Daily Archives: September 21, 2020

Focus on Fixing, Not Just Finding, Vulnerabilities

When investing in an application security (AppSec) program, you expect to see a return on your investment. But in order to recognize a return, your organization needs to determine what success looks like and find a way to measure and prove that the program is meeting your definition of success.

For those just starting on their AppSec journey, success might be eliminating OWASP Top 10 vulnerabilities or lowering flaw density. But as you mature your program and work toward continuous improvement, you should start measuring it against key performance indicators (KPIs) such as fix rate. Fix rate indicates how fast your organization is closing, or remediating, flaws. The formula for fix rate is the number of findings closed divided by the number of findings open. As you can see in the diagram below, of the 6,609 flaws, 2,581 are open and 4,028 are closed. This means that flaws are remediated at a rate of 16 percent. The faster your organization fixes flaws, the lower the chance of an exploit. In the spirit of continuous improvement, you should find that your organization improves its fix rate by remediating flaws faster year over year.

Figure: Fix rate. Using Veracode Analytics to examine fix rate and prove AppSec success.

Using Veracode Analytics custom dashboards, you can examine your total fix rate or break it out by application, scrum team, business unit, or geographical location. These dashboards can be shared with stakeholders and executives to show areas where your fix rate is improving or areas that need additional attention and resources.

When examining fix rate across applications, you should find that your more critical applications have a better fix rate. If that's not the case, you need to examine the application security policies you have in place for fixing flaws. High-severity and highly exploitable flaws should be prioritized over low-severity flaws with a lower chance of exploitability. The same logic applies to applications: high-risk applications storing large amounts of sensitive data should be prioritized.

When examining the fix rate across scrum teams and locations, you should find that teams and geographical locations are continuously improving their fix rate. If not, you should use the data to tailor future security trainings or to ask stakeholders and executives for additional resources.
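The breakdowns described above (overall fix rate, fix rate by application or team, and the policy checks that critical applications and high-severity flaws are fixed first) are straightforward to compute once findings are exported from whatever scanner you use. The following is an added example, not Veracode's code or Veracode Analytics output. It assumes a constructed finding format (a dict with "app", "team", "severity" and "status" keys) and a constructed list of critical applications; the application and team names are hypothetical. It implements the article's literal formula (closed divided by open) as `closed_to_open_ratio`, and separately, as an assumption of this example, closed as a fraction of all findings as `fix_rate`, which is the reading that yields a percentage and is used for the per-group comparisons.

```python
"""Fix-rate KPI over a set of findings, broken out by application, team and
severity. Added example, not Veracode's code or Veracode Analytics output.

Assumptions (not from the article): each finding is a dict with the keys
"app", "team", "severity" and "status" ("open" or "closed"); the set of
critical applications is a separate, constructed lookup."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Finding = Dict[str, str]

# Constructed sample findings (hypothetical application and team names).
FINDINGS: List[Finding] = [
    {"app": "payments",       "team": "alpha", "severity": "high",   "status": "closed"},
    {"app": "payments",       "team": "alpha", "severity": "high",   "status": "closed"},
    {"app": "payments",       "team": "alpha", "severity": "medium", "status": "closed"},
    {"app": "payments",       "team": "alpha", "severity": "low",    "status": "open"},
    {"app": "marketing-site", "team": "beta",  "severity": "high",   "status": "closed"},
    {"app": "marketing-site", "team": "beta",  "severity": "low",    "status": "closed"},
    {"app": "marketing-site", "team": "beta",  "severity": "low",    "status": "closed"},
    {"app": "marketing-site", "team": "beta",  "severity": "medium", "status": "open"},
    {"app": "hr-portal",      "team": "beta",  "severity": "high",   "status": "open"},
    {"app": "hr-portal",      "team": "beta",  "severity": "high",   "status": "open"},
    {"app": "hr-portal",      "team": "beta",  "severity": "low",    "status": "closed"},
    {"app": "hr-portal",      "team": "beta",  "severity": "medium", "status": "open"},
]

# Constructed: applications that store large amounts of sensitive data.
CRITICAL_APPS = {"payments", "hr-portal"}


def counts(findings: Iterable[Finding]) -> Tuple[int, int]:
    """Return (open, closed) counts; any other status is ignored."""
    findings = list(findings)
    n_open = sum(1 for f in findings if f["status"] == "open")
    n_closed = sum(1 for f in findings if f["status"] == "closed")
    return n_open, n_closed


def closed_to_open_ratio(findings: Iterable[Finding]) -> float:
    """The formula exactly as the article states it: closed divided by open.
    Returns inf when nothing is open, so an all-closed group still ranks top."""
    n_open, n_closed = counts(findings)
    return n_closed / n_open if n_open else float("inf")


def fix_rate(findings: Iterable[Finding]) -> float:
    """Closed as a fraction of all findings (open + closed), in [0, 1].
    Assumption of this example: this is the reading used when fix rate is
    quoted as a percentage. An empty group has a rate of 0.0."""
    n_open, n_closed = counts(findings)
    total = n_open + n_closed
    return n_closed / total if total else 0.0


def fix_rate_by(findings: Iterable[Finding], key: str) -> Dict[str, float]:
    """Break fix rate out by one dimension, e.g. "app", "team" or "severity"."""
    groups: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        groups[f[key]].append(f)
    return {name: fix_rate(group) for name, group in groups.items()}


def lagging_critical_apps(findings: Iterable[Finding]) -> List[str]:
    """Critical apps whose fix rate is below that of the non-critical apps
    combined: these are where the remediation policy needs attention."""
    findings = list(findings)
    baseline = fix_rate(f for f in findings if f["app"] not in CRITICAL_APPS)
    per_app = fix_rate_by(findings, "app")
    return sorted(app for app, rate in per_app.items()
                  if app in CRITICAL_APPS and rate < baseline)


def severity_priority_ok(findings: Iterable[Finding]) -> bool:
    """True when high-severity flaws are being closed at least as fast as
    low-severity ones, as the prioritization policy requires."""
    by_sev = fix_rate_by(findings, "severity")
    return by_sev.get("high", 0.0) >= by_sev.get("low", 0.0)


if __name__ == "__main__":
    print("open/closed:", counts(FINDINGS))
    print("overall fix rate: %.1f%%" % (100 * fix_rate(FINDINGS)))
    for dim in ("app", "team", "severity"):
        print(dim, {k: round(v, 2) for k, v in fix_rate_by(FINDINGS, dim).items()})
    print("critical apps lagging:", lagging_critical_apps(FINDINGS))
    print("high fixed before low:", severity_priority_ok(FINDINGS))
```

On the constructed data the overall fix rate is 7 of 12 findings, but the breakdown shows what the aggregate hides: hr-portal, a critical application, is fixing at a quarter the pace of the non-critical marketing site, and high-severity flaws are being closed more slowly than low-severity ones. Those two conditions are exactly the policy failures the article says should trigger a review of your remediation policies, and they are the values worth putting on a shared dashboard.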

How does fix rate impact return on investment?

By remediating flaws faster, you are reducing the chance of an exploit, which could cost your business thousands, or even millions, of dollars to resolve. For example, Capital One had a third-party vulnerability that was not remediated, and it led to a massive data breach which exposed its customers' social security numbers and bank account numbers. It cost Capital One approximately 150 million dollars to resolve the matter.

Faster time to remediation also means faster time to production. Once developers fix all of the flaws defined in their policy, code can be moved to production. If code is moved to production at a faster rate, an organization, and its customers, can start recognizing value from the application sooner.


For additional methods on proving AppSec success, check out our recent video, How to Use Analytics to Measure AppSec ROI.

Special Delivery: Don’t Fall for the USPS SMiShing Scam

According to Statista, 3.5 billion people worldwide are forecasted to own a smartphone by the end of 2020. These connected devices allow us to have a wealth of apps and information constantly at our fingertips – empowering us to remain in constant contact with loved ones, make quick purchases, track our fitness progress, you name it. Hackers are all too familiar with our reliance on our smartphones – and are eager to exploit them with stealthy tricks as a result.

One recent example of these tricks? Suspicious text messages claiming to be from USPS. According to Gizmodo, a recent SMS phishing scam is using the USPS name and fraudulent tracking codes to trick users into clicking on malicious links.

Let’s dive into the details of this scheme, what it means for users, and what you can do to protect yourself from SMS phishing.

Special Delivery: Suspicious Text Messages

To orchestrate this phishing scheme, hackers send out text messages from random numbers claiming that a user’s delivery from USPS, FedEx, or another delivery service is experiencing a transit issue that requires urgent attention. If the user clicks on the link in the text, the link will direct them to a form fill page asking them to fill in their personal and financial information to “verify their purchase delivery.” If the form is completed, the hacker could exploit that information for financial gain.

However, scammers also use this phishing scheme to infect users’ devices with malware. For example, some users received links claiming to provide access to a supposed USPS shipment. Instead, they were led to a domain that did nothing but infect their browser or phone with malware. Regardless of what route the hacker takes, these scams leave the user in a situation that compromises their smartphone and personal data.

Figure: USPS phishing scam.

Don’t Fall for Delivery Scams

While delivery alerts are a convenient way to track packages, it’s important to familiarize yourself with the signs of phishing scams – especially as we approach the holiday shopping season. Doing so will help you safeguard your online security without sacrificing the convenience of your smartphone. To do just that, follow these actionable steps to help secure your devices and data from SMiShing schemes:

Go directly to the source

Be skeptical of text messages claiming to be from companies with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the text, it’s best to go straight to the organization’s website to check on your delivery status or contact customer service.

Enable the feature on your mobile device that blocks certain texts

Many spammers send texts from an internet service in an attempt to hide their identities. Combat this by using the feature on your mobile device that blocks texts sent from the internet or unknown users. For example, you can disable all potential spam messages from the Messages app on an Android device by navigating to Settings, clicking on Spam protection, and turning on the Enable spam protection switch. Learn more about how you can block robotexts and spam messages on your device.

Use mobile security software

Prepare your mobile devices for any threat coming their way. To do just that, cover these devices with an extra layer of protection via a mobile security solution, such as McAfee Mobile Security.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Special Delivery: Don’t Fall for the USPS SMiShing Scam appeared first on McAfee Blogs.

Fall 2020 NICE eNewsletter Available

The Fall 2020 NICE eNewsletter is available now. The NICE eNewsletter is published quarterly to provide information on academic, industry, and government developments related to the National Initiative for Cybersecurity Education (NICE), updates from key NICE programs, projects, the NICE Working Group, and other important news. For additional archived issues please click here.

How social media is used to commit financial fraud

Social media is a fraudster’s heaven. There are billions of targets – Facebook itself had over 2.6 billion monthly active users in the first quarter of 2020. Because of the very nature of these platforms, users can be quite careless about the amount of personal information they post. For cybercriminals,…

Cambridgeshire crowned the UK’s cyber crime capital

Cambridgeshire has the unwanted distinction of being the UK’s fastest-growing hotspot for cyber crime, after the number of attacks in the county increased by 49% over a three-year period.

Figures from the ONS (Office of National Statistics) show that security incidents in Cambridgeshire increased from 2,789 in 2016 to 4,155 in 2018.

Although the total number of attacks trails the Thames Valley – which saw 11,232 attacks per year on average – Cambridgeshire had the fastest rate of increase and largest total per capita.

In 2018, Cambridgeshire saw 63.7 cyber attacks per 10,000 people, compared to 48 per 10,000 in the Thames Valley.

The regions with the next highest rates of cyber crime per 10,000 people were Leicestershire (59.2) and Nottinghamshire (56.4).

What is happening in Cambridgeshire?

At first glance, these figures – which were collated by the Internet service provider Fasthosts – suggest that Cambridgeshire is some sort of Wild West for cyber crime.

Attacks in the region have skyrocketed in recent years, with only North Wales (+47%) seeing a comparable increase.

One reason to account for this is that the timeframe of this analysis coincides with major economic growth in the region.

In 2017, Cambridge became the fastest-growing city in the UK, with businesses attracted to its proximity to London and the North, as well as its highly educated workforce.

The city trails only Edinburgh in terms of residents who are educated to undergraduate degree-level, making it an ideal spot for organisations in technical industries, such as biotech, digital innovation and medicine.

And, of course, Cambridge is home to one of the world’s most prestigious universities, with its various colleges employing almost 8,000 academic and more than 3,500 administrative staff.

Unfortunately, these sectors are especially prone to cyber attacks due to the sensitive information that they keep.

For example, the pharmaceutical giant AstraZeneca, which is based in Cambridge, was last year imitated in a sophisticated phishing scam targeting job seekers.

Meanwhile, universities have long been considered a cyber security liability, due to budgetary constraints and their necessarily wide networks.

In 2019, Jisc – the agency that provides Internet services to UK universities and research centres – put 50 universities’ cyber security practices to the test, and found that its team of ethical hackers breached every one within two hours.

Protect your organisation

Cambridgeshire’s susceptibility to cyber attacks is particularly disheartening for us to hear at IT Governance, given that we’re based in the region.

We’ve helped local businesses with more than 1,000 projects, but there’s still clearly a long way to go when it comes to data protection.

One of the essential steps to cyber security is to educate your employees on the risks they face and the ways they can mitigate the risk.

Our Complete Staff Awareness E-learning Suite contains everything you need to stay secure, from organisations’ legal requirements to specific issues that employees face, such as phishing emails and social media scams.

The post Cambridgeshire crowned the UK’s cyber crime capital appeared first on IT Governance UK Blog.