Daily Archives: September 4, 2020

Weekly Update 207


I kicked off a little bit earlier on this one in order to wrap up before the Burning Minds keynote, and it's interesting to see just how much difference that little sliver of sunlight makes to the video quality. Check the very start of the video versus the very end; this is the sunset slipping through the crack in the fully drawn blinds, and it makes a massive difference. In other news, I'm talking about how I prepare my talks and deliver them timed down to the minute (I had 20 seconds spare on this one), the dramas I'm having with the Shelly units and putting another dozen neon lights in the house, how encryption and hashing are fundamentally different and we should stop conflating the terms and finally, a bit in response to an audience question about how to phrase messaging for a customer attempting to use a Pwned Password.



  1. I've been really carefully planning the timing of my talks for years now (dug this tweet out as a reminder of how valuable this approach has been)
  2. Thread here on installing the new RGB LED downlights (no, this is not my bedroom!)
  3. Stefán from EVE Online has written a bunch about how to frame messaging when a customer attempts to use a Pwned Password (search through his other posts on the topic too, CCP Games has put a heap of research into this)
  4. Whilst I'm pimping his writing, check out yesterday's post too: Using HaveIBeenPwned, Application Insights and Grafana to detect credential stuffing attacks (this is really neat)
  5. Sponsored by: AppTrana - A Risk Based Managed Cloud WAF that includes Security Assessment of your Site, Instant Managed protection, 24x7 Monitoring & CDN
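The check behind item 3, as an added example that is not code from the post, from Have I Been Pwned or from CCP Games: a password is SHA-1 hashed locally, only the first five hex characters of the hash are sent to the Pwned Passwords range API (the k-anonymity model, with the documented `https://api.pwnedpasswords.com/range/<prefix>` endpoint returning `<suffix>:<count>` lines), and the suffix match happens on the client. The fetcher is injectable so the example runs offline against a constructed response body with made-up counts; the customer-facing wording is illustrative, not any vendor's copy. It also shows in passing why this is hashing and not encryption: there is no key and nothing to decrypt.

```python
"""Pwned Passwords k-anonymity check plus customer-facing wording.

Added example; not code from the post, Have I Been Pwned or CCP Games.
Assumes the documented range API contract:
  GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
  -> one "<remaining 35 hex chars>:<count>" line per hash in that bucket.
"""
import hashlib
from typing import Callable, Dict, Optional

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed response for the 5BAA6 bucket (the prefix of SHA-1("password")).
# The counts are made up for this example; the live API returns real figures.
CONSTRUCTED_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "21BD12DC183F740EE76F27B78EB39C8AD97:1\r\n"
)


def sha1_hex(password: str) -> str:
    """Hash, not encryption: there is no key, and nothing can be 'decrypted'.

    The server only ever sees the first five hex characters of this digest,
    which many unrelated passwords share, so it cannot tell which one was checked.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; ignores malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real fetcher (network). Not used by the offline demonstration below."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_constructed(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; only knows the 5BAA6 bucket."""
    return CONSTRUCTED_RANGE_BODY if prefix == "5BAA6" else ""


def customer_message(count: int) -> Optional[str]:
    """Illustrative wording: blames the password, not the customer, and does
    not claim the customer's own account was breached."""
    if count == 0:
        return None
    return (
        "This password has appeared in {n:,} previously reported data breaches. "
        "That doesn't mean your account was breached, but it does mean attackers "
        "can guess it easily, so please choose a different one."
    ).format(n=count)


if __name__ == "__main__":
    n = pwned_count("password", fetch_range_constructed)
    print(customer_message(n))
```

Swap `fetch_range_constructed` for `fetch_range_live` to query the real service; the rest of the flow, and what leaves the client, is unchanged.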

How Piyush’s remarkable efforts ignited a larger impact of giving back

At McAfee, we support team members who are passionate about giving back. You are encouraged and empowered to make a substantial impact in improving our community and volunteering to help others. 

Piyush, a Software Architect in our Bangalore office, is a team member particularly passionate about his community and has dedicated countless hours volunteering at the Sheila Kothavala Institute for the Deaf (SKID).

Two years ago, his impact was multiplied when he shared his volunteer story during McAfee’s Social Initiative Contest (SIC), a program that contributes resources to the causes important to select employees who volunteer for non-governmental organizations (NGOs).

Moved by Piyush’s story, the judges funded his program for two years in a row! The funding enhanced the infrastructure of a special school for hearing-impaired kids and provided a tactile library that helps visually impaired students see the world through touch.

We asked Piyush four questions to learn more.

How did you get involved? 

I’m a son of educators. My father was a principal and my mother was a university senior lecturer. The importance of educational success runs deep for me. Seven years ago, I found my own educational calling when I was introduced to the Sheila Kothavala Institute for the Deaf (SKID), an organization that supports the education of differently-abled students and equips them to successfully graduate high school.

How often do you volunteer? 

What started as a weekend volunteer endeavor soon grew into an every-morning commitment. Before going into work at McAfee, I dedicate an hour each morning to teaching math and volunteering with students at SKID.

What has helped you the most in your volunteer journey? 

Figuring out how to communicate with hearing-impaired kids was a challenge for me. However, the immense support I received from the kids helped to relieve a lot of the pressure. I started to learn sign language along with them and became more effective at teaching. Spending time every day with these kids has motivated me in unexpected ways. Not only do I want to do as much as I can for them, but I also find myself more engaged at work. I’m thankful McAfee supports our passions in and out of the office.

Describe how your involvement evolved with SKID. What do you hope to accomplish in the future? 

First, I want to thank McAfee for their encouragement, as with their support I can take my volunteer activities to greater heights and accomplish even more. With the funds McAfee awarded, I was able to establish a complete science lab and build an interactive curriculum that complements day-to-day learning, procure games catered towards kids with special needs, and build a tactile library for visually impaired students.

After volunteering seven years with hearing-impaired students, this year, I’ve taken it upon myself to work more with the visually impaired. The joy on the faces of these kids continues to motivate me to do even more! 

Piyush is a stunning example of how one person’s selfless contributions have the power to inspire others and spark change on a large scale. He continues to inspire, not just through his unrelenting dedication to helping others, but through his words by encouraging others to take simple steps in giving back.

Looking to work for a company that supports the extraordinary contributions of their team members? Search our job opportunities. 


The post How Piyush’s remarkable efforts ignited a larger impact of giving back appeared first on McAfee Blogs.

AppSec Tools Proliferation Is Driving Investments to Consolidate

When it comes to application security (AppSec), it’s important to note that no one testing type can uncover every flaw. Each tool is designed with a different area of focus, along with different speeds and costs, so it’s necessary to employ a mix of testing types.

A good way to think about AppSec testing types is to compare them to health exams. You wouldn’t have a cholesterol test and assume your annual physical was complete. Similarly, you shouldn’t conduct a static analysis scan and assume you’ve covered all the bases.

In the chart below, you’ll notice that static analysis works on any type of application (web, desktop, mobile, etc.) and covers a broad range of programming languages. However, it can’t find business logic flaws or alert you to known vulnerabilities in open source components.

Penetration testing might look like it can uncover every vulnerability, but it too has its downsides. Penetration tests are manual, so they are time consuming and expensive, and their results go out of date as soon as the code changes. And, since penetration testing is conducted in staging or production, its findings often arrive as unplanned work for the development team.

Mix of AppSec scans

Most organizations know that they need to implement several testing types. In fact, a recent survey sponsored by Veracode and conducted by Enterprise Strategy Group (ESG), revealed that more than 71 percent of organizations use more than 10 different AppSec tools. But of these organizations surveyed, 84 percent answered that the number of AppSec tools they employ is posing a challenge.

Individual AppSec tools in use

Multiple testing types are necessary for a mature AppSec program, but they can be challenging to manage.

Why do multiple testing types cause a challenge at many organizations? Because most AppSec vendors only offer one or two testing types. So if an organization chooses a vendor that only offers static analysis, and they want to add more testing types, they have to employ more vendors.

Multiple vendors can be challenging for an organization to manage because the scan metrics will appear on separate dashboards, which makes it difficult to assess risk across the enterprise. The ESG study confirms this challenge with over 40 percent of respondents citing AppSec metrics as an ongoing issue.
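What "one dashboard" means in practice is a common finding schema that every tool's output is mapped onto. The following is an added example, not Veracode's or ESG's code, of that normalisation: a minimal SARIF 2.1.0 fragment (the interchange format many SAST tools emit) and a hypothetical SCA report format invented for this example are mapped to one record shape, deduplicated, and rolled up by severity and by tool. Both input documents are constructed; the rule IDs, advisory IDs and package names are placeholders.

```python
"""Roll findings from several AppSec tools up into one view.

Added example, not Veracode's or ESG's code. CONSTRUCTED_SARIF is a minimal
SARIF 2.1.0 document of the kind SAST tools emit; CONSTRUCTED_SCA uses a
hypothetical format invented for this example. All identifiers are placeholders.
"""
from collections import Counter
from typing import Dict, List

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# SARIF 'level' values mapped onto the common scale (an assumption; tune per tool).
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}

CONSTRUCTED_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/orders.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used to hash passwords"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"},
                                                 "region": {"startLine": 17}}}]},
            # The first finding reported again (e.g. a second scan of the same branch).
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/orders.py"},
                                                 "region": {"startLine": 42}}}]},
        ],
    }],
}

CONSTRUCTED_SCA = {  # hypothetical SCA output format
    "tool": "ExampleSCA",
    "vulnerabilities": [
        {"id": "ADV-EXAMPLE-0001", "package": "example-lib", "version": "1.2.3",
         "cvss": 9.8, "summary": "Deserialisation of untrusted data"},
        {"id": "ADV-EXAMPLE-0002", "package": "other-lib", "version": "0.9.0",
         "cvss": 5.3, "summary": "Open redirect"},
    ],
}


def cvss_to_severity(score: float) -> str:
    """CVSS v3 qualitative scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "info"


def from_sarif(doc: dict) -> List[dict]:
    out = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            phys = res["locations"][0]["physicalLocation"]
            out.append({
                "tool": tool, "scan_type": "SAST", "id": res["ruleId"],
                "severity": SARIF_LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "medium"),
                "location": "%s:%d" % (phys["artifactLocation"]["uri"], phys["region"]["startLine"]),
                "title": res["message"]["text"],
            })
    return out


def from_sca(doc: dict) -> List[dict]:
    return [{
        "tool": doc["tool"], "scan_type": "SCA", "id": v["id"],
        "severity": cvss_to_severity(v["cvss"]),
        "location": "%s@%s" % (v["package"], v["version"]),
        "title": v["summary"],
    } for v in doc["vulnerabilities"]]


def merge(*sources: List[dict]) -> List[dict]:
    """Dedupe on (scan_type, id, location), keeping the most severe copy."""
    seen: Dict[tuple, dict] = {}
    for findings in sources:
        for f in findings:
            key = (f["scan_type"], f["id"], f["location"])
            if key not in seen or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[seen[key]["severity"]]:
                seen[key] = f
    return sorted(seen.values(), key=lambda f: -SEVERITY_RANK[f["severity"]])


def summarise(findings: List[dict]) -> dict:
    """The numbers a single cross-tool dashboard would show."""
    highest = max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default="info")
    return {
        "total": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "by_tool": dict(Counter(f["tool"] for f in findings)),
        "highest": highest,
    }


def load_findings() -> List[dict]:
    return merge(from_sarif(CONSTRUCTED_SARIF), from_sca(CONSTRUCTED_SCA))


if __name__ == "__main__":
    for f in load_findings():
        print("%-8s %-5s %-20s %s" % (f["severity"], f["scan_type"], f["id"], f["location"]))
    print(summarise(load_findings()))
```

The dedupe key and the severity mappings are the two places where judgement lives: a SAST "error" and a CVSS 7.5 are not the same thing, and any rollup that puts them on one scale should document the mapping it chose.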

34 percent of ESG survey respondents plan to consolidate vendors to alleviate the burden of multiple testing types.

Finding one vendor that offers a comprehensive set of AppSec tools, like Veracode, can alleviate the burden of vendor management. Veracode offers static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing which, if used together, can enable your organization to drive down risk across the entire application lifetime from development to testing to production.

Veracode Analytics provides metrics for all five offerings in one central location. Having metrics in one place allows organizations to assess the value of their scan types, pinpoint where further investments are needed, and compare the success of their program to similar organizations in the industry. Organizations can share the findings from their analytics with stakeholders or executives to show the return on investment or make a case for an increased AppSec budget.

Veracode Analytics

Veracode application analysis tools cover web and mobile apps, as well as microservices in most major programming languages and frameworks, and development teams can automate analysis in the pipeline with Veracode's integrations.

My code, our code, production code

By integrating tools into the pipeline, developers can easily conduct scans early and often, resulting in reduced security debt and faster time to deployment.

For additional information on AppSec tool proliferation, and to learn more about the 34 percent of respondents planning to consolidate vendors, check out the ESG report, Modern Application Development Security.


Webcast: How to Present: Secrets of a Retired SANS Instructor

John Strand // Ok, that was a bit of a dramatic title. But, it works. In this Black Hills Information Security (BHIS) webcast, John covers the tips and tricks on how to effectively present technical topics to large and small groups. This presentation includes, but is not limited to: crotch sniffing dogs, heart attacks, how […]

The post Webcast: How to Present: Secrets of a Retired SANS Instructor appeared first on Black Hills Information Security.

Phishing attacks: 6 reasons why we keep taking the bait

Phishing scams are among the most common and dangerous types of attack that organisations face.

Indeed, Verizon’s Data Breach Digest found that 90% of all data breaches involve phishing.

But what makes these attacks so successful? An Osterman Research report suggests six reasons.

1. Users are the weakest link

Even if most of us think we would be able to spot a phishing scam when we receive one, it only takes a momentary lapse in judgement for us to fall victim.

The panic people experience when they receive a message claiming, for example, that there has been suspicious activity on their account will in many cases cause them to overlook the signs that the message is malicious.

By the time they notice, it’s too late: the victim has already clicked the link, opened the attachment or handed over their username and password.

The good news is that this is a weakness organisations and individuals have the power to address. All they have to do is learn how phishing works and which clues to look out for.
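The clues are mostly mechanical, which means they can be checked mechanically too. As an added example, not code from the report or from IT Governance, the script below parses a constructed email and flags four of the classic tells: a display name that claims a brand whose domain the sender address does not belong to, a Reply-To that points somewhere other than the sender's domain, visible link text naming a different host than the link's actual `href`, and the pressure language ("suspicious activity", "within 24 hours", "suspended") that produces the panic described above. The brand-to-domain table, the phrase list and both sample messages are constructed for the example; the `.example` domains are reserved placeholders.

```python
"""Flag common phishing tells in a raw email. Added example, not the report's
or IT Governance's code. BRAND_DOMAINS, URGENCY_PHRASES and both sample
messages are constructed; '.example' domains are reserved placeholders."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allow-list: which sending domains a brand name legitimately uses.
BRAND_DOMAINS = {"paybank": {"paybank.example"}}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended",
                   "suspicious activity", "verify your account")

PHISH_SAMPLE = """\
From: "PayBank Security" <alerts@paybank-verify.example>
Reply-To: recover@mail-relay.example
To: customer@example.com
Subject: Urgent: suspicious activity on your account
Content-Type: text/html; charset=utf-8

<html><body><p>We detected suspicious activity. Please <a href="http://paybank-verify.example/login">verify your account at https://www.paybank.example</a> within 24 hours or it will be suspended.</p></body></html>
"""

CLEAN_SAMPLE = """\
From: "PayBank" <alerts@paybank.example>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available in online banking.
"""


class _LinksAndText(HTMLParser):
    """Collect (href, visible text) for each <a>, plus all visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf)))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def _domain_of(addr: str) -> Optional[str]:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def _host_in(text: str) -> Optional[str]:
    """Host named by a URL or bare domain inside free text, if any."""
    m = (re.search(r"https?://([^\s/:]+)", text, re.I)
         or re.search(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text, re.I))
    return _strip_www(m.group(1).lower()) if m else None


def phishing_indicators(raw: str) -> List[str]:
    """Return the sorted list of tells found; an empty list means none fired."""
    msg = message_from_string(raw, policy=policy.default)
    found = set()
    display, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = _domain_of(from_addr)
    # 1. Display name claims a brand the sender domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            found.add("brand-domain-mismatch")
    # 2. Replies are routed to a different domain than the sender's.
    if msg["Reply-To"]:
        if _domain_of(parseaddr(str(msg["Reply-To"]))[1]) != from_domain:
            found.add("reply-to-mismatch")
    # 3. Visible link text names a different host than the href.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinksAndText()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        href_host = _strip_www((urlsplit(href).hostname or "").lower())
        text_host = _host_in(text)
        if href_host and text_host and href_host != text_host:
            found.add("link-text-mismatch")
    # 4. Pressure language in subject or body.
    haystack = (str(msg["Subject"] or "") + " " + "".join(parser.text)).lower()
    if any(p in haystack for p in URGENCY_PHRASES):
        found.add("urgency")
    return sorted(found)


if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH_SAMPLE))
    print("clean:", phishing_indicators(CLEAN_SAMPLE))
```

None of these tells is proof on its own (legitimate mail uses separate Reply-To addresses and tracking-link hosts all the time), which is why mail gateways combine them with sender authentication results rather than acting on any single one; the value for awareness training is that each is something a reader can be taught to look for.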

Unfortunately, most users don’t receive the necessary training. Indeed, researchers have found that 52% of users receive training no more than twice per year, and 6% of users have never received security awareness training.

The result? IT departments are not at all confident in their users’ ability to recognise incoming threats, or in their organisation’s ability to stop phishing campaigns and related attacks.

2. Organisations aren’t doing enough

Staff awareness training isn’t the only step that organisations can take to better protect themselves from phishing scams.

The report highlights three key areas of weakness:

  • Insufficient backup processes

In the event of a ransomware attack, most organisations have insufficient backup processes. This leaves them unable to quickly restore content on servers, user workstations and other endpoints to a healthy state.

  • Lack of user testing

Most organisations do not have adequate procedures in place to test their users, leaving them unable to determine which staff members are the most susceptible to an attack.

Conducting a simulated phishing attack can help you establish whether your employees are vulnerable to phishing emails, enabling you to take immediate remedial action to improve your cyber security posture.

  • BYOD security risks

Many organisations lack a BYOD (bring your own device) policy. Should a cyber criminal compromise an employee’s personal device, they can not only access the sensitive data on that device but also leverage that access across the network.

3. Criminal organisations are well funded

The massive success that cyber criminals have had in recent years means they have plenty of funds to invest in scams.

As such, they can invest in technical resources that make their scams run more efficiently, whether that’s the number of scams they can send, the authenticity of their bogus messages or the complexity of their campaigns.

It’s also enabled cyber criminals to branch out into new attack vectors. For example, there has been a significant increase in phishing conducted over social media in recent years.

This is particularly dangerous, because most advice about phishing relates to email-based scams – or, occasionally, to phone scams (‘vishing’). People are therefore less likely to spot the techniques that fraudsters use on social media.

4. Cyber criminals are shifting their focus

The availability of stolen data on the dark web has decreased its commercial value.

Scammers can now buy payment card data on the dark web for as little as $9 (about £6.80), so there’s less profit to be had for those stealing and selling this information.

In response, cyber criminals have changed tactics, looking to make money through organisations directly thanks to ransomware attacks.

These types of attack are no more complicated for a cyber criminal to pull off, but the rewards can be much greater.

Although experts warn organisations not to pay ransoms, it’s certainly tempting to wire transfer a lump sum in the hopes that you’ll get your systems back online rather than face the headaches that come with incident response.

5. Phishing tools are low-cost and widespread

There are an increasing number of tools that are designed to help amateurs with little IT knowledge get into the cyber crime industry.

The availability of phishing kits and the rise of ransomware-as-a-service have resulted in an explosion of ransomware and other malware coming from an ever-growing network of amateur cyber criminals.

6. Malware is becoming more sophisticated

Over time, phishing and various types of malware have become more sophisticated.

The problems of phishing, spear-phishing, CEO fraud, business email compromise and ransomware are simply going to get worse without appropriate solutions and processes to defend against them.

Protect your organisation against phishing

Educated and informed employees are your first line of defence. Empower them to make better security decisions with our complete staff awareness e-learning suite.

A cost-effective way of managing all your staff awareness training in one place, the complete suite contains eight e-learning courses to help you transform your employees from threats to assets.

Find out more

A version of this blog was originally published on 27 March 2017.

The post Phishing attacks: 6 reasons why we keep taking the bait appeared first on IT Governance UK Blog.