Daily Archives: December 6, 2019

Its Time to Help Defend Organizations Worldwide

Folks,

I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some perspective, getting 007G ready for launch, and dealing with a certain nuisance.

Having successfully accomplished all three objectives, it is TIME to help defend organizations worldwide from the SPECTRE of potentially colossal compromise, which is a real cyber security risk that looms over 85% of organizations worldwide.


When you know as much as I do, care as much as I do, and possess as much capability as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.

So, even though I barely have any time to do this, in the interest of foundational cyber security worldwide, I'm going to start sharing a few valuable perspectives again, and do so, on this blog, that blog and the official PD blog (;see below.)


Speaking of which, earlier this week, I had the PRIVILEGE to launch the official PD blog -  https://blog.paramountdefenses.com


Stay tuned for some valuable cyber security insights right here from January 06, 2020
and let me take your leave with a befitting (and one of my favorite) song(s) -



Best wishes,
Sanjay.


PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right here.


DevSecOps Challenges From a Security Perspective

The transition from DevOps to DevSecOps requires security professionals to have a whole new understanding of development processes, priorities, tools, and painpoints. It’s no longer feasible for security professionals to get by with a superficial understanding of how developers work. But this understanding can be a significant undertaking for most security pros who haven’t had to be immersed in the development side of the house previously.

In its new report, Building an Enterprise DevSecOps Program, analyst firm Securosis notes of security teams and DevSecOps, “Their challenge is to understand what development is trying to accomplish, integrate with them in some fashion, and figure out how to leverage automated security testing to be at least as agile as development.”

In this same paper, Securosis highlights the questions security professionals ask them most often surrounding DevSecOps, which include “can we realistically modify developer behavior?” “What tools do we start with to ‘shift left’” and “how do we integrate security testing into the development pipeline?” These are all valid and important questions, but Securosis points out that there are also questions security teams should be asking, but aren’t, including:

  • How do we fit — operationally and culturally — into DevSecOps?
  • How do we get visibility into Development and their practices?
  • How do we know changes are effective? What metrics should we collect and monitor?
  • How do we support Development?
  • Do we need to know how to code?

The questions the security team is currently asking are about security tasks in DevSecOps; the questions they aren’t asking are about how to understand and work with the development organization. And those are the questions they should start asking. Where to start? The key development areas security teams need to understand when trying to get a handle on application security include the following:

Process: At the very least understand why development processes have changed over the years, what they are trying to achieve, and make sure security testing embraces the same ideals.

Developer tools: You need to understand the tools developers use to manage the code they are building in order to understand where code can be inspected for security issues.

Code: Security tests are shifting left and looking at code, not fully developed applications. The traditional thinking about security audits needs to shift as well.

Open source: You would be hard-pressed to find an app that isn’t made up primarily of open source code. Understand why, and then work with the development team to help them continue to use open source code, but in a secure way.

How security tools affect developer processes: Make sure the security tools you select integrate with the tools and processes developers already use and don’t slow them down with false positives.

Cultural dynamics: You need to fully understand the development team’s goals and priorities – which are most often centered around speed. That understanding is key to getting developer buy-in and acceptance.

SDLC: It’s best practice to include some kind of security analysis in each phase of the software lifecycle. For instance, threat modeling during design, and software composition analysis during development. In this way, you establish a process-independent AppSec program that will work with varying development processes.

For more details on these development areas and practical advice on building an effective DevSecOps program, check out the full Securosis report.

Cyber News Rundown: ZeroCleare Malware

Reading Time: ~ 2 min.

ZeroCleare Malware Wiping Systems

IBM researchers have been tracking the steady rise in ZeroCleare deployments throughout the last year, culminating in a significant rise in 2019. This malware is deployed on both 32 and 64-bit systems in highly targeted attacks, with the capability to completely wipe the system by exploiting the EldoS RawDisk driver (which was also used in prior targeted attacks). The malware itself appears to be spreading through TeamViewer sessions and, though the 32-bit variant seems to crash before wiping can begin, the 64-bit variant has the potential to cause devastating damage to the multi-national corporations being targeted.

FTC Scam Threatens Victims with Terrorism Charges

FTC officials recently made an announcement regarding scam letters purporting to be from the commission and the numerous complaints the letters have sparked from the public. Victims of the scam are told that, due to some suspicious activity, they will be personally and financially monitored as well as face possible charges for terrorism. These types of scams are fairly common and have been in use for many years, often targeting the elderly with greater success.

Take back your privacy. Learn more about the benefits of a VPN.

Misreported Data Breach Costs Hospital Millions

Following an April 2017 complaint, the Office of Civil Rights has issued a fine of $2.175 million after discovering that Sentara Hospitals had distributed the private health information for 577 patients, but only reported eight affected. Moreover, it took over a year for the healthcare provider to take full responsibility for the breach and begin correcting their security policies for handling sensitive information. HIPAA violations are extremely time-sensitive and the slow response from Sentara staff could act as a lesson for other organizations to ensure similar events don’t reoccur.

Android Vulnerability Allows Hackers Easy Access

Researchers have identified a new Android exploit that allows hackers access to banking applications by quickly stealing login credentials after showing the victim a legitimate app icon, requesting additional permissions, and then sending the user to their expected app. Even more worrisome, this vulnerability exists within all current versions of AndroidOS and, while not found on the Google Play Store, some illicit downloaders were distributing it.

Smith & Wesson Hit by Magecart

In the days leading up to Black Friday, one of the largest retail shopping days of the year, malicious skimming code was placed onto the computer systems and, subsequently, the website of Smith & Wesson. In a slight break from the normal Magecart tactics, they attackers were masquerading as a security vendor to make their campaign less visible. The card-skimming code was initially placed onto the website on November 27 and was still active through December 2.

The post Cyber News Rundown: ZeroCleare Malware appeared first on Webroot Blog.

Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020

Its December and the Christmas lights are going up, so it can't be too early for cyber predictions for 2020.   With this in mind, Richard Starnes, Chief Security Strategist at Capgemini, sets out what the priorities will be for businesses in 2020 and beyond.


Accelerated digital innovation is a double-edged sword that will continue to hang over the cybersecurity threat landscape in 2020.  As businesses rapidly chase digital transformation and pursue the latest advancements in 5G, cloud and IoT, they do so at the risk of exposing more of their operations to cyber-attacks. These technologies have caused an explosion in the number of end-user devices, user interfaces, networks and data; the sheer scale of which is a headache for any cybersecurity professional. 

In order to aggressively turn the tide next year, cyber analysts can no longer avoid AI adoption or ignore the impact of 5G. 

AI Adoption
Hackers are already using AI to launch sophisticated attacks – for example AI algorithms can send ‘spear phishing’ tweets six times faster than a human and with twice the success. In 2020, by deploying intelligent, predictive systems, cyber analysts will be better positioned to anticipate the exponentially growing number of threats.

The Convergence of IT and OT
At the core of the Industry 4.0 trend is the convergence of operations technology (OT) and information technology (IT) networks, i.e. the convergence of industrial and traditional corporate IT systems. While this union of these formerly disparate networks certainly facilitates data exchange and enables organisations to improve business efficiency, it also comes with a host of new security concerns.

5G and IoT
While 5G promises faster speed and bandwidth for connections, it also comes with a new generation of security threats. 5G is expected to make more IoT services possible and the framework will no longer neatly fit into the traditional security models optimised for 4G. Security experts warn of threats related to the 5G-led IoT growth anticipated in 2020, such as a heightened risk of Distributed Denial-of-Service (DDoS) attacks.

Death of the Password
2020 could see organisations adopt new and sophisticated technologies to combat risks associated with weak passwords.

More Power to Data Protection Regulations
In 2020, regulations like GDPR, The California Consumer Privacy Act and PSD2 are expected to get harsher. We might also see announcements of codes of conduct specific to different business sectors like hospitality, aviation etc. All this will put pressure on businesses to make data security a top consideration at the board level.