Daily Archives: May 8, 2020

Weekly Update 190


I went with the "just record it live" approach again this week and honestly, it's working out much better for me. It's easier to publish (no manual retrieval of audio and video from devices, no editing in Premiere, no waiting for upload) and doing it in my office gets almost the same audio and video quality as the "old" way anyway. Plus, I get to interact with people whilst recording, so all in all, I'm pretty happy with this approach. Let me know how you find it and if you have any suggestions for improvement. I'll try and do this earlier in the day next Friday to hit the Aus and US friendly time zones rather than Aus and Europe per the last couple of weeks.



  1. We're tracking exceptionally well in Australia during the pandemic, especially in my home state of Queensland (great empirical data on that Twitter account)
  2. Half of people who responded to my Bluetooth poll leave it turned on all the time (count me in that half too)
  3. On average, I load a new breach into HIBP every 4 days but this week was 4 of them across the span of 5 days (mostly due to getting on top of a bunch of disclosures)
  4. There's been a significant uptick in HIBP usage over the last month (definitively not related to any specific breaches, best guess is it's related to changes in working patterns)
  5. I get "I've been hacked and need help" emails pretty much every single day (I'm yet to find a good way of handling these)
  6. Sponsored by Duo: Five reasons you should secure your VPN with MFA to ensure an additional layer of defense. Get the guide by Duo Security.

Mirror Mirror On The Wall, Is My Cloud The Most Secure?

What is the value of your cloud security investment?

How does your cloud security measure up with industry peers?

Amongst all the cloud security measures available, where should you get started?

Do you think nothing short of magic will help answer these questions? If you answered YES! to any of the above questions, read on.

Cloud Adoption is Mainstream!

Cloud computing has evolved from being a market disruptor to the expected approach for IT. Today, businesses are evolving from being “cloud-first” to “cloud-only”. According to the McAfee Cloud Adoption and Risk Report 2019, 87% of enterprises said they experienced benefits from the cloud that helped drive business acceleration.

Need for Cloud Security Solutions is Paramount!

With businesses moving more sensitive data into the cloud, the need for cloud security solutions is paramount. Consider this – the average cost of a data breach in the US is $8.19 million![1] The cost of lost reputation, non-compliance or credibility is immense. Businesses recognize this truth and the need for cloud security as part of their cloud adoption journey. As organizations adopt new infrastructure and software, cloud security spending continues to increase. By 2023, spending on global cloud security solutions is expected to reach $12.7 billion, according to the Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global) report.[2]

So, does IT really need a magical mirror to help answer foundational questions like measuring the value of their cloud security spending?

McAfee MVISION Cloud has the Answer!

McAfee MVISION Cloud, a leading Cloud Access Security Broker that provides comprehensive visibility and control across enterprise SaaS, PaaS, and Infrastructure as a Service environments, and the MVISION Cloud Security Advisor (CSA) might just have the answer!

Join us for a live webinar with Kima Hayuk, Senior IP Protection Manager for Electronic Arts and Thyaga Vasudevan, Head of Product, MVISION Cloud, McAfee.

When: May 14th, 10:00 AM PST | 10:00 AM SGT | 1:00 PM BST

Where: Register here: Mirror Mirror On The Wall, Is My Cloud The Most Secure?


  1. Learn about Electronic Arts’ cloud journey and how McAfee MVISION Cloud helps address their complex cloud security requirements
  2. Introducing MVISION CSA and how it works:
    • CSA as a tool to measure your cloud security maturity and risk posture
    • CSA as a tool to measure the value generated by your cloud investment
    • CSA as a tool to measure your cloud security posture vs. industry peers
    • CSA as a tool to get a list of unique and actionable recommendations to guide on your cloud journey.

Join Us to learn more about what customers and analysts are calling a game changer!


[1] https://www.ibm.com/security/data-breach

[2] Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global) report, 1 April 2019, Jennifer Adams, Andras Cser and Sanjeev Kumar


The post Mirror Mirror On The Wall, Is My Cloud The Most Secure? appeared first on McAfee Blogs.

DigitalOcean Data Leak Incident Exposed Some of Its Customers Data

DigitalOcean, one of the biggest modern web hosting platforms, was recently hit with a concerning data leak incident that exposed some of its customers' data to unknown and unauthorized third parties. Though the hosting company has not yet publicly released a statement, it has started warning affected customers of the scope of the breach via email. According to the breach notification

Principles of a Cloud Migration – Security W5H – The WHERE


“Wherever I go, there I am” -Security

I recently had a discussion with a large organization that had a few workloads in multiple clouds while assembling a cloud security focused team to build out their security policy moving forward.  It’s one of my favorite conversations to have since I’m not just talking about Trend Micro solutions and how they can help organizations be successful, but more so on how a business approaches the creation of their security policy to achieve a successful center of operational excellence.  While I will talk more about the COE (center of operational excellence) in a future blog series, I want to dive into the core of the discussion – where do we add security in the cloud?

We started discussing how to secure these new cloud native services like hosted services, serverless, container infrastructures, etc., and how to add these security strategies into their ever-evolving security policy.

Quick note: If your cloud security policy is not ever-evolving, it’s out of date. More on that later.

A colleague and friend of mine, Bryan Webster, presented a concept that traditional security models have always been about three things: Best Practice Configuration for Access and Provisioning, Walls that Block Things, and Agents that Inspect Things. We have relied heavily on these principles since the first computer was connected to another. I present to you this handy graphic he used to illustrate the last two points.

But as we move to secure cloud native services, some of these are outside our walls, and some don’t allow the ability to install an agent.  So WHERE does security go now?

Actually, it’s not all that different – just how it’s deployed and implemented. Start by removing the thinking that security controls are tied to specific implementations. You don’t need a hardware appliance to do intrusion prevention, just as you don’t need an installed agent to do anti-malware. There will also be a big focus on your configuration, permissions, and other best practices. Use security benchmarks like the AWS Well-Architected Framework, CIS, and SANS to help build an adaptable security policy that can meet the needs of the business moving forward. You might also want to consider consolidating technologies into a cloud-centric service platform like Trend Micro Cloud One, which enables builders to protect their assets regardless of what’s being built. Need IPS for your serverless functions or containers? Try Cloud One Application Security! Do you want to push security further left into your development pipeline? Take a look at Trend Micro Container Security for pre-runtime container scanning or Cloud One Conformity for helping developers scan your Infrastructure as Code.

Keep in mind – wherever you implement security, there it is. Make sure that it’s in a place to achieve the goals of your security policy using a combination of people, process, and products, all working together to make your business successful!

This is part of a multi-part blog series on things to keep in mind during a cloud migration project.  You can start at the beginning which was kicked off with a webinar here: https://resources.trendmicro.com/Cloud-One-Webinar-Series-Secure-Cloud-Migration.html.

Also, feel free to give me a follow on LinkedIn for additional security content to use throughout your cloud journey!

The post Principles of a Cloud Migration – Security W5H – The WHERE appeared first on .

Friday Squid Blogging: Jurassic Squid Attack

It's the oldest squid attack on record:

An ancient squid-like creature with 10 arms covered in hooks had just crushed the skull of its prey in a vicious attack when disaster struck, killing both predator and prey, according to a Jurassic period fossil of the duo found on the southern coast of England.

This 200 million-year-old fossil was originally discovered in the 19th century, but a new analysis reveals that it's the oldest known example of a coleoid, or a class of cephalopods that includes octopuses, squid and cuttlefish, attacking prey.

More news.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Great Minds Think Alike: Aligning Security With Business Priorities

Do you ever feel like security and risk professionals have a completely different set of priorities than the rest of the business? Well, that’s because, at most companies, they do. Security professionals are concerned with securing things – like servers, networks, and applications – from cyber risks. Business decision-makers are concerned with the customer experience, growing revenue, and innovation.

Forrester addresses this discrepancy in a recent report, citing that, “Only 16 percent of global security decision makers at enterprises claim that they are identifying new sources of data-driven revenue, and just 14 percent are developing secure customer-facing mobile and web applications.”[1]

The difference in priorities can have a negative impact on a business. For example, by concentrating solely on the security of products and services, security professionals fail to protect against new attacks that focus on how to manipulate decisions made by or about your company or the perception of your products and services. These types of attacks are commonly associated with innovation, so businesses are often fearful that innovative software will expose the company to risk. But innovation is the only way for a company to progress and stay relevant. So, it’s kind of a catch-22.

How can you solve this dilemma? You need security to align with the business priorities, which means security has to concentrate on the customer experience. Just as development is creating minimum viable products, security must match it with minimum viable security. If security and development are aligned, it will open the door to innovation, making security a competitive advantage.

To learn more about this concept, including ways to shift the security mindset, watch the following video featuring Amy DeMartine based on a recent Forrester report she co-authored, Secure What You Sell: CISOs Must Tackle Product Security to Protect Customers.


[1] “Secure What You Sell: CISOs Must Tackle Product Security To Protect Customers,” by Jeff Pollard, Amy DeMartine with Laura Koetzle, Elsa Pikulik, Peggy Dostie, Forrester Research, Inc.

NIST Introduces Framework for Secure Software Development

NIST Cybersecurity recently published a whitepaper outlining software development practices, known collectively as a secure software development framework (SSDF), that can be implemented into the software development lifecycle (SDLC) to better secure applications. The outlined practices are based on pre-established standards and guidelines as well as software development practice documents.

NIST Cybersecurity states that, if properly implemented, the SSDF practices should, “help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.”

Some of the key tasks outlined in the framework include:

Provide secure code training

Most developers aren’t formally trained in writing secure code. If you take the time to train developers, and any other individuals with responsibilities that contribute to secure development, they’ll be able to write secure code from the start. If code is secure from the start of the development phase, it eliminates rework and speeds the time to deployment.

To ensure successful training on secure code practices, tailor the training to specific roles, document the desired outcomes, and review the training plans periodically.

Automate and integrate security tests

By leveraging automatic testing methods instead of using a manual process, you can improve consistency, accuracy, and comprehensiveness. For human-readable code, like source code, NIST Cybersecurity recommends using a “static analysis tool to automatically check code for vulnerabilities and for compliance with the organization’s secure coding standards.” The static analysis tool should be used to, “remediate documented and verified unsafe software practices on a continuous basis as human-readable code is checked into the code repository.”

For executable code – binaries, directly executed bytecode, and directly executed source code – NIST Cybersecurity recommends integrating “dynamic vulnerability testing into the project’s automated test suite.” And, if resources are available, “incorporate penetration testing to simulate how an attacker might attempt to compromise the software in high-risk scenarios.”

Once you’ve selected your application security tests, they should be integrated into the developers’ existing workflows and processes. NIST suggests “configuring the toolchain to perform automated code analysis and testing on a regular basis.” And, since the tests will produce a long list of vulnerabilities and flaws, you need to put a process in place to assess, prioritize, and remediate the flaws. The longer you wait to remediate flaws, the longer cyberattackers have to exploit the application.

Use open source code securely

Open source code, and all other third-party code, is still susceptible to vulnerabilities and flaws. Start by seeing if there are any publicly known flaws in the software modules that the vendor failed to fix. Then check to see if the module is being actively maintained for new vulnerabilities. If it isn’t being actively maintained, determine a plan of action for how you are going to test the code, and “use the results from commercial services for vetting the modules and services.”


To learn more, download the NIST Cybersecurity whitepaper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF). Or, to find out how Veracode can help you address the practices identified in the whitepaper, visit our product page.

Threat Roundup for May 1 to May 8

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Apr 24 and May 1. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More



20200508-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for May 1 to May 8 appeared first on Cisco Blogs.

Microsoft researchers work with Intel Labs to explore new deep learning approaches for malware classification

The opportunities for innovative approaches to threat detection through deep learning, a category of algorithms within the larger framework of machine learning, are vast. Microsoft Threat Protection today uses multiple deep learning-based classifiers that detect advanced threats, for example, evasive malicious PowerShell.

In continued exploration of novel detection techniques, researchers from Microsoft Threat Protection Intelligence Team and Intel Labs are collaborating to study new applications of deep learning for malware classification, specifically:

  • Leveraging deep transfer learning technique from computer vision to static malware classification
  • Optimizing deep learning techniques in terms of model size and leveraging platform hardware capabilities to improve execution of deep-learning malware detection approaches

For the first part of the collaboration, the researchers built on Intel’s prior work on deep transfer learning for static malware classification and used a real-world dataset from Microsoft to ascertain the practical value of approaching the malware classification problem as a computer vision task. The basis for this study is the observation that if malware binaries are plotted as grayscale images, the textural and structural patterns can be used to effectively classify binaries as either benign or malicious, as well as cluster malicious binaries into respective threat families.

The researchers used an approach that they called static malware-as-image network analysis (STAMINA). Using the dataset from Microsoft, the study showed that the STAMINA approach achieves high accuracy in detecting malware with low false positives.

The results and further technical details of the research are presented in the paper STAMINA: Scalable deep learning approach for malware classification and set the stage for further collaborative exploration.

The role of static analysis in deep learning-based malware classification

While static analysis is typically associated with traditional detection methods, it remains an important building block for AI-driven detection of malware. It is especially useful for pre-execution detection engines: static analysis disassembles code without having to run applications or monitor runtime behavior.

Static analysis produces metadata about a file. Machine learning classifiers on the client and in the cloud then analyze the metadata and determine whether a file is malicious. Through static analysis, most threats are caught before they can even run.

For more complex threats, dynamic analysis and behavior analysis build on static analysis to provide more features and build more comprehensive detection. Finding ways to perform static analysis at scale and with high effectiveness benefits overall malware detection methodologies.

To this end, the research borrowed knowledge from the computer vision domain to build an enhanced static malware detection framework that leverages deep transfer learning to train directly on portable executable (PE) binaries represented as images.

Analyzing malware represented as image

To establish the practicality of the STAMINA approach, which posits that malware can be classified at scale by performing static analysis on malware code represented as images, the study covered three main steps: image conversion, transfer learning, and evaluation.

Diagram showing the steps for the STAMINA approach: pre-processing, transfer learning, and evaluation

First, the researchers prepared the binaries by converting them into two-dimensional images. This step involved pixel conversion, reshaping, and resizing. The binaries were converted into a one-dimensional pixel stream by assigning each byte a value between 0 and 255, corresponding to pixel intensity. Each pixel stream was then transformed into a two-dimensional image by using the file size to determine the width and height of the image.
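The pre-processing step described above (pixel conversion, reshaping, resizing), as an added example that is not the researchers' code. The width table, the 224x224 target size and the nearest-neighbour resize are assumptions for illustration; the page only says that width and height are derived from the file size.

```python
# Added example (not the researchers' code): turn a binary into the 2-D
# grayscale "image" the STAMINA write-up describes. Each byte becomes a pixel
# intensity 0..255, the 1-D stream is reshaped into rows whose width depends
# on the file size, then the image is downscaled to a fixed square for the
# CNN. The width table and nearest-neighbour resize are assumptions made for
# this example; the page only says width and height derive from file size.

# Assumed width table: (maximum file size in bytes, row width in pixels).
WIDTH_TABLE = [
    (10 * 1024, 32),
    (30 * 1024, 64),
    (60 * 1024, 128),
    (100 * 1024, 256),
    (200 * 1024, 384),
    (500 * 1024, 512),
    (1000 * 1024, 768),
]
DEFAULT_WIDTH = 1024  # assumed width for anything larger than the table

# Inception-style models take a fixed square input; 224x224 is assumed here.
TARGET_SIDE = 224


def choose_width(size):
    """Pick the row width for a file of `size` bytes (assumed table)."""
    for limit, width in WIDTH_TABLE:
        if size <= limit:
            return width
    return DEFAULT_WIDTH


def bytes_to_image(data):
    """Pixel conversion + reshaping: bytes -> list of rows of ints 0..255.

    The last row is zero-padded so every row has the same width; the height
    therefore follows from the file size once the width is fixed.
    """
    width = choose_width(len(data))
    pixels = list(data)  # each byte already is a value 0..255
    pixels.extend([0] * ((-len(pixels)) % width))
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


def resize_nearest(rows, side):
    """Resize a rows x cols image to side x side by nearest-neighbour sampling.

    Nearest-neighbour keeps the example free of image-library dependencies
    while preserving the coarse textural layout the classifier relies on.
    """
    in_h, in_w = len(rows), len(rows[0])
    return [
        [rows[y * in_h // side][x * in_w // side] for x in range(side)]
        for y in range(side)
    ]


def binary_to_model_input(data, side=TARGET_SIDE):
    """Full pre-processing step: binary -> side x side grayscale image."""
    return resize_nearest(bytes_to_image(data), side)


# Constructed stand-in for a PE file: an "MZ" header followed by a byte ramp.
SAMPLE = b"MZ" + bytes(range(256)) * 2

if __name__ == "__main__":
    img = bytes_to_image(SAMPLE)
    print(len(img), "rows x", len(img[0]), "columns before resizing")
    small = binary_to_model_input(SAMPLE, side=8)
    for row in small:
        print(" ".join(f"{v:3d}" for v in row))
```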

The second step was to use transfer learning, a technique for overcoming the isolated learning paradigm and utilizing knowledge acquired for one task to solve related ones. Transfer learning has enjoyed tremendous success within several different computer vision applications. It accelerates training time by bypassing the need to search for optimized hyperparameters and different architectures—all this while maintaining high classification performance. For this study, the researchers used Inception-v1 as the base model.

The study was performed on a dataset of 2.2 million PE file hashes provided by Microsoft. This dataset was temporally split into 60:20:20 segments for training, validation, and test sets, respectively.

Diagram showing a DNN with pre-trained weights on natural images, and the last portion fine-tuned with new data

Finally, the performance of the system was measured and reported on the holdout test set. The metrics captured include recall at specific false positive rates, along with accuracy, F1 score, and area under the receiver operating characteristic (ROC) curve.


The joint research showed that applying STAMINA to the real-world hold-out test set achieved a recall of 87.05% at 0.1% false positive rate, and 99.66% recall and 99.07% accuracy at 2.58% false positive rate overall. The results certainly encourage the use of deep transfer learning for the purpose of malware classification. It helps accelerate training by bypassing the search for optimal hyperparameters and architectures, saving time and compute resources in the process.
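How the reported operating points (recall at a fixed false positive rate, plus accuracy and F1 at that threshold, and ROC AUC) are computed from raw classifier scores, as an added example that is not the researchers' code. The scores and labels are constructed toy data, not results from the study.

```python
# Added example (not the researchers' code): compute the evaluation metrics the
# STAMINA write-up reports, recall at a fixed false-positive rate plus accuracy
# and F1 at that operating point, and the area under the ROC curve, from raw
# classifier scores. Scores and labels below are constructed toy data.


def recall_at_fpr(scores, labels, target_fpr):
    """Highest-recall operating point whose FPR does not exceed target_fpr.

    scores: classifier outputs, higher means "more malicious".
    labels: 1 for malware, 0 for benign.
    Returns (recall, fpr, threshold); a file is flagged when score > threshold.
    """
    benign = sorted((s for s, l in zip(scores, labels) if l == 0), reverse=True)
    malicious = [s for s, l in zip(scores, labels) if l == 1]
    # Number of benign files we may tolerate above the threshold.
    allowed_fp = int(target_fpr * len(benign))
    if allowed_fp >= len(benign):
        threshold = float("-inf")  # everything is flagged
    else:
        # The (allowed_fp+1)-th highest benign score sits exactly on the
        # threshold and is therefore NOT flagged (we flag on strict '>').
        threshold = benign[allowed_fp]
    fp = sum(1 for s in benign if s > threshold)
    tp = sum(1 for s in malicious if s > threshold)
    recall = tp / len(malicious) if malicious else 0.0
    fpr = fp / len(benign) if benign else 0.0
    return recall, fpr, threshold


def accuracy_f1(scores, labels, threshold):
    """Accuracy and F1 when flagging every score strictly above threshold."""
    tp = fp = tn = fn = 0
    for s, l in zip(scores, labels):
        flagged = s > threshold
        if flagged and l == 1:
            tp += 1
        elif flagged:
            fp += 1
        elif l == 1:
            fn += 1
        else:
            tn += 1
    accuracy = (tp + tn) / len(labels)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    denom = precision + recall
    f1 = 2 * precision * recall / denom if denom else 0.0
    return accuracy, f1


def roc_auc(scores, labels):
    """AUC via its rank interpretation: P(malicious score > benign score)."""
    benign = [s for s, l in zip(scores, labels) if l == 0]
    malicious = [s for s, l in zip(scores, labels) if l == 1]
    wins = 0.0
    for m in malicious:
        for b in benign:
            wins += 1.0 if m > b else 0.5 if m == b else 0.0
    return wins / (len(malicious) * len(benign))


# Constructed toy scores: 10 benign files followed by 10 malicious files.
SCORES = [0.10, 0.20, 0.30, 0.40, 0.95, 0.50, 0.60, 0.70, 0.80, 0.90,
          0.99, 0.97, 0.96, 0.92, 0.85, 0.75, 0.65, 0.55, 0.45, 0.35]
LABELS = [0] * 10 + [1] * 10

if __name__ == "__main__":
    for target in (0.0, 0.1, 0.3):
        rec, fpr, thr = recall_at_fpr(SCORES, LABELS, target)
        acc, f1 = accuracy_f1(SCORES, LABELS, thr)
        print(f"FPR<={target:.0%}: recall={rec:.0%} at fpr={fpr:.0%} "
              f"(thr={thr:.2f}) accuracy={acc:.0%} f1={f1:.2f}")
    print(f"ROC AUC={roc_auc(SCORES, LABELS):.2f}")
```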

The study also highlights the pros and cons of sample-based methods like STAMINA and metadata-based classification methods. For example, STAMINA can go in-depth into samples and extract additional signals that might not be captured in the metadata. However, for larger applications, STAMINA becomes less effective due to limitations in converting billions of pixels into JPEG images and then resizing them. In such cases, metadata-based methods show advantages over this approach.

Conclusion and future work

The use of deep learning methods for detecting threats drives a lot of innovation across Microsoft. The collaboration with Intel Labs researchers is just one of the ways in which Microsoft researchers and data scientists continue to explore novel ways to improve security overall.

This joint research is a good starting ground for more collaborative work. For example, the researchers plan to collaborate further on platform acceleration optimizations that can allow deep learning models to be deployed on client machines with minimal performance impact. Stay tuned.


Jugal Parikh, Marc Marino

Microsoft Threat Protection Intelligence Team


The post Microsoft researchers work with Intel Labs to explore new deep learning approaches for malware classification appeared first on Microsoft Security.

3 ways to put the expanding perimeter on ISE and gain zero-trust

Security has been heating up for well over a decade. In 2013, we added fuel to the fire as the malware economy and large organizational breaches (not just incidents) hit the front page. We hunkered down and layered in defenses with moats, walled perimeters and roving guards for when the bad dudes got in. And now we are losing our perimeter. We are losing control as massive trends, such as cloud migration, a mobile workforce, and the addition of all those scary connected things, are pulling the perimeter apart. As this happens we’re often caught in the balancing act between driving the business forward by promoting connections and locking it down to provide protection.

To cool this phenomenon down, and to avoid locking down IT initiatives that are propelling business, organizations are rethinking how they look at access. We are realizing there was some truth in the old sect of security professionals who said to “trust no one,” and now we can add “trust no one thing.” From these cries arose the zero-trust framework.

Although not entirely new, it is becoming easier to achieve zero trust with advances in technology that are making it possible to continually authenticate and authorize access at many points within the network. We are now able to build security directly into the network and achieve a segmented network that continually authenticates the endpoint and authorizes access based on a least privilege model, to ensure endpoints only get the access they require to meet mission objectives.

Cisco Identity Services Engine (ISE) has been taking on secure access challenges for almost ten years. We recently performed a customer survey to find out how innovations within ISE are enabling a zero-trust approach in the workplace to manage the expanding perimeter and to build security and protection directly into the network.


Asset Visibility: 75% of customers surveyed said the capability they value the most from ISE is knowing who and what’s on the network.

Gaining visibility is the first step. If we cannot correctly identify what is connecting, and gain endpoint visibility that is not only granular, but also dynamic with context that keeps up with the evolving threat landscape, it is impossible to enforce a policy that will control access to only what an endpoint requires to get the job done, and not risk disrupting business objectives.

Network Segmentation: 79% of respondents stated that the ability to use the network itself to enforce access policy was the value they get the most out of ISE.

Network segmentation is an outcome of effective asset visibility. Obtaining granular control of the endpoint, no matter where the endpoint is located, is difficult to achieve without granular visibility. In the past, the lack of visibility has been a major barrier to building zones of access based on trust. ISE implements segmentation precisely the way you intended and makes it easy to control policy consistently across wireless, wired, and VPN connections. Another 58% stated they achieve this value without buying more security products, which can increase CAPEX and often adds complexity with bolt-on solutions that do not recognize a platform approach.


Value without increasing costs: 79% agree that ISE significantly improved their security profile and reduced operational costs.

The organizations we partner with at Cisco have real challenges and a limited budget is one of them. The ISE team has been focusing on simplifying the user experience to ensure that customers can move to advanced use cases like network segmentation without increasing complexity and operational costs. And with a focus on interoperability and platform integrations, customers will be able to accelerate their protection as well as the value of existing solutions to gain an active arm of protection from passive security solutions without an increase in investment.


ISE has been cooling down network access and control for almost ten years, which explains why 95% of those surveyed said they would recommend ISE to a colleague or friend.

You can read more about the results of the survey here.
To learn more about ISE, visit https://www.cisco.com/go/ise

The post 3 ways to put the expanding perimeter on ISE and gain zero-trust appeared first on Cisco Blogs.

Used Tesla Components Contain Personal Information

Used Tesla components, sold on eBay, still contain personal information, even after a factory reset.

This is a decades-old problem. It's a problem with used hard drives. It's a problem with used photocopiers and printers. It will be a problem with IoT devices. It'll be a problem with everything, until we decide that data deletion is a priority.

Evaluating and Selecting AppSec Vendors to Fit Your Business Needs

Application security (AppSec) has seen quite an uptick over the last 10 years, with no signs of slowing down. When your organization is ready to tackle the challenge of building a strong AppSec program, you may find yourself wondering where to plug in various tools and solutions – and even where to start with comparing AppSec vendors.

How can you properly evaluate the marketplace and select the right solutions for your organization’s needs? Consider a framework that combines developer enablement with AppSec governance for an approach that covers the needs of modern software development without breaking the bank. Here’s a guide on what to look for when assessing potential vendors to determine whether they’re the right fit for your business.

Range of scanning and testing technologies

Overcoming challenges in DevSecOps means the ability to scale up and scale down as needed. It also entails empowering developers to fix security issues on their own and improving efficiency with automated solutions.

As no one single tool can act as a window into the health of your AppSec, it’s important to choose a vendor that offers several scanning and testing technologies with the ability to scale and automate from anywhere to bolster dispersed workforces. At the heart of developer enablement and AppSec should live comprehensive analysis tools with solutions like the following:

  • Static Analysis (SAST): Static application security testing (SAST) is a testing process that looks at the application code that your own team writes. This test process is performed without executing the program, but rather by examining the source code, byte code or application binaries for signs of security vulnerabilities.
  • Software Composition Analysis (SCA): This testing type identifies vulnerabilities in open source libraries that your team has included in the code.
  • Interactive Application Security Testing (IAST): IAST uses an agent inside the application or runtime environment that observes where an application could be exploited when executed.
  • Dynamic Analysis (DAST): Dynamic application security testing (DAST) looks at the application from the outside in – by examining it in its running state and trying to manipulate it in order to discover security vulnerabilities. The dynamic test simulates attacks against a web application and analyzes the application’s reactions, determining whether it is vulnerable.
  • Penetration Testing: A solution that goes beyond automated testing for a manual assessment of the health of your code.

Note: Run an evaluation of the tools with your own applications, not standardized benchmark applications. Some vendors optimize results for benchmarking applications but deliver far worse results or require extensive tuning for custom apps. Insist that you will scan your own apps and want to be present for any tuning that needs to occur so that you can estimate the effort per application.

SaaS vs. on-prem solutions

When surveying options for vendors, it’s important to decide whether cloud-based SaaS solutions or on-premises tools are the better fit. On-prem tools that require installation, setup time, training, and maintenance are typically not easy to scale and are more expensive, requiring a surplus of skills and time. That means organizations are slower to start scanning and securing their applications.

Cloud-based services, however, do not require businesses to buy tools and go through the process of installation and continued maintenance or patching. There is also less of a responsibility for the accuracy of detection as that falls on the vendor and little to no downtime in running scans and receiving results that guide DevSecOps programs. When a vendor offers SaaS solutions in the cloud, they handle the deployment and upkeep swiftly so that organizations can start scanning from day one and don't have to worry about AppSec tools weighing on their processes (or servers) as they scale up and scale down.

AppSec governance solutions

Three of the key factors for AppSec governance include defining your program to achieve specific goals, scaling your program through best practices learned along the way, and proving the value of your AppSec solution. Good AppSec governance tools directly impact remediation management by informing decisions your security and development teams make, while also helping your organization meet compliance needs. Vendors that are thoughtful about AppSec governance offer solutions including:

  • Policy and Reporting: Your AppSec vendor should have policy and reporting tools that provide a clear report on progress to help set goals, define SLAs, and meet compliance requirements.
  • Remediation Management: Remediation management solutions enable your organization to fix found flaws quickly.
  • Analytics: It's important for your AppSec vendor of choice to offer analytics tools that provide clear insight into metrics to help you manage and mature your DevSecOps programs, as well as demonstrate success.

Developer enablement resources

Developer enablement is critical to the success of your DevSecOps program, as developers are the ones creating secure code. Resources designed for enablement will help developers find and fix flaws faster, as well as reduce the introduction of new flaws. If your vendor of choice offers these resources to developers, you'll have an easier time opening a door of communication between development and security to shift AppSec left earlier in the development process. Focus on vendors that offer:

  • Integrations: Ask potential vendors how they would handle integrations with your development pipeline, and what their range of compatible integrations looks like.
  • Training: Vendors that offer developer training through real-time feedback while coding, workshops, and hands-on learning care about empowering your developers to write more secure code. Ask potential vendors what they offer for training materials, including programs that provide real-world experience breaking and fixing applications.
  • Remediation Guidance: Remediation guidance is an essential part of developer enablement and ongoing training. Ask potential vendors what they offer for in-context guidance and one-on-one expert advice when it comes to your specific application types, and the programming languages your developers use most.

The numbers

Have a discussion with potential vendors about numbers that can shed light on their business wellbeing and, ultimately, the impact it will have on your organization's investment. To understand whether a potential vendor has the fortitude to meet your business needs, ask the following questions:

  • How financially stable is this vendor?
  • Will the vendor exist in the market in five to 10 years?
  • What is the vendor's market share?

You can get a pulse on a potential vendor's standing in the market by looking at its:

  • Revenue numbers
  • Number of customers
  • Number of scans completed
  • Reputation among its audience
  • History and track record of success
  • Innovation and breadth of offerings

Finally, take a look at how much money potential vendors charge, and how much they'll cost you in the long run:

  • What is the price per unit (tool, scan, etc.)?
  • Carefully compare SaaS vs. on-prem solutions: the operational costs of on-prem solutions can be significant and should be scoped out before signing the paperwork.
  • Can you consolidate various scan types into one vendor to reduce effort and get package deals?
  • Does the solution require tuning of applications, maintenance, and operations? What is the labor cost associated with this?

Finding a vendor that fits the bill

Be prepared to approach each of your top options for vendors with questions about their suite of solutions and how they can fit into your existing processes. Look for vendors that offer multiple testing types like SAST, DAST, and SCA for a well-rounded approach to your application security.

Equally as important is finding a vendor with SaaS-based solutions in the cloud so that you won't have to delay projects or spend time waiting for maintenance down the road. If you can find all the above in a price range that fits your budget, you'll be well on your way to more secure applications that keep you - and your customers - safe.

Learn more about AppSec best practices, and how to get started, in our new guide, AppSec Best Practices vs. Practicality.

Learn Five Easy Steps To Fix Joomla Hack

When we talk about the second most popular Content Management System (CMS), Joomla is the one. It lets users publish websites conveniently and is user-friendly. Although Joomla is one of the most widely used systems for building sites, there is still a chance of a hack. If you do not keep its plugins updated, you can soon face such a problem. Therefore you must learn several things related to fixing a Joomla hack.

Bear in mind that every new update comes with more advanced security tools, which are useful in preventing hacks. So, if you keep on using the old version, there is a chance that a black hat hacker gets access to your website. Hackers are just like mosquitoes, who adapt their skills to get into the system, and only the new security tools that come with an update can keep them away!

But in case your website does get hacked, here are some vital steps you can follow to recover from this problem. Here you can learn how to fix a Joomla hack.

What Are Signs That A Website Has Been Hacked?

Before you fix a Joomla hack, you have to analyze whether your site is hacked or not. Then you can proceed with the solutions.

  • Your website is redirecting to spam
  • Your admin account keeps logging you out
  • Bulky pages and slow page loading speed
  • Google checks a website for 'malware' and 'phishing' and then blacklists it
  • Undesirable and malicious ads popping up along with spam

Jump Into The Fix Joomla Hack And Malware Removal Process

If you come across common indicators like abnormal browser behavior, modified files, and blacklist warnings from Google and other search engines, then you need to get it fixed soon. Below is the process that can help you in such a situation!

Fix Joomla hack

The very first step is to clean the whole website once you have information about the potential malware location. It is also vital to determine whether any files have been changed. For this, compare the infected files with the previous copies saved in your backup. This helps you identify and then remove the malicious files.

Using a database admin panel such as phpMyAdmin or Adminer, clean the hacked Joomla database. Next, secure all your accounts, because many smart hackers intentionally leave backdoors to regain access to your website. That is why you should carefully clean out any infected files that could work as a backdoor.

  1. Database Cleanup

A Joomla SQL injection can create new database users; therefore, the first job is to start cleaning the infected data. Once you detect the rogue users, delete them immediately using the SQL statement DROP USER. You should also sanitize user input and restrict the database permissions granted to the application's account.

  2. Safeguarding the Server

A faulty server can always cause damage, even if the installation process is secure. There are many vital points to remember regarding Joomla security, but here are some of the most important:

  • Make sure to remove unused subdomains
  • Routinely check for configuration issues
  • Ensure that open ports are closed
  • Always block messages that can leak information

  3. Setting Authorizations

First, make sure that nobody can upload executable files like .php or .aspx; allow only image uploads to the server. After this, you can move on to setting the permissions on the server.

Here, make sure you are using well-known extensions. You do not have to worry, because extensions are easy to get, as Joomla is a pretty big CMS. This is one of the vital steps to fix a Joomla hack, because such extensions get updated fast.

  4. Check Changed Files in Joomla

Usually, hackers make changes to your original files and add malicious files alongside them. They inject infected files that help them gain more access to the website. This can cause problems for you during installation. In such cases, you need to do a fresh installation, and for that you must have a backup.

You can use various handy commands to check the modifications made to your files, which helps fix a Joomla hack.
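The following script is an added example and not part of the original post. It compares a live Joomla webroot with a known-good backup to list changed and added files, lists recently modified files for the case where no backup exists, and flags PHP scripts in the `images/` upload directory, which relates to the earlier point about not allowing executable files there. All directory paths are constructed sample data, not a real installation.

```shell
#!/bin/sh
# Added example, not from the original post: compare a Joomla webroot with a
# known-good backup to spot changed or added files, and flag PHP files sitting in
# the images/ upload directory. Directory paths are constructed sample data.
set -eu

# list_changed_files BACKUP_DIR LIVE_DIR
# Prints "changed: <path>" for files that differ from the backup and
# "added: <path>" for files present only in the live site, sorted.
list_changed_files() {
    backup="$1"; live="$2"
    find "$live" -type f | while IFS= read -r f; do
        rel="${f#"$live"/}"
        if [ ! -f "$backup/$rel" ]; then
            echo "added: $rel"
        elif ! cmp -s "$backup/$rel" "$f"; then
            echo "changed: $rel"
        fi
    done | sort
}

# recently_modified LIVE_DIR DAYS
# Lists files whose mtime changed within DAYS days; useful when no backup exists.
recently_modified() {
    find "$1" -type f -mtime "-$2" | sort
}

# php_in_uploads LIVE_DIR
# The images/ directory should only hold uploads; any script there is suspect.
php_in_uploads() {
    find "$1/images" -type f \( -name '*.php' -o -name '*.phtml' \) | sort
}

# make_sample_tree: builds a constructed backup and live tree under a temp dir
# and prints the temp dir path. Purely for demonstration.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/backup/images" "$root/live/images"
    for d in backup live; do
        echo '<?php // framework bootstrap' > "$root/$d/index.php"
        echo 'logo bytes' > "$root/$d/images/logo.png"
    done
    echo '<?php $host = "localhost";' > "$root/backup/configuration.php"
    echo '<?php $host = "localhost"; // extra line' > "$root/live/configuration.php"
    echo '<?php // unexpected script in upload dir' > "$root/live/images/unexpected.php"
    echo "$root"
}

# Stand-alone demo: run the three checks over the constructed tree.
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    echo "== changed/added files =="; list_changed_files "$root/backup" "$root/live"
    echo "== modified in last day =="; recently_modified "$root/live" 1
    echo "== scripts in images/ =="; php_in_uploads "$root/live"
    rm -rf "$root"
fi
```

Run it as `sh check_joomla_files.sh demo` to see the output for the constructed tree; on a real site, point the functions at your backup and webroot instead.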

  5. Check The User Logs

The best way to figure out the root cause of a Joomla hack is through the system logs. These record all the activities that took place earlier. Whenever a SQL injection or XSS takes place, there is a recorded request. Not just this, hackers also try to create new admin accounts. You can follow these vital steps to check for any suspicious users:

  • Start by logging in to your Joomla Dashboard.
  • Next, click Users and pick Manage.
  • Here you can check for suspicious users who recently registered.
  • Then proceed to remove any unknown user.
  • Ensure that you check each user's last visit date.
  • Find out where the server logs are stored.
  • Remove the unknown IPs, if any.

So these were the vital steps to fix a Joomla hack. Also, remember the ways to determine whether your website is hacked or not!


This Week in Security News: 7 Tips for Security Pros Patching in a Pandemic and Coinminer, DDoS Bot Attack Docker Daemon Ports

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports. Also, learn about tips for IT and security pros struggling to patch properly throughout the pandemic.


Read on:

#Let’sTalkSecurity: Bounty Smarter Not Harder

This Week, Rik Ferguson, Vice President of Security Research at Trend Micro, hosted the first episode of #Let’sTalkSecurity featuring Katie Moussouris, Founder and CEO of Luta Security. This series explores security and how it impacts our digital world. In discussion with some of the brightest and most influential minds in the community, Trend Micro explores this fascinating topic. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Teaming Up with INTERPOL to Combat COVID-19 Threats

Partnerships matter in times of a crisis. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia, and law enforcement to collaborate. Trend Micro is delighted to be working with long-time partner, INTERPOL, over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from an influx of COVID-19 threats.

7 Tips for Security Pros Patching in a Pandemic

Patch management has historically been a challenge for IT and security teams, which are under pressure to create strong programs and deploy fixes as they are released. Now, their challenges are intensified as a global shift to remote work forces companies to rethink patching strategies. In this article, experts in vulnerability and patch management share their advice for IT and security pros struggling to patch properly throughout the pandemic.

Principles of a Cloud Migration – Security W5H – The When

Security is as important to your cloud migration as the actual workload you are moving to the cloud. It is essential to plan and integrate security at every single layer of both architecture and implementation. If you are doing a disaster recovery migration, you need to make sure that security is ready for the infrastructure, your shiny new cloud space, as well as the operations supporting it.

Samsung Patches 0-click Vulnerability Impacting All Smartphones Sold Since 2014

This week Samsung released a security update to fix a critical vulnerability impacting all smartphones sold since 2014. The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.

Security 101: How Fileless Attacks Work and Persist in Systems

As security measures get better at identifying and blocking malware and other threats, modern adversaries are constantly crafting sophisticated techniques to evade detection. One of the most persistent evasion techniques involves fileless attacks, which do not require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.

Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform

Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company’s massive user base.

Phishing, Other Threats Target Email and Video App Users

Trend Micro has seen several threats abusing tools utilized in work from home (WFH) setups. Cybercriminals are using credential phishing sites to trick users into entering their credentials into fake login pages of email and collaboration platforms and videoconferencing apps.

Firefox 76 Delivers New Password Security Features and Security Fixes

Just in time for this year’s World Password Day, Mozilla has released new Firefox Lockwise features. Starting with Firefox 76, users will be able to check whether any of the passwords they use are vulnerable (e.g., identical to a password that has been breached) and be alerted when their login and password is involved in a breach.

Excel Files with Hidden Sheets Target Users in Italy

A spam campaign using emails that have Excel file (.xls) attachments has been seen circulating and targeting users in Italy, Germany and other countries. The attachment appears blank when opened, but it has a sheet set to “hidden” that attempts to connect to a URL and download a file. Setting sheets to hidden is a documented feature. Some of the subjects of the spam emails written in Italian involve topics like free services, correcting information, invoice details, order completion and service assistance.

Coinminer, DDoS Bot Attack Docker Daemon Ports

Researchers found an open directory containing malicious files, which was first reported in a series of Twitter posts by MalwareHunterTeam. Analyzing some of the files, Trend Micro found a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports. The attack starts with the shell script named mxutzh.sh, which scans for open ports (2375, 2376, 2377, 4243, 4244) and then creates an Alpine Linux container that will host the coinminer and DDoS bot.

Naikon APT Hid Five-Year Espionage Attack Under Radar

After five years under the radar, the Naikon APT group has been unmasked in a long-term espionage campaign against several governments in the Asia-Pacific region. The Chinese APT group was first uncovered by Kaspersky researchers in 2015. A recently discovered widespread campaign reveals the group has spent the past five years quietly developing their skills and introducing the “Aria-body” RAT into their arsenal of weapons.

What do you think about Firefox’s new Lockwise password security features? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Meant to Combat ID Theft, Unemployment Benefits Letter Prompts ID Theft Worries

Millions of Americans now filing for unemployment will receive benefits via a prepaid card issued by U.S. Bank, a Minnesota-based financial institution that handles unemployment payments for more than a dozen U.S. states. Some of these unemployment applications will trigger an automatic letter from U.S. Bank to the applicant. The letters are intended to prevent identity theft, but many people are mistaking these vague missives for a notification that someone has hijacked their identity.

So far this month, two KrebsOnSecurity readers have forwarded scans of form letters they received via snail mail that mentioned an address change associated with some type of payment card, but which specified neither the entity that issued the card nor any useful information about the card itself.

Searching for snippets of text from the letter online revealed pages of complaints from consumers who appear confused about the source and reason for the letter, with most dismissing it as either a scam or considering it a notice of attempted identity theft. Here's what the letter looks like:

A scan of the form letter sent by U.S. Bank to countless people enrolling in state unemployment benefits.

My first thought when a reader shared a copy of the letter was that he recently had been the victim of identity theft. It took a fair amount of digging online to discover that the nebulously named “Cardholder Services” address in Florida referenced at the top of the letter is an address exclusively used by U.S. Bank.

That digging indicated U.S. Bank currently manages the disbursement of funds for unemployment programs in at least 17 states, including Arkansas, Colorado, Delaware, Idaho, Louisiana, Maine, Minnesota, Nebraska, North Dakota, Ohio, Oregon, Pennsylvania, South Dakota, Texas, Utah, Wisconsin, and Wyoming. The funds are distributed through a prepaid debit card called ReliaCard.

To make matters more confusing, the flood of new unemployment applications from people out of work thanks to the COVID-19 pandemic reportedly has overwhelmed U.S. Bank’s system, meaning that many people receiving these letters haven’t yet gotten their ReliaCard and thus lack any frame of reference for having applied for a new payment card.

Reached for comment about the unhelpful letters, U.S. Bank said it automatically mails them to current and former ReliaCard customers when changes in its system are triggered by a customer – including small tweaks to an address — such as changing “Street” to “St.”

“This can include letters to people who formerly had a ReliaCard account, but whose accounts are now inactive,” the company said in a statement shared with KrebsOnSecurity. “If someone files for unemployment and had a ReliaCard in years past for another claim, we can work with the state to activate that card so the cardholder can use it again.”

U.S. Bank said the letters are designed to confirm with the cardholder that the address change is valid and to combat identity theft. But clearly, for many recipients they are having the opposite effect.

“We encourage any cardholders who have questions about the letters to call the number listed on the back of their cards (or 855-282-6161),” the company said.

That’s nice to know, because it’s not obvious from reading the letter which card is being referenced. U.S. Bank said it would take my feedback under advisement, but that the letters were intended to be generic in nature to protect cardholder privacy.

“We are always seeking to improve our programs, so thank you for bringing this to our attention,” the company said. “Our teams are looking at ways to provide more specific information in our communications with cardholders.”