Category Archives: News

Week in review: New Intel CPU vulnerabilities, SharePoint servers under attack

Here’s an overview of some of last week’s most interesting news and articles: High-risk vulnerability in Cisco’s secure boot process impacts millions of devices Red Balloon Security has discovered a high-risk vulnerability in Cisco’s secure boot process which impacts a wide range of Cisco products in use among enterprise and government networks, including routers, switches and firewalls. Tips to spring clean your company’s social media and stay protected Spring is a great time for organizations … More

The post Week in review: New Intel CPU vulnerabilities, SharePoint servers under attack appeared first on Help Net Security.

New infosec products of the week: May 17, 2019

Alcide launches continuous security and hygiene scanner for Kubernetes and Istio Alcide Advisor is a continuous security and hygiene scanner for Kubernetes & Istio, which automatically scans for the widest range of compliance, security and governance risks and vulnerabilities. Already deployed in numerous customer environments, and fully integrated with the CI/CD pipeline, it empowers engineering teams to maintain engineering motion and identify security drifts and risks, even before they are introduced to production. Keysight Technologies … More

The post New infosec products of the week: May 17, 2019 appeared first on Help Net Security.

How can we give cybersecurity analysts a helping hand?

It’s tough being a cybersecurity analyst these days. Over the last few years we have been repeatedly reminded of the challenge they are now facing, primarily through the steady stream of high-profile data breaches that have hit the headlines. In the last month alone Microsoft has been in the news after suffering a breach that enabled hackers to access customer email accounts, while a breach at beleaguered social giant Facebook was believed to have left … More

The post How can we give cybersecurity analysts a helping hand? appeared first on Help Net Security.

Memory analysis is the ground truth

In recent years, enterprises have adopted next-gen endpoint protection products that are doing an admirable job detecting anomalies. For example, searching for patterns such as remote access to memory, modification of specific registry keys and alerting on other suspicious activities. However, typically anomalies only provide us with an indication that something is wrong. In order to understand the root problem, respond and ensure that a machine is entirely clean, we must search for the malicious … More

The post Memory analysis is the ground truth appeared first on Help Net Security.

The largest breaches over the past three years have caused massive and irreparable damage

Publicly traded companies suffering the worst data breaches averaged a 7.5 percent decrease in stock price, a Bitglass report reveals. Bitglass researched the three largest data breaches of publicly traded companies from each of the last three years in order to uncover cybersecurity trends and demonstrate the extensive damage that can be done by improper security. Among the incidents detailed in the Kings of the Monster Breaches report are the Marriott breach of 2018, the … More

The post The largest breaches over the past three years have caused massive and irreparable damage appeared first on Help Net Security.

Half of companies missed GDPR deadline, 70% admit systems won’t scale

Even if given two years notice to achieve GDPR compliance, only half of companies self-reported as compliant by May 25, 2018, a DataGrail survey reveals. “The Age of Privacy: The Cost of Continuous Compliance” report benchmarks the operational impact of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as sharing insights into lessons learned and attitudes toward privacy regulations. DataGrail surveyed more than 300 U.S. privacy management … More

The post Half of companies missed GDPR deadline, 70% admit systems won’t scale appeared first on Help Net Security.

Analysis of device data shines a light on cybersecurity risks in healthcare

The convergence of IT, IoT and OT makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks. IoT and OT devices are rapidly increasing in numbers, but traditional IT still represents the most vulnerable attack surface, according to the Forescout Technologies report. Forescout Technologies announced insights from 75 real healthcare deployments with more than 10,000 virtual local area networks (VLANs) and 1.5 million devices contained within the … More

The post Analysis of device data shines a light on cybersecurity risks in healthcare appeared first on Help Net Security.

Data will be processed by edge computing in 59% of IoT deployments by 2025

Edge computing is on the rise in IoT deployments and is expected to show solid growth over the coming years, according to Strategy Analytics most recent report. Strategy Analytics believes that data will be processed (in some form) by edge computing in 59% of IoT deployments by 2025. The driving forces in this assumption are the key benefits derived from edge computing, namely more efficient use of the network, security and response time. Currently, Strategy … More

The post Data will be processed by edge computing in 59% of IoT deployments by 2025 appeared first on Help Net Security.

Intel MDS attack mitigation: An overview

Intel has revealed on Tuesday that some of its CPUs are vulnerable to a number of new speculative execution attacks that may allow attackers to stealing sensitive data and keys/passwords. ZombieLoad, RIDL and Fallout attacks have been extensively written about by the various groups of researchers that came up with them, but many customers and enterprise users are still unclear on whether these could affect them and what they can do to protect themselves. A … More

The post Intel MDS attack mitigation: An overview appeared first on Help Net Security.

Identity theft victims could lead us to accept more security-improving friction

Far too many individuals who have never been victims of identity theft and financial crimes don’t understand how devastating those are to victims. “There are many victim services organizations that assist violent crime victims and the understanding of the trauma and the victim experience is not questioned (which is very appropriate and as it should be),” Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), told Help Net Security. After all, we … More

The post Identity theft victims could lead us to accept more security-improving friction appeared first on Help Net Security.

CISOs: What would you do over?

Just after the new year I was catching up with a CISO over lunch in Pike Place Market in Seattle. We were reminiscing about how tough it is to get a security program up and running in the beginning. Pausing to dip his taco in the excellent house salsa, he commented, “Y’know, if I had to do it all over again…” and he proceeded to tell me a story. My brain twitched with possibilities—here was … More

The post CISOs: What would you do over? appeared first on Help Net Security.

When all else fails, organizations realize they must share threat intel

A large majority of security IT decision makers are ready and willing to share valuable threat intelligence data to help the collective industry make better, more informed decisions when it comes to cyber attacks, an IronNet Cybersecurity report reveals. To compile the “Collective Offense Calls for a Collective Defense: A Reality Check for Cybersecurity Decision Makers” report, IronNet commissioned survey firm Vanson Bourne to interview 200 U.S. security IT decision makers across many industries including … More

The post When all else fails, organizations realize they must share threat intel appeared first on Help Net Security.

CEOs and business leaders trust AI, but employees are more cautious

Most senior executives (85%) classify themselves as artificial intelligence (AI) optimists, citing increased investment and trust in the technology. Eighty-seven percent say their company will invest in AI initiatives this year, the EY study reveals. The data was collected via an online study conducted by Engine on behalf of EY among a sample of 500 US CEOs and business leaders ages 21 and older who work for a company with US$25m–US$50m in revenue or US$50m … More

The post CEOs and business leaders trust AI, but employees are more cautious appeared first on Help Net Security.

The six biggest cybersecurity risks facing the utilities industry

The utilities industry is rapidly modernizing its infrastructure, adding more digitized equipment and connectivity across devices, plants, and systems. This evolution to “smart infrastructure” represents a positive, paradigm shift for the industry. Unfortunately, the security policies of many utilities have not evolved along with it, leaving them incredibly vulnerable. Utilities are investing heavily to modernize infrastructure. In fact, ABI Research projects that the industry will spend US$14 billion a year between 2018 and 2023 — … More

The post The six biggest cybersecurity risks facing the utilities industry appeared first on Help Net Security.

Microsoft plugs wormable RDP flaw, new speculative execution side channel vulnerabilities

For May 2019 Patch Tuesday, Microsoft has released fixes for 79 vulnerabilities, 22 of which are deemed critical. Among the fixes is that for CVE-2019-0708, a “wormable” RDP flaw that is expected to be weaponised by attackers very soon. About CVE-2019-0708 It’s a remote code execution vulnerability in Remote Desktop Services (formerly known as Terminal Services) that allows unauthenticated attackers to connect to the target system using RDP and send specially crafted requests. The flaw … More

The post Microsoft plugs wormable RDP flaw, new speculative execution side channel vulnerabilities appeared first on Help Net Security.

What does it take to be an infosec product strategist?

Choosing a security product that will best fit your organization’s needs is a challenge exacerbated by the “polluted, turbulent sea of ineffectual security products” that you’ll need to wade through in order to find the right and effective solution. “I tend to maintain an overwhelming sense that the majority of security products exist ‘just because’ – ‘just because’ the underlying technology seemed cool to build, ‘just because’ it is what has always been used despite … More

The post What does it take to be an infosec product strategist? appeared first on Help Net Security.

Security spring cleaning: 5 tips for tidying up network safeguards

Networks need regular cleaning just like your home, car or garage. Why? The answer is simple – poor security hygiene can lead to major data breaches. If you don’t regularly review your network, potential weaknesses and vulnerabilities will stack up. As we enter into spring cleaning season, now is as good a time as any for IT administrators and security professionals to catch up on yearly security maintenance. Here are several tasks that should be … More

The post Security spring cleaning: 5 tips for tidying up network safeguards appeared first on Help Net Security.

Organizations dissatisfied with WAFs ineffective protection, time-consuming management, high cost

Only 40% of organizations are satisfied with their web application firewall (WAF), according to the Ponemon Institute report released by Cequence Security. The State of Web Application Firewalls report is based on data gathered from 595 organizations across the U.S. On average, they have each deployed 158 web, mobile, and API-based applications, on premises and in the cloud. “The research clearly reveals WAF dissatisfaction in three areas,” said Dr. Larry Ponemon, chairman and founder of … More

The post Organizations dissatisfied with WAFs ineffective protection, time-consuming management, high cost appeared first on Help Net Security.

Cybersecurity, privacy and technologies still top challenges for IT audit teams and leaders

Cybersecurity, privacy and technologies—from mission-critical to digitally transformative—top the list of challenges IT audit teams and leaders grapple with every day, according to a study conducted by ISACA and Protiviti. An executive summary of the study notes the growing role and responsibilities of IT audit in digital transformation, partnerships between the IT organization and IT audit function, and differences in how IT audit leaders operate compared to other IT audit professionals. The 2019 IT Audit … More

The post Cybersecurity, privacy and technologies still top challenges for IT audit teams and leaders appeared first on Help Net Security.

Employees are aware of USB drive security risks, but don’t follow best practices

Employees are aware of the risks associated with inadequate USB drive security – yet their employers aren’t mandating following best practices, according to a report by Apricorn. “The State of USB Data Protection 2019: Employee Spotlight” survey report, which polled nearly 300 employees across industries including education, finance, government, healthcare, legal, retail, manufacturing, and power and energy, examined year-over-year trends of USB drive usage, policies and business drivers. The report reveals that while employees have … More

The post Employees are aware of USB drive security risks, but don’t follow best practices appeared first on Help Net Security.

Consumer spending on technology to reach $1.32 trillion in 2019

Consumer spending on technology is forecast to reach $1.32 trillion in 2019, an increase of 3.5% over 2018. Consumer purchases of traditional and emerging technologies will remain strong over the 2018-2022 forecast period, reaching $1.43 trillion in 2022 with a five-year compound annual growth rate (CAGR) of 3.0%, according to IDC. Consumer purchases of traditional and emerging technologies will remain strong over the 2018-2022 forecast period, reaching $1.43 trillion in 2022 with a five-year compound … More

The post Consumer spending on technology to reach $1.32 trillion in 2019 appeared first on Help Net Security.

PCs fail to boot up / Freeze after receiving Microsoft Windows 9-April-2019 updates and rebooting the PC

Quick Heal and Seqrite users are reporting that PCs fails to boot up / Freeze after installing 9th April Windows Updates and Rebooting the system. Symptoms:  Users have Quick Heal or Seqrite product installed and running on their systems. The PCs fail to boot up / Freeze after installing Windows Updates of 9-April-2019 and Rebootingthe system. There are…

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.

Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), to a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all). Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems have more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading’s quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime. MORE

Want to do some malware analysis? Here’s how to set up a Windows VM for it. MORE

You give apps personal information. Then they tell Facebook (PAYWALL). MORE

Ever wondered how cybercriminals turn their digital gains into cold, hard cash? MORE

This 190-second video explains cybercrime to a layperson without using computers. MORE

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler. MORE

Tips for improving cyber risk management. MORE

Here’s what happens when you set up an IoT camera as a honeypot. MORE

The post Security roundup: March 2019 appeared first on BH Consulting.