Category Archives: Opinion

The Ethical Hacker Network: Security Assumptions – Don’t Make an ASS of U and ME

Have you ever stopped to ask yourself if the things you are defending against are really your biggest security problems? I am going to challenge you to think about things a little differently, as I have been myself recently. Prepare yourself, as this may challenge some of your core security beliefs, things we have been taking as gospel since the early days of securing networks. We all know our time is precious and limited, so it is more important than ever to use what time we have wisely. That is exactly why I think we need to look deep into our beliefs and be willing to challenge ourselves on a profound, uncomfortable level. So, let’s make an attempt to be completely and utterly honest with ourselves about our security assumptions.

Do you require users to have long, complex passwords and expect them not to write them down? Do you use firewalls to cover up unpatched software, block access to vulnerable or unused services or to make up for poor configuration? What about Full Disk Encryption? Do you deploy that on every machine in your organization?

The post Security Assumptions – Don’t Make an ASS of U and ME appeared first on The Ethical Hacker Network.


Binance Coin: BNB Presents Another Opportunity for Interested Buyers

Binance Coin has recently cooled by some 13%, back to a critical near-term area of support, ahead of further leaps north. BNB/USDT presents an opportunity for buying […]

The post Binance Coin: BNB Presents Another Opportunity for Interested Buyers appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: There is Still Opportunity to Grab Some LTC Before it Shoots Back to $100 and Beyond

Litecoin (LTC) price has a minor technical pullback ahead of further potential leaps into the sky. There appear to be just three significant price barriers that are […]

The post Litecoin Price Analysis: There is Still Opportunity to Grab Some LTC Before it Shoots Back to $100 and Beyond appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Trading Around the Bargain Buying Zone

Ripple’s XRP bulls are sleeping within consolidation mode, as price action immensely narrows, ahead of the next fully committed direction. XRP/USD is trading just above a big […]

The post XRP Price Analysis: XRP/USD Trading Around the Bargain Buying Zone appeared first on Hacked: Hacking Finance.

Opinion: my Grandfather’s John Deere would support our Right to Repair

Willie Cade's grandfather, Theo, an engineer at John Deere, helped invent the manure spreader. His grandson thinks John Deere's efforts to kill right to repair legislation is what stinks.

The post Opinion: my Grandfather’s John Deere would support our Right to Repair appeared first on The Security Ledger.


Breaking the cybersecurity stalemate by investing in people

No surprise, it happened again. In 2018, the financial toll cyber breaches took on organizations hit $3.86 million, a 6.4 percent rise from 2017. Before last year’s close, analysts at Gartner claimed worldwide spending on infosec products and services would increase 12.4 percent, reaching over $114 billion in 2019. In fact, when the U.S. government announced a 2019 budget of $15 billion for cybersecurity-related activities, it came with a 4.1 percent jump and a caveat: … More

The post Breaking the cybersecurity stalemate by investing in people appeared first on Help Net Security.

Bitcoin Cash Price Analysis: U.S. Electronics Giant Avnet to Accept BCH; Price Action has Cooled but Subject to Further Buying Pressure

Nasdaq-listed electronics giant Avnet is set to start accepting Bitcoin Cash and Bitcoin as a method of payment. BCH/USD price is consolidating after a decent push […]

The post Bitcoin Cash Price Analysis: U.S. Electronics Giant Avnet to Accept BCH; Price Action has Cooled but Subject to Further Buying Pressure appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: Core Developers Eye ASIC-Resistant Algorithm ProgPoW Integration

The Ethereum core developer team discussed in their most recent meeting the integration of an ASIC-resistant algorithm, ProgPoW. ETH/USD price action is within consolidation mode; a formation […]

The post Ethereum Price Analysis: Core Developers Eye ASIC-Resistant Algorithm ProgPoW Integration appeared first on Hacked: Hacking Finance.

How the Google and Facebook outages could impact application security

With major outages impacting Gmail, YouTube, Facebook and Instagram recently, consumers are right to be concerned over the security of their private data. While details of these outages haven’t yet been published – a situation I sincerely hope Alphabet and Facebook correct – the implications of these outages are something we should be looking closely at. The first, and most obvious, implication is the impact of data management during outages. Software developers tend to design … More

The post How the Google and Facebook outages could impact application security appeared first on Help Net Security.

Zcash Price Analysis: Faster and More Energy Efficient ZEC Miner Released by Bitmain

The mining giant, Bitmain, launched a newly upgraded miner for Zcash (ZEC). It is said to be three times more efficient. ZEC/USD bulls are enjoying a rally […]

The post Zcash Price Analysis: Faster and More Energy Efficient ZEC Miner Released by Bitmain appeared first on Hacked: Hacking Finance.

The art of securing ERP applications: Protecting your critical business processes

In this Help Net Security podcast recorded at RSA Conference 2019, Juan Pablo Perez-Etchegoyen, CTO at Onapsis, talks about the challenges of securing and monitoring ERP applications for vulnerabilities and compliance gaps across cloud and on-premise deployments. Juan Pablo leads the research & development team that keeps Onapsis on the cutting edge of the business-critical application security market. Here’s a transcript of the podcast for your convenience. Hello everyone. Welcome to this Help Net Security podcast. … More

The post The art of securing ERP applications: Protecting your critical business processes appeared first on Help Net Security.

Four key security tips when using any collaboration technology

With database breaches and ransomware attacks making daily news, security is now a top priority for companies, and collaboration solutions are no exception. In the current age of global connectivity, video conferencing and collaboration technologies have become an inescapable part of doing business. Business partners and remote employees around the world rely on these solutions to stay connected and communicate effectively, especially when in-person meetings aren’t possible. While it’s easy enough to say, “my company … More

The post Four key security tips when using any collaboration technology appeared first on Help Net Security.

The modern threat landscape and expanding CISO challenges

Prior to starting Signal Sciences, its founders were running security at Etsy and growing frustrated with existing legacy technology. So they built their own. For this interview with Andrew Peterson, CEO at Signal Sciences, we dig deep into hot topics such as modern CISO challenges and application security visibility. Prior to co-founding Signal Sciences, Andrew had been building leading-edge, high-performing product and sales teams across five continents for 15+ years with such companies … More

The post The modern threat landscape and expanding CISO challenges appeared first on Help Net Security.

Stellar Price Analysis: XLM/USD Jumps 10% as IBM Launches Stellar-Powered World Wire Platform

XLM/USD late on Monday was holding double-digit gains, as the price broke down a significant barrier of resistance. Information technology giant IBM has launched the World Wire […]

The post Stellar Price Analysis: XLM/USD Jumps 10% as IBM Launches Stellar-Powered World Wire Platform appeared first on Hacked: Hacking Finance.

Dash Price Analysis: The Technology and Its Cryptocurrency that Keeps Bringing Real-World Value Use Cases

Dash Text launched a new service initially piloting in Venezuela for donation payment in DASH without the requirement of the internet. DASH/USDT has a significant barrier ahead […]

The post Dash Price Analysis: The Technology and Its Cryptocurrency that Keeps Bringing Real-World Value Use Cases appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD Heading for a Big Bullish Retest after Escaping Descending Wedge Pattern

The Tron (TRX) price is cooling, with eyes on a retest of a breached wedge pattern structure. TRX/USD could see a very fast return to the $0.030000 price […]

The post Tron Price Analysis: TRX/USD Heading for a Big Bullish Retest after Escaping Descending Wedge Pattern appeared first on Hacked: Hacking Finance.

Latest trends in automated threat intelligence-driven network security

Since the earliest days of the Internet both network threats and network defenses have been evolving. In this Help Net Security podcast recorded at RSA Conference 2019, Todd Weller, Chief Strategy Officer at Bandura Cyber, talks about the latest trends in automated threat intelligence-driven network security. Here’s a transcript of the podcast for your convenience. We’re here with Todd Weller, CSO of Bandura Cyber. How are you Todd? I’m great. Fired up for another RSA … More

The post Latest trends in automated threat intelligence-driven network security appeared first on Help Net Security.

Meet the new generation of white hats

The past two years have seen an explosion in the number of software vulnerabilities being published, jumping from 6,447 in 2016 to 14,714 in 2017. Seeing as 2018 beat out the previous year with 16,521 CVEs reported, we should prepare ourselves for plenty of patching ahead in 2019. While factors like the adoption of automated Application Security Testing (AST) tools by more vendors and the absolute growth of code are definitely playing a bigger role … More

The post Meet the new generation of white hats appeared first on Help Net Security.

XRP Price Analysis: XRP/USD is Free to Run Wild Following Triangular Structure Escape

XRP/USD is running at two sessions in the green, as the bulls escape from a triangular pattern structure. The supply zone is tracking from the $0.3300-$0.3500 price […]

The post XRP Price Analysis: XRP/USD is Free to Run Wild Following Triangular Structure Escape appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: Bulls Enjoy Explosive Breakout as Hoskinson Teases ADA-Supported Ledger Wallet

The Cardano (ADA/USDT) price is elevated thanks to another wave of buying pressure out from a bullish pennant pattern. Cardano’s community has much to be excited about […]

The post Cardano Price Analysis: Bulls Enjoy Explosive Breakout as Hoskinson Teases ADA-Supported Ledger Wallet appeared first on Hacked: Hacking Finance.

NEM Price Analysis: The Foundation and XEM are on a Strong Road to Recovery

NEM (XEM/USDT) has jumped a chunky 18% over the last four sessions of consecutive gains. The NEM community is very much optimistic about the organization’s restructuring plan. […]

The post NEM Price Analysis: The Foundation and XEM are on a Strong Road to Recovery appeared first on Hacked: Hacking Finance.

Thinking of threat intelligence as a contributing member of your security team

Threat intelligence is widely considered as a significant asset for organizations, but implementation of this intelligence within security operations can often be cumbersome. In this Help Net Security podcast recorded at RSA Conference 2019, Nicholas Hayden, Senior Director of Threat Intelligence at Anomali, talks about the intelligence-driven security operations center. Here’s a transcript of the podcast for your convenience. My name is Nicholas Hayden. I’m the Senior Director of Threat Intelligence for Anomali. Today, on … More

The post Thinking of threat intelligence as a contributing member of your security team appeared first on Help Net Security.

The quantum sea change: Navigating the impacts for cryptography

Professionals in cybersecurity and cryptography (and even non-IT executives) are hearing about the coming threat from quantum computing. It’s reaching the mainstream business consciousness. A December 2018 report from Deloitte notes “It is expected that 2019 or 2020 will see the first-ever proven example of quantum supremacy, sometimes known as quantum superiority: a case where a quantum computer will be able to perform a certain task that no classical (traditional transistor-based digital) computer can solve … More

The post The quantum sea change: Navigating the impacts for cryptography appeared first on Help Net Security.

Security Panel Insights: Being Asked a Great Question and Not Realizing It Until Later

Being a Thought Leader

RSA Conference just concluded last week — RSAC 2019, to be exact — and I have never attended this particular security conference before. If you work in information security, you go to several events a year and quickly realize that some vendors spend the majority of the marketing budget on these conferences. It can be a bit of an overwhelming circus. Everyone is yelling the latest buzzwords at you, telling you if only you had their products, your problem would be solved.

This year, I was asked by Recorded Future to speak to an audience in a panel, so I decided to come and give it a try. I have been very lucky lately to have Recorded Future as a vendor because they’ve been asking me to give them my thoughts on security topics and on their solutions. One doesn’t always think of growing older in a positive way, but strangely enough, it does mean you’ve seen more things and your thoughts seem to bring all those experiences together, so I’m going to play that role for a bit.

Moreover, most vendors in the security space are pleased to have you as a customer, but aren’t really looking to hear your honest opinions on topics other than renewal. I am pleased that my experiences with Recorded Future are very different and that they’ve been forcing me to be a better security practitioner.

Being on a Panel

I have been on panels before. You sit with others in the same industry but play different roles. It’s usually on a stage with a moderator in front of your peers. The moderator comes up with great questions that make you think — he proposes them to you, and you get to go completely blank in front of an audience. It’s the best!

The idea, though, is that you think about problems from different perspectives and see if you can find a new idea in the mix or play off each other’s answers to come up with a unique solution to some of the problems we all face. If you didn’t attend this panel breakfast, you missed out on something very cool.

The win for me that day was being asked a question by a rather insightful audience member.

Being Asked a Pivotal Question and Not Realizing It

After stumbling my way through the moderator’s questions with a million thoughts buzzing through my head and unable to form a coherent thought, we opened the floor to the audience for questions. It was the second question asked by an audience member: “Do you think it is possible to modularize security use cases?” I had an immediate, visceral response of, “No, absolutely not,” and then had to stop and wonder why I thought that and why it evoked such an immediate response in me.

At the time that I answered that, I didn’t think it was really an effective thing to do since the use cases we have are all unique to the environment we live in — the solutions we’ve implemented to address our unique problems, the risk and attack surfaces we present, and the budgets we have to work with. Our other panel members gave very eloquent responses as to whether they thought we could or couldn’t, and why. That question stuck in my head though. I didn’t realize how pivotal that question was until after a short nap, and then it hit me — the young woman who asked it had just described the entire information security product space and was asking if it was a good idea or not, and I really didn’t think it was.

Being Smarter the Second Time Around

Now, I want to answer that question again, hindsight being 20/20, as the adage goes. The information security industry has been creating solutions in search of a problem for ages and it isn’t working well for us. As I explained to the audience member, my thinking was that it’s a difficult proposition to take a series of solutions to individual problems and chain them together to solve your unique problems. There are gaps in the use cases that are specific to each individual security practitioner, each department within the organization, the organization as a whole, and the greater security community.

The gut feeling that hit me happened because I’ve been working through modular use cases for a year now. It’s been like putting a round peg in a square hole every time I try to find a security solution that matches my individual needs. You keep getting a bigger hammer to force them in, you use glue logic and Python to stitch them together into something that gets you closer, and you fill in any gaps with really good people and a thorough understanding of your capabilities and processes.

The problem is that the result is a rat’s nest and you can’t see the blind spots you have — at least until some kind threat actor shows them to you.

Not to say that security products are bad because of this — they solve a unique set of problems that they have seen a number of times — but the responsibility is on us, the feet on the ground, to realize whether our unique problem set is solved or even described by those solutions. Making those use case solutions more modular actually takes us away from our unique problems and exacerbates the situation of solution gaps described previously. We have to hold our vendors accountable to the problems they are actually solving, and they need to hold us accountable to tell them what we really need.

If there’s not a match, each of us needs to be honest with the other about it. I have been trying to do it with all the vendors I work with. I am sure it is perceived as being a difficult customer, but honestly, there’s room for each side to grow in their respective roles. We can make our vendors better able to provide the solutions we need, and our vendors can make us really examine our problems in new ways, if we take the time to help one another.

I think that’s the answer I would rather have given, had I been able to sleep the night before and been able to form coherent thoughts in front of an audience. Hopefully I didn’t come off as the crazed, sleep-deprived person I thought I did — but I know for a fact that I came away with more than when I went in.

Being Thankful

I’m truly thankful to have vendors like Recorded Future who are forcing me to be a better threat intelligence analyst, a better security practitioner, and hopefully, a thought leader in an industry that needs more of them.

Darian Lewis

Darian Lewis is lead threat intelligence analyst at Relativity.

The post Security Panel Insights: Being Asked a Great Question and Not Realizing It Until Later appeared first on Recorded Future.


Threat Analyst Insights: Weekly Threat Intelligence Report Template

Monday mornings mark the start of a new week, with a new set of cybersecurity topics and issues for employees across all teams to review and discuss. Like many of us returning from an all too short weekend, we (hopefully) used the time to relax and recover from last week’s malware infections, zero-day vulnerabilities, and that troublesome employee who clicked on one too many phishing emails.

One optimal method of recounting notable security events from the past week is to receive a weekly threat intelligence report catered to your organization’s intelligence requirements and goals. Ideally, these weekly reports function as one of the most anticipated reports for members of multiple teams and sufficiently aggregate events from all sources. Tailoring this report to ensure it provides value on a regular basis requires timely planning and execution.

Ultimately, one of the most important aspects of your weekly threat intelligence report will be its structure, with a template devoting sections to encompass all notable events that have impacted your environment, relevant industries, and the general cybersecurity field. The following are three examples of sections we at Recorded Future consider to be essential for an actionable and relevant weekly threat intelligence report.

1. Information Specific to Your Environment

This section of a weekly threat intelligence report would ideally be devoted to highlighting some of the most significant events that had or may have an impact on your organization’s environment.

As far as what we refer to as a “significant” event, it’s important to allow for flexibility based on your organization’s intelligence requirements or business strategy. Examples can include online discussion among threat actors planning to target company infrastructure, leaked credentials associated with employees (or customers), or vulnerabilities observed in technology leveraged within your enterprise.

This section will highlight and provide analysis regarding events captured by your respective security teams as well as third-party organizations you may be utilizing for threat intelligence services. Leveraging the technical capabilities of third parties allows organizations to receive input on events they may have missed or events that require additional context from an outside party.

2. Information Specific to Your Industry

Weekly intelligence reports also must highlight what events are impacting your industry peers and how it may impact trends observed by your team. Naturally, there will be limitations when researching these events in that disruption campaigns or threat actor targeting of industry peers would very likely be kept under wraps by the organizations dealing with those issues.

This section will help identify potential future campaigns from nation-state or well-resourced actors who are more likely than others to think about targeting in terms of multiple industries. Research for this component of the weekly report places a great deal of emphasis on open source intelligence techniques to cover cyber threat reporting uploaded to blogs and security news sites, as well as government or academic publications and reporting. Examples such as a piece of malware compromising a competitor can often be just as newsworthy as if it had impacted your own environment and potentially serve as an indicator of an impending security event that could be mitigated entirely.

3. Information Specific to the Cybersecurity Field

A section devoted to “prominent” security events is highly recommended in a customized weekly intelligence report for a security team, with events such as the 2017 WannaCry ransomware outbreak serving as grim reminders of the potential devastation that cyber events can potentially inflict on a global scale. This section is used to inform coworkers or leadership about topics impacting all industries, as well as trending security topics. Events compiled here have far-reaching ramifications and may serve as the groundwork for strategic analytic products.

Never Stop Adapting

The most important consideration when developing a template for weekly threat intelligence reports is that each story (regardless of headers or section titles) should not serve as a mere summary of the event. Every article must contain the thoughts of the analysts observing or reporting on the event and how they relate to their company’s (or customers’) mission. Every story must answer the question: How does this impact me?

Additionally, we encourage organizations to never stop adjusting the template of a weekly report to address the current threat landscape or company focus. Devote sections to more specific topics requested by your leadership, such as cyber events impacting a particular geographic region or events referencing a trending variant of malware. It is not unusual for sections, such as the ones we covered, within your weekly report to become outdated — for example, a variant of malware may become less notable as security patches emerge and awareness from your security team helps mitigate the threat as time goes on.

Many security professionals do not have the opportunity to proactively identify and compile events while meeting the varying schedules of multiple writers. With Recorded Future, security teams can utilize our many analytic products — our Weekly Threat Landscape report being just one — customized to align with their intelligence requirements.

Feel free to download your own copy of our Weekly Threat Landscape report template for inspiration, and to learn more about how Recorded Future can help organizations better understand and prevent threats, request a personalized demo today.

Parker Crucq

Parker Crucq is a threat intelligence analyst at Recorded Future.

The post Threat Analyst Insights: Weekly Threat Intelligence Report Template appeared first on Recorded Future.


Drowning, Not Waving…

Last week I attended The European Information Security Summit 2019 and spoke on the closing keynote panel at the end of the second day. The topic was “Unacceptable personal pressure: How senior Cyber Security Executives safeguard their own mental health, and those of their teams”, and as a panel we were surprisingly open about our experiences. … Read More

Security is not a buzz-word business model, but our cumulative effort

This article conveys my personal opinion towards security and its underlying revenue model; I would recommend reading it with a pinch of salt (+ tequila, while we are on it). I shall be covering either side of the coin: the heads, where pentesters try to give you a heads-up on underlying issues, and the tails, where businesses still think they can address security at the tail end of their development.

A recent conversation with a friend who is in information security triggered me to address the elephant in the room. He works in a security services firm that provides intelligence feeds and alerts to its clients. He shared a case where his firm didn't share the right feed at the right time, even though the client was "vulnerable", because the client's subscription model was different. I understand business is essential, but on the contrary, isn't security a collective argument? I mean, if this client gets attacked tomorrow, are you just going to turn a blind eye because it didn't pay you well? I understand that remediation always costs money (or more effort), but withholding an alert from a client about an attack you witnessed in the wild, based on how much money they are paying you, is hard to defend.

I don't dream about a utopian world where security is obvious, but we surely can walk in that direction.

What is security to a business?

Is it a domain, a pillar or, with the buzz these days, insurance? Information security and privacy, while being the talk of the town, still come in where the business requirements end. I understand there is a paradigm shift to the left, a movement towards the inception of your "bright idea", but we are still far from an ideal world, the utopian one so to speak! I have experienced either side of the table: the one where we put ourselves in the shoes of hackers, and the contrary, where we hold hands with the developers to understand their pain points and work together to build a secure ecosystem. I would say it's been very few times that a business pays attention to "security" from day zero (yeah, this tells you the kind of clients I am dealing with and why we are in business). Often business owners say: develop this application based on these requirements, discuss the revenue model and maintenance costs, and yeah! Check if we need these security add-ons, or whether we adhere to compliance checks, as no one wants auditors knocking at the door for all the wrong reasons.

This troubles me. Why don't we understand information security as being as important a pillar as your whole revenue model?

How is security as a business?

I have many issues with how "security" is being tossed around as a buzzword to earn dollars, while very few respect the gravity or the very objective of its existence. I mean, whether it's information, financial, or life security, they all have very realistic and quantifiable effects on someone's physical well-being. Every month, I see tens (if not hundreds) of reports and advisories whose quality is embarrassingly bad. When you dig for the reasons, it's either that the "good" firms are costly, or that someone has a comfort zone with existing firms, or worst of all, that the business neither cares nor pressures firms for better quality. I mean, in the end, it's just a plain and straightforward business transaction, or a compliance check to make the auditor happy.

Have you ever asked yourself these questions?

  1. You did a pentest justifying the money paid for your quality; tomorrow that hospital gets hacked, or patients die. Would you say you didn't put in your best consultants/efforts because they were too expensive for the cause? You didn't walk the extra mile because the budgeted hours were finished?
  2. Now, to you, Mr Business, CEO: you want to cut costs on security because you would prefer a more prominent advertisement or a better car in your garage, and security expenditure is dubious to you. Next time, check how much companies and businesses have lost after getting breached. I mean, just because it's not an urgent problem doesn't mean it can't become one. If it becomes a problem, chances are it's too late. These issues are like symptoms: if you see them, you are already in trouble! Security doesn't always have an immediate ROI, I understand, but don't make it the epitome of "out of sight, out of mind". That's a significant risk you are taking with your revenue, employees and customers.

Now, while I have touched both sides of the problem in this short article, I hope you got the message (fingers crossed). Please do take security seriously, and not only as a business transaction! Every time you do something that involves security, on either side, think: what if you invest your next big cryptocurrency in an exchange or market that gets hacked because of their lack of due diligence? Or your medical records become public because someone didn't perform a good pentest? Or you lose your savings because your bank didn't do a thorough "security" check of its infrastructure? If you think you are untouchable because of your home router's security, you, my friend, are living in an illusion. And, my final rant, to the firms where there are good consultants but the reporting, or the seriousness in delivering the message to the business, is so fcuking messed up that all their efforts go in vain: take your deliverable seriously; it's the only window the business has to peep into the issues (existing or foreseen) and plan the remediation in time.

That's all, my friends. Stay safe and be responsible; security is a cumulative effort and everyone has to be vigilant, because you never know where the next cyber-attack will be.