Daily Archives: November 12, 2020

Making history: The pandemic, disaster recovery and data protection

It was an accomplishment for the ages: within just a couple of days, IT departments hurriedly provided millions of newly homebound employees online access to the data and apps they needed to remain productive. Some employees were handed laptops as they left the building, while others made do with their own machines. Most connected to their corporate services via VPNs. Other companies harnessed the cloud and software and infrastructure services (SaaS, IaaS). Bravo, IT! Not … More

The post Making history: The pandemic, disaster recovery and data protection appeared first on Help Net Security.

Enterprises embrace Kubernetes, but lack security tools to mitigate risk

Businesses increasingly embrace the moving of multiple applications to the cloud using containers and utilize Kubernetes for orchestration, according to Zettaset. However, findings also confirm that organizations are inadequately securing the data stored in these new cloud-native environments and continue to leverage existing legacy security technology as a solution. Businesses are faced with significant IT-related challenges as they strive to keep up with the demands of digital transformation. Now more than ever to maintain a … More

The post Enterprises embrace Kubernetes, but lack security tools to mitigate risk appeared first on Help Net Security.

How IoT insecurity impacts global organizations

As the Internet of Things becomes more and more part of our lives, the security of these devices is imperative, especially because attackers have wasted no time and are continuously targeting them. Chen Ku-Chieh, an IoT cyber security analyst with the Panasonic Cyber Security Lab, is set to talk about the company’s physical honeypot and about the types of malware they managed to discover through it at HITB CyberWeek on Wednesday (October 18). In the … More

The post How IoT insecurity impacts global organizations appeared first on Help Net Security.

Malware activity spikes 128%, Office document phishing skyrockets

Nuspire released a report outlining new cybercriminal activity and tactics, techniques and procedures (TTPs) throughout Q3 2020, with additional insight from Recorded Future. The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery. … More

The post Malware activity spikes 128%, Office document phishing skyrockets appeared first on Help Net Security.

ML tool identifies domains created to promote fake news

Academics at UCL and other institutions have collaborated to develop a machine learning tool that identifies new domains created to promote false information so that they can be stopped before fake news can be spread through social media and online channels. To counter the proliferation of false information it is important to move fast, before the creators of the information begin to post and broadcast false information across multiple channels. How does it work? Anil … More

The post ML tool identifies domains created to promote fake news appeared first on Help Net Security.

Infosys delivers cloud-powered, cognitive-first managed services for IT operations

Infosys launched Infosys Live Enterprise Application Management Platform to help organizations run their IT portfolios as engines driving intuitive decisions, building responsive value chains, and delivering perceptive experiences for the business. The open, end-to-end managed services platform for IT operations, from transition to transformation, delivers value by: Setting up a business command center to act as the digital brain, unifying and analyzing input from disparate IT tools and processes to drive zero-touch, zero-latency IT support … More

The post Infosys delivers cloud-powered, cognitive-first managed services for IT operations appeared first on Help Net Security.

AWS Glue DataBrew: Enabling customers to clean and normalize data without writing code

Amazon Web Services announced the general availability of AWS Glue DataBrew, a new visual data preparation tool that enables customers to clean and normalize data without writing code. Since 2016, data engineers have used AWS Glue to create, run, and monitor extract, transform, and load (ETL) jobs. AWS Glue provides both code-based and visual interfaces, and has dramatically simplified extracting, orchestrating, and loading data in the cloud for customers. Data analysts and data scientists have … More

The post AWS Glue DataBrew: Enabling customers to clean and normalize data without writing code appeared first on Help Net Security.

Secure Code Warrior Missions: Interactive coding simulations of real-world applications

Secure Code Warrior has launched Missions—hands-on, interactive coding simulations of real-world applications that encourage developers to experience the real-time impact of poor code practices in a safe environment. Missions is the result of Secure Code Warrior’s acquisition of Iceland-based start-up Adversary in April 2020. 40 missions covering common security vulnerabilities are currently available, all of which are based on real-world scenarios like the cyber-attacks and security breaches Facebook, WhatsApp, GitHub and high-profile banks have faced. … More

The post Secure Code Warrior Missions: Interactive coding simulations of real-world applications appeared first on Help Net Security.

New PCI Regulations Indicate the Need for AppSec Throughout the SDLC

Last year, the PCI Security Standards Council published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as a part of a new PCI Software Security Framework (SSF), also referred to as PCI S3. The SSF offers objective-focused security best practices that outline what a good application security program looks like, with consideration for both traditional and modern payment platforms and evolving development practices. The framework was developed with input from industry experts within the PCI Software Security Task Force (SSTF) and PCI SSC stakeholders.

The new SSF recognizes that there is no one-size-fits-all approach to software security. Vendors need to determine which software security controls and features best serve their specific business needs. But the outlined security requirements and assessment procedures help vendors ensure that the right steps are taken to protect the integrity and confidentiality of payment transactions and customer data.

The Secure SLC Standard is an important part of the SSF because it helps organizations maintain good application security (AppSec) practices by outlining security requirements and assessment procedures for vendors to ensure that they are managing the security of their payment software throughout the software lifecycle. In order to meet the requirements of the Secure SLC Standard, and in turn the SSF, vendors need to have AppSec as part of their development process from the first line of code until the product is released.

Previous AppSec requirements, like those laid out in the PCI Payment Application Data Security Standard (PA-DSS), a component of the PCI Data Security Standard (PCI DSS), only focused on software development and lifecycle management principles for security in traditional payment software. But modern payment software is faster and more iterative, so it needs AppSec to be integrated and automated throughout the entire development lifecycle. The new SSF regulations expanded to include a new methodology and approach for validating modern software security, as well as a separate secure software lifecycle qualification framework for vendors, so the PA-DSS will be retired at the end of October 2022.

What does this mean for existing PA-DSS validated applications? Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022, PCI SSC will move PA-DSS validated payment applications to the "Acceptable Only for Pre-Existing Deployments" tab. Any new updates to PA-DSS validated payment applications must be assessed under the SSF.

A great way to start your journey to SSF compliance is by enrolling in Veracode Verified. Many of the requirements in Veracode Verified map to PCI requirements. Veracode Verified helps you improve your company's secure software development practices and shows the maturity of your program through the completion of a three-tier process.

To learn more about the new PCI Software Security Framework, including additional details on migrating from PA-DSS to SSF, check out our recent blog post, The Migration From PA-DSS to SSF: Everything You Need to Know.

SOCwise: A Security Operation Center (SOC) Resource to Bookmark

Core to any organization is managing cyber risk with a security operations function, whether it be in-house or outsourced. McAfee has been, and continues to be, committed to protecting cyber assets. We are dedicated to empowering security operations, and with this dedication comes expertise and passion. Introducing SOCwise, a monthly series of blogs, podcasts and talks driven by two highly experienced and devoted security operations professionals. This is an ongoing resource of helpful advice on SOC issues, distinct SOC functional lessons, best practices learned from a range of projects and customers, and perspectives on the future of security operations. In addition, we will invite guests to contribute to this series.

Meet the SOCwise

From Michael Leland, Technical Director of Security Operations, McAfee

From the perspective of a ‘legacy SIEM’ guy I can tell you that there’s nothing more important to a security analyst than intelligence. Notice I didn’t say ‘data’ or ‘information’ – I didn’t even say ‘threat intelligence’. I’m talking about ‘Situational Awareness’. I’m specifically talking about business, user and data context that adds critical understanding and guidance in support of making more timely, accurate or informed decisions related to a given security event. A typical SOC analyst might deal with dozens of incidents each shift – some requiring no more than a few minutes and even fewer clicks to quickly and accurately determine the risk and impact of potential malicious activities. Some incidents require much more effort to triage in hopes to understand intent, impact and attribution.

More often we find the role of SOC analyst to be one of data wrangler – asking and answering key questions of the ‘data’ to determine if an attack is evident and if so, what is the scope and impact of the adversarial engagement. Today’s modern SOC is evolving from one of centralized data collection, information dissemination and coordination of intelligence – one where each stakeholder in security was a part of the pre-determined set of expectations throughout the evaluation and implementation process – to a fully distributed cast of owners/creators (application development, operations, analysts, transformation architects, management) where the lines of authority, expectation and accountability have blurred sometimes beyond recognition.

How can a modern SOC maintain the highest levels of advanced threat detection, incident response and compliance efficacy when they may no longer have all (or sometimes even some) of the necessary context with which to turn data into intelligence? Will Security Operations Centers of the future resemble anything like the ones we built in previous years? From the massive work-from-home migration brought on by an unexpected pandemic to cloud transformation initiatives that are revolutionizing our modern enterprise, the entire premise of a SOC as we know it is being slowly eroded. These are just some of the questions we will try to answer in this blog series.

From Ismael Valenzuela, Senior Principal Engineer, McAfee

I have worked for 20 years in this industry that we once used to call information security. During this time, I have had the opportunity to be both on the offense and the defense side of the cyber security coin, as a practitioner and as a consultant, as an architect and as an engineer, as a student as well as a SANS author & instructor. I want to believe that I have learned a few things along the way. For example, as a penetration tester and a red teamer, I have learned that there is always a way in, that prevention is ideal, and that detection is a must. As a security architect I have learned that a defensible architecture is all about the right balance between prevention, monitoring, detection and response. As an incident responder I learned that containing an adversary is all about timing, planning and strategy. As a security analyst I have learned the power of automation and of human-machine teaming, to do more analysis and less data gathering. As a threat hunter I have learned to be laser focused on adversarial behaviors, and not on vulnerabilities. And as a governance, risk and compliance consultant, that security is all about tradeoffs, about cost and benefit, about being flexible, adaptable and realizing that for most of our customers, security is not their core business, but something they do to stay in business. To summarize 20 years in a few phrases is challenging, but no one has summarized it better than Bruce Schneier in my opinion, who wrote, precisely 20 years ago: "security is a process, not a product".

And I am sure that you will agree with me that processes have changed a lot over the last 20 years. This transformation, which had already started with the adoption of Cloud and DevOps technologies, is now creating an interesting and unforeseen circumstance. Just when security operations barely found its footing, and right when it was finally coming out from under the realm of IT, garnering respect and budget to achieve desired outcomes, just when we felt that we made it, we are told to pack our things, leave the physical boundaries of the SOC and have everyone work remote.

If this didn’t introduce enough uncertainty, I read that Gartner predicts that 85% of data centers will be gone by 2025. So, I can’t help but wonder: is this the end of it? Is the SOC dead as we know it? What is the future of SecOps in this new paradigm? How will roles change?  Will developers own security in a ‘you code it, you own it’ fashion? Is it realistic to expect a fully automated SOC anytime soon?

Please join us in this new SOCwise series as Michael and I explore answers to these and more questions on the future and the democratization of SOC and SecOps.

The post SOCwise: A Security Operation Center (SOC) Resource to Bookmark appeared first on McAfee Blogs.

Animal Jam Hacked, 46M Records Roam the Dark Web

Animal Jam, just the latest in a string of attacks on gaming apps, has adopted a transparent communications strategy after stolen data turned up on a criminal forum.

Look who’s speaking at Technicity GTA

The key to understanding any situation is to speak with people who are in the thick of doing the work. With that in mind, when ITWC decided to shine the light on public sector IT innovation in the GTA, we reached out to the individuals and organizations that are working in the trenches to improve…

The post Look who’s speaking at Technicity GTA first appeared on IT World Canada.

Employee Spotlight: From Building Code to Building Teams


Webroot is a dynamic team of hard-working individuals with diverse backgrounds. One of those hard-working individuals is Ben Jackson, Senior Manager of Software Development, Engineering. Ben started off building pages in HTML. Now he leads high-performing teams and helps develop architectures from his home in the UK. We sat down with Ben to find out how he got into software and where he sees the biggest growth opportunities.

What were you doing before working at Webroot?

I worked at a Smart Meter manufacturer in the UK on their manufacturing systems and had a short stint at a big UK retailer called Next working on their retail website.

What brought you to Webroot?

The opportunity to work on some really cool tech, and the people and culture really attracted me.

What is your role in the company?

I am a Senior Software Development Manager for the Sky Services and Efficacy tools.

How did you get into software development?

I took a shine to it from an early age when I was trying to find something to do for a career back at school. I started with the most basic HTML web page in my spare time by copying the code from a textbook into notepad and saving it as an html file to see it run. I have never looked back.

What are the primary coding languages you specialize in?

Microsoft .NET Framework technologies, with languages such as C#. I can use Visual Basic, but I'm not a huge fan, and also Java.

What are the advantages of those languages and how do they manifest themselves in your work?

C# is at the core of what we do as a team. All our applications are in the Microsoft .NET Framework stack, and through the use of .NET Core in a lot of our new projects, we can run our code on any operating system, making it very easy to deploy, such as in Linux or Docker containers.

What parts of your job require you to think outside of strictly writing code, for example, system architecture, use cases, etc.?

Most of my job requires me to think outside of writing code, especially working with other engineering teams, product management, and helping design the architecture of some of our decoupled systems.

What are your proudest accomplishments as a software engineer?

I have contributed to and led numerous software projects in my career that I am very proud of, but my proudest achievements are in building teams that work together to deliver something special and noteworthy in terms of how the team collaborated together, especially my current team.

Where do you think the future of software development is headed?

It is tricky to say as direction changes all the time and people have such differing opinions, but I feel it will certainly be the continuation of the cloud (Amazon Web Services, Microsoft Azure and Google Cloud) being king. The management of the infrastructure to run applications will further be detached from the developer so that they will just be writing the code and handing it over to the cloud to deploy, scale and manage for you automatically. Serverless architectures will become more of the norm, I think.

War Games or The Matrix?

War Games! It was released the year before I was born, but I have grown up with it through watching re-runs.

What else do you like to do besides coding?

I am a big football (soccer) and sports fan and try to watch as much as I can. I used to play 11-a-side football as a goalkeeper every Saturday for a local team until my recent retirement to spend more time with my two children, who are my biggest focus now outside of work.

Any personal details or stories you’d like to share?

I once appeared on a Portuguese news channel while at a friend’s stag (bachelor party). I was dressed as a pirate, doing the iconic scene from the film Titanic at the front of a fishing boat as it came into the harbor. For some reason, a news crew interviewed us and ran it on the early evening news with the Titanic theme song by Celine Dion playing in the background. I have no idea why they found us so interesting!

Want to find out about job opportunities at Webroot? Visit our careers page.

The post Employee Spotlight: From Building Code to Building Teams appeared first on Webroot Blog.

Ethical Hacker’s Comic Dream Gets Backing


A Texas security professional's dream of creating a comic book publishing company dedicated to titles about hacking is edging closer to reality.

Robert Willis started a campaign on Kickstarter to self-finance and create a new publishing company named Paraneon. The company will specialize in cyber-punk and sci-fi comics that are written by hackers and for hackers to inspire young people to pursue STEM careers. 

"Superheroes dominate the comic books, which I think is great, but I want to see more hacker and tech going on in this series," said Willis. 

"I really want to inspire kids the same way I was inspired when I was younger."

With just over two days to go to reach its modest $2,000 total, Willis' idea has already received $6,324 in support from 100 backers. In return for funding the project, backers choose to receive the first titles to be published under Paraneon, collected together in a graphic novel called Initiating . . . Paraneon.

Those who pledge $200 or more to support the creation of the first three titles can opt to be drawn into one of the hacking comic titles, The Hive Network.

"You will be drawn without clothing in a tank, but none of your goodies will be shown," said Willis. 

The setting for the books—the Paraneon Universe—comprises technocentric cities, underground worker colonies, and apocalyptic "drylands." In this reality, pollution and global warming have caused all factories and production to be moved to Mars, where more androids dwell than do humans.

"The initial books lay out the world, which is very technocentric," Willis told Bleeding Cool. "The stories introduce characters and the scenery. Future books will expand on hacking scenarios from real-world hackers like myself."

InfoSec professional and ethical hacker Willis, who wrote all of the titles himself, has hired artists all over the world to bring his vision of Paraneon to life. 

"I really want to raise money right now so I can bring in known people from the comic book industry," said Willis, "known writers and known illustrators."

If the project proves to be successful, Willis plans to use live action and animation to bring the Paraneon Universe to life in the future.

OpenText’s digital forensics software solutions now available on Microsoft Azure

OpenText EnCase Forensic and EnCase Endpoint Investigator are now certified on Microsoft Azure, the company announced earlier this week at OpenText Enfuse On Air 2020. 

The post OpenText's digital forensics software solutions now available on Microsoft Azure first appeared on IT World Canada.

Cyber-Mercenaries Sell Espionage Campaigns


Ransomware-as-a-Service (RaaS), dedicated phishing campaigns, and digital espionage can be bought on the cyber-criminal underground, according to new research by BlackBerry.

In a report published today, BlackBerry's Research and Intelligence team reveals the illegal activities of a cyber-espionage campaign they have been tracking for six months. 

The campaign, dubbed CostaRicto by researchers, is seemingly operated by a group of APT mercenaries called “hackers-for-hire” who operate bespoke malware tooling and complex VPN proxy and SSH tunneling capabilities.

Key findings of the report are that CostaRicto targets can be found the world over: in Europe, the Americas, Asia, Australia, and Africa. However, the majority of targets are concentrated in South Asia, particularly in India, Bangladesh, and Singapore.

Researchers say this data could suggest that the threat actor behind the campaign is based in that region but selling their illegal services on an international black market to the highest bidders. 

The command-and-control (C2) servers utilized by CostaRicto are managed via Tor and/or through a layer of proxies. The attacker practices "better-than-average operation security," creating a complex network of SSH tunnels established in the victim’s environment. 

A strain of malware that hasn't been seen before is used to create a backdoor in the victim's network. Researchers described the malware as "a custom-built tool with a suggestive project name, well-structured code, and detailed versioning system." 

Whoever created the backdoor project named it Sombra, a reference to a character in the video game Overwatch who specializes in intelligence assessment and espionage and is known for their hacking abilities. 

The malware appears to have been rolled out in October 2019, but version numbers suggest that the project is still in the debug testing phase. Researchers found indications that the operation may have been around even longer.

"The timestamps of payload stagers go back to 2017, which might suggest the operation itself has been going on for a while, but used to deliver a different payload," said researchers.

An IP address to which the backdoor domains were registered overlaps with a pre-existing phishing campaign attributed to APT28. However, researchers believe it most unlikely that a direct link exists between CostaRicto and that particular advanced persistent threat group.

Bridge the Gap Between the Security You Have and the Security You Need

Change happens – sometimes much faster than expected – like it has in 2020. When the threat landscape shifts suddenly, security professionals must quickly react and change their security posture. This not only means reconfiguring existing security investments but also adding new ones.

But given the number of heterogeneous security applications sold by multiple vendors, new security expansions are tough to manage. They not only have to co-exist with the existing security infrastructure, but they must be integrated to avoid leaving security gaps attackers can exploit. User and business experience must be maintained as well. Is it any wonder, then, that CISOs continue to struggle? It's hard to optimize and manage existing cybersecurity software investments, and expand security capabilities, all the while keeping up with shifting business needs.

It is time you demand more from your security vendors. It’s perfectly reasonable to expect them to do the following:

  • Anticipate the changes you now face
  • Offer solutions that handle those changes with pre-integrated capabilities from multiple best-of-breed vendors
  • Enable you to not only select the right vendor but also compose a solution quickly for your environment
  • With a few clicks, do a quick POC in your environment and move rapidly into production

Here's where "Composable Security," a breakthrough architectural extension from McAfee, addresses this chronic IT turbulence. In practice, the concept allows MVISION ePO (ePolicy Orchestrator) administrators to add multi-vendor security modules quickly and easily assemble best-in-class solutions that meet your particular needs. Users can compose, and then re-compose, powerful, cloud-based or on-prem security solutions certified to seamlessly plug-and-play. With a few clicks, you can add new capabilities to your existing security infrastructure in minutes.

MVISION ePO now offers Composable Security capabilities. Let’s take a closer look:

MVISION Marketplace delivers value quickly and simply

The era of monolithic, and often disconnected, security solutions has passed. We believe customers want a connected security architecture that can rapidly adopt and implement new tools, sensors and data from a myriad of disparate but innovative solutions. When change occurs seemingly overnight, like we saw with the explosion in the number of people working from home due to Covid-19, executives don't have the luxury of waiting until the next budget cycle to take action. But with MVISION Marketplace, we are enabling companies to easily scale their security infrastructure.

This new application marketplace enables McAfee and our partners to deliver pre-integrated, best-in-class solutions to customers. The marketplace offers products that expand and extend McAfee solutions. Organized in easy-to-understand categories, the marketplace features a tile per partner. Each integration is "McAfee Certified," which means that McAfee has certified the integration with that partner.

Clicking on the tile enables you to drill down and understand the value delivered by each integration. When you see something you like, click through and try it out. Here’s where pre-integration makes the combined value proposition easy to understand. The idea is for customers to experience the value quickly before they make a decision.

By utilizing our partners in the MVISION Marketplace, you can not only evolve your security architecture; you also improve your team’s responsiveness to real-time threats—and become less preoccupied with tool integration.

We worked closely with multiple partners to build out this marketplace. These composable solutions are from leaders in their field including Attivo Networks, IBM Security, Seclore, Service Now, Siemplify, and ThreatQ. Their certified solutions extend the capabilities of existing security environments, whether cloud-based or on premise. This new ability to mix and match applications over and over also addresses many pressing business challenges. It helps organizations address technology, time, compliance, and resource constraints in minutes — rather than in hours, days or weeks.

Attivo working with McAfee delivers the best endpoint solution in the industry. Attivo’s blog covers how McAfee + Attivo are better together for customers.

Seclore working with McAfee delivers the best Information security solution in the industry. Read their blog to learn how McAfee + Seclore are better together for customers.

ThreatQuotient, Swimlane, and Siemplify, working with McAfee, deliver one of the best SOC solutions in the industry. Learn more about how ThreatQuotient, Swimlane, and Siemplify are better together with McAfee for our customers.

Our market leading Security Innovation Alliance Program has created the largest integrated security ecosystem in the industry. We’re not done. You can expect us to add new partners quickly. In the meantime, if you find a partner missing that you want us to add to our list, please reach out to me.

A new MVISION API enables customers to add their own innovations

We live in an era where more security is automated rather than managed through consoles. MVISION API’s goal is to be the single interface for your non-console interactions with the McAfee portfolio. It’s a powerful capability that delivers a single, web scale, global interface with unparalleled access to your McAfee portfolio. The goal is threefold:

  • See what McAfee sees: As you deploy McAfee controls in your IT infrastructure, McAfee products start seeing security events; they discover devices; they see users access assets; they see processes running on endpoints; they see network movement; they see cloud access as well as any files being uploaded to the cloud. That same visibility will be delivered through this API.
  • Know what McAfee knows: When it comes to threat intelligence, McAfee has vast knowledge about what is good, what is bad, what is suspicious and what is not known. All this is available to your controls from McAfee and shows up as alerts or reputations of files, URLs etc. If you are an inquisitive SOC analyst, you may want to increase your knowledge through queries and searches or get more details about a campaign. The bidirectional “Know API” is geared towards enabling you to get access to this type of information.
  • Do what McAfee can do: McAfee is the market leader in security orchestration. McAfee launched the industry’s most popular orchestration product 15 years ago as McAfee ePolicy Orchestrator (ePO). That knowledge and power is now available through the DO APIs. You can now use the DO APIs to essentially orchestrate and automate the McAfee portfolio like you have used ePO.

The API, at launch, is tuned towards an Open EDR solution enabling customers to expand and extend MVISION EDR.  Top use cases are driven by the need of SOC analysts to build playbooks, manage cases, search for IOCs, synchronize Incidents and build intelligent extensions to the vast amount of control visibility we provide.

We have very ambitious plans. So, watch this space as we make rapid progress.

What’s a marketplace without developers?

With the MVISION Developer Portal now open to all innovators using the MVISION APIs, application developers and ISVs can build public or private applications. The portal enables application developers to build, test, and certify their applications prior to making them available on MVISION Marketplace, and enables customers to develop and deploy their own private apps.

I expect startups will leverage MVISION APIs to build their innovation on top of McAfee products. In fact, we encourage them to do so and deliver their innovations next to McAfee products and deliver them to our customers through the marketplace.

Of course, organizations can also choose to create a variety of custom apps using MVISION APIs from the MVISION Developer Portal. The only limit is your own creativity. You can build new Intelligent apps, automate your current processes, integrate your SIEM, build an OT extension, or just sit back and enjoy a comprehensive dashboard that tracks your security posture.

MVISION ePO’s Composable Security extensions are simple and quick

These capabilities work together to deliver a Composable Security Platform enabling McAfee and its ecosystem to deliver pre-integrated, high-value solutions to customers. This is a big breakthrough that will make your job easier. All it now takes is a few minutes and a few clicks to add valuable new capability.

Try it out and see for yourself at http://marketplace.mcafee.com/ and https://developer.mcafee.com/. I hope you will find this set of capabilities valuable and welcome your ideas on how to make them even better. And don’t be shy. Drop me a line @ javed_hasan@mcafee.com to tell me what improvements you want to see.

The post Bridge the Gap Between the Security You Have and the Security You Need appeared first on McAfee Blogs.

Most Americans Reuse Passwords for Work Devices

New research into the security behavior of employees in the United States has found that most Americans reuse passwords on work devices. 

A September 2020 survey of 500 full-time US employees by portfolio website Visual Objects found that 63% increased their vulnerability to cyber-attacks by recycling the same passwords for multiple accounts on work devices.

The majority of those surveyed (63%) said that they weren't concerned about where they stored their personal data and were comfortable keeping it on their work devices. 

This could be because they see cybersecurity as something that their employer should take care of. Almost all (91%) said that they feel companies are more responsible for cybersecurity efforts than employees are. 

A Visual Objects spokesperson commented: "Most companies sent office devices home with employees during COVID-19, allowing workers to intermix work and personal data. Employees risk introducing malware onto work devices when using them for personal activities."

The findings revealed a link between the age of the workers and their attitude to cybersecurity. While only 2% of baby boomers said that they always reuse work-related passwords, 13% of millennials confessed to always using duplicate passwords. 

More survey respondents in the baby boomer age group (27%) said that they were not concerned with where they stored their personal data than in any other age group. Only 17% of millennials felt very unconcerned about storing personal data on work devices.  

Christine Sabino, a senior associate at data breach claims company Hayes Connor, said that millennials have a natural inclination to keep personal and work information separate.

“[Millennials] have more technological devices, like a personal laptop, tablet, mobile phone, and games console,” Sabino said. “They are less likely to require the use of their work laptop for these [personal] activities.”

More than three-quarters of US workers (76%) said that they felt at least somewhat accountable for ensuring cybersecurity measures were followed at their company. 

“Employees have a responsibility to ensure guidelines and processes are followed,” commented Cyphere's Harman Singh. 

“Employees must take small actions that have a bigger impact on improving culture, such as appropriately reacting to suspicious emails, calls, or information online.”

Thankful for broadband internet, and hopeful for much more  

Where would we be without our internet this year?

We’ve shopped, worked, studied and taught, job hunted, and cared for each other online this year in ways we haven’t before—not to mention entertained ourselves plenty too. As so many of us have faced challenges and outright adversity this year, it’s difficult to imagine what this year would have been like without the support of a reliable broadband internet connection. So much so, you can argue that it’s become a necessity.

For that, I’m thankful—and recognize that we have a long way to go before all of us can share in those same thanks. As I’ve mentioned in earlier blogs, fixed broadband internet access at home remains elusive for many. In the U.S. alone, one analysis shows that more than 150 million people do not use the internet at broadband speeds, which is practically half of the U.S. population. 

What is broadband internet? 

A good question to ask here is what exactly constitutes “broadband?” The Federal Communications Commission (FCC) defines broadband speeds as 25 Megabits per second (Mbps) of download speed and 3 Mbps of upload speed. (Note that the FCC estimates only 21 million people in the U.S. are without broadband, a number widely considered to be low.)

Put in everyday terms, 25 Megabits per second of download speed is a baseline figure that should provide a family of two to four people with enough capacity to engage in bandwidth-hungry activities like working from home, schooling online, or even receiving medical care through telemedicine, along with streaming to stay entertained and informed too.

As we look at that figure of 150 million underserved people, we see people who live in remote areas that simply aren’t wired for broadband yet, representing millions of rural residents and people living on tribal lands. Additionally, it also includes people in urban areas who potentially have access to a broadband connection, yet their income levels impact their ability to subscribe to it.

Obviously, a major hurdle in rolling out broadband nationwide is the 1.9 billion acres that make up our country. The physical, technological, and financial efforts associated with building fixed broadband access across rural and remote terrain are substantial to say the least. Additionally, there are regulatory matters as well, like the rules that govern access to existing utility poles and conduits needed for broadband deployment.

Broadband is no longer a luxury, it’s a utility 

Ultimately, we’re talking about connecting not just homes, but entire communities—people, businesses, libraries, granges, local government, and more. Getting them access to broadband isn’t just a commercial interest, it’s a matter of infrastructure as well. Just as water and electricity are utilities, we can argue that the internet, broadband internet, has long since evolved into a utility. The reasons are clear: education, economic growth, employment and even access to healthcare all stand to improve when broadband is available to a community, as has been seen in communities such as Chattanooga, Tennessee and in Delta County, Colorado. Thus it makes sense that connecting them has become a joint endeavor by the public and private sector.

Meanwhile, last summer, the lack of adequate broadband across Nebraska during the pandemic prompted the state’s governor and legislature to allocate pandemic relief funds and pass bills that would speed the deployment of broadband across the state. As reported by the Omaha World-Herald, one of Nebraska’s rural power district managers said of fixed broadband service: “It goes beyond economic development, it goes beyond watching Netflix, there’s some real business implications here.”

However, even in communities where broadband is physically available, pockets of low-speed connectivity exist as well. According to the Pew Research Center, only 53 percent of adults with an income under $30,000 had broadband access at home. For those with an income of between $30,000 and $100,000, that figure takes a major leap up to 81%. Instead, lower-income Americans turn to their smartphones for all their internet access. From the findings: 

As of early 2019, 26% of adults living in households earning less than $30,000 a year are “smartphone-dependent” internet users, meaning they own a smartphone but do not have broadband internet at home. In contrast, only 5% of those living in households earning $100,000 or more fall into this category in 2019.

Smartphones alone aren’t enough 

What might a smartphone-only internet life look like? Pew Research Center put that into perspective in a survey where respondents were asked about job hunting on the internet. Some 32% of people with a reported household income of under $30,000 said that they submitted a job application by phone. For those households making more than $75,000, that figure was just 7%. (Cost is certainly a factor, yet it is encouraging to see that the reported average cost of broadband in the U.S. is dropping—down to $50 a month from just over $67 a month a year ago.)

That’s just one example of a smartphone-only internet, yet you can imagine how difficult it must be to create a resume, complete schoolwork, or work remotely when your internet experience is limited to the small screen of a phone. Contrast that with this year’s need to work and study at home. A low-income household that’s dependent on smartphones misses out. Their internet is a less useful and less productive internet experience. They simply can’t work, learn, and train at home like fully connected households can. 

The road to broadband for all 

My hope in sharing this issue with you is so that we can all gain a bit of perspective. Far fewer people have access to a broadband internet experience than we might initially think, which results in a lack of connectivity that stunts the benefits and opportunities they and their communities can realize. 

Granted, the solution for increasing broadband access largely rests with state-level broadband offices, budgeting and legislation at the federal government level, along with public partnerships and interest groups who are all pushing for improved broadband access. (And, in the states which allow it, municipal broadband solutions.) However, as individuals, we can let this reality shape some of our decision-making on a local level.  

When library funding measures come up for approval in your community, consider giving them your “yes” vote, as they may present an opportunity to fund library locations and services where people can access free broadband. Likewise, give school levies your consideration, as they may help get a computer in the hands of a student who doesn’t have one. (An 11% increase in PC, Mac, and Chromebook sales this year was largely driven by the education market, which needed to supply computers for in-home learning.) These are just a couple of ways that we can “think global, act local” and help others get access to a full broadband internet experience.

So as Thanksgiving approaches, let’s indeed say thanks for the connectivity and internet experience so many of us enjoy, and how vital that was this year. Likewise, let’s remember that our country and the communities within it still have a way to go before the overwhelming majority of us can benefit from that same experience—so that they can enjoy and be thankful for it too.

 Stay Updated  

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Thankful for broadband internet, and hopeful for much more appeared first on McAfee Blogs.

System Management Mode deep dive: How SMM isolation hardens the platform

Ensuring that the platform firmware is healthy and trustworthy is fundamental to guaranteeing that powerful platform security features like Hypervisor-protected code integrity (HVCI) and Windows Defender Credential Guard are functioning as expected. Windows 10 achieves this by leveraging a hardware-based root of trust that ensures unauthorized code like Unified Extensible Firmware Interface (UEFI) malware cannot take root before the Windows bootloader launches.

Key to defending the hypervisor, and by extension the rest of the OS, from such low-level threats is protecting System Management Mode (SMM), an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. Because of its traditionally unfettered access to memory and device resources, SMM is a known vector of attack for gaining access to the OS and hardware. SMM is particularly vulnerable to threats like confused deputy attacks, in which malicious code tricks code running at a higher privilege into performing actions on its behalf. One could have perfect code in SMM and still be affected by behavior like trampolining into secure kernel code.

Sometimes referred to as “Ring -2”, SMM is used by OEMs to interact with hardware like NV RAM, emulate hardware functionality, handle hardware interrupts or errata, and perform other functions. SMM runs in the form of interrupt handlers that are triggered by timers or access to certain memory, registers, or hardware resources. OEM drivers and runtime firmware services may explicitly trap SMM to control certain hardware functionality.

To stop sophisticated attacks from taking control of the system through SMM, the OS must have enforcement or oversight of SMM’s behavior. As part of Secured-core PCs and System Guard, Intel and AMD have developed mechanisms to isolate SMM from the OS by enforcing and reporting what resources SMM has access to.

SMM isolation

Isolating SMM is implemented in three parts: OEMs implement a policy that states what they require access to; the chip vendor enforces this policy on SMIs; and the chip vendor reports compliance to this policy to the OS.

Diagram showing process of isolation in System Management Mode

The policy provided by the OEM is a list detailing the resources that the SMI handlers require access to. This policy is validated and enforced by the chipset vendors’ specific enforcement mechanism detailed later. The OS does not have any control over what the policy is; it is only guaranteed enforcement of the policy stated.

Trusted Computing Base (Tcb) Launch, introduced in the Windows implementation of Dynamic Root of Trust (DRTM), gets the enforced policy from the chip vendor’s reporting mechanism. Because resource access is specific to a platform’s needs, Tcb Launch compares the OEM’s SMM access policy with several levels of Windows SMM isolation requirements to determine the level of isolation provided. The isolation level achieved by the OEM’s policy is measured for attestation and is reported to the OS.

The isolation levels consist of increasing restrictions on what SMIs may access, as well as enforcement capabilities required on the system. An example of an isolation requirement is that SMIs may not access memory owned by the OS. Additionally, these requirements can include restrictions on the following resources:

  1. SMM page configuration lockdown
  2. Static page tables
  3. Model-Specific Register (MSR) access
  4. IO port access
  5. Processor state save access

To ensure a consistent security promise for customers using Secured-core PCs, if the minimum requirements are not met, the DRTM measurements are capped and local and remote attestation fail. SMM isolation is tied to DRTM because without DRTM, the OS cannot trust anything evaluated by the boot environment, as it is not protected from the influence of SMM. SMIs are suspended during DRTM, so the new root of trust established by DRTM can evaluate the security of the SMM access policy.
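To make the comparison described above concrete, here is an added Python model of how a launch component could grade an OEM SMM access policy against tiered isolation requirements and apply the capping rule; it is not Microsoft's Tcb Launch code. The policy fields, the three level definitions and the MSR and IO port allowlists are constructed assumptions, since the page does not give the actual contents of the Windows levels.

```python
"""Model of grading an OEM SMM access policy against tiered isolation
requirements. Added illustration only: the level contents, field names and
allowlists below are constructed, not Windows' real requirements."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class SmmAccessPolicy:
    """OEM-supplied statement of what the SMI handlers require access to.
    The field set mirrors the resource categories listed in the text."""
    page_config_locked: bool      # SMM page configuration lockdown in place
    static_page_tables: bool      # SMM page tables fixed after setup
    accesses_os_memory: bool      # SMIs may touch OS-owned memory
    msrs: FrozenSet[int]          # MSRs the handlers may read or write
    io_ports: FrozenSet[int]      # IO ports the handlers may touch
    state_save_writable: bool     # handlers may write the processor state save


Check = Tuple[str, Callable[[SmmAccessPolicy], bool]]

# Hypothetical allowlists: resources an SMI handler is permitted to keep.
ALLOWED_MSRS = frozenset({0x1B0, 0x1B1})        # placeholder MSR numbers
ALLOWED_IO_PORTS = frozenset({0xB2, 0xB3})      # placeholder port numbers

# Constructed tiers: each level adds restrictions on top of the ones below.
ISOLATION_LEVELS: List[Tuple[int, str, List[Check]]] = [
    (1, "memory isolation", [
        ("SMIs may not access OS-owned memory", lambda p: not p.accesses_os_memory),
        ("static page tables", lambda p: p.static_page_tables),
        ("SMM page configuration lockdown", lambda p: p.page_config_locked),
    ]),
    (2, "register isolation", [
        ("MSR access limited to the allowlist", lambda p: p.msrs <= ALLOWED_MSRS),
        ("processor state save not writable", lambda p: not p.state_save_writable),
    ]),
    (3, "IO isolation", [
        ("IO port access limited to the allowlist",
         lambda p: p.io_ports <= ALLOWED_IO_PORTS),
    ]),
]


def evaluate_isolation(policy: SmmAccessPolicy) -> Tuple[int, List[str]]:
    """Return the highest level whose checks (and all lower levels') pass,
    together with the descriptions of the checks blocking the next level."""
    achieved = 0
    for level, _name, checks in ISOLATION_LEVELS:
        failed = [desc for desc, ok in checks if not ok(policy)]
        if failed:
            return achieved, failed
        achieved = level
    return achieved, []


def drtm_outcome(policy: SmmAccessPolicy, minimum_level: int = 1) -> dict:
    """Apply the capping rule from the text: below the minimum level the
    measurements are capped and local/remote attestation fail; otherwise the
    achieved level is what gets measured and reported for attestation."""
    level, blockers = evaluate_isolation(policy)
    meets_minimum = level >= minimum_level
    return {
        "isolation_level": level,
        "measurements_capped": not meets_minimum,
        "attestation": "pass" if meets_minimum else "fail",
        "blocking_checks": blockers,
    }


if __name__ == "__main__":
    # Constructed sample policies: one compliant, one that still touches
    # OS memory, one that keeps an MSR outside the allowlist.
    compliant = SmmAccessPolicy(True, True, False, frozenset({0x1B0}),
                                frozenset({0xB2}), False)
    touches_os = SmmAccessPolicy(True, True, True, frozenset(),
                                 frozenset(), False)
    wide_msr = SmmAccessPolicy(True, True, False, frozenset({0x1B0, 0xC0000080}),
                               frozenset(), False)
    for name, pol in [("compliant", compliant), ("touches_os", touches_os),
                      ("wide_msr", wide_msr)]:
        print(name, drtm_outcome(pol))
```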

Not only are these protections utilized by Windows for local secrets protection, but remote attestation tools can also leverage this information to determine the security posture of a specific device. This attestation report can be used to prevent access to sensitive network files, for example, unless a certain combination of features is present.

Diagram showing SMM architecture

AMD solution (SMM Supervisor)

During UEFI boot phase, the SMM Supervisor is loaded as a UEFI driver. This driver is signed by AMD and authenticated by the Platform Security Processor (PSP) at the time of DRTM launch. Failure of authentication will fail DRTM. (It is also under firmware anti-rollback protection by PSP.)

SMM Supervisor provides and initializes the SMI entry routine (the first code block executed after SMI is triggered). This routine is also signed by AMD and authenticated by PSP at the time of DRTM launch. Upon DRTM event, PSP also verifies that the SMI entry is properly configured to this authenticated block. Failure of this authentication will also result in DRTM failure.

SMM Supervisor marks critical pages—including the SMM Supervisor code block, internal data, the page table itself, the exception handler, as well as the processor save state—as supervisor pages, accessible only from current privilege level 0 (CPL0, the most privileged level).

Immediately after an SMI is triggered, the SMI entry routine demotes the system to execute under CPL3 (the least privileged level) before executing any third-party SMI handlers. From the CPL3 environment, access to MSRs, IO, and supervisor pages, critical register changes such as to CR3, and privileged instructions such as “hlt” and “cli” all result in a General Protection Fault enforced by the CPU hardware.

In order for SMI handlers running under CPL3 to access privileged data and registers, SMM Supervisor provides a syscall interface through which third-party SMI handlers make such requests. The backend of the syscall interface, which resides in SMM Supervisor, is controlled by the SMM secure policy. This policy is a deny list that can be customized per platform to determine which MSRs, IO ports, or memory regions can be accessed from CPL3. The SMM secure policy is reported to and verified by the OS secure loader during the DRTM event.

Intel Hardware Shield

Intel® Hardware Shield, a part of the Intel vPro® platform, uses CPU hardware and firmware to enforce the platform’s SMM access policy. Generationally, these capabilities evolve using new CPU hardware features in conjunction with existing CPU capabilities to strengthen related micro-architectural flows and provide new register locks in support of related firmware hardening*.

  • Intel vPro® platform with 8th Generation Intel® Core™ vPro® processors introduced firmware hardening and hardware-locked static page table support to reduce SMM privilege with regard to memory and to lock the memory configuration. These new locks include: CR3 lock, MSEG lock, SMBASE lock, etc.
  • Intel vPro platform with 9th Generation Intel Core vPro processors added an Intel-signed SMM module that enables attestation of the SMM memory configuration using Intel® Trusted Execution Technology (Intel® TXT), a component of Intel® Hardware Shield, via PCR17. The module first verifies the integrity of the hardened SMM code used to enforce the SMM access policy. It then reports this, as well as the details of the policy, back to the OS. Therefore, the OS can verify the trustworthiness of SMM and evaluate the platform’s SMM access policy without the possibility of interference from SMI handlers.
  • Intel vPro platform with 10th Generation Intel Core vPro processors enhanced the verified CPL0 SMM components to create a privilege separation with SMI handlers in order to extend policy enforcement to MSRs, IO ports, and SMM state save (access policy may vary by platform). The reporting mechanism was extended to include these capabilities as well.

*No product or component can be absolutely secure.

Secured-core PCs give the simplest experience for customers to get Secure Launch and SMM protection

Enabling SMM protection and System Guard Secure Launch may be achieved when the following support is present:

  • Intel, AMD, or ARM virtualization extensions
  • Trusted Platform Module (TPM) 2.0
  • On Intel: TXT support in the BIOS
  • On AMD: SKINIT package must be integrated in the Windows system image
  • On Qualcomm: Implements DRTM TrustZone application and supports SMC memory protections.
  • Kernel DMA Protection (learn more)

Further configuration information and requirements can be found here. On Secured-core PCs, virtualization-based security is supported, and hardware-backed security features like System Guard Secure Launch with SMM Protections are enabled by default. Customers do not need to worry about configuring the necessary functionality, as Secured-core PCs come with the right configurations from OEMs, thereby providing the simplest path to the most secure Windows 10 systems. Learn more about the line of Secured-core PCs available today.


The post System Management Mode deep dive: How SMM isolation hardens the platform appeared first on Microsoft Security.

Recommendations Accepted in Boost for EU Data Transfers

The European Data Protection Board (EDPB) has adopted recommendations on measures around transfer tools which aim to assist controllers and processors acting as data exporters.

During its 41st plenary session, the EDPB adopted recommendations which will essentially ensure a level of protection for data being transferred outside of Europe.

In doing so, the EDPB is seeking a consistent application of the GDPR and the court’s ruling across the EEA. 

EDPB chair Andrea Jelinek said: “The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters.

“The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”

Following the July determination that Privacy Shield was unlawful, this is one step closer to data transfers being compliant once again.

The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective.

The EDPB said that “data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on,” and “must proceed with due diligence and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability.”

Jelinek said: “The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face.

“Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data.”

Cordery partner Jonathan Armstrong told Infosecurity that this appears to be draft guidance, which may be welcomed “but as we know, the courts don’t have to follow guidance and we’ve seen in the past how they often don’t.”

He added: “There’s no 100% safe way of doing data transfers even if you follow guidance from the EDPB – companies will still have to do their own risk assessment which is effectively double due-diligence – (a) who am I transferring data to (and are they safe) and (b) where is the data going (and is that country safe or can I strap on additional measures to make it safe).”

Commenting, William Long, global co-leader of Sidley’s privacy and cybersecurity practice, and leader of the EU Data Protection practice, said the recommendations are welcome in this respect; however, they will need to be carefully reviewed by international companies to determine the kind of data transfer assessment they will need to carry out.

“In particular, the six steps require data mapping, identifying the GDPR data transfer mechanism, such as Standard Contractual Clauses (SCCs), and an assessment of the laws in the country outside of the EEA where the data is being transferred to (e.g. the US),” he said.

“Where the assessment reveals that the third country legislation impinges on the effectiveness of the data transfer mechanism (e.g. SCCs) then the recommendations set out a non-exhaustive list of supplementary measures to bring the level of protection of the data transferred to an EU standard of essential equivalence. The measures include a number of technical measures focusing on state-of-the-art encryption and pseudonymization, so information security professionals may need to be closely involved in these assessments.”

Long said despite the recommendations being made, a further significant step forward would be for the European Commission and the US government to promptly negotiate a successor to the EU-US Privacy Shield program that directly addresses the CJEU’s concerns in Schrems II.

The six recommendations, as featured by Hogan Lovells, are as follows:

  • Step One: Identify international data transfers
  • Step Two: Identify data transfer mechanisms
  • Step Three: Assess the law in the third country
  • Step Four: Adopt supplementary measures
  • Step Five: Adopt necessary procedural steps
  • Step Six: Re-evaluate at appropriate intervals

Are You Prepared for Cybersecurity in the Boardroom?

Corporate boards have many dimensions of responsibility. Cybersecurity can be one of the most nuanced and important areas of focus for a board, but not all board members are well versed in why and what they need to care about related to cybersecurity.

Cybersecurity is a board level topic for three main reasons:

  1. Cybersecurity breaches are a serious matter for any company
  2. Companies must be aware of cybersecurity governance, regulation and compliance
  3. Everyone in the company and on the board should be responsible and accountable for good cybersecurity practices

Security breaches are serious matters! 

Security breaches can hurt companies financially, negatively impact brand reputation, and result in data loss (both personal data and company intellectual property), just to name a few of the impacts. Unfortunately, breaches that impact hundreds of millions or even billions of people are more common than we would like. Some of the more notable cybersecurity breaches you may remember are Equifax back in 2017, Adobe in 2013, and Zynga (the company that makes Words with Friends) in 2019. In July 2020, we saw key high-profile Twitter accounts compromised. You don’t want to see your company name in the news headlines due to a breach!

Cybersecurity governance, regulation and compliance

Besides security breaches, governance in cybersecurity is becoming more important. Governance describes the policies and processes which determine how organizations detect, prevent, and respond to cyber incidents. In many organizations, there is a division between the governance and management activities. Board members should be involved in evaluating security related reporting requirements and overall competence of the cybersecurity program, policies and procedures. If you are a US public company, there are additional board requirements from the Securities and Exchange Commission that you should be familiar with such as requiring written disclosure of how the board administers its risk oversight function.

Government regulations and compliance also need to be considered. However, just being compliant doesn’t mean you are secure. Cyber legislation has been frequently proposed by Congress over the years. Almost all US states have their own laws about what constitutes a security breach and when to disclose the breach. It is important to understand the local, state and federal laws (including international laws) related to cybersecurity for where you do business.

Everyone is responsible and accountable

Everyone on the board is responsible and could potentially be held accountable for a breach both legally and financially. It is not only the CISO, CSO or CIO’s responsibility to care and do the right thing. We all have a role to play to ensure the company is protected and set up for success.

When one person doesn’t do their part, things can fall apart for a company. For instance, in August 2020, a former Uber company executive was criminally prosecuted for not disclosing a data breach back in 2016. Uber’s former Chief Security Officer was charged with obstruction of justice and concealing a felony for allegedly failing to report their 2016 breach to the Federal Trade Commission.  This is the first direct example in the US of an executive facing criminal charges and jail time over how they responded to a data breach.

Evaluating your company’s cybersecurity stance

As you discuss cybersecurity on the board, how do you evaluate your company’s stance? Here are some tips you can start acting on today. This list is by no means complete, but it is a place to start.

  1. Approach – How does your company approach cybersecurity? The approach your company takes determines how much your company is at risk and what you need to do differently.
    • Passive – all threats will just go away and aren’t a big deal
    • Reactive – cybersecurity responsibility is delegated to the IT department and they react as things happen internally or are seen in the news. They are always playing ‘catch up’
    • Proactive – Seek to avoid issues and pay attention on a regular basis. May consult with third party companies to ensure security posture is high
    • Progressive – There is extensive leadership involvement in reviewing the company’s security posture. They hold proactive frequent reviews knowing that an attack can happen at any time and may also consult with third party companies to proactively address weaknesses.
  2. Risk Management & Compliance – How much time and attention does senior management spend on evaluating cybersecurity risk management practices? Are they up to date on the latest regulations in their city, state, and country?
    • Every company should have an effective risk management plan they are executing towards. They should be gathering and analyzing data from multiple inputs, systems and teams to ensure they aren’t at risk for a major attack. Part of managing the risks is ensuring they are compliant with the rules and regulations of the government. The company should understand and know the laws that impact them.
  3. Review of Procedures – How often are you reviewing your cybersecurity policies and procedures?
    • Ideally you would want to review these policies and procedures at least 2x/year and whenever there is a major change within the company (e.g. the arrival or departure of key personnel, a merger/acquisition, a re-org, newly required regulations, etc.)
  4. Security Hygiene – Does the company practice good security hygiene?
    • Your company should keep up to date with the latest patches/updates for all hardware and software systems as well as utilize and enable the latest features in their security software.
    • Your company should be able to find the signal in the noise with their current security solutions and not have too many disparate products they don’t utilize fully.
    • The company should also perform frequent backups of key data and shut off old servers and virtual machines that aren’t being used anymore.
    • The suppliers and vendors to the company should follow any necessary rules and regulations to ensure they are protecting the company’s sensitive information appropriately.
  5. Bring in an ‘expert’ – Has the company hired reputable third-party experts to perform a risk analysis or see if they can “hack into” the company systems?
    • There are third party companies who will perform penetration testing to determine how easily a “hacker” can get into your company. These companies can tell you what can be seen publicly, such as whether you have IP addresses beaconing out, and look at detailed areas of your company to identify risks. If a third party has been brought in, what were the findings, and were changes made promptly to address vulnerabilities?
  6. Response procedures – What is the company’s breach response protocol?
    • Companies should have an incident response team and a detailed list of actions the incident response team members should take if a vulnerability or breach is discovered.
  7. Education – How often are you educating employees on best practices and holding simulations on what to do if a cyber related incident were to occur?
    • Companies hold fire drills so they are prepared with “muscle memory” if a fire were to break out. The same sentiment holds true for cyber related incidents. It is very important that there is continuous training for all levels of employees on how to keep the company safe from breaches and cyber-attacks, as well as what to do if something were to happen. You can never be too prepared.

Cybersecurity is a very important topic for the boardroom and should not be taken lightly; however, it doesn’t need to be overwhelming. Utilize these tips to get you on the right path for your company, and if you don’t have a cybersecurity expert on your board, there are experts who can provide guidance.


The post Are You Prepared for Cybersecurity in the Boardroom? appeared first on McAfee Blogs.

Home-Point Cybersecurity: Bring Your Enterprise Home

For more than 20 years, the cybersecurity industry has been focused on enterprises, not on a larger national integrated security environment – and certainly not on comprehensive home security. Smart devices that make home life more convenient have been growing in acceptance and adoption, but by and large, the industry continues to concentrate on enterprise security. Even from a standards perspective, the National Institute of Standards and Technology (NIST) has focused on enterprises and the federal government, not the home.

The NIST Cybersecurity Framework, for example, a highly regarded security framework, is intended for enterprises, not homes. Yet today, the devices and connectivity in many homes outnumber those in small businesses of 20 years ago. Homes are following along the same path as small businesses, and like them, need more focused attention and protection.

COVID-19 forced organizational change in the blink of an eye, forcing an overnight transition from mostly centralized work environments to a highly distributed work-from-home infrastructure. This rapid shift to working from unsecured and unmanaged environments (IT, IoT, mobile, cloud, etc.) has greatly complicated organizational cybersecurity exposure challenges while creating a massive expansion of the digital attack surface. With many employees having to use personal devices for business purposes, enterprises now need to consider adopting policies that provide them greater management and control over these personal devices. The security challenge once focused on BYOD (bring your own device) has now morphed into BYEH — “Bring Your Enterprise Home.” We need new security standards and practices to address this shift.

While my company and others had the policies, management processes, controls, equipment and software in place to protect this new corporate ecosystem, they did so with the understanding that the home is a very inhospitable security environment at present.

In my own home, for instance, there are many different systems of devices (wireless lighting, smart locks, multiple smart TVs, multiple streaming devices, smart plugs, wireless security system, digital assistants, wireless speakers, cameras, thermostats, and other home management connected devices). And this is before we add in the computers, laptops, iPads and smart phones for all its residents. An ever-growing number of IoT devices are helping people to transform their houses into smart homes, but homeowners often don’t know how to secure these devices. Additionally, many of the products don’t communicate or integrate with each other, complicating the discovery of security weaknesses.

Today, a bad actor can break into a home and steal things of value – bank account, credentials, sanity (by turning smart lights on and off at 3 am and blasting music from connected speakers) – without even physically walking through the door. This is a major problem for individuals, but it’s an even greater problem for enterprises and governments turning to remote work to continue operations during the COVID-19 pandemic.

Take all of the devices in each home, smart or otherwise, multiplied by all of the federal government employees alone, and you’ll have a vision for how large a threat vector we’ve just created by asking employees to work from home. Then add in government contractors, who may or may not have access to the same level of security as permanent employees. Then realize this is not just a government problem but a whole-of-nation problem, where businesses and other organizations need to ensure their staff’s remote access to their corporate properties is protected and secure.

Cybersecurity is not the only area we need to address. For example, ISPs often give priority to supporting enterprise customers when there are outages. Timelines from reporting-to-fix for enterprises are measured in hours, while timelines for correcting consumer outages are quite often measured in days. Now, however, the lines between what is a remote critical connection and what is not are highly blurred. How does an organization indicate to an ISP that a specific connection needs a critical designation and a priority response? How do we extend the concept of “home-points” being a component in an individual enterprise’s infrastructure?

Relatedly, broadband access and network connection speeds are now more important than ever. It may be time for the Federal Communications Commission to rethink its designation of broadband, as 25/3 Mbps is not really suitable for a family with multiple children engaged in remote learning while Mom and Dad work from home.

The waves of change that COVID-19 has set in motion have turned homes into workspaces, making every connected device in a home a risk to each person’s employer. Now the home isn’t just a smart home; it’s a remote office, as well as a schoolroom, a doctor’s office and the front door to malls and grocery stores.

As we work to adapt our economy and country in the wake of the pandemic, it’s critical that we also rethink the security of our homes to ensure there are standards for protection in place. Our homes are now part of an enterprise environment. It’s time that we as a nation considered the home as such and adopted policies and security practices to meet the new BYEH reality.

The post Home-Point Cybersecurity: Bring Your Enterprise Home appeared first on McAfee Blogs.

3 Must-dos to Secure Your Applications

Applications can be thought of as living and evolving pieces of your organization. They are unique, constantly changing and running everywhere. From the time they are written by developers, to being tested, deployed and finally hitting runtime, the application journey leaves room for an increased attack surface. Let’s explore how you can keep in lockstep with securing apps with these three must-dos:

1. Secure the workloads that apps run on

Protecting workloads is the most dynamic way to ensure security for applications and the environments that run them. Cisco Secure Workload protects your applications by generating app-behavior-driven policies and enforcing them across any multi-cloud environment.

2. Secure access to apps across all users and devices

This is critical for all organizations to guarantee integrity of all users and devices that access their applications. Cisco’s Duo Beyond enables you to establish user-device trust and secure access to applications. This helps you identify corporate versus personal devices with easy certificate deployment, block untrusted endpoints, and give users secure access to internal applications without using VPN.

3. Monitor how apps perform, to detect and remediate anomalies

Take advantage of application performance monitoring tools to give your organization visibility into application functions and to manage any sudden anomalies at runtime. Cisco AppDynamics is a leading application performance monitoring solution providing deep insight into transaction behavior and metrics for applications running in public and private cloud environments. Having this insight will let you and your teams stay ahead of any unpredictable cases, including potential security threats.

While there are many solutions out there to prevent threats at different points of your organization, securing applications requires new thinking and a unique set of solutions that remain continuous as the applications evolve. Cisco App-First Security brings together a comprehensive set of products that help your developer and security teams deliver together. The best way to learn more about these products is to try their free trials; Duo and AppD are offering them now.

In addition, Cisco DevNet gives you plenty of help for your learning journey. The new DevNet learning track and accompanying DevNet Sandbox give you a hands-on, immersive experience. You can also find docs and other resources on the new Cisco Application-First Security website.


CRAT wants to plunder your endpoints

By Asheer Malhotra.

  • Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.
  • Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint.
  • One of the plugins is a ransomware known as “Hansom.”
  • CRAT has been attributed to the Lazarus APT Group in the past.
  • The RAT employs multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions, along with static detection evasion.
  • The attack also employs a multitude of anti-infection checks to evade sandbox-based detection systems.

What’s new?

Cisco Talos has recently discovered a new version of the CRAT malware family. This version consists of multiple RAT capabilities, additional plugins and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.

Indicators and tactics, techniques and procedures (TTPs) discovered by this investigation resemble those of the Lazarus Group.


Hashtag Trending – Honda doubles down on self-driving cars; SpaceX gets praise; Restaurant industry’s digital transformation

Honda will be the first to mass-produce level 3 autonomous cars, SpaceX is making strides with rural internet access, and restaurants are being more resilient and creative amidst the pandemic.

The post Hashtag Trending - Honda doubles down on self-driving cars; SpaceX gets praise; Restaurant industry's digital transformation first appeared on IT World Canada.

Talkin’ About Infosec News – 11/09/2020

Originally aired on 11/09/2020.

Articles discussed in this episode:

  • https://www.darkreading.com/threat-intelligence/6-ways-passwords-fail-basic-security-tests/d/d-id/1339299
  • https://www.infosecurity-magazine.com/news/national-guard-uvm-health-network/
  • https://www.zdnet.com/article/toy-maker-mattel-discloses-ransomware-attack/

The post Talkin’ About Infosec News – 11/09/2020 appeared first on Black Hills Information Security.

Uncovered: APT ‘Hackers For Hire’ Target Financial, Entertainment Firms

A hackers-for-hire operation has been discovered using a strain of previously undocumented malware to target South Asian financial institutions and global entertainment companies. Dubbed "CostaRicto" by Blackberry researchers, the campaign appears to be the handiwork of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunneling capabilities. "CostaRicto targets

New ModPipe Point of Sale (POS) Malware Targeting Restaurants, Hotels

Cybersecurity researchers today disclosed a new kind of modular backdoor that targets point-of-sale (POS) restaurant management software from Oracle in an attempt to pilfer sensitive payment information stored in the devices. The backdoor — dubbed "ModPipe" — impacts Oracle MICROS Restaurant Enterprise Series (RES) 3700 POS systems, a widely used software suite in restaurants and hospitality

“Privacy Nutrition Labels” in Apple’s App Store

Apple will start requiring standardized privacy labels for apps in its app store, starting in December:

Apple allows data disclosure to be optional if all of the following conditions apply: if it’s not used for tracking, advertising or marketing; if it’s not shared with a data broker; if collection is infrequent, unrelated to the app’s primary function, and optional; and if the user chooses to provide the data in conjunction with clear disclosure, the user’s name or account name is prominently displayed with the submission.

Otherwise, the privacy labeling is mandatory and requires a fair amount of detail. Developers must disclose the use of contact information, health and financial data, location data, user content, browsing history, search history, identifiers, usage data, diagnostics, and more. If a software maker is collecting the user’s data to display first or third-party adverts, this has to be disclosed.

These disclosures then get translated to a card-style interface displayed with app product pages in the platform-appropriate App Store.

The concept of a privacy nutrition label isn’t new, and has been well-explored at CyLab at Carnegie Mellon University.

Leveraging AI tools to drive operational efficiency and promote brand

With a recent forecast from IDC estimating that worldwide revenues for artificial intelligence (AI) will total more than $156 billion in 2020, the writing is truly on the wall. With a global pandemic disrupting customer service at every turn, it’s time to pull AI from the pilot projects and use it to optimize the consumer…

The post Leveraging AI tools to drive operational efficiency and promote brand first appeared on IT World Canada.

MISSIONS — The Next Level of Interactive Developer Security Training

If organizations want to get serious about software security, they need to empower their engineers to play a defensive role against cyberattacks as they craft their code. The problem is, developers haven't had the most inspiring introduction to security training over the years, and anything that can be done to make their experience more engaging, productive, and fun is going to be a powerful

Smashing Security podcast #204: Green buttons, Olympic attacks, and… an apology

There's been a cybersecurity goof in the wake of the US presidential elections, the US fingers the hackers responsible for disrupting the Winter Olympics in South Korea, and we take a long hard look at long hard legal mumbojumbo... All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jack Rhysider from Darknet Diaries.

Is your organisation ready for the DSP Toolkit compliance deadline?

Each year, certain healthcare organisations must complete a self-assessment via the DSP (Data Security and Protection) Toolkit to demonstrate their data security and information governance compliance.

The deadline is normally 31 March, but in light of the COVID-19 pandemic, the cut-off for 2020 submissions was pushed back to 30 September 2020 and the conformance date to 31 March 2021.

Why you need to comply

If your organisation is within scope, you are legally required to comply with the DSP Toolkit. This will be the case if you:

  • Have access to NHS patients’ personal data;
  • Provide support services to an NHS organisation; or
  • Have access to national informatics services.

The compliance requirements differ depending on which of four categories your organisation falls into.

Category 1 covers NHS trusts; Category 2 covers arms-length bodies, clinical commissioning groups and commissioning support units; Category 3 covers an assortment of other organisations, including care homes, pharmacies, NHS business partners and secondary-use organisations; and Category 4 covers GP practices.

The compliance requirements become less rigorous as you move down through categories, reflecting the lower level of risk those organisations face.

Although the requirements might seem like a burden, there are benefits. For example, you can be sure that your services – as well as those of third parties – are more reliable, making life as easy as possible for patients and staff.

Confirming your compliance

DSP Toolkit compliance is externally validated during Care Quality Commission inspections, which rate the organisation’s activities based on certain KLOEs (key lines of enquiry).

The ratings are based on evidence from the organisation’s submissions. If rated ‘good’ or ‘outstanding’, the requirements have been met; a ‘requires improvement’ or ‘inadequate’ rating means they have not.

It’s worth emphasising that the DSP Toolkit standard was updated for 2019–20 and the previous version withdrawn.

Among its changes, version 2 incorporates the requirements of the Cyber Essentials scheme, the MCSS (Minimum Cyber Security Standard) and the NIS Regulations 2018, and rationalises some of the evidence items related to the GDPR (General Data Protection Regulation).

How to achieve DSP Toolkit compliance

Depending on which compliance category you fall into, your route to meeting the DSP Toolkit’s requirements may be more or less burdensome.

You can find out what you need to do by downloading DSP Toolkit – A compliance guide.

This free guide explains the applicability and scope of the Toolkit, as well as the steps you should take to plan and coordinate your compliance project.

Find out more

The post Is your organisation ready for the DSP Toolkit compliance deadline? appeared first on IT Governance UK Blog.