From the highly technical to the easy, literary reads anyone can enjoy. Hopefully, one or more of these books will help you out in becoming hack proof.

What book would you add to the list? Submit your proposals in the comments below.

The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to: Block malicious websites and servers from infecting your PC Auto-update your software and close security gaps Keep your financial and other confidential details safe


Try Thor Foresight

The post The best cyber security books out there, chosen by over 20 experts appeared first on Heimdal Security Blog.

Survey reveals just how bad the UK is at creating passwords

There are more than 171,000 words in the English language, and yet millions of us can’t look beyond the word that’s right in front of us when selecting a password.

Yes, the NCSC (National Cyber Security Centre)’s Cyber Security Survey found that 3.6 million Britons use ‘password’ as their password. Just as bad are the 23.2 million who use ‘123456’ and the 3.8 million who use ‘qwerty’.

Other common passwords include people’s names (‘ashley’, ‘michael’, ‘daniel’, ‘jessica’ and ‘charlie’ were the most used), football teams and, bizarrely, the pop punk act ‘blink-182’.

But rather than simply castigate the British public for their ineptitude when selecting login credentials, the NCSC provides some much-needed advice on how we can better secure our accounts.

How to make your passwords stronger

When creating passwords, many experts advise using a combination of letters, numbers and special characters (which might explain the interest in Blink-182). However, the NCSC suggests that we might be better off with a combination of three random words.

The reason for this is simple. Despite the requirement for a mix of characters, most systems only require that passwords be six characters long. This might seem to be more than enough – a combination of 26 letters, 10 numerals and 33 special characters gives you 107 billion possible permutations – but reality rarely plays out this way.

For example, the number ‘1’ appears far more often than any other letter, and the special character (for there is typically only one) is almost always ‘-‘. Most of us have therefore given crooks a decent shot at two characters in your password – and they’ll typically be the last two characters.

If you try to outsmart crooks by gorging yourself on special characters, using passwords like ‘a3g^%s’, you’ve only made life harder for yourself. The password is almost impossible to memorise, and criminal hackers are aware of common substitutions, factoring them in when trying to access accounts.

However, as the NCSC advises, you can make your password much stronger simply by making it longer. Each additional letter you use makes your password 26 times harder to crack, meaning a ten-character password that uses letters alone has 141 trillion combinations.

To put it another way, How Secure Is My Password? predicts that the seemingly complex phrase ‘a3g^%s’ could be cracked in 400 milliseconds, whereas a ten-letter combination of three words, like ‘hardtocrack’, would take about a day.

That’s a decent result, but with the number of crooks in the wild churning through passwords, you can do better. Make your password a little longer, like ‘typingmypassword’, and you have a phrase that could take 35,000 years to crack – and that’s with the concession of making your password a literal description of itself.

Anyone capable of conjuring up three genuinely random words could create a password that would take trillions of years to crack without having to compromise on memorability.

Subscribe to the GRC Weekly for all the latest cyber security news and advice >>

The post Survey reveals just how bad the UK is at creating passwords appeared first on IT Governance Blog.