Daily Archives: August 15, 2019

Key Ways to Make the Case for AppSec Budget

Security departments are juggling a multitude of security initiatives, and each is competing for a slice of one budget. How do you make the case that AppSec deserves a slice of that budget pie, or a bigger slice, or even to make the pie bigger? Here are a few key ways:

Find a compelling event

The most obvious compelling event, of course, is a breach, but there are other events that will compel executives to budget for application security. For instance, regulations could be a compelling event – if you have to comply with a security regulation (PCI, NY DFS cybersecurity regulations, etc.) or pay a fine, that’s an easy budget win. In addition, customers asking about the security of software could be a compelling event. IT buyers are increasingly asking about the security of software before purchasing. We recently conducted a survey of IT buyers with IDG, and 96 percent of respondents reported that they are more likely to consider doing business with a vendor or partner whose software has been independently verified as “secure.” Sales losing a deal because they couldn’t respond to a security audit would certainly be considered a compelling event.

Look to the future

A clear road map and plan for your AppSec program not only gives you more credibility, but also helps to “warm up” your investors to what you’re planning on doing in future years. Show the efficiencies and risk reduction your program will make in the future to highlight how upfront investment will lead to future results. For instance, an investment in developer training will make developers more self-sufficient and lessen the burden on security teams.

Benchmark

It can be powerful to illustrate where your organization’s security program sits relative to other organizations and your peers. If you're lagging, it’s a clear indication that further investment is needed. If you're leading, you can use that fact to prove your progress and make the case for more ambitious projects.

Veracode’s State of Software Security is a good benchmarking resource, as is the OpenSAMM framework. The State of Software Security report includes comparisons by industry, so you can point to the application security progress made by others within your own industry. In addition, OWASP’s Application Security Verification Standard (ASVS) can help organizations to classify applications into three different levels from low to high assurance. This helps firms to allocate security resources based on the software’s business importance or risk breach.

Know your audience

Speak the language of executives when making the case for more budget. For instance, telling the CFO, “we've reduced the number of SQL injections” won’t resonate. Rather than the number of SQL injections, talk about how the program will reduce the number of breaches by X percent, or how it will reduce the cost to fix vulnerabilities by X percent. Be mindful of your audience and frame your budgeting conversation accordingly.

Be visible and credible

The more credible you are, the better your chances of getting the budget you’re asking for. Clearly understand what you're going to do with the money, and how you're going to justify that spend. Prove that you understand how your organization works and that you will use the money effectively. Finally, tie application security to business priorities and initiatives, and be able to show a clear roadmap for your program.

In addition, be visible. It's important to promote success of your program. Present on the progress you’re making, run awareness sessions, or have visible dashboards.

Break down your budget (must, should, could)

You’ll have a range of priorities and things that you could be spending money on in your AppSec program. Give your budget stakeholder options. Start with what you must do – for instance, what you need to achieve for regulatory compliance. And then give them some wiggle room in the middle on projects that they should or could do. If you go in with a number in mind and don't get it, be ready to slice and dice your budget request.

Learn more

Get more details on these strategies and additional tips and advice on making the case for AppSec budget in our new guide, Building a Business Case for Expanding Your AppSec Program.

The Cerberus Banking Trojan: 3 Tips to Secure Your Financial Data

A new banking trojan has emerged and is going after users’ Android devices. Dubbed Cerberus, this remote access trojan allows a distant attacker to take over an infected Android device, giving the attacker the ability to conduct overlay attacks, gain SMS control, and harvest the victim’s contact list. What’s more, the author of the Cerberus malware has decided to rent out the banking trojan to other cybercriminals as a means to spread these attacks.

According to The Hacker News, the author claims that this malware was completely written from scratch and doesn’t reuse code from other existing banking trojans. Researchers who analyzed a sample of the Cerberus trojan found that it has a pretty common list of features including the ability to take screenshots, hijacking SMS messages, stealing contact lists, stealing account credentials, and more.

When an Android device becomes infected with the Cerberus trojan, the malware hides its icon from the application drawer. Then, it disguises itself as Flash Player Service to gain accessibility permission. If permission is granted, Cerberus will automatically register the compromised device to its command-and-control server, allowing the attacker to control the device remotely. To steal a victim’s credit card number or banking information, Cerberus launches remote screen overlay attacks. This type of attack displays an overlay on top of legitimate mobile banking apps and tricks users into entering their credentials onto a fake login screen. What’s more, Cerberus has already developed overlay attacks for a total of 30 unique targets and banking apps.

So, what can Android users do to secure their devices from the Cerberus banking trojan? Check out the following tips to help keep your financial data safe:

  • Be careful what you download.Cerberus malware relies on social engineering tactics to make its way onto a victim’s device. Therefore, think twice about what you download or even plug into your device.
  • Click with caution.Only click on links from trusted sources. If you receive an email or text message from an unknown sender asking you to click on a suspicious link, stay cautious and avoid interacting with the message altogether.
  • Use comprehensive security. Whether you’re using a mobile banking app on your phone or browsing the internet on your desktop, it’s important to safeguard all of your devices with an extra layer of security. Use robust security software like McAfee Total Protection so you can connect with confidence.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The Cerberus Banking Trojan: 3 Tips to Secure Your Financial Data appeared first on McAfee Blogs.

Will You Ace Your Cybersecurity Internship?

Reading Time: ~ 4 min.

Cybersecurity has become the hot industry – tips and tricks on how to get the most out of your cybersecurity internship (and land a job after graduation). 

Students today are faced with grueling course loads, pressure to get real-world experience and a looming competitive job market. The need for hands-on knowledge and a developed resume is crucial, making internships a necessity. However, once you nail your interview and land your position, how do you prepare and make the most out of the opportunity?

The goal of an internship is to prepare you for your future career. While earning a college degree in computer science is quite an accomplishment, in the cybersecurity field, a theoretical knowledge and your required coding and science classes just aren’t enough. It’s critical to supplement those courses with real experience tackling a variety of threats in the cyber landscape, not only to gain new skills, but also understand what it’s really like to work in cybersecurity to decide if that career path is right for you.

Learn how Webroot is building a cybersecurity talent pipeline through our annual Coding Challenge.

According to a recent Wall Street Journal article, companies and government organizations are beginning to lock in contracts with cybersecurity job candidates younger than ever before–during junior, sometimes even sophomore year. Often, these early recruits are individuals who interned for the company in the past and proved themselves as an invaluable member of the team; securing a good position and acing your internship have never been more crucial to future career success. There’s no better feeling than having job security heading back to college for your senior year or being able to focus your electives on skills that will immediately translate to skills you’ll need for your upcoming role.

Be Eager and Ready to Learn 

While pursuing a major in cybersecurity provides the background necessary for your internship, you won’t know it all. You should walk into your internship everyday ready to learn the ins and outs of the field and be eager to take on new experiences. Say “yes” to everything.

According to William W. Dyer, director of the Corporate Affiliates Program for the Jacobs School of Engineering at the University of California San Diego, “Students study theories, case studies and learn both fundamental and advanced coding, but are not able to work on threats and breaches in real-time. They have structured work with a finite ending (quarters are 10 weeks long), whereas hacks and threats can happen at any time and require immediate response and solutions.”

A simple way to learn (and network) is to reach out to a few professionals who are working on a project you’re interested in or skilled in an area you’d like to further develop. Grabbing a quick coffee with someone who has been working in the cybersecurity field will allow you to gain valuable insights and real-world anecdotes. Not only will these people be able to mentor you, but they could even be a reference when the time comes for you to apply for jobs after graduation. 

Be Up-To-Date on All Things Cybersecurity 

Before your first day, it’s important to be well versed in the latest cybersecurity news, trends and data breaches. Taking the initiative to keep up on the latest in the industry and to provide an educated opinion on these issues will not only set you apart from other interns, but it will impress your managers and allow you to have a deeper understanding of your tasks and assignments. Every security incident is an opportunity to learn and ask questions that will serve you well later.

When pressed for what cybersecurity students should do to prepare for a future career in the space, Fred Yip, manager of software development at Webroot said, “Follow cybersecurity news and podcasts to understand what problems the industry is facing.” 

Listening to a security podcast on your morning commute or setting up simple Google alerts for topics such as, ‘data breach,’ or ‘cybersecurity,’ will keep you up to date on the conversations happening in the space. Lots of great discussions happen on professional LinkedIn forums and Twitter too.

Continue to Grow in Cybersecurity, Even After Your Internship Ends

Once your internship has concluded, it is important to keep growing and honing your arsenal, especially that crucial developer knowledge. According to Dyer, “We encourage our students to participate in any and all extracurricular activities that enhance their skills.” Taking online tutorial courses or participating in hackathons or coding challenges are a great way to put your new skills to the test.

That said, continuing to challenge yourself in school and taking coding and cybersecurity classes is also important. Classes that are focused around operating systems, network security, digital forensics or a variety of computer programming languages like C++, Javascript, Python are all courses that will serve you in your future career. Finding the link between class and real-world is the key to a successful career. 

Also continue following industry news and engaging with professionals through social channels. The network you create during your college years with classmates, professors and folks you meet during your internships will be instrumental in securing future opportunities. Check in with your internship managers, what’s their take on the latest data breach, acquisition or trend?

In today’s competitive job market, setting yourself apart through quality work is important and can be the key to a future at that company. While the classroom provides you with the concepts necessary to succeed, real-world experience will not only help you decide if a career in cybersecurity is something you want to continue to pursue, but you will gain invaluable knowledge and begin to grow your professional network that will be so crucial upon graduation. It is important to connect with colleagues and other interns, keep up with cybersecurity news, engage with professionals and accept as many opportunities as possible to learn about your chosen career path, allowing you to get the most out of your internship.

The post Will You Ace Your Cybersecurity Internship? appeared first on Webroot Blog.

IT Governance’s 2019 Cyber Resilience Report reveals major data protection weaknesses

Anti-malware technology is one of the most basic cyber security mechanisms that organisations should have in place, but according to IT Governance’s 2019 Cyber Resilience Report, 27% of respondents haven’t implemented such measures.

This finding is even more surprising given that our customer base is naturally more knowledgeable about information security than the average organisation. Our results represent the most optimistic assessment of organisations’ cyber resilience, so the chances are things are even worse in the wider world.

Anti-malware technology isn’t the only area where organisations are neglecting essential cyber security measures. The report also found that:

  • 43% of organisations don’t have a formal information security management programme.

An information security management plan provides a comprehensive assessment of the way an organisation addresses data protection risks. It ensures that preventative measures are appropriate to the scale of the risk and that every necessary precaution is being taken.

Organisations that lack a formal plan will be tackling security measures piecemeal, if at all.

  • 33% of organisations don’t have documents that state how they plan to protect their physical and information assets.

Without documented plans, it’s impossible to track whether they work and what adjustments are necessary. More to the point, it’s possible that the organisation has no plans in place at all, exposing them to myriad threats.

  • 30% haven’t implemented identity and access controls.

Sensitive information should only be available to those who need it to perform their job, otherwise you run the risk of someone in the organisation using it for malicious purposes.

In some cases, an unauthorised person simply viewing the information is a serious privacy breach. You wouldn’t want everyone at an organisation being able to look at your medical information or political affiliations, for example. That’s why it’s essential to implement controls that ensure that only approved employees can access certain information.

Where do these figures come from?

The report has its origins in our Cyber Resilience Framework, which we developed last year to help organisations improve their ability to prevent security incidents and respond when disaster strikes.

Alan Calder, the founder and executive chairman of IT Governance, said: “Attackers use cheap, freely available tools that are developed as soon as a new vulnerability is identified, producing ever more complex threats, so it is evident that, in the current landscape, total cyber security is unachievable.

“An effective cyber resilience strategy is therefore the answer, helping organisations prevent, prepare for and respond to cyber attacks, and ensure they are not only managing their risks but also minimising the business impact.”

As part of the framework, we offered a self-assessment questionnaire, which helped organisations see how their existing measures compared to the framework and how much work was necessary to achieve cyber resilience.

We collated the results of the self-assessment to create this report, which provides a broader insight into how organisations are addressing cyber security risks and which threats are most commonly overlooked.

How does your organisation compare?

Download the report for free from our website to see the survey results in full and guidance on where organisations are going right and wrong.

If you’d like to know how your organisation compares to the survey’s respondents, our self-assessment questionnaire is still available.

CR report

The post IT Governance’s 2019 Cyber Resilience Report reveals major data protection weaknesses appeared first on IT Governance Blog.

How to Build Your 5G Preparedness Toolkit

5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions being asked and uncertainties being raised around accessibility, as well as cybersecurity. The introduction of this next-generation network could bring more avenues for potential cyberthreats, potentially increasing the likelihood of denial-of-service, or DDoS, attacks due to the sheer number of connected devices. However, as valid as these concerns may be, we may be getting a bit ahead of ourselves here. While 5G has gone from an idea to a reality in a short amount of time for a handful of cities, these advancements haven’t happened without a series of setbacks and speedbumps.

In April 2019, Verizon was the first to launch a next-generation network, with other cellular carriers following closely behind. While a technological milestone in and of itself, some 5G networks are only available in select cities, even limited to just specific parts of the city. Beyond the not-so widespread availability of 5G, internet speeds of the network have performed at a multitude of levels depending on the cellular carrier. Even if users are located in a 5G-enabled area, if they are without a 5G-enabled phone they will not be able to access all the benefits the network provides. These three factors – user location, network limitation of certain wireless carriers, and availability of 5G-enabled smartphones – must align for users to take full advantage of this exciting innovation.

While there is still a lot of uncertainty surrounding the future of 5G, as well as what cyberthreats may emerge as a result of its rollout, there are a few things users can do to prepare for the transition. To get your cybersecurity priorities in order, take a look at our 5G preparedness toolkit to ensure you’re prepared when the nationwide roll-out happens:

  • Follow the news. Since the announcement of a 5G enabled network, stories surrounding the network’s development and updates have been at the forefront of the technology conversation. Be sure to read up on all the latest to ensure you are well-informed to make decisions about whether 5G is something you want to be a part of now or in the future.
  • Do your research. With new 5G-enabled smartphones about to hit the market, ensure you pick the right one for you, as well as one that aligns with your cybersecurity priorities. The right decision for you might be to keep your 4G-enabled phone while the kinks and vulnerabilities of 5G get worked out. Just be sure that you are fully informed before making the switch and that all of your devices are protected.
  • Be sure to update your IoT devices factory settings. 5G will enable more and more IoT products to come online, and most of these connected products aren’t necessarily designed to be “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you can instantly upgrade your device’s security and ensure your home network is secure.
  • Add an extra layer of security.As mentioned, with 5G creating more avenues for potential cyberthreats, it is a good idea to invest in comprehensive mobile security to apply to all of your devices to stay secure while on-the-go or at home.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post How to Build Your 5G Preparedness Toolkit appeared first on McAfee Blogs.

New Research: Lessons from Password Checkup in action



Back in February, we announced the Password Checkup extension for Chrome to help keep all your online accounts safe from hijacking. The extension displays a warning whenever you sign in to a site using one of over 4 billion usernames and passwords that Google knows to be unsafe due to a third-party data breach. Since our launch, over 650,000 people have participated in our early experiment. In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe---1.5% of sign-ins scanned by the extension.
Today, we are sharing our most recent lessons from the launch and announcing an updated set of features for the Password Checkup extension. Our full research study, available here, will be presented this week as part of the USENIX Security Symposium.

Which accounts are most at risk?

Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach. If you use strong, unique passwords for all your accounts, this risk disappears. Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites.

In fact, outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking.
Anonymous telemetry reported by Password Checkup extension shows that users most often reuse vulnerable passwords on shopping, news, and entertainment sites.


Helping users re-secure their unsafe passwords

Our research shows that users opt to reset 26% of the unsafe passwords flagged by the Password Checkup extension. Even better, 60% of new passwords are secure against guessing attacks—meaning it would take an attacker over a hundred million guesses before identifying the new password.
Improving the Password Checkup extension

Today, we are also releasing two new features for the Password Checkup extension. The first is a direct feedback mechanism where users can inform us about any issues that they are facing via a quick comment box. The second gives users even more control over their data. It allows users to opt-out of the anonymous telemetry that the extension reports, including the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage. By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information.


We're continuing to improve the Password Checkup extension and exploring ways to implement its technology into Google products. For help keeping all your online accounts safe from hijacking, you can install the Password Checkup extension here today.