Daily Archives: October 15, 2020

New research shows risk in healthcare supply chain

Exposures and cybersecurity challenges can turn out to be costly: according to statistics from the US Department of Health and Human Services (HHS), 861 breaches of protected health information have been reported over the last 24 months. New research from RiskRecon and the Cyentia Institute pinpointed risk in the third-party healthcare supply chain and showed that healthcare’s high exposure rate indicates that managing a comparatively small Internet footprint is a big challenge for many organizations in … More

The post New research shows risk in healthcare supply chain appeared first on Help Net Security.

New infosec products of the week: October 16, 2020

Cyborg Security launches HUNTR platform to help orgs tackle cyber threats

Cyborg Security’s HUNTR platform provides advanced and contextualized threat hunting and detection packages containing behaviorally based threat hunting content, threat emulation, and detailed runbooks, supplying organizations with what they need to evolve their security analysts into skilled hunters.

Cloudflare One: A cloud-based network-as-a-service solution for the remote workforce

As more businesses rely on the internet to operate, Cloudflare One protects and accelerates the performance of … More

The post New infosec products of the week: October 16, 2020 appeared first on Help Net Security.

Threat intelligence platform market to reach $234.9 million by 2022

The growing volume and complexity of cyber threats present a compelling case for adopting threat intelligence platforms (TIPs), a Frost & Sullivan analysis finds. These solutions help organizations navigate the ever-increasing threat landscape and allow for further analysis and threat intelligence operationalization.

The TIP market least affected by the pandemic

The threat intelligence platform market is one of the cybersecurity markets that will be least affected by COVID-19. It is estimated to reach $234.9 million … More

The post Threat intelligence platform market to reach $234.9 million by 2022 appeared first on Help Net Security.

Banks risk losing customers with anti-fraud practices

Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO. Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience. For example, 51 percent of North American banks are still asking customers … More

The post Banks risk losing customers with anti-fraud practices appeared first on Help Net Security.

How will blockchain impact the global economy?

An analysis by PwC shows blockchain technology has the potential to boost global gross domestic product (GDP) by $1.76 trillion over the next decade. That is the key finding of a report assessing how the technology is being currently used and exploring the impact blockchain could have on the global economy. Through analysis of the top five uses of blockchain, ranked by their potential to generate economic value, the report gauges the technology’s potential to … More

The post How will blockchain impact the global economy? appeared first on Help Net Security.

NCC Group Remediate: Providing remedial action and support to strengthen clients’ security postures

NCC Group has officially launched its new Remediate service, which provides immediate remedial action and long-term strategic support to strengthen organizations’ security postures and reduce their cyber risk. The global cyber security and risk mitigation expert created Remediate to combine reactive support – including direct resolution of high-priority issues uncovered during testing and 24/7 incident response during a breach – with the proactive creation of long-term security roadmaps. Resource constraints and a lack of advanced … More

The post NCC Group Remediate: Providing remedial action and support to strengthen clients’ security postures appeared first on Help Net Security.

IDrive Online Backup releases EPYC, a secure video conferencing and AR powered video sharing app

IDrive Online Backup has released EPYC, a secure video conferencing and AR powered video sharing application, empowering remote workforces to meet face-to-face and collaborate on projects as if they were meeting in person. Due to COVID-19 and the current remote work climate, IDrive has recognized the need for businesses to enhance the tools they have at their disposal in order to keep their employees productive and present. By releasing EPYC, IDrive has helped solve this … More

The post IDrive Online Backup releases EPYC, a secure video conferencing and AR powered video sharing app appeared first on Help Net Security.

Privacera Platform 4.0: Automating the enterprise data governance lifecycle

Privacera announced the general availability of version 4.0 of the Privacera Platform, an enterprise data governance and security solution for machine learning and analytic workloads in the public cloud. Driven by increasing customer demand, Privacera 4.0’s new features include: access workflows for faster on-boarding and customized data access; expanded discovery for seamless data tagging in complex infrastructures; and an encryption gateway for automated encryption and decryption abilities. “For enterprises to truly maximize the value of … More

The post Privacera Platform 4.0: Automating the enterprise data governance lifecycle appeared first on Help Net Security.

Entrust Datacard MX Series Card Issuance systems now solving challenges for central issuance providers

Entrust announced new enhancements to the Datacard MX Series Card Issuance systems: the Duplex Drop on Demand Printing module; and new Metal Card Input and Metal Card Output modules. The enhancements build upon Entrust’s position as a leader in developing the core technologies needed to keep the world moving safely, while also highlighting the company’s commitment to providing customers with the scalability and flexibility needed to meet evolving business needs. Card issuers are looking for … More

The post Entrust Datacard MX Series Card Issuance systems now solving challenges for central issuance providers appeared first on Help Net Security.

Iran acknowledged cyberattacks on two governmental departments

Iran’s cybersecurity authority revealed that two governmental departments were hit by cyberattacks this week, state media reported.

State media reported on Thursday that Iran’s cybersecurity authority acknowledged cyberattacks on two unnamed governmental departments.

The state-owned IRAN daily newspaper revealed that the cyberattacks took place on Tuesday and Wednesday respectively.

Iranian authorities are investigating the attacks, which were described as important.

Other governmental departments temporarily took down their online operations as a precautionary measure.

Iran’s cybersecurity authority did not attribute the attacks to a specific threat actor.

This isn’t the first time that Iran’s authorities have claimed to be targeted by cyber attacks. In December 2019, the Iranian telecommunications minister announced twice in one week that the country had foiled a cyber attack against its infrastructure.

At the time, the Iranian minister Mohammad Javad Azari-Jahromi confirmed that the attack had been neutralized by the national cyber shield; he also added that the attack was launched by the China-linked APT27 group seeking to gather intelligence on his country.

In October 2019, Iran announced that it feared retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

At the time, Iran’s oil ministry said that the government in Washington had launched a “full-scale economic war” against the Islamic Republic in retaliation for the shooting down of a US drone as well as for attacks on oil tankers for which the US has blamed Iran.

Tensions between Tehran and Washington have escalated since 2018 when President Trump reimposed sanctions on Iran. The situation went out of control after a US drone strike killed top Iranian general Qasem Soleimani in January.

The order to kill Soleimani was issued by President Trump, who said Soleimani was planning an “imminent” attack on US personnel in Baghdad.

In January, the U.S. Department of Homeland Security (DHS) issued warnings about the possibility of cyber-attacks launched by Iran-linked threat actors. The attacks could be Tehran’s response after Maj. Gen. Qassim Suleimani was killed by a U.S. drone airstrike at the Baghdad airport in Iraq.

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Iran acknowledged cyberattacks on two governmental departments appeared first on Security Affairs.

Crooks hit Puerto Rico Firefighting Department Servers

Puerto Rico’s firefighting department disclosed a security breach: hackers breached its database and demanded $600,000.

Puerto Rico’s firefighting department disclosed a security breach in which hackers breached its database and demanded a $600,000 ransom.

According to the department’s director, Alberto Cruz, the ability of the department to respond to emergencies was not impacted by the attack.

The department received an email from the threat actors notifying it that they had encrypted its servers and demanding the payment of a ransom to release them.

Local police launched an investigation into the incident, while the department decided not to pay the ransom.

“The department contacted police and have not paid the money, officials said. The investigation is ongoing.” reported the Associated Press.

Pierluigi Paganini

(SecurityAffairs – hacking, Puerto Rico’s firefighting department)

The post Crooks hit Puerto Rico Firefighting Department Servers appeared first on Security Affairs.

Breach at Dickey’s BBQ Smokes 3M Cards

One of the digital underground’s most popular stores for peddling stolen credit card information began selling a batch of more than three million new card records this week. KrebsOnSecurity has learned the data was stolen in a lengthy data breach at more than 100 Dickey’s Barbeque Restaurant locations around the country.

An ad on the popular carding site Joker’s Stash for “BlazingSun,” which fraud experts have traced back to a card breach at Dickey’s BBQ.

On Monday, the carding bazaar Joker’s Stash debuted “BlazingSun,” a new batch of more than three million stolen card records, advertising “valid rates” of between 90-100 percent. This is typically an indicator that the breached merchant is either unaware of the compromise or has only just begun responding to it.

Multiple companies that track the sale of stolen payment card data say they have confirmed with card-issuing financial institutions that the accounts for sale in the BlazingSun batch have one common theme: All were used at various Dickey’s BBQ locations over the past 13-15 months.

KrebsOnSecurity first contacted Dallas-based Dickey’s on Oct. 13. Today, the company shared a statement saying it was aware of a possible payment card security incident at some of its eateries:

“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

The confirmations came from Miami-based Q6 Cyber and Gemini Advisory in New York City.

Q6Cyber CEO Eli Dominitz said the breach appears to extend from May 2019 through September 2020.

“The financial institutions we’ve been working with have already seen a significant amount of fraud related to these cards,” Dominitz said.

Gemini says its data indicated some 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing malware, with the highest exposure in California and Arizona. Gemini puts the exposure window between July 2019 and August 2020.

“Low-and-slow” aptly describes the card breach at Dickey’s, which persisted for at least 13 months.

With the threat from ransomware attacks grabbing all the headlines, it may be tempting to assume plain old credit card thieves have moved on to more lucrative endeavors. Alas, cybercrime bazaars like Joker’s Stash have continued plying their trade, undeterred by a push from the credit card associations to encourage more merchants to install credit card readers that require more secure chip-based payment cards.

That’s because there are countless restaurant locations — usually franchise locations of an established eatery chain — that are left to decide for themselves whether and how quickly they should make the upgrades necessary to dip the chip versus swipe the stripe.

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of point-of-sale (POS) device and processors that they utilize,” Gemini wrote in a blog post about the incident. “However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”

While there have been sporadic reports about criminals compromising chip-based payment systems used by merchants in the U.S., the vast majority of the payment card data for sale in the cybercrime underground is stolen from merchants who are still swiping chip-based cards.

This isn’t conjecture; relatively recent data from the stolen card shops themselves bear this out. In July, KrebsOnSecurity wrote about an analysis by researchers at New York University, which looked at patterns surrounding more than 19 million stolen payment cards that were exposed after the hacking of BriansClub, a top competitor to the Joker’s Stash carding shop.

The NYU researchers found BriansClub earned close to $104 million in gross revenue from 2015 to early 2019, and listed over 19 million unique card numbers for sale. Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

Visa and MasterCard instituted new rules in October 2015 that put retailers on the hook for all of the losses associated with counterfeit card fraud tied to breaches if they haven’t implemented chip-based card readers and enforced the dipping of the chip when a customer presents a chip-based card.

Dominitz said he never imagined back in 2015 when he founded Q6Cyber that we would still be seeing so many merchants dealing with magstripe-based data breaches.

“Five years ago I did not expect we would be in this position today with card fraud,” he said. “You’d think the industry in general would have made a bigger dent in this underground economy a while ago.”

Tired of having your credit card re-issued and updating your payment records at countless e-commerce sites every time some restaurant you frequent has a breach? Here’s a radical idea: Next time you visit an eatery (okay, if that ever happens again post-COVID, etc), ask them if they use chip-based card readers. If not, consider taking your business elsewhere.

FIFA 21 Blockbuster Release Gives Fraudsters an Open Field for Theft

In-game features of the just-released FIFA 21 title give scammers easy access to its vast audience.

Social media causes polarization – so where do we go from here?

The social dilemma described in the recent movie with the same title exists because technology groups think that they are not responsible for the content and data that people put in their applications. We think we can build the technology and let people decide how they will use it.  The truth is we have always…

The post Social media causes polarization - so where do we go from here? first appeared on IT World Canada.

Women in tech regressing in 2020? These strategies can help – Dallas Business Journal

Accenture's Anju Bhagat shed light on some alarming data that suggests that the proportion of women in the tech workforce has declined despite an increase in the number of female tech workers employed today.

The post Women in tech regressing in 2020? These strategies can help - Dallas Business Journal first appeared on IT World Canada.

Computer-Based Training: October 2020 Release in Review

We have expanded our content library and strengthened software security training programs across the globe.

Leading up to our final quarterly content library update, we released 50+ new courses to help close cybersecurity skills gaps in the workforce. Today, roughly 3,500 partners are providing over 3 million licensed users with quality training that meets their needs and provides clear guidance on different aspects of workforce development.

This quarter’s release focuses on key elements which initially shaped our 2020 Roadmap, including:

Announcing the Zero Trust Deployment Center

Organizations have been digitally transforming at warp speed in response to the way businesses operate and how people work. As a result, digital security teams have been under immense pressure to ensure their environments are resilient and secure. Many have turned to a Zero Trust security model to simplify the security challenges from this transformation and the shift to remote work.

Over the past year, we have been hard at work helping customers navigate these challenges by listening to their difficulties, sharing our own learnings, and building controls, tools, and practices that enable the implementation of Zero Trust. However, one of the things we hear most consistently is the need for additional deployment support.

We are excited to announce the launch of the Zero Trust Deployment Center—a repository of information to help organizations improve their Zero Trust readiness, as well as specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure. The Zero Trust Deployment Center breaks down deployment guidance into plain-language objectives across each of the technology pillars, providing an actionable list of steps needed to implement Zero Trust principles in your environment.

This repository is the perfect place to start planning and deploying your Zero Trust strategy.

Figure 1:  Zero Trust Deployment Center web page.

If you are already well underway in your journey, these objectives will provide a great framework to help measure your progress and ensure you are meeting critical milestones. If you’re interested in measuring your Zero Trust maturity, we’ve also created a Zero Trust assessment tool to help measure your current maturity and identify possible next milestones and priorities along with technologies.

Learn more about Zero Trust and Microsoft Security. Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Announcing the Zero Trust Deployment Center appeared first on Microsoft Security.

Twitter Locks Trump Campaign Account

Twitter temporarily suspended the account of the US president's election campaign for "posting private information."

The account @TeamTrump was locked for attempting to tweet a video referencing a recent article by the New York Post along with text describing presidential candidate Joe Biden as "a liar who has been ripping off our country for years."

The New York Post article published leaked emails that suggest that in 2015, while working for Ukrainian natural gas firm Burisma Holdings, Biden's son Hunter arranged for the then Vice President Joe Biden to meet with a top executive at the company.

The emails were found on a hard drive that was dropped off at a repair shop in 2019 and never collected. The drive was later placed into the hands of Robert Costello, a lawyer for Trump's personal attorney, Rudy Giuliani.

When the Trump campaign tried to post the tweet, Twitter suspended its account for “violating our rules against posting private information.” The suspension was carried out before the veracity of the article had been fact-checked. 

Joe Biden’s campaign has not ruled out the possibility that a meeting took place between Biden and an executive at Burisma Holdings, stating only that no record of the meeting could be found in Biden's "official schedules." 

The suspension occurred on the same day that the social media giant censored the Post's primary Twitter account for posting the Hunter Biden story.  Twitter also blocked numerous other user accounts for tweeting links to the Post’s Hunter Biden story for containing what it described as “hacked material.”

On Wednesday, Twitter CEO Jack Dorsey acknowledged “our communication around our actions on the @nypost article was not great. And blocking URL sharing via tweet or DM with zero context as to why we’re blocking: unacceptable.”

Twitter's enforcement of its policy to suspend accounts for posting an individual's leaked private information without their consent carries a distinct air of political partisanship. The social media platform took no steps to lock or suspend the account of Buzzfeed for its reporting of the Steele Dossier or the account of the New York Times when it tweeted an article referencing leaked tax-return data belonging to President Trump. 

US Indicts Money Launderers to Cyber-criminal Elite

The United States has indicted alleged members of a transnational gang that laundered millions of dollars for the cyber-criminal elite.

Fourteen alleged members of the criminal organization QQAAZZ were charged by a federal grand jury in the Western District of Pennsylvania in an indictment unsealed today. 

The QQAAZZ members are accused of conspiring with cyber-criminals all over the world to launder money stolen from victims of computer fraud in the United States and elsewhere. 

The indictment alleges that, since 2016, the gang has laundered, or attempted to launder, tens of millions of dollars’ worth of stolen funds. A related indictment unsealed in October 2019 charged five members of QQAAZZ.

Drawing from a network of members located in Latvia, Georgia, Bulgaria, Romania, and Belgium, among other countries, QQAAZZ opened and maintained hundreds of corporate and personal bank accounts at financial institutions in multiple countries to receive money stolen by cyber-criminals from bank accounts of victims.  

"The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using 'tumbling' services designed to hide the original source of the funds," stated the Department of Justice.

"After taking a fee of up to 40 to 50 percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele."  

QQAAZZ advertised its services as a “global, complicit bank drops service” on Russian-speaking online cyber-criminal forums. Among the threat actors that used QQAAZZ's services are the creators of Dridex, Trickbot, and GozNym.

In a closely coordinated international operation, more than 40 house searches were carried out in Latvia, Bulgaria, the United Kingdom, Spain, and Italy, with criminal prosecutions initiated in the United States, Portugal, Spain, and the United Kingdom.  

More searches and arrests were carried out in Latvia by the Latvian State Police than in any other country. Police in Bulgaria, conducting searches as part of the international operation, uncovered an extensive Bitcoin-mining operation associated with QQAAZZ.

American victims impacted by QQAAZZ include a Jewish Orthodox Synagogue in Brooklyn, New York, a technology company in Windsor, Connecticut, a medical device manufacturer in York, Pennsylvania, and an automotive parts manufacturer in Livonia, Michigan.

CISO Stressbusters: 7 tips for weathering the cybersecurity storms

An essential requirement of being a Chief Information Security Officer (CISO) is stakeholder management. In many organizations, security is still seen as a support function; meaning, any share of the budget you receive may be viewed jealously by other departments. Bringing change to an organization that’s set in its ways can be a challenge (even when you’ve been hired to do just that). But whether you’ve been brought on to initiate digital transformation or to bring an organization into compliance, you’ll need everyone to see that it’s in their best interest to work together on the program.

I sat down to discuss some CISO Stressbuster tips with my colleague Abbas Kudrati who has worked as a CISO in many different organizations for over 20 years before joining Microsoft. Here are several things we identified as important to weathering the cybersecurity storms and in Abbas’s own words.

Abbas Kudrati, a Chief Cybersecurity Advisor at Microsoft, shares his advice for relieving stress in today’s CISO Stressbuster post.

1. Business engagement makes a difference

My passion is for building or fixing things. My reputation in those areas means that I am often engaged to work on a new project or implement changes to an existing system. I’m a generalist CISO who works across industries, but in every role I’ve undertaken I’ve managed to get something unique done, and often received an award as well. My tasks have ranged from achieving better compliance to improving incident response plans or aligning with international standards such as CREST UK or COBIT 5.

My focus is on implementing the changes that are needed to make a difference and then finding a good successor to take over maintaining and operating a large, complex environment. My typical tenure as a CISO was two to three years, but I know some CISOs, particularly in large, complex environments such as mining organizations, where they’ve been in their role for six to eight years and running. They have a good rapport with their management; the CISO feels supported and they’re able to support the business in return. Those two things—engagement with management and reciprocal organizational support—are essential to being a successful CISO.

2. Know what you want to accomplish

It’s often difficult to gauge the state of an organization until you’re in it. Sometimes when you start a role you’ll realize how bad it is and think, “What have I gotten into?” You don’t want to mess up your CV by staying for only six months, so you try to stick it out. But if the support and communication aren’t there, it’s not worth the stress of staying for more than two years. This is the common reason many CISOs leave.

A different frustration can occur when you exceed targets. There have been instances when I’ve been brought on board to deliver a targeted result within three years but managed to accomplish it within 18 months to 2 years. Then in the second stage, the company says it can afford to keep it running. That’s not what I want. I want to make a difference and plan around that, so I can then choose to move on.

3. Hire and build the right talent

The final challenge, particularly in the countries where I’ve worked, is hiring the right talent. In the Asia-Pacific region, there’s a very competitive market for skilled individuals. In some situations, I’ve looked to use my academic connections to hire fresh minds and build them up. Not only do I get the skills I need, but I’m helping to support the development of our profession. This isn’t easy to achieve, but I’ve developed some of my most passionate employees this way.

4. Find mentors and advisors

It can be lonely being a CISO. Not many people understand what you do, and you often won’t get the internal support you need. It helps to find a mentor. I’ve always sought out mentors in the role of CISO who are doing security in a more advanced way. Don’t be limited just to finding this in your immediate location. Find the right mentor in any industry or region, and today that person can be anywhere in the world. In Australia, there are only a handful of people in organizations large enough to have a CISO at an executive level. Finding that international connection was invaluable to me.

Vendors and partners also can be a good sounding board and source of advice. I had a good relationship with the account team at Cisco and they introduced me to their CISO, who gave me a lot of valuable insights. This is something I’ve carried into my role at Microsoft—I provide our customers with the same kinds of insights and external viewpoint that I appreciated receiving in my earlier roles. Customers appreciate the insights you can provide, helping them to make tough decisions and evolve their strategy.

5. Burnout is real and career progression can be a challenge

Being a CISO is not an easy job. You’re on the frontline during security incidents; a routine 9-5 schedule is almost impossible. In the Asia-Pacific region, there are also limitations on where you can go to develop your career. Some countries are not big enough to have sufficient mature organizations that need a CISO. For example, there is a limit on how many CISO roles will exist in Malaysia or Indonesia. Australia is slightly bigger. Singapore has even more opportunities, but it’s still not on the same scale as countries in other parts of the world.

CISOs often move on to be advisors, consultants, or even into early retirement. It’s quite common to see CISOs retire and become non-executive directors on company boards, where their experience is invaluable. Being a virtual CISO allows you to share expertise and support, work on specific projects (such as hiring a team), or educate an organization without being tied into permanent employment. When moving on, a CISO will often take a reduction in salary in exchange for a reduction in stress and regained family time.

For me, the move to being Chief Security Advisor for the Asia-Pacific region at Microsoft was a logical and fulfilling step. I can pay forward to customers the support that I received from vendors as a CISO. My experience and expertise can help organizations better consider the changes required to undertake a successful digital transformation.

6. Discipline and human connections are essential

There is so much disruption in a CISO’s working life; it’s important to focus on your physical and mental well-being as much as your work. Take regular breaks; go outdoors and get some fresh air. Take time for mental well-being with meditation or physical exercise. COVID-19 has underlined how important it is to connect with your family. Since a crisis may interrupt your holidays and weekends, don’t count on those times to relax.

Building your ally network both within the company and outside is essential to maintaining your sense of balance, perspective, and support. I really like the concept of allies that Microsoft fosters across different groups, backgrounds, and environments. We all need to be there to support each other. Now that the whole world is connected, we can be, too. Checking how people are and supporting them is core to managing our group stress, and has never been more important than during a pandemic. Take the time to connect.

7. Truths to remember

This is a wake-up call for organizations that may be thinking of hiring a CISO, or just looking to fill a spot in an organizational chart—having a warm body in that position is not enough. Business executive and leadership teams must provide adequate resources and give the CISO the ability to manage risk and help the business be successful. Keep these tips in mind when you’re hiring:

  • CISOs don’t own security incidents; they manage them.
  • CISOs need access to all business units to succeed.
  • CISOs need to understand the business to be effective; please mentor them.
  • CISOs need to collaborate with their peers, so don’t isolate them.
  • CISOs need to be involved in all technology decisions to manage risk.

Being a CISO is a dream job for many cybersecurity professionals, including me. The job is stressful; however, many CISOs accept the challenges because they feel they’re making a difference. I enjoyed having that sense of purpose and leading teams toward a specific goal. That focus—and the opportunity to be part of a leadership team—is becoming a requirement for today’s modern security executive. With this in mind, how will your business optimize its practices for the sake of your CISO’s success?

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Stressbusters: 7 tips for weathering the cybersecurity storms appeared first on Microsoft Security.

Cyber-Attack on Major US Bookseller


American bookseller Barnes & Noble has been hit by cyber-criminals the day after resolving a connection issue with its Nook e-reader service.

The beleaguered bookstore has been emailing customers since Monday to notify them of the attack and warn them that their data may have been compromised.

"It is with the greatest regret we inform you that we were made aware on October 10, 2020, that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems," states the notification email.

The company said that while some personal information belonging to customers may have been exposed, no evidence had been found so far to suggest that payment data had been impacted.

"Firstly, to reassure you, there has been no compromise of payment card or other such financial data," wrote the bookseller. "These are encrypted and tokenized and not accessible."

However, customers were warned that attackers may have accessed their email address, billing and shipping addresses, and telephone number and were advised that they may now receive unsolicited emails. Transaction details regarding what purchases customers had made may also have been compromised.

"We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility," acknowledged the company. 

News of the cyber-attack on Barnes & Noble follows a "system failure" experienced by the bookseller that interrupted e-reader content access for some of the store's users. According to PublishersLunch, difficulties were also experienced by some customers who were trying to access their online accounts.

Good E-Reader reported on Monday that some B&N branches struggled to process customer orders in-store as a result of the technical issue.

"We have a serious network issue and are in the process of restoring our server backups," said Barnes & Noble in a statement to Fast Company on Wednesday.

"Our systems are back online in our stores and on BN.com, and we are investigating the cause. Please be assured that there is no compromise of customer payment details, which are encrypted and tokenized.”

Government CIOs Praised for Pandemic Response, Better Collaboration Required


Collaboration with local governments and public higher education is critical to managing increasingly complex cyber-risk.

According to a new research document from Deloitte and the National Association of State Chief Information Officers (NASCIO), US state and local governments are top targets for ransomware and other cyber-attacks, and they can benefit by working together. The report pointed to “a value to having states build a collaborative relationship with local governments and institutions of public higher education.”

This can enable all parties to benefit from sharing knowledge and resources, and coordinating approaches. “Such a collaborative approach may offer considerable advantages in terms of cost efficiencies, better cyber-hygiene and culture, and improved security of citizens’ data,” the report said.

Reflecting on 2020, the report claimed the pandemic forced state governments to “act quickly in response to public health and safety concerns” and this led CISOs and their staff to support the increased demands for technology, enabling remote work “despite being severely constrained by the lack of resources for cybersecurity.”

It claimed security teams “worked closely with IT departments to secure the government enterprise, the virtual work environment, technology infrastructure and the supply chain.” The top cybersecurity barriers cited were the following:

  • Lack of sufficient cybersecurity budget
  • Inadequate cybersecurity staffing
  • Legacy infrastructure and solutions to support emerging threats
  • Lack of dedicated cybersecurity budget
  • Inadequate availability of cybersecurity professionals

“Reinventing statewide operations overnight, moving quickly at scale, relying on available resources amplified the importance of cybersecurity and highlighted shortcomings in the cybersecurity ecosystem,” the report said.

It also stated that some of the changes made in response to the COVID-19 pandemic are likely to remain, such as remote working, and “delivering citizen services without the need to visit government offices in person may become the norm as well.” Consequently, “states will need to adjust to this new reality, and CISOs will need to orient their strategies to meet the needs of this next normal.”

“The last six months have created new opportunities for cyber-threats and amplified existing cybersecurity challenges for state governments,” said Meredith Ward, director of policy and research at NASCIO. “The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”

Srini Subramanian, principal at Deloitte and Touche LLP, and state and local government advisory leader, said: “Continuing challenges with resources beset state CISOs/CIOs. This is evident when comparing the much higher levels of budget that federal agencies and other industries like financial services receive to fight cyber-threats.”

Silent Librarian APT Targeting Universities with Spear Phishing Attacks

Security researchers discovered that an APT group known as “Silent Librarian” is actively targeting universities with spear phishing attacks. Malwarebytes learned in mid-September that Silent Librarian, also known as “TA407” and “COBALT DICKENS,” had launched a new attack campaign. In its analysis of the operation, the security firm found that the threat actor had registered […]… Read More

The post Silent Librarian APT Targeting Universities with Spear Phishing Attacks appeared first on The State of Security.

US Cyber Command and Microsoft Are Both Disrupting TrickBot

Earlier this month, we learned that someone is disrupting the TrickBot botnet network.

Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.

On Sept. 22, someone pushed out a new configuration file to Windows computers currently infected with Trickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the Internet address where hacked systems should download new updates to the malware.

But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet, according to an analysis by cyber intelligence firm Intel 471.

A few days ago, the Washington Post reported that it’s the work of US Cyber Command:

U.S. Cyber Command’s campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter’s sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

The network is controlled by “Russian speaking criminals,” and the fear is that it will be used to disrupt the US election next month.

The effort is part of what Gen. Paul Nakasone, the head of Cyber Command, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom’s activities to help protect the election against foreign threats, officials said.

Here’s General Nakasone talking about persistent engagement.

Microsoft is also disrupting Trickbot:

We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

[…]

We took today’s action after the United States District Court for the Eastern District of Virginia granted our request for a court order to halt Trickbot’s operations.

During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.

To execute this action, Microsoft formed an international group of industry and telecommunications providers. Our Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims will be supported by internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world.

This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.

Brian Krebs comments:

In legal filings, Microsoft argued that Trickbot irreparably harms the company “by damaging its reputation, brands, and customer goodwill. Defendants physically alter and corrupt Microsoft products such as the Microsoft Windows products. Once infected, altered and controlled by Trickbot, the Windows operating system ceases to operate normally and becomes tools for Defendants to conduct their theft.”

This is a novel use of copyright law.

Barnes & Noble warns customers it has been hacked, customer data may have been accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday October […]… Read More

The post Barnes & Noble warns customers it has been hacked, customer data may have been accessed appeared first on The State of Security.

Customised Ubiquiti Clients and Randomised MAC Addresses on Apple Devices


You know how some people are what you'd call "house proud" in that they like everything very neat and organised? You walk in there and everything is in its place, nice and clean without clutter. I'm what you'd call "network proud" and the same principle applies to how I manage my IP things:


That's just a slice of my Ubiquiti network map which presently has 91 IP addresses on it between clients and network devices. Each one has been meticulously customised by both name and icon so that it's immediately recognisable on the map. For example, the Nanoleaf in my daughter's room has the correct image associated to it and her name alongside it so I can easily differentiate it from the one in my son's room. Like I say, network proud, so you can imagine my horror when confronted with the image below:


"TroysAppleWatch"?! Where's the apostrophe?! And the spaces?! And what's that hideous default icon doing there?! This wasn't the first time I'd seen this either; I'd noticed clients losing their settings for weeks now. I had a theory about what might be the cause so a week ago, I snapped a pic of a bunch of the Apple clients on my network, including their MAC addresses:


Ah, look at those beautiful names and icons 😊

Now let's look at the details of my watch as they stand today and in particular, the MAC address it has:


It's completely different to the one I snapped last week. Same watch, same hostname, different MAC address. The root cause quickly became evident: MAC addresses are effectively unique identifiers and the appearance of the same one over and over again provides the ability to track devices. We've known about this for years; even back in 2013, rubbish bins in London were tracking people via their MAC addresses so this isn't a new thing. To address this privacy risk, in their recent OS updates Apple have begun randomising the MAC address on iPhones, iPads and Apple Watches which, whilst improving privacy, has kinda messed up my otherwise very clean Ubiquiti setup.

The fix is simply to jump into the Wi-Fi network and look for the "Private Address" toggle:


Turning that off causes the device to disconnect from the network:


Before joining back on with a new (now static) MAC address:


After this the phone came back online and because it's reverted to a MAC address I'd previously associated a name and icon to, everything now looks just fine:


It's the same deal with the watch which has an equivalent setting:


One final thing on this: Apple's official docs suggest that whilst the MAC address is unique per network, it's static once assigned to the network:

To reduce this privacy risk, iOS 14, iPadOS 14 and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device's private Wi-Fi address for that network only.

That's not consistent with the piece I referenced earlier though which referred to "a feature that periodically changes the MAC address your device uses with each Wi-Fi network", although that was related to a public beta of iOS 14 back in July. But it's also not consistent with my own observations; whilst it's possible that I was looking at changing names and icons for my own devices across different Wi-Fi networks within my own home (I have a primary network, an IoT network and a guest network), the same can't be said of my partner Charlotte who definitely has only ever connected to the primary network. Yet, last week when I was first looking into this, her watch and phone weren't recognised:


When we're talking about a home network, I can't see any downside to not randomising the MAC and so far, it's completely solved the problem I was seeing in my Ubiquiti network. Plus, even if the MAC does remain static on a per-network basis, I do still want my own devices in my own home recognised regardless of what SSID they happen to be connected to.

And so, with that done, it's back to being network proud 😊
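An added check for the situation described in the post above (example code written for this page, not Troy's own tooling or anything from Ubiquiti's controller): randomised addresses, by IEEE convention, set the locally administered (U/L) bit, bit 1 of the first octet, whereas a burned-in address from a vendor OUI leaves it clear. The script assumes Apple's private Wi-Fi addresses follow that convention, and the client list it scans is a constructed sample; a real export from a controller, DHCP server or `arp -a` would be fed in the same shape. It flags which clients are currently on a randomised address and which hostnames have been seen with more than one MAC, the symptom that broke the customised names and icons.

```python
"""Flag randomised (locally administered) Wi-Fi MAC addresses in a client list.

Added example for this page; not part of the original post or of Ubiquiti's software.
Assumption: a randomised/private address sets the U/L bit (0x02) of the first octet,
as IEEE 802 convention requires, and Apple's private Wi-Fi addresses follow it.
"""
import re
from collections import defaultdict

_SEPARATORS = re.compile(r"[:\-.]")


def parse_mac(mac: str) -> bytes:
    """Normalise aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff to 6 bytes."""
    digits = _SEPARATORS.sub("", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set: the address was not
    assigned from a vendor OUI, which is what a randomised/private address looks like."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit (bit 0 of the first octet) is set; a client's own MAC never is."""
    return bool(parse_mac(mac)[0] & 0x01)


def find_randomised(clients):
    """Return the (hostname, mac) pairs whose MAC looks randomised."""
    return [
        (host, mac)
        for host, mac in clients
        if is_locally_administered(mac) and not is_multicast(mac)
    ]


def hostnames_with_multiple_macs(clients):
    """Group by hostname and return those seen with more than one MAC (normalised,
    sorted): the same device turning up under a new address after an OS update."""
    seen = defaultdict(set)
    for host, mac in clients:
        seen[host].add(parse_mac(mac).hex(":"))
    return {host: sorted(macs) for host, macs in seen.items() if len(macs) > 1}


# Constructed sample export; the hostnames and MACs are made up for this example.
SAMPLE_CLIENTS = [
    ("TroysAppleWatch", "3c:7d:0a:12:34:56"),    # U/L bit clear: vendor-assigned
    ("TroysAppleWatch", "6a:1f:22:aa:bb:cc"),    # U/L bit set: randomised
    ("Charlottes-iPhone", "DA-91-00-11-22-33"),  # randomised, Windows-style notation
    ("nanoleaf-kids", "0055.da00.0001"),         # vendor-assigned, Cisco-style notation
]

if __name__ == "__main__":
    for host, mac in find_randomised(SAMPLE_CLIENTS):
        print(f"randomised address: {host} {mac}")
    for host, macs in hostnames_with_multiple_macs(SAMPLE_CLIENTS).items():
        print(f"{host} seen with {len(macs)} MACs: {', '.join(macs)}")
```

One caveat on reading the output: a device whose Private Address toggle is still on will be reported as randomised even if, per Apple's documentation, its address is static for that network, so the first list says which clients to go and pin, not whether their address is changing. The second list is the one that shows actual churn, and it only catches devices whose hostname survives the change; a client that changes both will simply appear as a new entry.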


Elite security intelligence for zero cost. Meet the Recorded Future Express browser extension

Many thanks to the great folks at Recorded Future, who are sponsoring my writing this week. Recorded Future empowers your organization, revealing unknown threats before they impact your business, and helping your teams respond to alerts 10 times faster. How does it do this? By automatically collecting and analyzing intelligence from technical, open web, and … Continue reading "Elite security intelligence for zero cost. Meet the Recorded Future Express browser extension"

Cyber insurance: A guide for businesses

Cyber threats are so numerous that it’s impossible to prevent security incidents altogether.

That’s why organisations are increasingly relying on cyber insurance policies to cover the costs when data breaches and cyber attacks occur.

But just how helpful is cyber insurance? We take a look at everything you need to know in this blog.

What is cyber insurance?

Cyber insurance is a specific type of protection, helping organisations mitigate the financial costs associated with information security incidents.

These costs typically won’t be included in standard business insurance policies, which tend to cover only the damage or loss of equipment itself, rather than harm caused by a cyber security event.

How does cyber insurance work?

When a covered organisation suffers a security incident and submits a claim, the insurer will investigate and then pay out accordingly.

Security incidents cause many issues that can’t be fixed with financial reimbursement, such as the time and effort it takes to recover or the reputational damage you could face.

Likewise, the cost of a data breach is related to the speed at which organisations can detect and respond to an incident. Indeed, Ponemon Institute’s Cost of a Data Breach Report 2020 found that organisations that can address a breach within 200 days save about £750,000 compared to those that take longer to respond.

If organisations have to wait for their insurer to review the incident, the costs will escalate and their premium will increase.

You must therefore view cyber insurance as a complement to your cyber security defences and an extra resource to mitigate costs rather than an alternative.

What does a cyber insurance policy cover?

Cyber insurance covers the financial costs of incidents that affect the confidentiality, integrity and availability of information. This includes cyber attacks and data breaches, as well as other events that impact IT systems and networks.

Policies generally provide organisations with the means to manage the incident. This includes forensic investigation, incident response, legal assistance and public relations support.

What is not covered by cyber insurance?

Cyber insurance policies generally don’t cover damages that were caused or exacerbated by the organisation itself.

This might include business email compromise fraud or acts of gross negligence.

Likewise, some insurers won’t reimburse organisations that pay up after a ransomware attack, given that experts advise organisations not to pay because payment helps fuel the cyber crime industry and could make the organisation a soft target for future attacks.

Who needs cyber insurance?

Any organisation that relies on information technology or processes sensitive data is vulnerable to cyber attacks and data breaches, and should therefore consider cyber insurance.

You can find out whether cyber insurance is the right strategy by following ISO 27001’s risk assessment methodology, which helps organisations decide the most appropriate way to address cyber security issues.

Organisations can:

  • Modify the risk by applying security controls that will reduce the likelihood of it occurring and/or damage it will cause.
  • Retain the risk by accepting that it falls within previously established risk acceptance criteria, or via extraordinary decisions.
  • Avoid the risk by changing the circumstances that are causing it.
  • Share the risk with a partner, such as a cyber insurance firm or a third party that is better equipped to manage the risk.

How much does cyber insurance cost?

An AdvisorSmith study found that the average cost of cyber insurance was $1,500 (about £1,160) per year for $1 million (£770,000) in coverage.

However, the costs will vary greatly depending on the organisation’s size, industry, the amount of sensitive data it processes and the strength of its existing cyber security measures.

Some insurers may also offer different levels of protection. For example, you could pay less each month but be covered against a smaller set of damages – or vice versa.

Is my existing cyber security enough?

Organisations are free to decide whether they should purchase cyber insurance.

In most cases, there is no legal or contractual requirement to have cyber insurance, so the organisation might decide that its budget is better spent on cyber defences and business continuity management.

However, there may well be times where it makes financial sense to invest in cyber insurance, for example when the costs of a breach far exceed the amount you would be paying in coverage.

Also, it’s worth remembering that almost all insurance brokers state that the organisation must take appropriate steps to prevent security incidents.

Make sure you have the right defences in place with our Cyber Security as a Service.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through a variety of security practices – including vulnerability scans, staff training and the creation of policies and procedures – ensuring that you have the foundations of an effective security strategy.

These measures will help you stay one step ahead of cyber criminals, preventing a wide array of threats and putting you in a position to claim competitive cyber insurance rates.

The post Cyber insurance: A guide for businesses appeared first on IT Governance UK Blog.

3 reasons cyber security training is essential

Organisations are always looking for ways to improve their security practices, and one of the most effective ways to achieve this is by enrolling employees on cyber security training courses.

A recent Lucy Security study found that 96% of respondents agreed that a greater level of awareness over cyber security threats contributed to overall improvements in their defences.

Despite that, comparatively few provided adequate training to help staff mitigate the risks of data breaches and cyber attacks.

For example, only 81% of respondents said they conduct phishing simulations, and only 51% say their organisation has a mechanism to report suspicious emails.

With October being European Cyber Security Awareness Month, there has never been a better time to boost your organisation’s knowledge of effective information security practices.

Here are three reasons to consider it.


1. You’ll reduce the risk of data breaches

Almost all data breaches are caused by a mistake somewhere in the organisation. So if you want to keep your organisation secure, your employees need to know what they’re doing.

That doesn’t only mean negligence – it could also be mistakes that you don’t even know are mistakes, such as gaps in your policies, ineffective processes or a lack of proper technological defences.

Placing staff on information security training courses will help them understand the mistakes they’re making and teach them to work more effectively.

This is especially useful if you intend to commit to a framework such as ISO 27001, the international standard for information security, as there are specific courses that teach you how to follow the Standard’s requirements.


2. You’ll meet compliance requirements

Cyber security laws and regulations inevitably contain complex requirements, so organisations need employees with specialist knowledge to achieve compliance.

For example, organisations that are required to appoint a DPO (data protection officer) under the EU GDPR (General Data Protection Regulation) must find someone with an in-depth understanding of data protection law.

The stakes associated with the position are huge; if the DPO doesn’t perform their tasks in accordance with the GDPR’s requirements, the organisation is liable to face regulatory action.

It’s therefore paramount that the DPO is given every resource available to do their job properly, and training courses should always be sought where possible.

They are not only the quickest way of studying but also usually include exams, which reassures employers that the individual is qualified.

The same advice applies for individuals in roles that involve compliance with the NIS Regulations (Network and Information Systems Regulations 2018), the PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 or any other law or framework.


3. You’ll foster career growth

Training courses enable employees to pick up new skills and gain more advanced qualifications, which will help them move into more senior roles.

This isn’t only beneficial for them but also their employers. It’s getting increasingly hard to find qualified information security professionals, with one report estimating that there will be 3.5 million unfilled jobs in the industry by 2021.

Finding qualified personnel isn’t the only problem. A small pool of skilled workers also means job candidates can command a higher salary and more benefits.

As such, organisations might not be able to afford qualified professionals even if they can find them.

They should therefore do whatever they can to support employees who want to go on training courses. Organisations will almost certainly benefit from the extra knowledge, and it eases the pressure of finding skilled personnel in the job market.


Which course is right for you?

Cyber security is a broad industry, so you need to decide which area suits you best. To help you make that choice, here are some of our most popular training courses:

Knowledge of ISO 27001, the international standard for information security, is an absolute must for anyone who handles sensitive data. We offer several ISO 27001 courses, including an introduction to the Standard and guidance on specific roles, such as internal auditor and lead implementer.

ISO 22301 is the international standard for business continuity. Organisations that follow its framework can be sure that they’ll continue operating when disaster strikes.

Our Foundation-level course covers the essentials of the Standard, but we also offer advanced courses for those that want to lead an implementation project or audit.

Any organisation that transmits, processes or stores payment card data must comply with the PCI DSS. Our training courses help you understand the basics of the Standard, implement its requirements and complete the SAQ (self-assessment questionnaire).

The GDPR is the most significant update to information security law in more than twenty years. Anyone who handles personal data or is responsible for data protection needs to comply with its requirements.

Regular staff should familiarise themselves with the Regulation via our Foundation-level course, senior staff would benefit from our Practitioner course and those looking to fulfil the DPO role should enrol on our Certified DPO training course.


A version of this blog was originally published on 31 October 2018.

The post 3 reasons cyber security training is essential appeared first on IT Governance UK Blog.

India Witnessed Spike in Cyber Attacks Amidst Covid-19 – Here’s Why?

The COVID-19 outreach is turning out to be not only health, social, and economic hazard but also a cybersecurity crisis. The pandemic has presented new challenges for businesses in the areas of remote collaboration and business continuity. With increased remote working for better business continuity, employees are using numerous Internet tools. As businesses and people have started relying more