
5 Components of the Kubernetes Control Plane that Demand Special Attention in Your Security Strategy

Organizations are no strangers to security incidents in their Kubernetes environments. These are five key components of the control plane that demand special attention.

Organizations are no strangers to security incidents in their Kubernetes environments. In its State of Container and Kubernetes Security Fall 2020 survey, StackRox found that 90% of respondents had suffered a security incident in their Kubernetes deployments in the last year. Two-thirds of respondents explained that they had weathered a misconfiguration incident, followed by vulnerability cases, runtime events and failed audits at 22%, 17% and 16%, respectively.

Misconfiguration incidents are so prolific because they can appear in many different aspects of an organization’s Kubernetes environment. For instance, they can affect the Kubernetes control plane. This section of a Kubernetes deployment is responsible for making global decisions about a cluster as well as for detecting and responding to events affecting the cluster, notes Kubernetes.

This raises an important question: how can organizations harden the Kubernetes control plane against digital attacks?

To answer that question, this blog post will discuss five components within the Kubernetes control plane that require special attention within organizations’ security strategy. These are the kube-apiserver, etcd, kube-scheduler, kube-controller-manager and cloud-controller-manager. It will then provide recommendations on how organizations can secure each of these components.


kube-apiserver

What it is

Per Kubernetes’ documentation, kube-apiserver is the front end for the Kubernetes control plane. It functions as the main implementation of a Kubernetes API server. Organizations can scale kube-apiserver horizontally by deploying more instances.

Why it needs to be secured

The Container Journal noted that attackers are committed to scanning the web for publicly accessible API servers. Acknowledging that reality, organizations need to make sure they don’t leave their kube-apiserver instances publicly exposed. If they do, they could provide attackers with an opening for compromising a Kubernetes cluster.

How to secure it

Administrators can follow the Container Journal’s advice by configuring their API servers to allow cluster API access only via the internal network or a corporate VPN. Once they’ve implemented that security measure, they can use RBAC authorization to further limit who has access to the cluster. RBAC is enabled as an authorization mode on the kube-apiserver itself.


etcd

What it is

Kubernetes uses etcd as its key-value backing store for cluster data. Because this store holds highly sensitive configuration data, organizations that use etcd need a backup plan for it.

Why it needs to be secured

As with kube-apiserver, organizations might accidentally leave etcd exposed to the Internet. The New Stack covered the work of one software developer who conducted a search on Shodan to look for exposed etcd servers. This investigation uncovered 2,284 etcd servers that malicious actors could access through the Internet.

How to secure it

Kubernetes notes in its cluster administration resources that access to etcd is equivalent to root permission in the cluster. In response, administrators should grant access only to the nodes that require it. They should also use firewall rules as well as etcd’s own security features, notably peer.key/peer.cert and client.key/client.cert, to secure communications between etcd members and between etcd and its clients.


kube-scheduler

What it is

The kube-scheduler is a component within the control plane that watches for newly created pods with no assigned node. When it detects such a pod, it selects a node for it to run on. It makes these decisions by weighing individual and collective resource requirements, data locality and other factors, per Kubernetes’ website.

Why it needs to be secured

Any compromise involving the kube-scheduler could affect the performance and availability of a cluster’s pods, explains Packt. Such an event could thereby cause disruptions in an organization’s Kubernetes environment that undermine business productivity.

How to secure it

Administrators can follow Packt’s advice to secure the kube-scheduler by disabling profiling, a feature which exposes system details. They can do this by setting the “--profiling” setting to “false.” Additionally, they can disable external connections to kube-scheduler using the “AllowExtTrafficLocalEndpoints” configuration to prevent outside attackers from gaining access to this control plane component.


kube-controller-manager

What it is

This particular component lives up to its name in that it runs controller processes. Logically, each of those controllers, including the node controller, the replication controller and others, is a separate process. The kube-controller-manager, however, compiles all of them into a single binary and runs them together.

Why it needs to be secured

A security issue in the kube-controller-manager could negatively affect the scalability and resilience of applications that are running in the cluster. Such an event could thus have an effect on the organization’s business.

How to secure it

Organizations can secure the kube-controller-manager by monitoring how many instances of it are deployed in their environments. They can also follow the recommendations that StackRox made in September 2020: restricting the component’s file permissions, configuring it to serve only HTTPS, binding it to a localhost interface and using Kubernetes RBAC to grant access to an individual service account per controller.


cloud-controller-manager

What it is

Last but not least, the cloud-controller-manager enables administrators to link their cluster to their Cloud Service Provider’s (CSP’s) API. They can then use that feature to separate the elements that interact with the CSP’s cloud platform from those that interact with the cluster. Per Kubernetes’ documentation, cloud-controller-manager functions similarly to kube-controller-manager in its ability to compile multiple processes into one. The difference is that the cloud-controller-manager runs only controllers that are specific to an organization’s CSP.

Why it needs to be secured

Issues involving the cloud-controller-manager pose a similar threat to organizations as those that affect the kube-controller-manager.

How to secure it

Acknowledging the similarities between kube-controller-managers and cloud-controller-managers, organizations can use the same measures to secure both.
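The flag-level checks behind the recommendations in the four sections above (RBAC as an authorization mode on the kube-apiserver, certificate-authenticated client and peer connections on etcd, profiling disabled on the kube-scheduler, and the scheduler and kube-controller-manager bound to localhost with a service account per controller) can be scripted. The audit below is an added example, not code from the original post or from any Kubernetes project. It assumes each component runs as a static pod whose options appear in the manifest’s `command` list, as kubeadm lays them out; the flag names are the components’ upstream command-line flags, while the sample command lines and certificate paths are constructed for the demonstration. Network-level measures (VPN-only API access, firewall rules around etcd, HTTPS-only serving) cannot be confirmed from flags alone and are deliberately left out.

```python
"""Flag-level audit of Kubernetes control-plane static-pod manifests.

Added example (constructed, not from the original post or any Kubernetes
project). Assumption: each component runs as a static pod whose options sit in
the manifest's `command` list, the way kubeadm lays them out. Flag names are the
components' upstream CLI flags; sample command lines and paths are made up.
"""
from typing import Callable, Dict, List, Optional, Tuple


def parse_flags(command: List[str]) -> Dict[str, str]:
    """Turn a pod-spec `command` list into {flag: value}.

    Accepts "--flag=value", "--flag value" and a bare "--flag" (recorded as
    "true"); the leading binary name is skipped.
    """
    flags: Dict[str, str] = {}
    i = 0
    while i < len(command):
        token = command[i]
        if token.startswith("--"):
            if "=" in token:
                key, value = token[2:].split("=", 1)
            elif i + 1 < len(command) and not command[i + 1].startswith("--"):
                key, value = token[2:], command[i + 1]
                i += 1
            else:
                key, value = token[2:], "true"
            flags[key] = value
        i += 1
    return flags


Check = Callable[[Optional[str]], bool]


def equals(expected: str) -> Check:
    return lambda v: v == expected


def contains(item: str) -> Check:
    # For comma-separated list flags such as --authorization-mode=Node,RBAC
    return lambda v: v is not None and item in v.split(",")


def present(v: Optional[str]) -> bool:
    return bool(v)


# (flag, check, why it matters). A missing flag fails whenever the component's
# default is the weak value (profiling on, bind to 0.0.0.0, etcd cert auth off).
RULES: Dict[str, List[Tuple[str, Check, str]]] = {
    "kube-apiserver": [
        ("authorization-mode", contains("RBAC"),
         "RBAC is not an authorization mode, so access cannot be limited per subject"),
    ],
    "etcd": [
        ("cert-file", present, "no server certificate for client connections"),
        ("key-file", present, "no server key for client connections"),
        ("client-cert-auth", equals("true"), "clients need not present a certificate"),
        ("peer-cert-file", present, "no certificate for peer connections"),
        ("peer-key-file", present, "no key for peer connections"),
        ("peer-client-cert-auth", equals("true"), "peers need not present a certificate"),
    ],
    "kube-scheduler": [
        ("profiling", equals("false"), "profiling endpoint exposes system details"),
        ("bind-address", equals("127.0.0.1"), "listens on all interfaces, not localhost"),
    ],
    "kube-controller-manager": [
        ("profiling", equals("false"), "profiling endpoint exposes system details"),
        ("bind-address", equals("127.0.0.1"), "listens on all interfaces, not localhost"),
        ("use-service-account-credentials", equals("true"),
         "controllers share one identity instead of a service account each"),
    ],
}


def audit(component: str, command: List[str]) -> List[str]:
    """Return one finding per failed rule; an empty list means the component passed."""
    flags = parse_flags(command)
    findings = []
    for flag, check, reason in RULES[component]:
        value = flags.get(flag)
        if not check(value):
            findings.append(f"{component}: --{flag}={value!r}: {reason}")
    return findings


def audit_all(manifests: Dict[str, List[str]]) -> Dict[str, List[str]]:
    return {name: audit(name, command) for name, command in manifests.items()}


# Constructed sample command lines; paths are kubeadm-style placeholders.
PKI = "/etc/kubernetes/pki/etcd"
WEAK = {
    "kube-apiserver": ["kube-apiserver", "--authorization-mode=AlwaysAllow"],
    "etcd": ["etcd", "--data-dir=/var/lib/etcd", "--listen-client-urls=http://0.0.0.0:2379"],
    "kube-scheduler": ["kube-scheduler", "--kubeconfig=/etc/kubernetes/scheduler.conf"],
    "kube-controller-manager": ["kube-controller-manager", "--profiling=true"],
}
HARDENED = {
    "kube-apiserver": ["kube-apiserver", "--authorization-mode=Node,RBAC"],
    "etcd": ["etcd", "--data-dir=/var/lib/etcd",
             f"--cert-file={PKI}/server.crt", f"--key-file={PKI}/server.key",
             "--client-cert-auth=true", f"--trusted-ca-file={PKI}/ca.crt",
             f"--peer-cert-file={PKI}/peer.crt", f"--peer-key-file={PKI}/peer.key",
             "--peer-client-cert-auth=true", f"--peer-trusted-ca-file={PKI}/ca.crt"],
    "kube-scheduler": ["kube-scheduler", "--profiling=false", "--bind-address=127.0.0.1"],
    "kube-controller-manager": ["kube-controller-manager", "--profiling=false",
                                "--bind-address=127.0.0.1", "--use-service-account-credentials=true"],
}

if __name__ == "__main__":
    for label, manifests in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} manifests ==")
        for name, findings in audit_all(manifests).items():
            status = "OK" if not findings else f"{len(findings)} finding(s)"
            print(f"{name}: {status}")
            for line in findings:
                print("  " + line)
```

Run against a real cluster by loading each static pod manifest from the control plane node, pulling the container’s `command` list out of the YAML, and passing it to `audit`; the rule table is the place to add further checks as the cluster’s policy evolves.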

The Security Work Doesn’t End There

The five control plane components discussed above all demand attention as part of an organization’s overall Kubernetes security efforts. Even so, organizations’ work to secure their Kubernetes architecture doesn’t end there. There are also the Node components.

For information on how to secure that part of a Kubernetes cluster, click here.

About the Author: David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence, Tripwire’s The State of Security Blog, and a contributing writer to Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.

Pierluigi Paganini

(SecurityAffairs – hacking, Kubernetes)

The post 5 Components of the Kubernetes Control Plane that Demand Special Attention in Your Security Strategy appeared first on Security Affairs.

Streamlining Security with Cisco SecureX

Customers need simplified security platform solutions for XDR, SASE, and Zero Trust

It’s no secret that cybersecurity has become increasingly difficult in recent years. We often blame an expanded attack surface and more sophisticated attackers. While they certainly play a substantial role, today’s security setbacks are also a byproduct of the rising complexity faced by defenders. There are just too many disparate, siloed security products for organizations to use effectively against threats that are growing in quantity and severity.

“Positive shifts in digital transformation have made it evident that security technologies in siloes contribute to more complexity,” said Michael Degroote, infrastructure consultant at Mohawk Industries. “Our teams are losing precious time connecting the dots and integrating all these tools that don’t work with one another.”

Security professionals today are inundated with alerts and can’t keep up with the very technology designed to help them. They’re spending a disproportionate amount of time trying to manually integrate different solutions from various vendors. According to our 2020 CISO Benchmark Report, due to a lack of time and resources, today’s organizations are only able to remediate 50% of legitimate security threats. Doing more of what we have been doing as an industry clearly is not going to help. It’s time to think differently.

Cisco Secure and simple

At Cisco, we’ve been working on this challenge for several years, and recently launched our Cisco SecureX platform as part of the solution. With Cisco SecureX, organizations can easily address a wide range of use cases, including SecOps, NetOps, and ITOps, using technologies from both Cisco and third parties. This results in a more cohesive and collaborative approach to security. Cisco SecureX makes security a more holistic and natural extension of our customers’ environments, removing barriers, accelerating response, and streamlining operations.

But just as a team is only as strong as its weakest player, a platform is only as strong as its least effective pillar. We therefore strive to add only the most effective technologies to our roster. Our Cisco Secure portfolio is the broadest in the industry, covering every threat vector and access point with leading technologies. It covers you across the network, cloud, users and endpoints, and applications. The SecureX platform is made better by each product, and in turn, each product is made better by being a part of the platform.

On our way to becoming the world’s largest cybersecurity company, we innovated, built, partnered, and acquired a lot of security products. Our portfolio grew until we counted 83 different names and variations! So in addition to making our technology easier to use through the SecureX platform, we have also made it easier to find with an updated, simplified naming architecture under our Cisco Secure brand.

Additionally, we are aligning our newly named products under several key approaches that are driving our customers’ security strategies – including XDR, SASE, and Zero Trust. We hope that our new product naming helps you more easily determine the right mix of technologies to address these critical areas and build greater resiliency for the future.

SecureX – Setting the XDR standard  

Extended Detection and Response (XDR) is a new approach that delivers visibility into data across networks, clouds, endpoints, and applications while applying analytics and automation to response. Our SecureX platform plays an important role in organizations’ move to XDR.

As part of the platform, Cisco Secure Network Analytics provides enterprise-wide visibility and real-time threat detection, while Cisco Secure Endpoint stops attacks with cloud-delivered endpoint protection. Additionally, Cisco Secure Email combats phishing, business email compromise, ransomware, and spam. These technologies work together – and with other solutions – to collaboratively secure an organization’s entire infrastructure from a wide variety of threat vectors.

A platform approach takes you further

Networking and security are becoming increasingly intertwined, as organizations transition to multi-cloud environments and embrace a secure access service edge (SASE) model. As the world’s largest networking and security company, Cisco is well-positioned to lead this evolution to SASE. With data and employees becoming more distributed, our technologies, delivered via a platform, help to securely connect any user or device to any application, whether it’s in the data center or cloud.

And of course, zero trust is a comprehensive approach to securing all access across your networks, applications, and environment – including access from users, computers, phones, IoT devices, cloud applications, and more. Our platform offers a zero-trust strategy across your workforce, workloads, and workplace.

An ecosystem of complementary solutions

With an integrated platform, you can unify your security, simplify your operations, and maximize the potential of each of your solutions. The technologies highlighted above represent some of the key drivers of our platform. They are further strengthened by:

MEDIAPRO, a leader in the European audiovisual sector, has leveraged Cisco’s platform approach to reduce its threat detection time by 90 percent. “Each of the Cisco security solutions [is] very powerful, but all of them combined and overseen by Talos is simply amazing,” said MEDIAPRO’s telecom engineering deputy director, Laura Juarez Ramallo.

These are the kinds of customer results we are aiming for with Cisco SecureX and our updated portfolio. It’s time for the industry to view security not as a mixed bag of point solutions, but as an open, cohesive ecosystem of complementary technologies all working together for the greater good. And as we’ve learned from our customers, we need to keep things simple in order to keep them secure.

Discover what makes Cisco SecureX different, and learn more about our simplified product renaming.

The post Streamlining Security with Cisco SecureX appeared first on Cisco Blogs.

Threat actors are actively exploiting Zerologon flaw, Microsoft warns

Microsoft researchers are warning that threat actors are continuing to actively exploit the ZeroLogon vulnerability in attacks in the wild.

Microsoft is warning that threat actors are actively exploiting the ZeroLogon vulnerability in the Netlogon Remote Protocol.

The CVE-2020-1472 flaw is an elevation of privilege that resides in the Netlogon Remote Protocol. The Netlogon service is an authentication mechanism used in the Windows Client Authentication Architecture that verifies logon requests and registers, authenticates and locates domain controllers.

An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on its behalf.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

“Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020.” reads a post published by MSRC VP of Engineering Aanchal Gupta. “If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain.”

Microsoft strongly encourages administrators of enterprise Windows Servers to install the August 2020 Patch Tuesday updates as soon as possible to protect their systems from Zerologon attacks exploiting CVE-2020-1472.

Because the initial documentation regarding the Zerologon patching process was not clear enough, Microsoft provided the following updates:

  1. UPDATE your Domain Controllers with an update released August 11, 2020 or later.
  2. FIND which devices are making vulnerable connections by monitoring event logs.
  3. ADDRESS non-compliant devices making vulnerable connections.
  4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.

At the end of September, Microsoft issued a similar warning. The IT giant published a series of tweets to warn of attackers actively exploiting the Windows Server Zerologon vulnerability in the wild, and urged Windows administrators to install the released security updates as soon as possible.

In early October, Microsoft spotted a series of Zerologon attacks allegedly launched by the Russian cybercrime group tracked as TA505, CHIMBORAZO and Evil Corp.

Microsoft experts spotted Zerologon attacks involving fake software updates; the researchers noticed that the malicious code connected to command and control (C&C) infrastructure known to be associated with TA505.

In the same period, Microsoft published a post and a series of tweets to warn of cyber attacks exploiting the Zerologon vulnerability carried out by the Iran-linked APT group known as MuddyWater, aka Mercury.

On September 18, The Department of Homeland Security’s CISA issued an emergency directive to order government agencies to address the Zerologon vulnerability (CVE-2020-1472) by September 21.

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

The post Threat actors are actively exploiting Zerologon flaw, Microsoft warns appeared first on Security Affairs.

I’ve Joined the 1Password Board of Advisers


Almost a decade ago now, I wrote what would become one of my most career-defining blog posts: The Only Secure Password is the One You Can't Remember. I had come to the realisation that I simply had too many accounts across too many systems to ever have any chance of creating decent unique passwords I could remember. So, I set out to find a password manager and 10 Christmas holidays ago now, I spent the best 50 bucks ever:


I chose 1Password way back then and without a shadow of a doubt, it has become one of the most important pieces of software I have ever used. Since that date in 2011, I doubt there's been a single day I haven't used 1Password to log into a website, fill in my credit card details or refer to other notes stored securely within the product. In fact, just thinking about the frequency with which I use the password manager, I must have interacted with 1Password in one way or another tens of thousands of times now. So, I've just kept buying it:


I've been buying the Families Plan because 1Password isn't just for me, it's for everyone and what better time to start learning about securing your online assets than as early as possible:

1Password has been a part of my family for years so my announcement today comes with much excitement: I'm becoming a part of the 1Password family and joining their board of advisers! I'll be devoting a slice of my time to help the company build even better products and services in an era when password management has never been more important. I'll be talking more about the work we're doing together over time but for now, I'm just happy to be joining a great team building important software that makes a meaningful difference to so many people 😊

How to Firewall: Small Business Edition

Smaller organizations need simplified security — without sacrificing control, flexibility, and threat prevention. Our vision is for all organizations, especially small organizations, to have strong firewall security with simplified management. The firewall must perform, protect, and get out of the way. Many small organizations have told us they don’t want to hear about every possible firewall option. They just want to know what we recommend.


If you want our most easily managed firewall, highly configurable and with granular threat protection, with an architecture that can grow with your organization, ask your Cisco reseller about the new Cisco Secure Firewall Small Business Edition. It features our simplified cloud management and logging, a silent desktop-sized firewall appliance, every Cisco threat defense capability and 50 remote access VPN licenses … it’s our most affordably priced small business firewall package, ever. Cisco partners appreciate it too, as the tightly integrated solution has only two part numbers.

Choosing the right firewall for you

If your team is like most in small businesses (where “team” might even be you alone!), and you do not have staff dedicated solely to networking and security, we recommend cloud-managed firewalls to most customers. Our physical and virtual firewall appliances, and our cloud-delivered SASE firewall, can be managed from Cisco’s secure cloud. Customers find cloud-based firewall managers simpler, with automated upgrades that save time. Firewall firmware updates may be simply executed … with a single click. Additionally, the modern user interface automatically saves your old configuration and provides clear visibility into active remote access VPN sessions. More information on the solution can be found here.

When you need a firewall appliance, our new Cisco Secure Firewall Small Business Edition targets organizations needing granular security policies and configurations with complex routing, VPN, and encrypted traffic inspection. MX is ideal for customers desiring the greatest simplicity and leveraging Meraki’s integrated management of switches, access points, and firewalls.

Want to unlock the simplicity of Secure Firewall Small Business Edition for yourself? Start a free trial for cloud management and logging by visiting: 

The post How to Firewall: Small Business Edition appeared first on Cisco Blogs.

Get SASE Your Way with a Platform Approach to Security

The ongoing convergence of networking and security is leading many companies down the path towards a Secure Access Service Edge (SASE) model. More applications are moving into the cloud, and employees and devices are accessing them from seemingly infinite locations. As a result, organizations are rethinking and transforming how they securely deliver the right data and applications to the right people and places at the right time.

How can organizations best provide secure access to an increasingly distributed, mobile workforce? And how can businesses optimize for today’s needs while remaining flexible for tomorrow’s uncertainties? SASE (pronounced “sassy”) is about bringing networking and security capabilities together and delivering them through the cloud for improved performance and agility. It’s about leveraging the internet to enhance the user experience while reducing costs and complexity.

The criticality of agility in IT infrastructure has become especially apparent this year. Organizations that don’t embrace a multi-cloud environment and other emerging technologies risk getting left behind and opening themselves up to heightened security concerns. However, it’s important to note that SASE is still a journey that no one has completed yet. Rather, it is a necessary aspiration and step forward for today’s organizations.

Getting SASE with Cisco

So how do you get more “SASE”? As the world’s largest networking and security company, we understand that not every business is in the same place or ready to move as quickly as others. That’s why we meet you where you are and show you the way from there. Whether you are ready to fully embrace the cloud, or want to maintain a hybrid model to protect previous investments, we can help.

While the term SASE is new, the overall concept is not. As noted by Cisco’s SVP/GM of Cloud and Network Security, Jeff Reed, Cisco has already been moving in the direction of SASE for years. We have been designing our solutions to operate more like an extension of your team – less bolted on, more built in. Some of the ways we have been pushing towards this model include:

SASE and SecureX

A key component of SASE is vendor consolidation. Cisco’s global infrastructure and broad portfolio across both networking and security enable us to help customers decrease their reliance on disparate vendors. This is especially important now since 81% of organizations say they are currently finding it challenging to manage a multi-vendor environment.

In June, our efforts to simplify security manifested in the launch of our integrated platform, Cisco SecureX. Through SecureX, customers get unified access to security, networking, and IT applications from both Cisco and many third parties to streamline and strengthen security. Cisco SecureX is included with every Cisco security product, and reduces the need for overwhelmed security teams to work with a multitude of siloed technologies to investigate and remediate issues. It also fosters greater collaboration between SecOps, NetOps, and ITOps teams for a more coordinated and efficient response to incidents.

Our SecureX platform and customizable buying programs allow you to start with the technology you need and build from there – all the while benefiting from integrated architecture that is ready to expand and evolve with you. With Cisco, you can progress along your journey to SASE while taking advantage of comprehensive security capabilities that extend beyond SASE use cases. For example:

  • Unleash your workforce by delivering a seamless, secure connection to applications in any environment – data center or cloud – from any location and device.
  • Simplify security, streamline policy enforcement, and enhance threat protection by combining multiple functions into a single service.
  • Unite security and networking through a flexible, integrated approach that meets multi-cloud demands at scale.


At the core of Cisco’s approach to SASE is Cisco SD-WAN and Cisco Umbrella. Cisco SD-WAN is a cloud-delivered overlay WAN architecture with application optimization that delivers predictable performance in multi-cloud environments. Cisco Umbrella is a cloud-native service that unifies multiple security technologies in a single solution, including DNS-layer security, secure web gateway, firewall, and cloud access security broker (CASB) capabilities. Cisco Umbrella simplifies and flexibly secures direct-to-internet access, cloud app usage, and remote workers. Now, the Cisco SD-WAN and Umbrella integration enables you to simply infuse effective cloud security throughout your SD-WAN fabric so you can protect your branch offices and roaming users.

You can deploy cloud security across your SD-WAN fabric to thousands of branches in minutes, and instantly gain protection against threats on the internet. Powered by Umbrella’s global network and Cisco Talos threat intelligence, it’s the easiest way to protect users anywhere they access the internet and cloud apps. By combining simple, automated tunnel creation from Cisco SD-WAN with Umbrella’s secure web gateway and cloud-delivered firewall, you gain additional flexibility and more granular security controls. Additionally, Cisco just released further infrastructure innovations built for SD-WAN and SASE, helping customers achieve new levels of business resiliency and agility. See our case study with Tamimi Markets to find out how customers are partnering with Cisco for SASE.

Simplify your SASE journey

This week at our digital Partner Summit, we are sharing more details with our valued partners about how we’re leading the evolution of SASE, so they too can play a role in our customers’ success. Partners will hear more about how technologies such as Cisco SD-WAN, Cisco Umbrella, Cisco Secure Access by Duo, and Cisco SecureX work together to simplify your SASE journey.

We know that it’s your business, your architecture, and your future. You need to be able to do SASE your way. That’s why we’re here and ready to prepare you for what’s now and what’s next.

For more information on getting SASE with Cisco:

The post Get SASE Your Way with a Platform Approach to Security appeared first on Cisco Blogs.

Maintain Cloud Security Posture with Cisco Secure Cloud Analytics

Your business is facing some of its most rapid growth… maybe ever. According to the Cisco Annual Internet Report, cloud data centers will process nearly 95% of workloads in 2021. Over the past decade, businesses began racing into the cloud. With a newfound understanding of the great flexibility it can offer, CISOs around the world invested millions to migrate their business’ workloads into IaaS and PaaS based systems. Large enterprises spotted an opportunity to minimize their overhead costs and move away from some of the more traditional on-prem data centers, while small businesses realized that they can truly flourish in the public cloud. The laundry list of benefits includes added flexibility, lower costs, easier management and maintenance, and better overall agility that allows small organizations to function while operating with tighter resources.

It almost sounds too good to be true, right? Well, despite this massive cloud migration, 94% of organizations are moderately to extremely concerned about cloud security [1]. We’ve seen some big-name enterprises fall victim to attacks that stem from one critical mistake: misconfigured assets in the public cloud.

[1] 2020 Cloud Security Report, Cybersecurity Insiders

Today at our Partner Summit 2020 event, we are excited to announce new features that will soon be available in Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud), a SaaS-based Network Detection & Response (NDR) offering, that give CISOs more confidence in their ongoing journey in the cloud. This solution is already built to protect your public cloud resources as it provides comprehensive visibility into all of your public cloud traffic. It is a true multi-cloud solution and can ingest native telemetry from Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). It even has the ability to detect threats in encrypted traffic without active packet inspection.

New to Secure Cloud Analytics, is a highly flexible event viewer that offers a wealth of information about your business’ cloud deployment, resource configuration, alignment to industry standards and regulations and so much more. Here is a breakdown of how these features will help your business:

1. Encourage collaboration through simple reporting on cloud security posture

Secure Cloud Analytics enables your DevOps and SecOps groups to work cohesively, as one team. It identifies a critical gap that often exists between these functions. Your SecOps team is focused on threat hunting and protecting the business. It must monitor the network for alerts and address suspicious behavior in a timely manner. DevOps is responsible for implementing changes to code and configuring cloud resources but often lacks visibility into what SecOps is discovering about the network. The event viewer allows SecOps teams to identify vulnerabilities and gather critical information about configurations in the cloud and seamlessly deliver this information to DevOps to ensure that proper adjustments are made and that cloud workloads stay secure. Integrated with Cisco SecureX and other 3rd party platforms, Secure Cloud Analytics makes it easier than ever for teams to communicate their findings and make fluid adjustments in the public cloud.

2. Maintain compliance and meet standards unique to your industry

There is no one team solely responsible for ensuring compliance or meeting segmentation rules, however these new features enable teams to find and share information about public cloud traffic easily. The event viewer allows users to monitor cloud posture as it relates to various industry best practices. Users can investigate all cloud accounts and be alerted on those that are not compliant with industry standards like PCI, HIPAA and CIS frameworks or custom internal policies. Robust filtering and query searches allow the user to zero in on misconfigured or vulnerable assets that cause any compliance concerns.

3. Seamlessly monitor and protect your public cloud resources

The bread and butter of Secure Cloud Analytics is its ability to classify your network devices and monitor their behavior to detect threats. This process is known as dynamic entity modeling. Upon deployment, Secure Cloud Analytics starts to establish a baseline for learned ‘normal’ behavior. While it does provide some alerts out of the box, the most powerful alerts are triggered when it begins to understand the network and sees some deviation from the behavioral norm. It automatically groups your cloud resources into roles like EC2 instances, S3 buckets, AWS load balancers and more. It generates alerts like Geographically Unusual Azure API Usage and AWS Lambda Invocation Spike that are designed specifically to spot vulnerabilities in your cloud configurations.

Your business needs to keep finding new ways to innovate, stay agile, and protect its sensitive workloads. Ensure confidence in your cloud security posture with Secure Cloud Analytics.

To learn more please visit our webpage and At-a-Glance summarizing these features, and sign up for a 60-day free trial today.

The post Maintain Cloud Security Posture with Cisco Secure Cloud Analytics appeared first on Cisco Blogs.

Home Depot blunder emails customer order info to strangers

Multiple reports emerged today from Home Depot customers in Canada stating that the company had accidentally sent them hundreds of emails containing order information of strangers. Multiple users received hundreds of "order ready for pickup" reminder emails, each pertaining to a different order and not associated with their account. [...]

What’s next for Cisco SecureX?

Impactful simplicity, visibility, and efficiency through XDR and more

Over the past several years, we’ve made incredible headway in our mission to simplify, streamline, and strengthen security for our customers. With the launch of Cisco SecureX, we focused those efforts into bringing you a cloud-native, built-in platform experience to tackle your biggest pain point – rising complexity.

Cisco SecureX brings together a wide range of security, networking, and IT technologies to deliver impactful simplicity, visibility, and efficiency. By providing XDR capabilities and more with every Cisco Secure product, SecureX lessens the burden of having to correlate intelligence from disparate technologies and conduct time-consuming, manual response.

Not only do we clear the path for more comprehensive, holistic security by integrating our own products, but we also work closely with many technical alliance partners to provide third-party integrations. This allows customers to incorporate other technologies they already have into the platform to further increase the value of their SecureX deployment.

With the Cisco SecureX platform, you can:

  • Simplify your security with an open architecture and broad set of integrations that allow you to use various products together to better defend your infrastructure.
  • Enhance your visibility with a unified view and in-depth analytics across your entire security ecosystem, accelerating the time to detect and investigate even the most hidden threats.
  • Increase your efficiency through automation and streamlined security operations to lower costs and improve productivity.

When we first unveiled SecureX, we told you that it wasn’t the end, but rather a crucial stepping stone in our journey to simplicity. SecureX is a dynamic platform through which we will continue to incorporate new features and functionality to enhance your security posture. We want to continue helping your business become more resilient and your security teams more relaxed, while at the same time accomplishing more.

The latest innovations

This week at our digital Partner Summit, we’re sharing details on some of the SecureX innovations that will further reduce complexity and increase protection for our customers. These innovations include:

  • Cisco SecureX orchestration – With SecureX orchestration, you can use pre-built or easily customizable workflows to automate routine security tasks. Leverage already created workflows aligned to common use cases, or build custom workflows with a drag-and-drop interface that requires no special skills to use. Draw upon both Cisco and third-party technologies to enable automated actions that decrease onerous work for security teams.
  • In-depth collaboration with the SecureX ribbon – Cisco SecureX fosters improved collaboration among security, networking, and IT groups. Now, with the SecureX ribbon, operational disconnects between these groups can be further reduced. The ribbon allows for the saving and sharing of information across teams and tools, and stays with you when you pivot to other applications to maintain context around certain events. It provides a single location for various team members to get answers and take actions without having to continuously switch back and forth between consoles.
  • New Cloud Security Posture Management – Integrated with SecureX, Cisco Secure Cloud Analytics enables greater collaboration between SecOps and DevOps to help your business maintain proper cloud security posture. It now includes a highly flexible event viewer that allows your SecOps team to monitor for behavior that may be indicative of threats or misconfigurations in the cloud. They can then easily share this information with DevOps, the group ultimately responsible for addressing gaps in cloud security. These new features are designed to encourage more transparency to help safeguard sensitive workloads in the public cloud.
  • Cisco Secure portfolio simplification – In addition to making our security technology easier to use, we have also made it easier to understand through a simplification of our product portfolio and naming. Products under our Cisco Secure brand now have more descriptive names that more closely map to customer outcomes and objectives, and we have reduced the overall number of different product names by 50 percent to minimize confusion for our customers.

Cisco SecureX is the broadest, most integrated security platform in the industry, protecting you from the network and cloud to endpoints and applications. The core of SecureX, and where we started, is with threat response. We have built onto the platform from there to make it more inclusive for addressing a wide range of security use cases, including but not limited to XDR.

Customer success with SecureX

Approximately 11,000 customers have already taken advantage of SecureX threat response, and 72% have been able to eliminate manual investigation tasks. According to Simon Evans, Security Engineer with the Royal Bank of Canada, “Any product like SecureX threat response that integrates easily with our current infrastructure and gives us more visibility into what is going on from a threat perspective is a plus.”

SecureX enables security teams to focus on more forward-thinking initiatives versus just basic responsibilities, helping you grow your business instead of simply keeping it running. We will continue to evolve the SecureX platform and work with our partners to meet our customers’ growing needs amidst an ever-changing and more challenging business environment.

For more information, find out what Gartner has to say about XDR, and visit our SecureX page for the latest updates.

The post What’s next for Cisco SecureX? appeared first on Cisco Blogs.

ISE 3.0 Makes Its Move on the Cloud to Simplify the Zero-Trust Workplace

In 2020 we all learned that the future can hit us at any time. As businesses adapted to new realities on the backs of natural disasters, global health emergencies, and political uncertainty, the network and the digital transformation of doing business moved from a means of thriving to one of sheer survival.


As IT accelerated the digital transformation, we were all thrust across the chasm and up the adoption curve with many future-leaning technologies and ways of doing business. Cloud, mobility, and the need to remotely manage their network infrastructure, including Internet of Things (IoT) devices, moved from the roadmap — something we will look into — to something we have to do.


To complicate things, these technologies that enable business resiliency are also increasing the attack surface and pushing the boundaries of IT. Security teams were already overwhelmed with a slew of disconnected vendors and products. This added level of complexity isn’t making it any easier to find the attackers hiding within siloed levels of visibility across the distributed network and taking advantage of rushed IT — who are often sacrificing protection and organizational policy in the name of speed and survival. 


Business resiliency and agility are why we put our heads down and went to work to build Cisco Identity Services Engine (ISE) 3.0. ISE 3.0 will enable IT teams and businesses to be agile and adapt to changing global macro conditions and minimize business disruptions.


“We have been on a journey with gaining visibility into our network. With ISE 3.0 we really have total visibility. We are seeing things we never knew were there. Combining this with stability and improvements makes 3.0 a great release.”

– Simon Furber, Network and Infrastructure Security Architect, Brunel University



Solving more for customers with 3.0:


 • To remain agile and build business resiliency, we need zero trust built into our networks. ISE 3.0 closes the gaps of visibility into endpoints with Cisco AI Endpoint Analytics and segmentation as part of Software-Defined Access (SDA). Customers can now leverage machine learning to automate endpoints’ identification and ensure access based on privilege. Read how Adventist Health identified 70% of all endpoints.


 • Customers want fast, lightweight security, so we are releasing agentless posture in 3.0, giving IT the freedom to choose between an agent or agentless approach in ensuring that the endpoint is compliant with organizational policy and accelerating zero trust. 


 • Where and how customers consume their security has evolved, and to lead in this transition, we are kicking off our cloud-enabled story with ISE deployable from the cloud (AWS). Not only does this simplify the unification of policy across campus and branch, it also enables IT to apply consistent, intelligent policy decisions to any location, from anywhere, extending the zero-trust workplace. 


 • And since everyone wants “easy,” we revamped the UI to unleash guided workflows for advanced use cases. To further simplify the user experience for IT and the flexibility of operations, we enabled rich APIs to help simplify ongoing operations.


ISE 3.0 is a fantastic milestone to achieve in 2020 and shows that we can all be resilient, adapt, and overcome within global disruptions. I am proud to be not only a leader, but also a member of this amazing team. This team is why ISE is the market share leader and continues to see tremendous growth, with more than 40,000 customers and counting … not to mention the two industry awards just this year alone. The traction we are making in the market is key to our overall SDA strategy and will give customers a solid foundation in extending zero trust into the workplace. So stay tuned. We have more in store for you in 2021 as we look to solve for your secure network access challenges.



To learn more about ISE 3.0, please read this “What’s New in 3.0” at-a-glance. You can find the full release notes here.

The post ISE 3.0 Makes Its Move on the Cloud to Simplify the Zero-Trust Workplace appeared first on Cisco Blogs.

Strengthen customer relationships with Cisco SecureX

Cisco Partner Summit is one of my favorite events as I get feedback from partners on our technology roadmap, but more importantly, it is a valuable opportunity to discuss how we can work together to solve customers’ security challenges.  Now this year is virtual, so it is a bit of a game-changer in terms of delivery and interaction, but some of the underlying key security challenges remain for customers – perhaps elevated due to the pandemic.

So, what are some of the more pressing customer security challenges?  Well, we continue to see Security Operation Centers in a constant race against time to stay ahead of advanced threats.  The time to detect and remediate is at the heart of this race.  In fact, as part of our CISO 2020 Benchmark Report, 56% of CISOs stated that time-to-detect is a critical key performance indicator.  However, security teams are all too often held back in this race, overwhelmed with a slew of disconnected vendors and products. The complexity hampers the team’s ability to enter this race with the best possible operational security fitness.

The old way of doing things in the industry left us in disarray.  For years the path forward was to deploy best of breed technologies in an attempt to stay ahead of threat actors.  All of these disparate security investments not working well together left customers with massive operational inefficiencies and a porous defense.  Customers might have felt protected with the latest new technology and multiple technologies delivering a defense in depth strategy.  The stark reality is that the underlying architecture is a complex mess with technologies from multiple vendors and multiple providers, resulting in hidden context, conflicting alerts, and multiple manual efforts that dramatically lengthen time-to-detect and time-to-remediate.  Today’s approach is unsustainable.  The complexity is only yielding limited visibility, lack of orchestration, a patchwork of products creating security gaps, skills shortages, and more.  Throwing more technology at the problem is not the answer. Customers realize that they must break out of this vicious circle.

This is where a platform approach will make all the difference by tackling the most pressing challenge of complexity.  At Partner Summit, I delivered an Innovation Talk on Cisco SecureX. Our cloud-native, built-in platform experience within our portfolio that connects to existing customer infrastructures, dramatically innovating time-to-detect and time-to-remediate.  SecureX is truly helping customers sharpen their Security Operation Center fitness, making it easier to stay ahead of advanced threats.  A Financial Customer stated: “Security priorities are the ability to respond to threats quicker, and operational efficiencies. SecureX addressed our top priorities and challenges.”

There is an amazing opportunity for us to partner together and build new business opportunities by helping customers transform their security infrastructure.  Together we can help customers move from a complex infrastructure with disjointed solutions to a simpler infrastructure that is integrated, resilient, and open.  The platform approach with SecureX shows our customers how to remove bottlenecks that slow down their team’s access to answers and actions.  And, this empowers customers with the industry’s most advanced XDR (extended detection and response) capabilities and more, to help them achieve greater visibility, simplicity, and efficiency. As a Cisco Secure partner, you strengthen customer relationships while growing your business with multiple recurring revenue streams.

Cisco SecureX is an exciting and powerful platform that makes using and managing security easier for our customers.  SecureX is the culmination of an effort that began several years ago that started with Cisco Threat Response, long before XDR was a thing, which now is an integral feature of our platform called SecureX threat response.  As a result, we have a massively proven platform that has helped over 11,000 customers unlock value with the threat response feature.  Of course, the SecureX platform extends innovation beyond SecureX threat response with SecureX orchestration, SecureX ribbon, and more.  Here are some responses back from SecureX customers based on a recent survey:

  • Almost all of our customers said SecureX helps them get the unified view needed for rapid threat response.
  • More than 90% of our customers reported that SecureX enables their security teams to collaborate more effectively.
  • 82% of customers emphasized the importance of our platform’s ability to connect to 3rd party security tools for comprehensive investigations.

SecureX customers are unlocking tremendous value with Cisco Secure portfolio and 3rd party solutions while building up their security operation fitness in the process.  After all, it is a race against time; getting rid of complexity enhances security fitness so customers will stay ahead of advanced threats.  We are looking forward to working with our Cisco Secure partners to help customers confidently tackle their most pressing security and security operation challenges with SecureX.

The post Strengthen customer relationships with Cisco SecureX appeared first on Cisco Blogs.

Cisco Takes a Simple, Secure, and Scalable Approach to SASE

The erosion of the network perimeter has accelerated over the last year and this has changed the way we look at security. I wrote a blog about the emerging concept of a Secure Access Service Edge (SASE) architecture earlier this year and highlighted the core components that are required.  In the past few months I haven’t seen anyone debunk the SASE direction that Gartner outlined, but I have seen many different interpretations of the approach and evaluation criteria that should be used when developing a SASE strategy.

I think it would be best to reference the challenges that fueled the development of this concept, to help ground us on the proper areas of focus or evaluation.

  • Increased security and networking complexity in distributed environments
  • Gaps in security and performance problems related to cloud/SaaS adoption
  • Scale and throughput across a wide range of security functions

The SASE concept is based on cloud-native capabilities that simplify the IT environment while improving security and enabling dynamic scalability (simplicity, security, and scalability). We believe that these are the core tenets that you should keep in mind as you develop your SASE strategy. Based on that structure, let’s take a look at how Cisco is delivering on the SASE vision.


Cisco’s Umbrella, Duo and Meraki solutions have consistently delivered high performance while leading the market with their simplified customer experience from initial deployment to configuration and ongoing management tasks. For example, in the last eighteen months Umbrella has added secure web gateway, firewall-as-a-service and CASB capabilities all within its single, easy to use console. I recently blogged about the addition of SecureX to all Cisco security solutions. This security platform not only aggregates data from across the Cisco security portfolio, but also includes third-party data and automated response actions to further simplify the daily tasks of your security analysts and improve response time.

One of the leading SASE use cases involves the transition to direct-internet-access (DIA) from branches and remote offices. To date early adopters have struggled with long deployment times because of the complex SD-WAN, tunnel and cloud security integration tasks. Cisco has drastically simplified the solution to this multi-faceted challenge starting from purchasing (with a single Cisco SD-WAN and Umbrella SKU), through deployment (with automated integration of Cisco SD-WAN and Umbrella) so you can get hundreds of locations connected quickly, to simplified, ongoing management (policy control from one cloud-based dashboard and automated failover).

Another popular SASE use case involves connecting and protecting remote/home based workers. Cisco has simplified the process for remote workers to connect into Umbrella cloud security from a variety of devices no matter where they are. The AnyConnect client (which is included with Umbrella SIG Essentials package) has recently grown to cover over 100 million devices and can easily direct outgoing traffic to Umbrella for a broad set of security functions.


Gartner currently shows the SASE concept rising quickly on the hype cycle.  Many vendors are claiming flashy, SASE-like capabilities, but when evaluating solutions, it’s important to keep the end goal in mind. What good is it to carry traffic and have flashy dashboards if you aren’t effective at stopping the increasing amount of internet-based threats that are bogging down security teams and costing millions of dollars to remediate?

At Cisco we pride ourselves on our security effectiveness. Cisco Advanced Malware Protection (AMP) posted the highest score for malware detection in recent, independent testing and was in the lowest group for false positives.  Umbrella has placed number one for multiple years on third party tests for detection of new malware, malicious files and phishing attacks.  AV-TEST just placed Cisco Umbrella first in security efficacy (see the Raviv Levi blog), after Umbrella received the highest security detection rate (96.39%) in the recent AV-TEST report. Umbrella unifies DNS-layer protection, secure web gateway, advanced threat detection, firewall, and cloud access security broker (CASB) functionality, making security invisible and seamless to the end user, regardless of what device they are using. In the same set of tests, Umbrella also received the number one position for having the lowest percentage of false positives (0.65%) across all vendors tested. The best threat detection and blocking with the least amount of time-consuming false incidents is the best of both worlds for overworked security teams.


As cloud adoption accelerates your internet traffic multiplies quickly. Luckily Cisco has a lot of experience building high performance, high volume networks.  Umbrella is built on a resilient, global cloud infrastructure that boasts 100% business uptime since 2006. Umbrella provides direct peering with over 1000 of the world’s top internet service providers (ISPs), content delivery networks (CDNs) and SaaS platforms to deliver the fastest route for any request — resulting in superior speed, effective security and the best user satisfaction. Recent Miercom testing of typical SaaS traffic showed that Umbrella’s network delivers up to a 7X reduction in latency when compared to a typical ISP connection.

The Umbrella network currently handles over 250 billion internet requests per day. Using Anycast routing, our customer facing data centers across the globe are available using the same single IP address. As a result, your requests are transparently sent to the nearest data center and failover is automatic. Our infrastructure is built in an elastic format which provides extreme flexibility enabling traffic to scale up dramatically, delivering a low latency path to their applications no matter where they are hosted. Unlike many other providers, Cisco doesn’t just rent common infrastructure from a public cloud service.  We own, actively manage and tune our own equipment for high throughput security.  This empowers us to adjust the control necessary to maintain consistent high performance.

Start the journey now and do SASE your way

Implementing a full SASE architecture is a multi-step journey that will be different for each organization, but the time to start is now. At Cisco, we have a proven track record in the core SASE areas of networking, security, and identity services. We can provide you with solutions that include the consolidation, ease of deployment, and management that you need to scale your business, and provide effective security for users anywhere they choose to work – without a degradation in speed, performance or user experience.  And we know it’s important for you to be able to choose a transition path that works best for your business, and support integration with your existing security investments. So, let’s go…pick a partner you trust, it’s time to get SASE!

For more information see the Roadmap to SASE or visit the SASE webpage.

The post Cisco Takes a Simple, Secure, and Scalable Approach to SASE appeared first on Cisco Blogs.

Cisco Secure – Conquering Complexity with Simplified Security

Over the past several decades, threat actors have become increasingly prolific with their attacks. And as new attacks have evolved, we in the security industry have been there every step of the way to rapidly protect our customers. While our intentions have always been to build robust defenses against emerging threats, this has unfortunately resulted in a cybersecurity marketplace that can at times be overwhelming to comprehend and navigate.

Today’s organizations are often working with a dozen or more different security companies, each with multiple products. We repeatedly hear from our customers that their teams are being crushed by complexity, and that they long for vendors to keep it simple. Not just in the way our technology works, but even down to what it’s called.

Industry analysts agree. According to ESG Senior Principal Analyst Jon Oltsik, “The security industry has been too complex for years. There are too many products for security professionals to learn the names of, let alone become proficient in.”

As a worldwide leader in cybersecurity, we take this message to heart. Our innovations and acquisitions over the years have resulted in a broad set of technologies – often with separate names for different models, on-premises versus cloud options, and sub-components within each product. We realize that it has become confusing for our customers, and we want to do our part to reverse this trend in the industry and make the cybersecurity market less daunting.

With this challenge in mind, our security team set out several years ago to make our technology easier. Easier to procure, easier to use, and certainly easier to understand. We have been on a journey to simplify the Cisco security experience for our customers through three major initiatives:

And we haven’t taken this task lightly. We are keenly aware that as the largest enterprise cybersecurity company in the world, we have a unique opportunity to lead the way with a bold transformation of unprecedented magnitude. This careful and dedicated effort has required all hands on deck, because to truly make a difference and set an example in the industry, we have to do it right. 

From confusion to clarity   

As I discussed in an earlier blog post, we recently reached a major milestone in this mission with the launch of our integrated security platform, Cisco SecureX, as well as the reveal of our renamed security portfolio, ‘Cisco Secure.’ Now, we are extending that important simplification to the product level.

Today’s organizations have an expansive range of products (literally thousands) to choose from when it comes to protecting their environment. When we present you with a solution, we want to make sure you can immediately understand what it does and which part of your infrastructure it protects. After all, even the greatest security products are no good if people can’t understand what they do or how to use them.

We have therefore simplified the naming of our security products with new, more descriptive monikers. We are making sure that our naming clearly indicates the value of each product so that it can serve as a roadmap for helping you build out your capabilities. For example, Cisco Advanced Malware Protection (AMP) for Endpoints will now be called “Cisco Secure Endpoint.” And the Cisco Email Security Appliance and Cisco Cloud Email Security are now both referred to as “Cisco Secure Email.” Whether you want on-premises or cloud delivery, it doesn’t have to make the name more complex.

While our goal has been simplicity, the path to getting there has not been easy. For our renaming alone, we conducted more than 100 hours of interviews with customers, partners, analysts, and other stakeholders to obtain their thoughts on this transition. That’s in addition to months of extensive internal collaboration among various Cisco teams.

Our teams have worked hard to make our new product names more closely align with our customers’ security goals and outcomes. In the end, we have reduced our product names by 50 percent, and I’m happy to report that it’s already making a difference for our end users. One customer said, “The new names really make it easier to identify what each product does.” And another added, “[The updated names] create a kind of checklist for customers to help identify their needs.”

This is exactly the kind of feedback we want to hear. At the end of the day, we want you to feel more secure – with your technology choices, with Cisco as a strategic partner, and with the security industry overall. Cisco has a great responsibility to help overwhelmed defenders take back control of their environments. We will continue to listen, learn, and take action to help solve the issue of complexity and create a clear path forward for our customers.

Learn more about the newly renamed Cisco Secure portfolio, and keep an eye on our Cisco Security Blog for future posts on this important, ongoing transformation.


The post Cisco Secure – Conquering Complexity with Simplified Security appeared first on Cisco Blogs.

Cisco’s Duo Security launches Trust Monitor to simplify access monitoring

Duo combines human control with ML-driven automation to help safely enable remote work

A modern, zero-trust security architecture ensures that only authorized users using safe devices gain access to corporate applications. However, establishing trust over time, and consistently and continuously monitoring access granted to users, is a challenge for organizations that have had to quickly evolve their access strategy in light of remote work.

That’s why I’m proud to announce the general availability of Duo Trust Monitor, Duo’s machine learning-driven risk detection, starting Thursday, November 19. The feature will be available in Duo Access and Beyond editions.

Duo Trust Monitor analyzes real-time authentication data to create a baseline of normal user behavior at the point of login. Once Duo Trust Monitor observes these access patterns, it surfaces risky logins to help the security team identify suspicious activity and aid in the investigation of compromised accounts.

While many tools on the market rely on simple or static rules, Duo Trust Monitor looks at access patterns more holistically — taking into account extended access history and context between multiple variables, such as device and location.

The visibility Duo Trust Monitor provides, combined with Duo’s expressive policy engine, lies at the center of Cisco’s zero-trust for the workforce strategy – linking risk detection directly to access control.

Duo Trust Monitor - Visibility & Policies between every application, trusted users and trusted devices

When Duo Trust Monitor highlights anomalous activity, this informs better, more tailored policy. For example, if Duo Trust Monitor identifies a suspicious login from a risky location, a Duo administrator can set a geolocation restriction in response. By improving policy in light of anomalous access, Duo Trust Monitor’s events become stronger in signal and enable IT admins to further narrow suspicious access.

While we’re excited to offer this capability via Duo’s administrative console, we’re also proud to provide an open API to integrate with existing processes and workflows, whether our own SecureX platform, or even custom security operations tooling.

For security to scale, it’s important to achieve a balance between control and automation. Purpose-built user behavior analytics will become more common as a cornerstone of a zero-trust security architecture, vs. the generalized approach of simply correlating security events that inundate teams today.

As the industry continues to apply artificial intelligence and machine learning to security, it’s imperative that we reduce work for teams to do through careful design of analytics and automation. Duo Trust Monitor is designed to empower small teams to have a large impact by focusing on the access risks that are specific to their business and enable work from anywhere.

For more information, check out our documentation or reach out to Duo to learn more.

The post Cisco’s Duo Security launches Trust Monitor to simplify access monitoring appeared first on Cisco Blogs.

Humans are Bad at URLs and Fonts Don’t Matter


Been a lot of "victim blaming" going on these last few days. The victim, through no fault of their own, has been the target of numerous angry tweets designed to ridicule their role in internet security and suggest they are incapable of performing their duty. Here's where it all started:

Let me include a screen grab of the poll NordVPN posted in that tweet because for reasons that will become apparent in a moment, your experience may differ:

When I first saw this poll, it had already ended so the votes were on full display. I assumed Baidu got the lion's share of the votes by virtue of the HTTP address not being served over the secure scheme, even though HTTPS has got absolutely nothing to do with the trustworthiness of the contents of a website. If I'm completely honest, I had no idea what the correct answer would be because frankly, I'm bad at reading URLs. Turns out it was the third one:

Ah, tricky! Everything becomes clear(er) if I manually change the font in the browser dev tools to a serif version:

The victim I was referring to in the opening of this blog post? The poor old sans-serif font with multiple people throwing it under the proverbial bus as a useless typographic choice for expressing domain names. I'm going to come to the defence of the simple typeface in this blog, starting with an explanation of what we're actually seeing here - homoglyphs:

In orthography and typography, a homoglyph is one of two or more graphemes, characters, or glyphs with shapes that appear identical or very similar.

But the characters in NordVPN's poll only appear similar because the case is being mixed, so why not just lowercase everything? That's what happens already once the URL appears in the browser's address bar:

For the domain NordVPN used in the poll, let's have a look at how it renders in the browser (oddly, the site doesn't support HTTPS so I've changed the scheme, but the domain name is the same):

Turns out that isn't a phishing website, rather it's a legit real estate services business, shown here in Chrome at the very common resolution of 1080p. Can you spot the subtle difference in the domain name compared to the search engine? Can you clearly see how the "i" is not an "l"? Obviously, the image is resized to the width of paragraphs on this blog, give it a click if you want to check it out at 1:1 size. But let's also keep some perspective here; look at how many pixels are different between an "i" and an "l":

Are we really saying we're going to combat phishing by relying on untrained eyes to spot 6 pixels being off in a screen of more than 2 million of them?! Of course not, especially if someone has just arrived at this page after clicking on a link like NordVPN's with the uppercase "I" and especially not if instead of a "fine real estate" website the page was a phish designed to look precisely like Google. Bartek's suggestion was entirely understandable, but also entirely unreliable.

Much of this comes back to the old chestnut about how involved users should be in the whole decision-making process around the trustworthiness of a URL and indeed, how proactive technology should be to help them with this task. For example:

So... someone wants to look for some fine real estate on and the browser pops a warning? Poor Googie! Just having a similar name doesn't make a site "bad" (or potentially bad) in just the same way as not having a similar name doesn't mean the URL isn't pointing at a phishing site. More on that soon.

But there's another problem too and it boils down to the fact that homoglyphs are a much broader issue than a couple of characters in sans-serif appearing similar. For example, the Wikipedia article on the topic demonstrates how the first letter of our Latin alphabet expressed in lowercase is indistinguishable from a Cyrillic version when expressed in the Helvetica font:

The blue in-fill is the familiar "a" whilst the red outline is the Cyrillic one and whilst these two characters look the same, they're actually totally different. Consequently, you could feasibly have two different URLs expressed that whilst visually identical, actually go to different places. Here's a beautiful illustration of the problem:

If you look at the address bar in the current version of Firefox, your eyes tell you you're looking at yet if you look at the title of the tab, you realise you're not on the tech giant's website at all rather you're on аррӏе.com instead. Huh?!

Now let's get really messed up and inspect the paragraph above in Firefox's dev tools:

The browser shows the company name we all recognise on the page and just under the mouse we see the same name again in the status bar. Yet in the dev tools we see the href attribute of the hyperlink referring to an unrecognisable string of characters and the domain name within the <a> tag almost looking like a very familiar one, albeit for the fourth character. Click the link on Firefox and you end up on a page talking about IDN homographs but if you're on Chrome, the experience is different; it still looks like the tech company's domain in the browser but hovering over the link shows the href value from above in the status bar. Actually clicking the link then gives you this:

This is a demonstration from April 2017 of phishing with Unicode domains:

Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate.

You can delve into the details of how this works in the link above but for now, there are two important messages to take away with you:

  1. Even careful visual inspection of the URL is insufficient to determine the actual website address you're visiting
  2. Different clients can render precisely the same URL in completely different ways
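To make both messages concrete, here is a small Python check, added here as an example and not code from the post or from any browser: it renders a hostname the way the href and status bar do (Punycode "xn--" labels), collapses look-alike letters onto their Latin twins, and flags labels that are entirely Cyrillic look-alikes or that mix scripts, in the spirit of the whole-script-confusable heuristic behind Chrome's warning. The look-alike table and the protected-domain list are constructed for illustration and are deliberately incomplete.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters whose glyphs are
# near-identical to Latin letters in common sans-serif fonts. This is an
# illustrative subset, not the full Unicode TR39 confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

# Constructed allow-list of domains we want to protect against look-alikes.
PROTECTED = {"apple.com", "google.com"}


def script_of(ch: str) -> str:
    """Coarse script classification derived from the Unicode character name."""
    if ch.isascii():
        return "Latin"
    name = unicodedata.name(ch, "")
    for script in ("CYRILLIC", "GREEK", "LATIN", "ARMENIAN"):
        if name.startswith(script):
            return script.capitalize()
    return "Other"


def normalise(hostname: str) -> str:
    """NFKC plus lowercase, the same mapping IDNA applies before encoding."""
    return unicodedata.normalize("NFKC", hostname).lower()


def to_ascii(hostname: str) -> str:
    """Render a hostname as the href/status bar shows it: Punycode 'xn--'
    labels for anything non-ASCII, plain labels left alone."""
    out = []
    for label in normalise(hostname).split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(hostname: str) -> str:
    """Collapse look-alike letters onto their Latin twins (a TR39-style skeleton),
    i.e. what the eye sees rather than what the resolver gets."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in normalise(hostname))


def analyse(hostname: str, protected=PROTECTED) -> dict:
    """Return the Punycode form plus a list of homograph findings for a hostname."""
    findings = []
    for label in normalise(hostname).split("."):
        letters = [ch for ch in label if ch.isalpha()]
        scripts = {script_of(ch) for ch in letters}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        elif scripts == {"Cyrillic"} and all(ch in CYRILLIC_LOOKALIKES for ch in letters):
            findings.append(f"label {label!r} is Cyrillic but every letter has a Latin twin")
    ascii_form = to_ascii(hostname)
    twin = skeleton(hostname)
    if twin in protected and ascii_form != twin:
        findings.append(f"renders like {twin} but actually resolves via {ascii_form}")
    return {"ascii": ascii_form, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # The Unicode domain from the 2017 demonstration referenced above.
    for host in ("apple.com", "\u0430\u0440\u0440\u04cf\u0435.com"):
        report = analyse(host)
        print(f"{host} -> {report['ascii']}  suspicious={report['suspicious']}")
        for finding in report["findings"]:
            print("   ", finding)
```

Run stand-alone it prints the Unicode and Punycode forms side by side; the skeleton of the Cyrillic domain is exactly "apple.com", which is message 1, while the Punycode form is what a client that refuses to render it as Unicode shows, which is message 2.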

This is why sentiments such as this are so misplaced:

This is not a "sin" committed by either typographers or coders and blaming the poor old sans-serif font merely makes it the victim in all of this. It's a misplaced sentiment as we simply have similar looking characters in different alphabets. Is it any wonder that people are bad at reading and understanding even the domain part of the URL then making decisions based on that which affect their security and privacy?

What if we took a different tack? I mean what if we somehow made it much clearer to people the actual URL they're on in a way that isn't ambiguous due to the characters used in the address? Be more "user-centric", as it were:

Let's tackle why this doesn't get us any closer to a real solution and this is where things get worse - much worse. Before you start watching the video I've embedded below, let me set some context: this talk is by Emily Schechter who works on the Google Chrome team. I saw her deliver this keynote at LocoMocoSec in Hawaii a couple of years ago and it really resonated with me. Emily is one of the best in the business with more access to real world information on how people interact with browsers than just about anyone, so listen to her words carefully (I've deep-linked to the relevant section, just give it one minute of your time):

Do you think you can understand just from the URL who's publishing these sites? Can you tell which one of these is the real Google blog site?

I can't, because as we've already established, I'm bad at reading and understanding even the domain part of the URL, just like you are. In case you were wondering, the real Google blog website is at and the only way I know that is because I fast forwarded to the 16 minute mark of the video and heard Emily say that! The point I'm obviously making here is that when we talk about people being bad at interpreting URLs, it's not a problem that's solved simply by changing the font or "centring their experience", the issue is so much deeper than that.

But none of that stopped the Twitter peanut gallery from chiming in on their displeasure about difficulties that URLs pose. Some suggestions were reasonable, others were, well:

A common theme amongst the responses on Twitter was about user-centricity, empathy and accessibility. These are all good sentiments, but as I said in a follow-up tweet, they're all motherhood statements that carry nothing of substance. It's akin to saying "we should solve world hunger" then wandering off without actually providing any solutions. Or saying something like we should just have a "funded multi-disciplinary team" and that'll solve the probl... ah:

I'm sure it'd be very nice to have this team, but what are they actually going to build? Is it a button? A notification somewhere? This isn't a solution to phishing, it's suggesting that there should be a team of people who can find solutions to phishing, kinda like the Google Chrome team, right? 🙂

A suggestion that was more practical in nature involved displaying some form of verified identity on the site:

Whilst this sounds good in theory, as Bartek observed, browsers don't do that anymore and for good reason: it never worked in the first place. It never worked for all the sorts of reasons I outlined in that blog post and the others that preceded it. At the very heart of EV's failure was this simple false premise: that on a per website basis, users are able to use their own judgement to accurately make a trust decision based on the absence of a little-known (and rarely present) visual indicator. They couldn't, just as they can't with URL parameters, fonts with or without serifs and indeed even entire URLs without any obfuscation whatsoever. It. Just. Doesn't. Work.

But what if they could? I mean what if the world was completely different to what it actually is and people understood visual security indicators? Not just visual indicators, what if people could actually read and understand URLs?

Clearly, they can't at present (we've already established that), so what would be the challenges in changing this behaviour?

Scott nailed it here - changing the status quo across billions of internet users simply isn't feasible and any solution that requires them to detect subtle nuances in the structure of a URL is bound to fail. There are places where visual indicators can be very effective, but we're talking really obnoxious ones such as Chrome's warning above on the punycode Apple domain. That's a very different kettle of phish (sorry, couldn't help myself!) to suggesting that we can train people to read and understand URLs.

So, can we just take the humans out of the picture and instead identify phishing sites with the technology? We can already and last month I wrote about how NordVPN's CyberSec can block this sort of thing outright:

Per that blog post, this was a legitimate phishing site (ok, I used the word "legitimate" in an odd fashion here but you know what I mean 🙂), and check out the URL; none of the prior suggestions around using a serif font stop sites like this. Does anyone honestly think fewer people would fall for it if the font was more decorative?!

Before wrapping up this post, it's worth touching on why we have sans-serif fonts in places like Twitter clients. In fact, let's first acknowledge that unless someone can prove me wrong, every Twitter client uses a sans-serif font. Certainly, the Twitter website does, so does the native iOS client and so does Tweetbot. If you're using a client that doesn't, I'd love to know about it. Now, do you think it's just coincidence that things worked out that way? Are coders "sinners" for building the clients using these fonts or might there actually be a legitimate reason why? Of course it's the latter:

Sans-serif fonts tend to have less stroke width variation than serif fonts. They are often used to convey simplicity and modernity or minimalism. Sans-serif fonts have become the most prevalent for display of text on computer screens. On lower-resolution digital displays, fine details like serifs may disappear or appear too large.

That said, I've obviously taken a different approach with this blog but I'm also not trying to condense as much information into a small space as Twitter is. Regardless, a sans-serif font is no more a "sin" than a serif font would stop phishing so no, I can't see Twitter clients changing tack and it would make very little difference anyway.

So, what's the answer? I mean the actual solution rather than just, say, recontextualising killer networks. (Ok, so I took that from the bullshit generator but it's indistinguishable from some of the suggestions referenced earlier.) Turns out we do have solutions and as several people pointed out, using a decent password manager is one of them:

Want to make a meaningful difference to phishing attacks? Stop whinging about fonts and instead get people using an up to date browser that flags known phishing sites running through NordVPN with CyberSec turned on and authenticating to websites using 1Password. Keep educating people, by all means, but expect even the savviest internet users will ultimately be as bad at reading URLs as I am 🙂

Gartner’s report on innovation insight for XDR

Gartner recently shared a new report on “Innovation Insight for Extended Detection and Response.” XDR (as our industry loves acronyms) is the first of nine top 2020 trends [1]. If you’re a security and risk management leader, it’s a must-read, so download the Gartner XDR Report right now.

What is innovation and what triggers it?

I recently watched Tim Kastelle, a thought leader on innovation, give a TED Talk. He describes innovation as needing (1) a new idea, (2) that adds value, and (3) that actually happens (i.e. becomes real). In security, we have many tools that are real and add value today. But as our IT environment changes and the old ways of security stop working (as well as before), three innovation triggers arise:

  • Fantasy, if we think of a new idea and buyers say it’d add value, but we haven’t figured out how to make it real.
  • Frustration, if we already made a new idea real, but not many adopt it — perhaps due to insufficient added value.
  • Or fear, if buyers are valuing other sellers’ innovations, and we don’t have a new idea yet to address this threat.

Is XDR a new idea?

Pulitzer-nominated author W. Brian Arthur defines innovation in his book “The Nature of Technology”. He states, “Technologies […] share common ancestries, and combine, morph, and combine again, to create further technologies.” And according to Tim, one of the biggest innovation mistakes is focusing only on brand-new ideas for every problem. So, often the best innovation combines old knowledge with a new approach! We’ve gained a lot of knowledge by developing cloud-native Endpoint Detection and Response (EDR) as well as Network Detection and Response (NDR) technologies over the last decade. One such example of innovation is natively integrating them together along with other control points (e.g. email and cloud security) with a new platform approach, which possesses a true understanding of the underlying data from each source. We believe Gartner agrees, as they say that “Major component parts of security infrastructure protection are reaching feature maturity, and a number of vendors offer broad portfolios. Integrating them is a natural next step. Concurrently, cloud big data storage and analytics and machine learning capability are enabling more centralized approaches to security.” But Cisco also introduces many brand-new ideas that enable our XDR innovation to stand apart from others – some examples are explained at the end.

Will XDR cause fear or frustration in other technologies?

In our view, Gartner devotes a significant portion of this research to comparing and contrasting the new XDR idea with the mature SIEM (Security Information and Event Management) and newer SOAR (Security Orchestration, Automation and Response) ideas. Many SIEM sellers may be experiencing fear as Gartner acknowledges that “While the SIEM market is mature, many organizations have not deployed SIEM tools, have failed or incomplete implementations, or only use SIEM for log storage and compliance.” And many SOAR sellers may be frustrated by low adoption over the last several years; Gartner says “Newer SOAR tools are designed to provide integration across multiple components, but are hobbled with a lack of available APIs, data merging issues and a workflow that is disconnected from the detection activity that can efficiently launch response activities.” The innovation trigger that sets XDR apart from SIEM and SOAR is the level of integration of their products at deployment, which is why “XDR products will be appealing to more pragmatic organizations that are overwhelmed by security complexity and the lack of skilled security operations staff.” Yet our understanding, when Gartner says that “XDRs are not a replacement for all SIEM use cases, such as generic log storage or compliance,” is that XDR will complement the SIEM (and even SOAR) tools that customers have already invested in.

Does XDR add value?

Absolutely! We believe Gartner’s 2020 Hype Cycle for Security Operations [2] says XDR will unlock a “high benefit” for customers selecting a security solution provider with a portfolio of infrastructure protection products. For comparison, our understanding is that SIEM and SOAR tools will just provide a “moderate benefit”. The second key finding in Gartner’s Innovation Insight is that “XDR products are beginning to have real value in improving security operations productivity with alert and incident correlation, as well as built-in automation.” While XDR is early in its development and adoption, Gartner says that “Most organizations already have blind spots so XDRs can add value even if they are not 100% integrated.”

Is XDR still a fantasy or is it real?

We already quoted Gartner above saying that XDR is providing “real value” plus they say that “Being newer to the market, XDR has not just the promise, but also the reality of having APIs built in right from the start.” Yet, it’s true that many vendors get stuck in the fantasy of their great idea that never fully gets executed. And we believe that Gartner acknowledges these risks when they say “if the pioneering XDR vendors deliver too little security or productivity value, or solution providers simply do not deliver on their roadmaps, or XDR products end up needing the same level of integration work as modern SIEM tools, then it is likely that XDR will die in the Trough of Disillusionment.” But solving the technical problem is only the first step. Tim notes that you need the right business model to go with it. And this could cause some XDR tools to die, because if the upfront cost and time to start using it is too high, the idea will never spread from early adopters to the mainstream.

That’s why, since 2018, Cisco has included XDR capabilities — starting with SecureX threat response — as part of each security product’s existing subscription. It’s very real: over 11,000 customers have adopted SecureX as part of their daily security operations to be more productive. And the ongoing improvements and validation of our cloud-native platform approach, with analytics and automation built in, are why we already deliver the industry’s broadest XDR.

Mature technologies are combined with cutting-edge innovation

In June, we launched the SecureX ribbon, which simplifies breach defense by natively connecting detection to response with capabilities integrated within each of the other products’ consoles — rather than always forcing teams to pivot into yet another bolted-on tool. This ribbon is a consistent user interface located at the bottom of each product’s console, which can be minimized or expanded. Capabilities from one product, such as live endpoint queries, are turned into ribbon apps and are accessible from your network, email and cloud security products. Incident management and casebooks that centralize, normalize, and correlate alert context and enable cross-team collaboration are maintained in a consistent location. These built-in extensions work across the broadest portfolio. And soon, using a browser extension, the ribbon will work across your entire infrastructure, including third-party security tools or even a blog you rely on today.

Our mature NDR and EDR technologies were natively integrated before XDR was even coined. They identify and contain up to 70% more malicious intent and risk exposure, more accurately, by connecting many types of machine learning-enhanced analytics across the most data sources. We speed up decision making with improved coverage of the MITRE ATT&CK matrix by mapping IOCs per incident. We reduce detection time by up to 95% with proactive threat hunting and vulnerability management, or by identifying subtle or hidden attacks via insider, unknown, or encrypted threats that point products miss. We improve compliance posture by detecting regulatory, zero trust, and custom policy violations. And we monitor and understand user and entity behaviors whether on-prem or not, managed or not. We reduce threat dwell time by up to 85% by pinpointing root cause with visual investigation and by connecting playbook-driven automation across the most control points. You can quickly control outbreaks to minimize the impact of a breach with improved coverage of, and automated, MITRE ATT&CK mitigations.

More intelligent detections result in more productive security operations. More confident responses result in more effective security. And by reading issue 1 of this Gartner newsletter on XDR, you can learn why.

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

[1] Gartner, Top 9 Security and Risk Trends for 2020, 17 September 2020
[2] Gartner, Hype Cycle for Security Operations, 2020, Pete Shoard, 23 June 2020

The post Gartner’s report on innovation insight for XDR appeared first on Cisco Blogs.

How to Make the Most of Your Budding Cybersecurity Career

Having a career in cybersecurity can be one of the most rewarding experiences of your life. But it can also be extremely difficult starting off. Where can you turn for allies? How can you relate your knowledge to non-technical employees?

To find some answers to these questions, Cisco asked numerous experts in the field of cybersecurity to answer the following question: “If given the chance, what advice would you give yourself when you first joined the industry?” Their insights help to reveal a number of resources that they wish they would have drawn on early in their careers. Provided below are their responses.

Martijn Grooten | Researcher, Writer and Security Professional | @martijn_grooten | (LinkedIn)

Security likes “rock stars”, that is, people who have very good technical skills or who are loud, very present, and can tell a good story. When you’re new in the industry, as I once was, it’s tempting to look up to them and try hard to be liked by them. This might give you a short-term career or confidence boost, but in the long-run, I have learned it is much more important to look out for people who are kind and who have a good moral compass.

Jason Lau | Chief Information Security Officer, | @JasonCISO | (LinkedIn)

Like many others, my cybersecurity career didn’t really have a clear path, and it was through many side channels and industry events that I met peers who ultimately gave me some great advice.

Looking back, I would have told myself much earlier on to focus on the human element of cybersecurity. I was one of the earliest to dabble with eLearning in the days when the Internet was first gaining popularity before the Dot Com boom. This was when it was being used and tested in university courses where I was teaching engineering.

Given the success of eLearning, I would tell myself to continue in this space since there was already so much focus on technology, systems and software in the early days of cybersecurity and not enough on the “people” side of things, which is the initial cause of many incidents. Focusing on this topic could have made a much bigger impact on the early days of the security awareness training industry.

Fortunately, it is not too late now! I have been lucky enough to continue teaching cybersecurity at many universities as well as to conduct corporate security and privacy training to help improve the awareness for all. I feel this is a critical part of any industry. Cybersecurity is a shared responsibility, so the more sharing we do, the safer we will all become as a whole.

Phillimon Zongo | Chief Executive Officer at Cyber Leadership Institute | @PhilZongo | (LinkedIn)

There are certainly things that I could have done better. Now that I have spent a lot of time mentoring people, I would say it would have been better if I had looked for a highly experienced mentor from day one. That would have accelerated my career trajectory in those five years that I’ve been pushing myself.

I wouldn’t say it’s a big disadvantage. The path that I took was of self-discovery. I trained myself, I bought books and I scribbled everywhere. I just studied over time. But it’s true that persistence and resilience and never giving up are important because writing is very frustrating. For my first article, it took me about three and a half months to write a three-page article. That’s when I was aiming for quality. Eventually, I got it published in an international journal.

However, I would say if I were to go back, there’s not much that I would change because this formula is working for me now. I’m just continuously pushing myself, setting goals towards things that I’m afraid of doing. That’s what I do. Before I start doing something, I ask myself, “Am I scared?” If I’m not scared, then I don’t do it because it is through doing things that we are afraid of that we grow the most.

If there is one critical piece of advice that I’d give to aspiring cybersecurity professionals, it is that cybersecurity has become a product business issue with implications to the global economy; to the business value chain; to customer retention, business growth managers, and acquisitions; as well as to strategic business imperatives. If you can place yourself as someone who can communicate persuasively and with impact, who can simplify that critical message and push it to the wider business community, you’ll be able to differentiate yourself. Every time I mentor people, I see people doing the same old thing. They get certification after certification but forget that maybe 10 million people look like you. How are you different? What is something different that you bring to the table? I would say writing is something that you should strongly consider.

Ambler T. Jackson | Senior Privacy Subject Matter Expert | (LinkedIn)

If I had an opportunity to go back to the beginning of my career, I would have dedicated some additional time to learning about the technical considerations of data governance first. While I later studied data governance, what you learn from databases, data models, and data management helps to provide the big “forest-from-the-trees” picture for understanding why and how organizations capture data and how data elements move throughout the data lifecycle. I wish that I had obtained the formal education at the outset, as it would have helped to set the stage for fully understanding the lifecycle of a data element early on.

Amanda Honea-Frias | Head of Product Security at Duo, Cisco | @pandaporkchop | (LinkedIn)

I am not one to wish for a time machine in general. I believe each success and failure has made me who I am today. I do not want to sound like I have had a perfect journey and that I have achieved all that I have intended to accomplish. Quite the contrary. My life is a continuous journey, and my occupation is just a part of that journey.

Katie Moussouris | CEO of Luta Security | @k8em0 | (LinkedIn)

If I were to go back and give my younger self advice, I would probably aim myself towards early ventures that accumulated a lot of capital, a lot of cash. And the reason for that is not that everything comes down to money, it’s just that money makes a lot of things easier, such as making your ideas come to light and to fruition.

When you’re a minority woman in any industry, I think it’s a challenge for us to be taken seriously early in our careers, mid-career or late in our careers. I think that having access to capital and the means to make some of our ideas come true is important. That would have been the advice I would have given myself back then.

Mo Amin | Independent Cyber Security Culture Consultant  | @infosecmo | (LinkedIn)

If you can, try and find a mentor. There are more avenues and channels now than when I was starting out. When you find someone, make sure that you play your part in the relationship. You need to put the effort in, too. Also, remember to be patient with yourself. You can’t know everything at once. Pick an area that interests you and try to become the best that you can be in it.

Richard Archdeacon | Advisory Chief Information Security Officer, Duo Security | (LinkedIn)

It’s about people. We have to understand the technology. But the most important skill is communication. No matter how strong our technology controls are, we will get nowhere unless we can explain the “what” and the “why.” Otherwise, we will become an obstruction and not a help.

Our colleagues do not come to work to do security. They come in to carry out their tasks in their own departments in order to fulfill their roles. We need to ensure that they feel secure at work but not hindered from carrying out what they see as urgent.

An essential element of any change program is to articulate a vision and a set of objectives. This was a fundamental part of every IT transformation I have undertaken. However, all too often, technology solutions drove security. So, we have had to learn to build a network of the human sort in organizations as well as to ensure they understand the need and benefit of secure working. This has been the biggest change in security. Those CISOs who have succeeded have managed this aspect of their role well.

Want to learn more about what budding security professionals can do to advance their careers? Download Cisco’s eBook today!

The post How to Make the Most of Your Budding Cybersecurity Career appeared first on Cisco Blogs.

Trend Micro HouseCall for Home Networks: Giving You a Free Hand in Home Network Security

Remember when only desktop computers in our homes had connections to the internet? Thanks to the latest developments in smart device technology, almost everything now can be connected— security cameras, smart TVs, gaming consoles, and network storage, to name just a few. While a home network provides lots of benefits, it can also expose us to safety and privacy risks.

But checking for those risks need not be costly. How about a network security checker available for free? Yes, you read that right. Trend Micro’s free HouseCall for Home Networks (HCHN) scans the connected devices in your home network and detects those that pose security risks. And in doing so, it gives you a sense of what real network security entails. We have a solution for that also.

Want to know more?

Trend Micro HCHN uses intelligent network scanning technology to scan the devices connected to your home network for vulnerabilities. These can range from low-risk types—such as an easily identifiable Wi-Fi name that hackers can use to attack your router and home network—to high-risk types, such as SSL POODLE (used for man-in-the-middle attacks), Shellshock (used for remote code execution attacks), Heartbleed (which puts website passwords at risk) and WannaCry (a Windows ransomware cryptoworm). These and other vulnerabilities can be detected with the help of this handy tool.

In addition, HCHN checks devices for open ports that are usually targeted by hackers and malware and can be exploited for cybercriminal activities. Examples include ports 20 and 21, used by the File Transfer Protocol (FTP) to transfer files between an FTP client (20) and FTP server (21), which can expose a multitude of vulnerabilities to the internet; as well as port 23, which sends data in clear text that attackers can use to listen in, watch for credentials, or inject commands, enabling the hacker to perform remote code execution.

Moreover, HCHN gives you a report about the status of your home network and its connected devices and offers helpful advice for keeping your network and devices secure.

Lastly, HCHN provides you a notification when:

  • A new device joins the network
  • The device connects to a new network
  • A new vulnerability is found in the network.


Ready to install?

HCHN is easy to use and accessible from any device, be it Windows (7, 8 and 10), MacOS (10.12 or later), Android (5.0 or later) or iOS (8.0 or later). For your computer hardware, you just need an Intel Pentium or compatible processor, 256 MB of RAM (512 MB recommended) and at least 50 MB of available disk space, and you’re set.

  • Download and install the application from the Web, Google Play Store or Apple App Store.
  • During install, accept the Privacy and Personal Data Collection Disclosure Agreement which indicates the necessary information gathered in order to check for and identify vulnerabilities in devices connected to your home network and you’re good to go.
  • Once installed, inspect your home network’s security risk exposure by clicking (applies to Windows and MacOS) or tapping (applies to Android and iOS) Scan Now. You’re then presented with the result.


Are my home network and connected devices safe?

Here are a few scans we did, first from a Windows PC and then from Android and iOS devices.

When the scan is complete on a Windows computer it shows two tabs: Home Network and Devices.

The first tab indicates a snapshot of your home network, identifying the devices at risk.

Figure 1. HouseCall for Home Networks – Home Network

The second tab indicates a list of the devices scanned and the details of any device risks found.

Figure 2. HouseCall for Home Networks – Device List

On the Android device, once the scan has finished, the screen will reveal any security risks detected. You can view the issue to see more details of the security risk in your home network. You can then slide to the next panel and check to verify all the connected devices on your network.

Figure 3. HCHN – At Risk Devices

Similarly, upon completing the network scan from an iOS device, the app will display the risk that needs your attention. Just as with the Android device, you can move to the next panel to review the list of connected devices that were identified by Trend Micro HCHN.

Figure 4. HCHN – Needs Attention

A Few Reminders and Recommendations …

  • Use HCHN regularly to check the posture of your home network security, since new vulnerabilities and network risks may appear in the device after a time due to lack of firmware updates or a failure by the manufacturer to address a newfound risk.
  • Ensure that the devices (including mobile devices such as phones or tablets) are on and connected to the network when a scan is performed.
  • Some security products installed on the device initiating the network scan might detect the scan as suspicious and show a warning message or block user access. This doesn’t mean that HCHN is a malicious application. Add HCHN to your security product’s exception list, so it’s allowed to examine your network and connected devices for security risks.
  • The HCHN app does not automatically block dangerous network traffic or suspicious devices from connecting to your network. For that, and more home network security features, you should increase your home’s network protection with Trend Micro Home Network Security. To that we now turn.

What Home Network Security Provides

While a free network scan helps to determine the underlying dangers in your home network, to fully protect not only your home network but your family, you should consider Trend Micro Home Network Security (HNS) as a permanent enhancement to your network. It can shield your home against a wide variety of threats, including network intrusions, risky remote connections, phishing, ransomware, harmful websites and dangerous downloads. Additional features include the following:

  • New Device Approval gives you control over the devices that are allowed access to your home network.
  • Remote Access Protection limits malicious individuals from using remote desktop programs to connect to your devices at home.
  • Voice Control lets you issue voice commands to Alexa or Google Home to perform specific functions on HNS such as conducting a scan, obtaining your home network’s security status, pausing internet usage, disabling internet access for a user, and so on.
  • Parental Controls’ flexible and intuitive feature set, comprised of Filtering, Inappropriate App Used, Time Limits and Connection Alerts, can help any parent to provide a safe and secure internet experience for their kids. Combined with Trend Micro Guardian, parents can extend these protections to any network their children connect to, Wi-Fi or cellular.

Download the HNS App on your Android or iOS device to give it a spin. Note that the HNS App, when used by itself, performs the same functions as the HCHN app on those devices.

If you like what you see, pair the HNS App to a Home Network Security Station to get the full range of protections. (Note too that once you do, the HCHN App will be disabled on all your devices and network and replaced by Home Network Security.)

Figure 5. Home Network Security (HNS) App

Figure 6. HNS App Paired with the Home Network Security Station

Final Words

Home networks come with security risks. As the tech-savvy member of your household, you need to be aware of those risks. Using Trend Micro HouseCall for Home Networks (HCHN), you’ll be able to know which devices are connected to your home Wi-Fi network and whether these devices bear security risks that can be exploited by hackers and malicious software. Moreover, you’ll be provided with suggestions, in case your devices are found vulnerable.

However, just knowing the security risks is only half the battle in protecting your home network. You’ll need a more robust system that can automatically block suspicious and malicious traffic and do more— such as protecting your child’s online safety. Trend Micro Home Network Security (HNS) can address your home network’s security, even as it monitors your home network, prevents intrusions, blocks hacking attempts and web threats, and protects your family’s privacy, while keeping the internet safe for your kids.

Download Trend Micro Housecall for Home Networks from the Web, Google Play Store or Apple App Store to give it a try.

Go to Trend Micro Home Network Security to get more details on the solution, or to buy.

The post Trend Micro HouseCall for Home Networks: Giving You a Free Hand in Home Network Security appeared first on .

Over 100 irrigation systems left exposed online without protection

Researchers found more than 100 smart irrigation systems running ICC PRO that were left exposed online without a password last month.

Security experts from the Israeli security firm Security Joes discovered more than 100 irrigation systems running ICC PRO that were left exposed online without protection. ICC PRO is a top-shelf smart irrigation system designed by Motorola.

The ICC PRO systems were deployed with default factory settings, which don’t have a password for the default user’s account.

To worsen the situation, experts pointed out that it is quite simple to search for these devices exposed on the Internet by using IoT search engines like Shodan.

Once an attacker has gained access to the device, they can perform multiple actions from the control panel, including controlling the quantity and pressure of the water delivered to the pumps, deleting users, or changing settings.


The experts revealed that the majority of the devices were located in Israel.

Security Joes co-founder Ido Naor reported his findings to CERT Israel last month, which notified Motorola and CERT teams in other countries. CERT Israel also contacted the companies that exposed the irrigation systems online without protection. Motorola also sent a letter to its customers about the risks of exposing irrigation systems online without protection.

The good news is that several organizations have started securing their devices; the number of unsecured ICC PRO instances has dropped to 78 today.

In April, an attack hit an Israeli water facility attempting to modify water chlorine levels. In June, officials from the Water Authority revealed two more cyber attacks on other facilities in the country.

Two cyber-attacks took place in June and according to the officials, they did not cause any damage to the targeted infrastructure.

One of the attacks hit agricultural water pumps in upper Galilee, while the other one hit water pumps in the central province of Mateh Yehuda.

Israel’s National Cyber Directorate announced that it had received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.

Pierluigi Paganini

(SecurityAffairs – hacking, irrigation systems)

The post Over 100 irrigation systems left exposed online without protection appeared first on Security Affairs.

HPE addresses critical auth bypass issue in SSMC console

HPE fixed a remote authentication bypass vulnerability in HPE StoreServ Management Console (SSMC) data center storage management solution.

Hewlett Packard Enterprise (HPE) has addressed a maximum severity (rated 10/10) remote authentication bypass vulnerability, tracked as CVE-2020-7197, affecting the HPE StoreServ Management Console (SSMC) data center storage management solution.

HPE SSMC is a management and reporting console for HPE Primera (data storage for mission-critical apps) and HPE 3PAR StoreServ systems (AI-powered storage cloud service providers) data center arrays.

The CVE-2020-7197 flaw is a remote authentication bypass vulnerability that affects HPE 3PAR StoreServ Management and Core Software Media prior to

“HPE StoreServ Management Console is an off node multiarray manager web application and remains isolated from data on the managed arrays. SSMC is vulnerable to remote authentication bypass.” reads the advisory.

The flaw can be exploited by threat actors with no privileges and doesn’t require user interaction.

HPE has addressed the issue with the release of the HPE 3PAR StoreServ Management Console

“This SSMC release includes important security and quality improvement defect fixes that strengthen the security posture of SSMC appliances,” reads the changelog.

Hewlett Packard Enterprise acknowledged researcher Elwood Buck from MindPoint Group for reporting the flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, StoreServ Management Console)

The post HPE addresses critical auth bypass issue in SSMC console appeared first on Security Affairs.

Defense in Diversity

Security has always claimed that “Defense in Depth” is the dominant strategy. As we enter the world of automated workloads at internet-scale, it has become clear that it is in fact “Defense in Diversity” that wins over depth. When dealing with large-scale automated attacks, iteration over the same defense a million times is cheap. However, attacking a million defenses that are slightly different is costly for the threat actor.

It then comes down to this: How can you raise the cost to your adversary’s observations and actions without raising your cost equally as the defender?

As human beings, we have a cognitive limit on things like recollection, working memory, dimensional space, etc. Operating outside of any one of these parameters can be viewed as beyond our peripheral cognition. Machines, however, have no problem operating outside these boundaries, being able to compute, analyze, and respond on a vastly greater scale. That being said, machines also need proper input and interaction from the human element in order to maximize efficiency and help determine things like known good and bad behavior on a network.

The first step to achieving “Defense in Diversity” is learning to identify what elements of your approach to security are human-scale problems and which are machine-scale problems.

Diversity is the countermeasure to Determinism. Extreme forms of diversity are feasible for machines but infeasible for humans, so we need to be careful in its application in our systems. By keeping these human-level versus machine-level constraints and capabilities in mind, we need to design automation that has machine-scale diversity and operational capacity while still being able to be operated at the human-scale by the defenders.

In order to effectively combat an increasingly strategic and varied set of threats, security professionals need to take a more varied approach to defense. While repetitive and static use of an effective technique or tool might keep some adversaries at a disadvantage, or even force some of them to give up outright, at some point, your organization is going to come across an attacker that not only recognizes your defense patterns, but also knows how to counter or even circumvent them, leaving you defenseless and open for attack.

Take a moment to consider the following: What aspects of your processes or automation techniques could a threat actor use against you? Just because you can automate something for security does not mean you should. Our systems are becoming more and more automation-rich as we move from human-scale operations to machine-scale operations. However, it is paramount that we understand how to automate safely and not to the advantage of our attackers. AI and ML are an invaluable part of our set of defensive techniques, but there are still some scenarios where human-scale ingenuity and reasoning are vital to keeping our information secure.

I encourage you to take some time to assess your organization’s current approach to security and ask yourself some important questions:

  • How deterministic are your defense methods?
  • Are there any methods that you’re currently using that threat actors might be able to abuse or overcome? How would you know threat actors have taken control?
  • What set of processes are human-scale? (manually executed)
  • What set of processes are machine-scale? (automated by machines)

Recognizing how to efficiently balance the human and AI/ML components in your organization and understanding the advantages each provide will allow you to better defend against threats and allow you to seize victory against whatever foes come your way.

The post Defense in Diversity appeared first on Cisco Blogs.

“Are we affected?” – A simple question, but quite hard to answer

Who doesn’t remember the simple questions you had as a kid, or you now get as an adult from your children:

“Why is the banana crooked?”
“Why is the sky blue”
“Why do people get sick?”

That last question is especially relevant today with the current situation – we deal daily with the question “Am I affected?”

I won’t give any answers to these questions in this article, but as a Cybersecurity Consultant, I regularly hear many versions of this simple question in my daily conversations with customers:

“Are we affected?”
….by this Vulnerability / Threat / Malware / …

Problem statement

Why is it so difficult in the year 2020 (only a couple of days to go until 2021), with 30+ security tools in place, to answer that question? Due to the volume of threats out there, there is no easy answer. You have to check vulnerability databases (which only cover the publicly disclosed vulnerabilities, not the unpublished ones), keep systems patched, fine-tune the IPS ruleset, keep endpoint agents up to date to ensure the latest and greatest, enable all available engines, and many, many more. The security stack gets bigger and bigger, whether it is on premises or shifted to the cloud as a service. When things don’t work together, skilled people and solid processes must make up the gap. This has been the situation in cybersecurity for far too long. Even today, Security Operations teams have many questions every day, but the answers are locked up in various threat intelligence sources and technologies. If answers are available, they almost always take too long to find and require highly skilled people to find them. Time is more critical than ever. That’s why security must work together, but too often it doesn’t. This lack of integration poses a massive security risk to any organization. And juggling multiple consoles just makes the already-complex security challenges even harder. At Cisco, we’re changing all of that – so you can maximize your protection with an integrated platform approach.

Let’s walk through an example of a security vulnerability that the On the 17th of September they issued a press release to inform the managing directors of German companies that still operated an affected VPN gateway. After the letter was sent, half of the companies took action and patched their systems. However, more than 80 companies remained vulnerable including many large IT service providers.

Just compare this with traffic regulations in Germany­ that mandate a recurring technical inspection of the vehicle every 2 years. If you do not comply with this safety standard, the license to drive this vehicle expires – just think how many partly ancient systems participate in the world largest traffic network (the Internet).

How are we trying to solve our challenge?

Let’s get back to the main question: “Are we affected?” As we see, there are a couple of challenges: where to start, what to combine/correlate, where to focus and dig deeper, how to “glue” events together to create a causality chain, how and where to escalate to an IR team, etc. We quickly dig into frameworks like MITRE ATT&CK and NIST, or tools like SIEM / SIRP / SOAR, and this would be absolutely fine, but we run the risk of ending up like this:

Please let me explain how we can proceed, with a straightforward conversation about how you can start easily and expand into enterprise solutions which you may already have in place. The Cisco Secure journey began a decade ago, when we started to build a security portfolio built around three foundational capabilities:

The result was SecureX. SecureX is a cloud-native, built-in platform experience within our portfolio that is integrated and open for simplicity, unified in one location for visibility, and maximizes operational efficiency.

If you want more information about the architecture and what’s under the hood, I highly recommend attending the upcoming Cisco Live! EMEAR (there is a dedicated SecureX track!) or check out the OnDemand sessions.

How we should solve our challenge!

So how does this help to answer, “Are we affected?”.

Wouldn’t it be great to be able to execute a simple search query across your Cisco Secure and integrated 3rd party products simultaneously? The good news is that it is possible, and not only that, you can even take immediate action with this truly integrated platform.

Here’s a very short manually executed search query:

20 Second Threat Hunting of a malicious Domain

In 20 seconds, we learned that we are affected by a malicious domain on an endpoint (contacting that domain), in an email (containing links to that domain), and in the network (probably the actual traffic destined to that domain’s host). We are empowered to take immediate action on the endpoint by creating a forensic snapshot and isolating the host from the network.

Time is one of the scarcest resources for most organizations. You don’t want to spend more time and talent integrating your investments. You want an integrated and open platform that simplifies your existing ecosystem and is interoperable with thirdparty solutions. To counter attacks and stay compliant, you need answers in one unified view, not isolated alerts. Gaining contextual awareness across your security ecosystem helps your teams share and coordinate response faster. Evolving from manual to automated workflows with a few clicks results in faster remediation with better precision. And by eliminating the friction and repetition in your processes, you can save time and lower your ongoing costs.

Another time-consuming and often error-prone activity is the recording and tracking of indicators. In nearly every customer conversation, I hear something like, “We use a text editor to copy/paste all the indicators we find in different sources for a specific threat into a file, or even type them manually.” With SecureX casebooks you have the capability to collect and store key information related to the investigation and also to manage and document your progress and findings. We’ve even created a browser plugin for Chrome and Firefox to extract observables from any webpage! By using this plugin, security professionals are able to organize and track the observables in cases and get instant access to threat intelligence and response capabilities.

Use Casebook Browser PlugIn to search for observables and sync them with Casebook and TheHive

Another key objective of SecureX is to offer turnkey interoperability with 3rd party solutions. And it’s really turnkey: for example, it took me just a few hours to create an integration into the leading open source security incident response platform, TheHive. This scalable and free SIRP is designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents. Especially distinctive for this platform is a tight integration with MISP (Malware Information Sharing Platform) and the flexibility to add powerful observable analysis as well as active response.

With the combination of Cisco SecureX and TheHive we can

  • easily speed up the collection of observables and information in cases
  • guarantee an error-free handover of observables and cases beyond product borders
  • automate the analysis of observables, and much more…

In other words, to rapidly drive down The Time to React!

SecureX orchestration

Workflow Action Example to create Task and Condition

How did I create this integration in a couple of hours, without studying each and every API endpoint, and without advanced programming skills?

The secret sauce is the workflow-based SecureX orchestration canvas, which enables you to build efficient workflows across teams and technologies with little or no code. With predefined atomic actions you simply drag and drop the tasks/conditions into a flow. We have already seen this in action during the 20-second investigation, to take the forensic snapshot and isolate the host. We continuously develop new workflows and integrate them into the cloud platform, but you can also easily create them on your own.

The idea behind this particular integration was to hand over observables from SecureX to TheHive via SecureX orchestration workflows in order to speed up your incident response. The process starts in SecureX as a response action. Next, we create a case in casebook via your Private Intel Store (CTIA). For each response action you get the observable type (IP, SHA256, URL, domain, …) and the observable value as input variables. After we have added these observables to the case, we create the TheHive case with the same content and attributes. As the last task we add both Case IDs to a “Global variable”; as a result we get a 1:1 reference. With this assignment, we can now compare further added observables.
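The two steps the post describes, pulling observables out of a page of text (the browser plugin) and keeping a casebook case and its TheHive twin in a 1:1 reference so later observables land in both (the orchestration workflow), can be modelled in a few dozen lines. The following is an added example written for this article, not code from the post, from SecureX or from TheHive: `extract_observables`, `CaseStore`, `CaseSync` and the sample page text are all hypothetical stand-ins, and the two in-memory stores take the place of the real casebook and TheHive HTTP APIs. The sample page, hash and addresses are constructed (documentation ranges and the reserved `.example` TLD).

```python
import re
from dataclasses import dataclass, field

# Patterns for the observable types the post lists (IP, SHA256, URL, domain).
# Order matters: hashes and URLs are consumed first so that the host part of a
# URL is not extracted a second time as a bare domain.
OBSERVABLE_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]


def refang(text):
    """Undo the common defanging conventions (hxxp, [.]) used in reports."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_observables(text):
    """Return an ordered, de-duplicated list of (type, value) pairs from text."""
    remaining = refang(text)
    found, seen = [], set()
    for otype, pattern in OBSERVABLE_PATTERNS:
        for match in pattern.finditer(remaining):
            item = (otype, match.group(0))
            if item not in seen:
                seen.add(item)
                found.append(item)
        # Blank out what this pass matched so later passes cannot re-match it.
        remaining = pattern.sub(lambda m: " " * len(m.group(0)), remaining)
    return found


# Constructed sample page (hypothetical): documentation IP range, reserved TLD,
# and an obviously synthetic hash value.
CONSTRUCTED_HASH = "0123456789abcdef" * 4
SAMPLE_PAGE = f"""
Constructed sample page, not a real advisory. The dropper was served from
hxxp://malware-sample[.]example/payload.bin (sha256 {CONSTRUCTED_HASH}) and
beaconed to 198.51.100.23 and c2[.]example; c2[.]example was seen twice.
"""


@dataclass
class Case:
    case_id: str
    title: str
    observables: set = field(default_factory=set)


class CaseStore:
    """In-memory stand-in for one case system. Hypothetical: a real casebook
    or TheHive instance would be reached through its HTTP API instead."""

    def __init__(self, name):
        self.name = name
        self.cases = {}

    def create_case(self, title, observables):
        case_id = f"{self.name}-{len(self.cases) + 1}"
        self.cases[case_id] = Case(case_id, title, set(observables))
        return case_id

    def add_observables(self, case_id, observables):
        """Add only observables the case does not already hold; return those."""
        case = self.cases[case_id]
        new = [o for o in observables if o not in case.observables]
        case.observables.update(new)
        return new


class CaseSync:
    """Keeps the 1:1 reference between a case in the primary system and its
    twin in the secondary system, and pushes observables to both."""

    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary
        self.links = {}  # primary case id -> secondary case id

    def open_case(self, title, observables):
        pid = self.primary.create_case(title, observables)
        sid = self.secondary.create_case(title, observables)
        self.links[pid] = sid
        return pid, sid

    def add_observables(self, pid, observables):
        sid = self.links[pid]  # KeyError if the case was never linked
        return (self.primary.add_observables(pid, observables),
                self.secondary.add_observables(sid, observables))

    def in_sync(self, pid):
        twin = self.secondary.cases[self.links[pid]]
        return self.primary.cases[pid].observables == twin.observables


def demo():
    casebook = CaseStore("casebook")  # stand-in for the SecureX casebook
    thehive = CaseStore("thehive")    # stand-in for TheHive
    sync = CaseSync(casebook, thehive)
    first = extract_observables(SAMPLE_PAGE)
    pid, sid = sync.open_case("Constructed investigation", first)
    # A later page repeats a known observable and adds one new one.
    later = extract_observables("Related infrastructure: 203.0.113.7 and c2[.]example")
    added = sync.add_observables(pid, later)
    return first, pid, sid, added, sync.in_sync(pid)


if __name__ == "__main__":
    print(demo())
```

The blanking step between regex passes is what keeps the host of an extracted URL from reappearing as a separate domain observable, and `add_observables` returns only what was genuinely new in each system, so a mismatch between the two return values is an immediate signal that the twin cases have drifted apart.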

Process Documentation to synchronize the Case and Observables

Here is a short example, how you can take action and start the workflow:

start the Threat Hunting process with SecureX and TheHive with observables and automation

By using the Browser plugin, it is now also possible to add observables quickly and easily into TheHive.

Please feel free to check out the workflows in detail and find the installation manual in my GitHub Repo: and on Cisco DevNet CodeExchange:

To conclude: sometimes there is no simple answer, but we should never stop asking. With the right tools, we can start to ask better questions and as a result we will get better answers. Where possible, burdensome manual activities should be automated, fragmented solutions should be integrated, and complexity should be eradicated. Open source solutions offer a flexible and extensible way to make our job as security professionals more efficient and effective, especially when used alongside commercial tools. The integration I created is just one example of the work we do to collaborate and make life easier. Of course, there are many other colleagues here at Cisco, Partners and Customers participating in the DevNet community and releasing new content daily! My special thanks goes out to Christopher Van Der Made, who supported me in building this integration – Thanks Chris

To confidently tackle your challenges, you need a platform approach to security. And that’s why every Cisco Secure customer is entitled to a simpler experience with SecureX. Cisco SecureX is built into most Cisco security products such as Umbrella, AMP for Endpoints, Firepower devices, next-generation intrusion prevention system (NGIPS), Email Security, and Stealthwatch.

Learn more about SecureX at, watch the demo video, or get started at


The post “Are we affected?” – A simple question, but quite hard to answer appeared first on Cisco Blogs.

US whistleblower Edward Snowden received permanent residency by Russian authorities

The popular US whistleblower Edward Snowden has been granted permanent residency in Russia; the announcement was made by his lawyer.

The former CIA employee and National Security Agency contractor Edward Snowden (37) has been granted permanent residency in Russia, his lawyer announced on Thursday.

In 2013, Edward Snowden shed light on the mass surveillance program operated by the US government to spy on its citizens and allies.

The man expressed his desire to return to the United States, where he is considered a criminal and a threat to homeland security due to his revelations. Snowden is wanted in the United States on espionage charges after he revealed details of the surveillance apparatus used by the National Security Agency (NSA) to collect telephone records of millions of US citizens.

According to his lawyer Anatoly Kucherena, Snowden’s residency permit was extended as the result of recent changes introduced to Russia’s immigration law. The residency permit is now indefinite, as reported by AFP.

“Kucherena said it was “natural” that Snowden wanted to return to the United States but will only do so when the case against him is closed.” reported AFP.


The application was filed in April, but the decision of the Russian authorities was made public only this week due to a delay in the process caused by the ongoing COVID-19 pandemic.

It is not clear if Snowden plans to apply for Russian citizenship.

Earlier this year, US President Donald Trump announced that he was evaluating the possibility of pardoning Snowden but he did not provide further details on the case. 

In 2015 the White House rejected a petition calling on then-president Barack Obama to pardon the popular US whistleblower.

In September 2019, the US DoJ filed a lawsuit against Edward Snowden to prevent the former CIA employee and National Security Agency contractor from receiving the payment for his book, Permanent Record.

According to the civil lawsuit, filed in the Eastern District of Virginia, Snowden violated non-disclosure agreements signed when he was an employee at the US intelligence agencies.

Pierluigi Paganini

(SecurityAffairs – hacking, Snowden)

The post US whistleblower Edward Snowden received permanent residency by Russian authorities appeared first on Security Affairs.

EU Council sanctions two Russian military intelligence officers over 2015 Bundestag hack

The Council of the European Union announced sanctions imposed on Russian military intelligence officers for 2015 Bundestag hack.

The Council of the European Union announced sanctions imposed on Russian military intelligence officers, belonging to the 85th Main Centre for Special Services (GTsSS), for their role in the 2015 attack on the German Federal Parliament (Deutscher Bundestag).

The 85th Main Centre for Special Services (GTsSS) is the military unit of the Russian government also tracked as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US Presidential election.

“The Council today imposed restrictive measures on two individuals and one body that were responsible for or took part in the cyber-attack on the German Federal Parliament (Deutscher Bundestag) in April and May 2015.” reads the press release published by the Council. “This cyber-attack targeted the parliament’s information system and affected its ability to operate for several days. A significant amount of data was stolen and the email accounts of several members of parliament, including that of Chancellor Angela Merkel, were affected.”

Immediately after the attack the daily Der Spiegel speculated that the Russian Government was behind the attack.  


The attackers used a sophisticated strain of malware to breach the Bundestag network and siphon off sensitive data. The experts that analyzed the malicious code employed in the hack found many similarities with a piece of malware used in a previous attack against a German Government network that took place in 2014.

“The cyber attack on the “Parlakom” network was discovered in early May. At the parliamentary IT network 20,000 Bundestag accounts are connected – including German Chancellor Angela Merkel and other government officials.” continues the Der Spiegel.

The EU’s sanctions imposed on the Russian military officers include travel bans and asset freezes; they also block EU organizations and individuals from transferring funds to the sanctioned entities and individuals.

The Council’s sanctions target a total of 8 persons and 4 entities and bodies.

“Sanctions are one of the options available in the Union’s framework for a joint diplomatic response to malicious cyber activities (the so-called cyber diplomacy toolbox), and are intended to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace,” a press release published earlier reads. “The relevant legal acts, including the names of the individuals and the body concerned, have been published in the Official Journal.”

Two of the officers sanctioned by the Council of the European Union, Dmitry Sergeyevich Badin and Igor Olegovich Kostyukov, are known members of the GTsSS.

The two officers were also indicted by the US DoJ in October 2018, along with five other members of the Russian Main Intelligence Directorate (GRU), for hacking, wire fraud, identity theft, and money laundering.

Kostyukov was also named in an executive order issued by President Barack Obama in 2016 to impose sanctions on a number of Russian military and intelligence officials in response to the alleged hacking campaigns against the 2016 US Presidential Election.

Kostyukov is the current chief of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU).

“In this capacity, Igor Kostyukov is responsible for cyber-attacks carried out by the GTsSS, including those with a significant effect constituting an external threat to the Union or its Member States,” states the Council. “In particular, military intelligence officers of the GTsSS took part in the cyber-attack against the German federal parliament (Deutscher Bundestag) which took place in April and May 2015 and the attempted cyber-attack aimed at hacking into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April 2018.”

In July 2020, for the first time, the EU imposed economic sanctions on Russia, China, and North Korea following cyber-attacks aimed at the EU and its member states.

The EU Council announced sanctions imposed on a Russia-linked military espionage unit, as well as companies operating for Chinese and North Korean threat actors that launched cyber-attacks against the EU and its member states.

The sanctions were imposed as part of a legal framework established on May 17, 2019, which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks aimed at the EU or its member states.

Pierluigi Paganini


The post EU Council sanctions two Russian military intelligence officers over 2015 Bundestag hack appeared first on Security Affairs.

Cisco addresses 17 high-severity flaws in security appliances

Security Advisory Bundled Publication for October 2020 – Cisco announced the release of patches for 17 high-severity flaws in its security appliances.

Cisco announced the release of security patches for 17 high-severity vulnerabilities in its security appliances as part of its Security Advisory Bundled Publication for October 2020.

The vulnerabilities impact Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC).

“The October 21, 2020 release of the ASA, FMC, and FTD Software Security Advisory Bundled Publication includes 17 Security Advisories that describe 17 vulnerabilities in ASA, FMC, and FTD Software. Cisco has released software updates for these vulnerabilities.” states the advisory.

“All of these vulnerabilities have a Security Impact Rating (SIR) of High.”

Most of the vulnerabilities addressed by the IT giant can be exploited by remote, unauthenticated attackers. The list of addressed vulnerabilities includes denial-of-service (DoS), CSRF, FMC authentication bypass, and MitM issues.

The company also fixed multiple vulnerabilities that require local access or authentication to be exploited; an attacker can trigger them to read or write files on a device, cause a DoS condition, bypass the secure boot mechanism, or escape containers and execute commands with root privileges.

The good news is that Cisco is not aware of attacks in the wild exploiting these vulnerabilities.

Cisco is also warning of attacks targeting the high-severity vulnerability CVE-2020-3118, which affects multiple carrier-grade routers running the Cisco IOS XR Software.

The flaw resides in the Discovery Protocol implementation of Cisco IOS XR Software and could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload of an affected device.

Pierluigi Paganini


The post Cisco addresses 17 high-severity flaws in security appliances appeared first on Security Affairs.

VMware fixes several flaws in its ESXi, Workstation, Fusion and NSX-T

VMware patched several flaws in its ESXi, Workstation, Fusion and NSX-T products, including a critical code execution vulnerability.

VMware has fixed several vulnerabilities in its ESXi, Workstation, Fusion and NSX-T products, including a critical flaw that allows arbitrary code execution.

The critical vulnerability, tracked as CVE-2020-3992, is a use-after-free issue that affects the OpenSLP service in ESXi. The vulnerability can allow remote attackers to execute arbitrary code on affected installations of the ESXi product.

To exploit the flaw, the attacker needs to be on the management network and have access to port 427 on an ESXi machine.

“OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published by VMware.

“A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”

The vulnerability was reported to VMware on July 22 by Lucas Leong (@_wmliang_) from Trend Micro’s Zero Day Initiative.

The virtualization giant addressed the vulnerability in ESXi and VMware Cloud Foundation.

The company also patched a high-severity flaw in NSX-T, tracked as CVE-2020-3993, which is caused by the way a KVM host is allowed to download and install packages from the NSX manager. The flaw could be exploited by a MitM attacker to compromise transport nodes.

“VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.” reads the advisory.

“A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.”

Researcher Reno Robert discovered an out-of-bounds read vulnerability in VMware ESXi, Workstation and Fusion. The issue is due to a time-of-check time-of-use (TOCTOU) issue in the ACPI device.

An attacker with administrative access to a virtual machine may be able to exploit this flaw to leak memory from the vmx process.

VMware also addressed a session hijack vulnerability, tracked as CVE-2020-3994, in the vCenter Server update function.

“A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.” reads the advisory.

The vulnerability was reported by Thorsten Tüllmann of the Karlsruhe Institute of Technology.

Pierluigi Paganini


The post VMware fixes several flaws in its ESXi, Workstation, Fusion and NSX-T appeared first on Security Affairs.

Adobe releases a new set of out-of-band patches for its products

Adobe has released a second out-of-band security update to address critical vulnerabilities affecting several products. 

Adobe has released a second out-of-band security update to fix critical vulnerabilities that impact numerous products of the IT giant. 

The flaws impact Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines. 

Adobe has fixed seven critical vulnerabilities in Illustrator, including memory corruption and out-of-bounds read/write issues that can lead to arbitrary code execution.

Below the vulnerability details:

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Out-of-Bounds Read | Arbitrary code execution | Critical | CVE-2020-24409
Out-of-Bounds Write | Arbitrary code execution | Critical |
Memory Corruption | Arbitrary code execution | Critical | CVE-2020-24412

Adobe has addressed an “important” uncontrolled search path element security flaw in Dreamweaver which could be exploited by attackers to escalate privileges.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Uncontrolled Search Path Element | Privilege escalation | Important | CVE-2020-24425

The company fixed four critical vulnerabilities in Animate: out-of-bounds read, stack-based buffer overflow, and double-free flaws that can result in arbitrary code execution.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Double-free | Arbitrary code execution | Critical | CVE-2020-9747
Stack-based buffer overflow | Arbitrary code execution | Critical | CVE-2020-9748
Out-of-bounds read | Arbitrary code execution | Critical | CVE-2020-9749

Adobe addressed an “important” XSS issue impacting the Marketo Sales Insight Salesforce package that could have been weaponized to deploy malicious JavaScript in a browser session. 

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Cross-site Scripting (stored) | JavaScript execution in the browser | Important | CVE-2020-24416

Adobe also addressed an out-of-bounds read flaw and an uncontrolled search path flaw, both rated critical, in After Effects that could lead to the execution of malicious code.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Out-of-Bounds Read | Arbitrary code execution | Critical | CVE-2020-24418
Uncontrolled search path | Arbitrary code execution | Critical | CVE-2020-24419

Adobe has fixed a critical memory corruption flaw in InDesign that could also be exploited to execute arbitrary code. 

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Memory Corruption | Arbitrary code execution | Critical | CVE-2020-24421

The company also fixed other critical uncontrolled search path issues in Photoshop, Premiere Pro, Media Encoder, and the Creative Cloud installer for desktop.

Last week, Adobe released a separate set of out-of-band security patches affecting the Magento platform.

Pierluigi Paganini


The post Adobe releases a new set of out-of-band patches for its products appeared first on Security Affairs.

Healthcare Cybersecurity: What’s at Stake?

Today, healthcare organizations are more connected than ever before.

The number of internet-connected devices in healthcare is rising, and the average hospital room is equipped with 15-20 connected medical devices.[1] With this proliferation of devices comes both clinical benefits and security risks.

In the past two years, 63% of healthcare organizations experienced a security incident related to unmanaged and IoT devices.[2] Couple this with the fact that last year, more data breaches were reported in healthcare than in any other year on record.[3] These breaches have the potential to cause significant harm to healthcare organizations, especially if critical clinical machines are infected.

Care delivery models are also changing. As a direct result of the pandemic, telehealth and virtual visits have increased exponentially. Patients now expect secure healthcare on-demand, from any location. This year alone, the growth of virtual visits is up 124%,[4] and we believe that telehealth will become the new normal in healthcare.

Plus, more clinicians and care teams are working remotely, which means they need secure access to the operational domain and to electronic health and medical records (EHR/EMR). According to healthcare executives in this PwC poll, 70% are prioritizing improving the remote work experience (compared to 49% across other industries) and 67% plan to make remote work a permanent option for roles that allow it (compared to 54% across other industries).[5]

With all these connections, just think of the volume of healthcare data being transferred and stored every day. All of this data requires a strong defense to enhance patient safety and protect organizations from cybersecurity breaches.

So, what’s at stake?

Healthcare organizations are under great pressure to protect sought-after digital assets, intellectual property, financial information, and patient data.

The financial costs associated with a healthcare organization’s failure to protect confidential patient data can be severe.

In addition to financial burdens associated with poor security, network downtime and loss of critical server and application operations can also be a consequence. Network downtime can interfere with a provider’s ability to treat patients and impact patient safety.

And, possibly the greatest consequence is loss of patient and partner confidence. A healthcare organization that has been the victim of cybercrimes may lose trust and loyalty amongst their patients, insurers and clinical partners.

How can you protect your healthcare organization?

Between managing BYOD access policies, IoT and applications (including more applications and legacy medical devices), access to EHRs and ecosystem partner cloud offers, protecting patient data, fragmented security policies and balancing outside vendor support, the complexity in healthcare continues to grow.

Healthcare providers need an integrated, unified, end-to-end security portfolio to help address patient privacy requirements, improve threat detection, and reduce management complexity, ultimately saving time, money and putting the emphasis back on care delivery.

With Cisco Secure, you can realize the benefits of unified visibility, automation, and stronger defenses. And, with the new Cisco SecureX platform, our products combine to help safeguard your network, users and endpoints, cloud edge, and applications.

As the industry continues to see shifting sites of care, remote work and new care delivery models like telehealth and virtual visits, healthcare organizations need to ensure that their voice and video collaboration tools are secure and protect patient privacy. Healthcare providers need collaboration technology with security built in, not bolted on.

With Cisco Webex, data security is of the utmost importance, and we are dedicated to providing world-class collaboration that is simple, scalable, and designed to meet your HIPAA compliance needs. On top of that, Webex Teams, Webex Control Hub and Webex API have achieved HITRUST CSF Certification, the world’s most widely adopted security framework in the healthcare industry.

Healthcare organizations know no “next time” when it comes to protecting patient data and securing their network, users, endpoints, cloud edge and applications. Now is the time to develop a holistic security strategy to help protect what matters most.

  1. Cybersecurity Magazine, Patient Insecurity: Explosion Of The Internet Of Medical Things
  2. Armis, Medical and IOT Device Security for Healthcare, 2019
  3. HIPAA Journal: 2019 Healthcare Data Breach Report
  4. Frost and Sullivan: Telehealth: A Technology-Based Weapon in the War Against the Coronavirus in 2020
  5. PwC COVID-19 CFO Pulse Survey, 2020
  6. Ponemon 2019 Cost of a Data Breach Report
  7. 2019 HIMSS Cybersecurity Report

The post Healthcare Cybersecurity: What’s at Stake? appeared first on Cisco Blogs.

Sweden bans Huawei and ZTE from building its 5G infrastructure

Sweden is banning Chinese tech giant Huawei and ZTE from building new 5G wireless networks due to national security concerns.

Another state, Sweden, announced the ban of Chinese tech companies Huawei and ZTE from building its 5G network infrastructure.

The Swedish Post and Telecom Authority announced this week that four wireless carriers bidding for frequencies in an upcoming spectrum auction for the new 5G networks (Hi3G Access, Net4Mobility, Telia Sverige and Teracom) cannot use network equipment from the Chinese firms.

The Swedish telecom regulator is also urging carriers to replace any existing equipment from Huawei or ZTE by January 1st, 2025, at the latest.

The decision is the result of assessments made by the Swedish military and security service.

“In accordance with new legislation, which entered into force on 1 January 2020, an examination of applications has been conducted in consultation with the Swedish Armed Forces and the Swedish Security Service, to ensure that the use of radio equipment in these bands does not cause harm to Sweden's security.” reads a press release published by the Swedish Post and Telecom Authority.

The ban applies to new installations and new implementations of central functions for radio use in the frequency bands.

Sweden is the latest country to ban Huawei from participating in building 5G networks.

Recently, Belgian telecoms operators Orange Belgium and Proximus announced that they will gradually replace equipment from the Chinese manufacturer Huawei.


The U.S. is pushing its allies to ban Huawei, ZTE and other Chinese companies. Washington has highlighted the risks to national security posed by the adoption of Huawei equipment and is urging internet providers and telco operators in allied countries to ban Chinese firms.

The Chinese giant has already been excluded by several countries from building their 5G networks. The United States, Australia, New Zealand, Romania, and Japan have announced the exclusion of Huawei technology from their 5G networks.

In April 2018, the UK GCHQ intelligence agency warned UK telcos firms of the risks of using ZTE equipment and services for their infrastructure.

In December 2018, a Czech cyber-security agency warned against using Huawei and ZTE technologies because they pose a threat to state security.

In September, the US Federal Communications Commission (FCC) estimated the cost of a full replacement of all Huawei and ZTE hardware on American wireless networks at $1.837bn.

Klas Friberg, the head of Sweden’s domestic security service (SAPO), declared that foreign states have intensified their intelligence activity and that protecting 5G networks from cyber espionage and hacking campaigns by threat actors is crucial for national security.

“China is one of the biggest threats to Sweden,” Friberg said. “The Chinese state is conducting cyber espionage to promote its own economic development and develop its military capabilities. This is done through extensive intelligence gathering and theft of technology, research and development. This is what we must consider when building the 5G network of the future.”

Huawei was “surprised and disappointed” by the decision of the Swedish authority.

“Huawei has never caused even the slightest shred of threat to Swedish cyber security and never will,” reads a statement from the Chinese giant Huawei. “Excluding Huawei will not make Swedish 5G networks any more secure. Rather, competition and innovation will be severely hindered.”

Pierluigi Paganini


The post Sweden bans Huawei and ZTE from building its 5G infrastructure appeared first on Security Affairs.

Distorting the truth: The roots of online political disinformation campaigns

On today’s episode of the Security Stories podcast we discuss the history of online manipulation campaigns, and how they’re used today to try and influence political elections.

To do that, we welcome back Theresa Payton, the first female CIO of the White House and author of ‘Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth’.

Also joining us is Nick Biasini. Nick is a threat researcher within Cisco Talos and recently published a paper called ‘The Building Blocks of political disinformation campaigns’. The paper is part of Talos’ hands-on research into election security.

We chat about some of the things that shocked Theresa when she was doing her research into manipulation tactics. And Nick talks about the amplification methods that are being used to spread certain lies online. Plus, we talk about what can be done to curb these campaigns with only a few weeks to go until the United States general election.

This is a really fascinating discussion, and whilst it highlighted the huge challenges that we’re facing at the moment, Nick and Theresa shared a lot of great information on how we can overcome them.

Also in this episode, Ben Nahorney shares his latest research on current threat trends. This time we rank the Indicators of Compromise that organizations have encountered grouped by particular topics, including ransomware, credential stealing, and looking at the top operating system IoCs.

Episode time stamps

00:00  Intro
03:01  Discussion on disinformation campaigns with Nick Biasini and Theresa Payton
42:45  Threat trends with Ben Nahorney
52:09  Closing remarks

Play the episode

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from!

Further resources:

‘The Building Blocks of political disinformation campaigns’

‘Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth’

The post Distorting the truth: The roots of online political disinformation campaigns appeared first on Cisco Blogs.

Maintaining Data Privacy in the Age of COVID

As the world continues to struggle with the impacts of the COVID-19 pandemic, data and data privacy have never been more critical. Our health status; our test results; our physical locations; our contacts with others – these are exactly the types of information that governments want to collect from individuals to control the spread of the virus, and that companies need to ensure safe working environments. But these are also the types of deeply personal information that people are concerned about sharing and that privacy regulations seek to protect on their behalf.

National or global emergencies are often accompanied by an erosion of individual rights as citizens willingly trade privacy for a sense of security, as anyone who flew before and after the 9/11 attacks can attest. As the COVID-19 virus spread across the world earlier this year, many predicted it would signal the end of data privacy. But consumers don’t see it that way.

The Cisco 2020 Consumer Privacy Survey, released today, explores how individuals around the world are balancing the need to share their information with the need for privacy in the current environment, as well as the ongoing importance of data privacy and privacy regulation. The report, which is our second annual look at consumer privacy issues, draws on responses from a double-blind survey of more than 2600 adults in 12 countries worldwide.

Here are a few highlights of the survey findings:

  1. Despite the pandemic, consumers continue to want their information protected. Most respondents (63%) want no changes to privacy laws or only limited exceptions. And while 57% support an employer’s need to check health information to ensure a safe workplace, only 37% support sharing information about infected neighbors or coworkers. Interestingly, with so many people working and learning remotely, 60% of them are concerned about the privacy protections associated with the tools they are being asked to use for collaborating and transacting remotely.
  2. Nearly a third of consumers are “Privacy Actives” – those who have stopped doing business with organizations over data privacy concerns. Consumers are taking matters into their own hands when they don’t trust how their data is used. The types of companies they have abandoned aren’t just online services, such as social media and ISPs, but traditional brick-and-mortar companies like retail stores, banks, and credit card companies. And once trust is broken, many of these customers are not likely to return.
  3. Consumers expect their governments to take the lead in protecting their data, and residents of all countries surveyed view their privacy laws very favorably. Consumers don’t always trust companies to adhere to their own privacy policies, so they think the primary responsibility should fall to national and local governments. Given this need, it’s interesting that in every country surveyed, respondents who were aware of their country’s privacy laws overwhelmingly saw those laws as having a positive impact (e.g., respondents in Australia were 58% positive vs. 4% negative; in France, 43% positive vs. 1% negative).
  4. Consumers want more transparency on how their data is being used. Nearly half of all respondents don’t believe they are able to effectively protect their personal data today. The number one reason by far was the issue of transparency: consumers believe that companies simply make it too hard to figure out exactly what they are doing with their customers’ data.

This research suggests that privacy is not only a regulatory issue, but a consumer priority and a business imperative as well. At Cisco, we also believe that privacy is a fundamental human right. Based on that belief and our experience in protecting the data privacy of our customers, employees, and partners, we recommend that organizations do the following:

  • Provide as much transparency as possible to customers on what data you collect, how you use it, and how you protect it. Cisco publishes privacy data sheets and data maps that provide this information for many of our most popular products and services.
  • Ensure that your tools are safe and privacy-ready, and consider privacy issues early and throughout the design process. Cisco follows a privacy-by-design approach with our Secure Development Lifecycle.
  • Drive awareness of privacy regulations in each of the countries where you do business. When consumers understand what protections they have, they are more confident in sharing their data when requested.

Additional Resources:

Consumer Privacy Infographic

Cisco 2020 Data Privacy Benchmark Study

Cisco Data Privacy

Cisco Trust Portal

The post Maintaining Data Privacy in the Age of COVID appeared first on Cisco Blogs.

Building trust through transparency and privacy by design

Privacy by design and default are principles that have been in the privacy engineering lexicon for decades, but only recently have come more broadly to light. These principles aren’t just recommendations or best practices anymore. Privacy by design and default are legally required of companies building products and services in or for the European Union market and other jurisdictions around the world.

Simply put, privacy by design and default demands that developers consider the privacy implications at the ideation phase and embed privacy protections and functionality into products and services from the start. And, to the extent there are optional configurations and user settings, the default settings should be the most privacy protective.

Privacy professionals have known – and the Cisco 2020 Consumer Privacy Survey provides supporting evidence – that consumers care deeply about privacy. Nearly one third of respondents, identified as “Privacy Actives,” said they stopped doing business with a company over data privacy concerns. Their biggest concern? Transparency. Nearly half did not know what companies were doing with their data and felt they were unable to effectively protect their privacy. Most respondents wanted more transparency in how their data is being used.

Cisco’s privacy program is anchored around three strategic considerations – compliance, ethics, and privacy as a business imperative. We believe that organizations of all types and sizes must address all three when collecting, using, and processing personal data. Transparency regarding how privacy is respected and protected is critical to workforce, customer, and public trust. Ultimately, when choosing and doing business with a vendor, customers consider one fundamental question: “Do I trust you?” If they don’t trust how you handle their data, you won’t get or keep their business.

The Pandemic Effect: Why more people demand privacy

COVID-19 has raised the general public’s awareness of privacy on multiple fronts. For one, governments, employers, and the people around us are all suddenly interested in our sensitive health information – how we’re feeling, what our COVID-19 status is, where we’ve been, and with whom we’ve been in contact. Contact tracing, while an important tool for containing the pandemic, is incredibly intrusive. According to our study, less than half (49%) of respondents supported contact tracing, with just 37% in favor of sharing COVID-19 status-related information. This is the question that privacy by design and default address: how do we design a privacy-respectful method for contact tracing?

Enabling confidence through transparency

At Cisco, we’ve been working on a way to provide contact tracing and proximity tracking capabilities to enable the economy to reopen. Using the Wi-Fi-based technology of our DNA Spaces platform, we have developed a way to enable our customers to better monitor their campuses or worksites. By using Wi-Fi and data related to access-point proximity, we collect and log location data only while the person is onsite, but nowhere else. Moreover, the person is invisible to DNA Spaces unless and until their device Wi-Fi is turned on, mitigating the privacy risks of stealth monitoring and mass surveillance by design.

We also have partnered with ServiceNow to help ensure data is securely handled with tight access controls and auto-expiry. With ServiceNow, the data is only available on a strict need-to-know basis for a limited time, with logging and audit capabilities to detect and prevent misuse. DNA Spaces will allow offices, schools, and other sites to better manage their facilities, understand utilization and density, and facilitate contact tracing and notification of potential exposure – all while minimizing privacy impact.

As Cisco prepares to re-open our offices and facilities, we will be using DNA Spaces as well. To validate and ensure privacy risks are appropriately addressed and meet local labor law requirements, we worked with several EU-based works councils (i.e., internal labor unions) to obtain feedback and suggestions on product design, disclosures, and user experience. Designing with privacy in mind and being transparent about how we respect and protect privacy builds and maintains trust with our workforce, customers, and users.

Transparency opens the door to trust

Being transparent – especially when we’re in unusual and evolving circumstances as we find ourselves in today – not only gives our customers and workforce the confidence to trust us, it helps us to continually learn and improve. At Cisco, we post privacy data sheets and data maps on the Cisco Trust Portal and publicly explain how our products and services process, manage, and protect personal data.

In return for this transparency, we not only meet our legal obligations, we also get crowd-sourced advice on how to do better. The general public, media, and customers have not been shy about telling us how to improve – what we can do to explain things more clearly, what questions they want answered upfront, and what information they want to see. We appreciate their guidance and incorporate their feedback – after all, they are who we are here to serve.

Today, privacy is much more than just a compliance obligation. It is a fundamental human right and business imperative that is critical to building and maintaining trust. The core privacy and ethical principles of transparency, fairness, and accountability will guide us in this new, digital-first world.

The post Building trust through transparency and privacy by design appeared first on Cisco Blogs.

Security at the Heart of the ‘New Normal’ Workforce

The overnight transition to remote working arrangements caught many businesses off guard and propelled organizations into a new way of working that needs to be both seamless and secure.

Although many organizations had already made their transitions to cloud-first and remote-first strategies even before COVID-19, this is a process that requires significant time and investment. Businesses around the world are at different stages in their journey but what is clear is that cybersecurity needs to be at the heart of this transformation for businesses to operate effectively in this new post-pandemic world.

To better understand the challenges that organizations faced with this sudden transition and how they are adapting their cybersecurity approaches to better prepare for the hybrid workforce of the future, we went to those at the front line – surveying over 3,000 IT decision makers across 21 markets in the Americas, Asia Pacific and Europe from June to September this year in our newly launched report titled Future of Secure Remote Work. 

Here are some highlights from our report.

Transformation at pace 

As organizations prepare for whatever our next normal will bring, it is clear that a flexible and hybrid work environment is here to stay. Remote working reached unprecedented levels at the start of the COVID-19 pandemic in March, when two-thirds (62%) of organizations globally had more than half of their workforce working remotely, compared to only 19% before the pandemic.

However, our research reveals that at the pandemic’s outset less than half had sufficient cybersecurity in place to support this sudden shift. 53% were only somewhat prepared and a further 6% said they were not prepared at all to make the accelerated transition to a remote work environment.

We know that bad actors are always looking for opportunities to take advantage of human vulnerabilities, so it comes as no surprise to find that globally, companies are seeing a big increase in cyber threats or alerts amid the shift to mass remote working. In fact, 61% of organizations globally have experienced a jump of 25% or more in cyber threats and alerts since the start of COVID-19. Eight percent of businesses globally did not know whether they had experienced an increase or decrease in cyber threats.

Protecting an increasing number of endpoints

Employees are connecting to corporate resources with more personal, unmanaged devices, creating a blind spot for security teams. One in two respondents stated that office laptops/desktops (56%) and personal devices (54%) are a challenge to protect in a remote environment. This was followed by customer information and cloud applications both at 46%.

Secure access – or the ability to securely enable access to the enterprise network and applications for any user, from any device, at any time – was cited as the biggest cybersecurity challenge faced by nearly two thirds (62%) of global organizations when supporting remote workers. Other cybersecurity concerns raised by organizations globally include data privacy (55%), which has implications for the overall security posture.

The rush to solve these cybersecurity issues has led to IT departments working around the clock. However, with this new set of challenges has also come an opportunity for transformation. The vast majority of IT leaders (85%) say cybersecurity is now extremely important or more important than before COVID-19 at their organization, with two thirds saying this will result in an increase in cybersecurity investments.

Preparing for the future of secure remote work

With over a third of organizations globally expecting more than half of their workforces to continue working remotely beyond the pandemic, cybersecurity approaches must adapt and change for good to support a secure future for hybrid and flexible workplaces.

Below are our key recommendations for IT leaders:

#1 The future of work is dynamic: cybersecurity must meet the need of a distributed workforce.

Policies and controls that once resided in headquarters must now follow the worker wherever and whenever they need access.

Businesses must create a flexible, safe, and secure hybrid work environment with employees moving on and off the network with similar levels of protection. As business and IT leaders deliver significant changes to their technology and business priorities, cybersecurity should be the bridge that enables organizations to reach their full potential.

#2 The success of a flexible hybrid workforce hinges upon preparation, collaboration and empowerment

Network and security teams need to provide seamless and secure access to applications and services, anywhere and anytime. Security, networking and collaboration can no longer be seen in silos; they must work hand in hand.

Leaders must put in place additional enforcement protocols and enhanced cybersecurity policies. Solid employee education programs around cybersecurity are critical to build a healthy security culture.

#3 Simpler and more effective cybersecurity is critical to building business resilience

Security cannot be an afterthought – it should be the foundation behind the success of any digitalization effort. To reduce the likelihood and impact of a cybersecurity breach, organizations need to look for ways to reduce the complexity of their cybersecurity measures.

The future of work has arrived, and it may not be exactly as we imagined it. We welcome you to download Cisco’s Future of Secure Remote Work Report today and learn how cybersecurity can help to build resilient enterprises.

The post Security at the Heart of the ‘New Normal’ Workforce appeared first on Cisco Blogs.

What Cybersecurity and Traveling Have in Common

My favorite thing about my career in cybersecurity has been a constant opportunity to learn new topics. Cybersecurity weaves itself through every aspect of our lives: the phone in your pocket, the smart TV in your home, and on and on. And the idea that each of these devices allows me to gain new knowledge is fascinating. It can also be daunting when there is always so much to learn. I want to share a learning method I’ve developed to help you quickly learn new concepts. I have been using this mental model since I started in the industry. It works equally well whether you are new to the field or if you are adding to years of experience.

Exploring a new city

When I first moved to the Bay Area, I picked an area I thought I would like (the Redwoods) and walked my neighborhood, exploring the streets and restaurants. As I did this, I built up a mental map of the area. Eventually, I wanted to explore new neighborhoods.

I discovered that this way of navigating allowed me to grow my knowledge of a new area and anchor it in my existing understanding. First, I would learn a little bit about a new neighborhood. Then each time I would go back, I would learn a bit more about that area or a new way to get there. The first time I visited a new area, the map was small and the connections were weak. But over time, I would learn new connections and discover interesting areas to explore.

Eventually, I would build a better map of my neighborhood and others close by.

Applying to security

There are many parallels between different security domains and learning a new city. Learning about cybersecurity starts with picking an area of interest. Then you start exploring that area until you feel comfortable. You understand the tools, know the leaders in the space, and have read the books. Once you feel comfortable in one area, you may branch out to an adjacent area. Your connection to the new topic will be tenuous at first, but if you find it interesting, you will keep returning until you know the second area well.

As you continue to explore new areas it gets easier. Sometimes you can use the same tools or maps, or it is simply that the tools and maps become easier to understand because you have a frame of reference based on all the other things you have used.

If you walk the streets of Rome, Italy, after growing up in Los Angeles, United States, you may find yourself easily disoriented, like jumping from network security to cyber operations, but once you have learned enough new things about the neighborhoods it becomes easier.

Seeing how each neighborhood is connected from a bird’s eye view and how security is applied at the street level makes new topics easier to understand.

Broad awareness first, then go deep

I love learning about a new city’s hidden gems, but often I will start with the “must-see” landmarks. I use standard methods of travel like walking or trains to move between neighborhoods. Once I have spent some time in a new area, I will start to explore more deeply. When I am in a new city, I first look for parallels or how it’s like what I have seen before.

The same is true for learning cybersecurity. First, try to apply things you already know. Next, look for the landmarks or recognizable features. Ask yourself, ‘what unique concepts make this domain uniquely different and memorable?’ Finally, explore deeply.

I hope this method of learning will help you frame your new challenges. A career in cybersecurity truly gives you a passport to travel the world. And the skills you learn are globally recognized yet locally relevant in any country you choose to visit or explore.

Interested in learning more about cybersecurity? Start exploring here.

The post What Cybersecurity and Traveling Have in Common appeared first on Cisco Blogs.

Trust in Yourself and the Process: Key Guidance for Forging a Successful Cybersecurity Career

Those in cybersecurity are keenly aware of the concept, “imposter syndrome.” Some think they don’t know enough to succeed in the industry. Others believe they don’t have the right experience to contribute anything meaningful.

In actuality, many people suffer from imposter syndrome at some point in their cybersecurity careers. This reality suggests that many of us are too hard on ourselves when starting off in the industry. Cisco found this to be the case after asking numerous cybersecurity experts the following question: “If given the chance, what advice would you give yourself when you first joined the industry?”

These experts’ responses are presented below.

Jihana Barrett |  Senior Threat Intelligence Analyst, Verizon Enterprise Solutions | @iamjihana | (LinkedIn)

That’s a good question. For me, I didn’t feel like I had much guidance. There was no woman that I’d seen doing what I was doing. There was a steep learning curve because cybersecurity was still very new to me. I didn’t see myself reflected in those spaces. So I felt lost a lot of the time, and I didn’t have much direction or any mentors to turn to because there were so many men, and not that many women.

If I could go back and tell myself anything, it would have been to pace myself. I would have reassured myself that I was on the right track, that things would turn out the way they’re supposed to. And I would encourage myself to learn as much as I could but to be patient with my learning. A lot of times, newbies want to be experts, and they don’t give themselves the chance to take the steps to get to that point. Having been in the industry for about 11 years now, I totally see that even if you have all the books behind it, you still don’t have the experience when starting out. That experience is what helps me execute my tasks and examine a problem the way that I do. If you’re new, you don’t even know how to think that way. You wouldn’t think that way. I wouldn’t want to shortchange education, but I know how necessary experience is.

So I would have just told myself to be patient. You’re on the right track. You’re doing all the right things. You’re learning. You’re getting the foundations and fundamentals. And every aspect of that industry is going to involve learning. The learning never stops. Basically, I would have taken the pressure off of myself to know everything in the beginning so that I could add value to a space and just know that it was going to come with time.

Tazin Khan Norelius | Founder, Cyber Collective | @techwithtaz | (LinkedIn)

The advice that I would give myself when I first joined the industry would be to trust the process. I don’t necessarily know if I would give my past self any new advice because I’m thankful for the journey that led me to where I am. But trusting the process has been something that I tell everyone and myself often. You can only do what you can do. The rest is up to the process of contributions and reaping the benefit of the work that you put in. So if you trust the process and stay disciplined, great things can happen for you.

Ben Nahorney | Threat Intelligence Analyst at Cisco Security | @benn333 | (LinkedIn)

I would remind my younger self not to internalize criticism. I am a threat intelligence analyst, and also a writer. You can’t be a writer without having a thick skin. If you’re a writer, your work is going to be critiqued. Nine out of ten times it’ll be stronger for it.

This goes double for the cybersecurity industry. Conflict between attackers and defenders features heavily here, especially in the response-related corners of the field. In cybersecurity, personal feelings sometimes take a backseat to quickly responding to an issue. It has definitely changed for the better over time, but there is an above-average number of plain-spoken and direct people in this industry.

When coming from a non-computer related field, not everyone will immediately see the value of what you bring, and you’ll have to spend extra time proving your worth. Stand your ground when necessary, but pin your ears back for other ideas and perspectives. You’ll pick up some very valuable information.

So ultimately, my advice to myself would be to learn to take things in stride. That, and don’t get too attached to that hairline.

Noureen Njoroge | Cybersecurity Consulting Engineer, Cisco | @EngineerNoureen | (LinkedIn)

Looking back, I would advise myself as follows:

  1. BE PATIENT with yourself, as it takes time to grasp the vast domains of cybersecurity.
  2. EMBRACE CHANGE, as this industry is constantly evolving, and you have to constantly learn to adapt.
  3. GET A MENTOR ASAP to help answer your discrete career questions and provide you with tailored career advice.
  4. Do not rush into certifications, as they can be costly. Instead, gain some experience, and then consider which specific domain certificate you’d like to pursue, if necessary.
  5. Network with others in the industry by attending local meetups, chapters, and social media platform group gatherings.
  6. Lastly, don’t be too hard on yourself. Cybersecurity is indeed a journey, not a destination.
Fareedah Shaheed | CEO and Founder, Sekuva | @CyberFareedah | (LinkedIn)

When I first joined the industry, I wasn’t aware of all the options and diversity of paths, so I got sucked into the “you MUST be technical to be worthy of anything” world.

If I were to go back, I would tell myself to not worry about how technical I was or wasn’t. I would put more focus on knowing my strengths, interests, and hobbies. I would then spend time figuring out how I could combine them all to make a difference in someone’s life.

Not everyone gets to do that, but if you can find that combination, it can be life-changing. I eventually found it, but I would definitely tell myself to stop stressing over grades, certifications, job titles, compensation, and technical abilities because it doesn’t matter. It didn’t for my journey, at least.

I would tell myself that the impact I was called on to make in this world was bigger than any of that, and that I didn’t have to squeeze myself into a box of degrees, certs, job titles, and career paths.
Omar Santos | Principal Engineer – Product Security Incident Response Team, Cisco | @santosomar | (LinkedIn)

I would basically say to pace yourself and to understand that you’re not going to be able to learn everything overnight. Cybersecurity is very broad. You have things from ethical hacking, pen testing, digital forensics and incident response, exploit development, etc.

So yes, become familiar with all the different domains and the ones that you want to specialize in and that attract you the most. Then dive deeply into it while always recognizing that you will never be an expert in every single area in cybersecurity. Pick your niche and concentrate on it.
Sophia McCall | Junior Security Consultant | @spookphia | (LinkedIn)

The advice I always give to those new to the industry is to network. Networking is so important; had I not done it, I would not be where I am today. By attending a huge amount of conferences and events over the years, I have been able to build a network of professional connections and friends who have helped to support me along my security journey.

If I could turn back time, I definitely would have told myself to not be afraid and to start networking earlier! At first, I was scared to attend events and I didn’t start doing so until nearly the end of my first year at university.

In my opinion, it’s never too early to start networking. The earlier you start, the sooner you can grow your network and utilize it as a stepping stone to help you kick-start your career.

Jane Frankland | CEO, KnewStart | @JaneFrankland | (LinkedIn)

If I could go back to the point when I was just joining information security, which was more than 20 years ago, I would tell myself to not shy away from being visible. I would urge myself to use my voice and network. Visibility is the most important thing that a woman needs to focus on in order to advance her career.

When I talk about visibility, I mean it in a sense of using your voice so that people know about you. You need to get yourself out there. They need to be able to see and understand the work that you are doing. So it’s really important that women build their visibility.

When I came into the industry, I was building my own company. I was leading that company, so visibility to me was important from a leadership perspective. But if there was an opportunity for me to be a spokesperson for my company or to go and speak, I would always avoid it. I would push everyone else forward. Except me. I was absolutely petrified. I was very fearful of the press. I thought they would manipulate my words, which isn’t the case. (Not always, anyway.)

So that would be my advice. Get out there. Be visible. Use your voice, demonstrate your value visibly, really focus on building your network and use all of the tools around you. Nowadays, it’s a different kettle of fish. We’ve got social media and things like that. When I started my career, we didn’t have those. And there weren’t any networking groups for women in those days. That’s the advice I would give myself.

Finally, don’t worry about your age. Don’t worry about how young you look, and don’t worry about not being considered technical. For me, I had a great big hang-up about being really young. I wasn’t actually bothered about being a woman. I didn’t see that as being a disadvantage at all, but I was really concerned that I looked so young and that I wasn’t technical. So I would go back and tell myself to not worry about looking young and to not worry about not being technical. I was able to do my job and to do it really well even though I wasn’t technical in those days.
Rebecca Herold | CEO, The Privacy Professor | @PrivacyProf | (LinkedIn)

There are two pieces of advice I’d give myself from lessons I’ve learned over the years.

The first piece of advice is from a lesson that came from me being too naïve and idealistic early in my career during a time when I was building and managing an information assurance program for a large multinational corporation. The information security and privacy policies I had drafted for the corporation were approved the previous year and lauded and supported by the top executives. They applied to all employees, and they clearly indicated a range of non-compliance penalties to those who chose not to follow the requirements.

During an audit, it was discovered that one of the business unit Senior VPs regularly shared his ID/password with his staff so they could log in to the corporate network on his behalf to do their own time cards, etc. We also learned that he had been sharing his ID/password with his daughter, who used his work computer at home to go online during the early days of the internet so that she could visit chat rooms and do shopping in the few online stores that were then available.

When the audit director, who was much lower in the organization’s chart than the Senior VP, confronted him about this, he stated that he saw no reason to stop since it saved him time and made his daughter happy. I met with my manager, the Sr. VP and CIO, who reported directly to the CEO. I thought he would be outraged at the flaunting of security requirements as much as I. However, he told me that while he admired my egalitarian beliefs, he thought that it just wasn’t practical in a large corporation such as ours to have a high-performing senior executive held to the same standards as everyone else, even if they were security standards.

I did not like that one bit. That made me realize that I needed to do more to understand executive and other management views of information security and privacy.  I could then take those perspectives, and use them in effective ways to raise awareness of all levels in the organization chart about the need for strong security. That was the only way to obtain executive buy-in.

It was around that time that I realized that a one-size-fits-all training session was not going to compel those who already had great latitude in their decision-making for the actions they take to follow sound security practices. I covered this issue of customizing awareness in the two editions of my book, “Managing an Information Security and Privacy Awareness and Training Program.” Even so, I could write an entire book on just this type of situation alone.

Another piece of advice to myself would be to not wait until I feel I am confident I know and can do everything related to information security and privacy before offering ideas or being proactive with actions. Early in my career, I did not speak up with my ideas that likely would have propelled me much further and more quickly in my career if I had. No one will ever know, though.

We need to have confidence and faith in our own capabilities as well as to always approach issues logically. We also need to be aware that others who may be less knowledgeable and/or experienced than you will advance more quickly because they didn’t wait to be 100% knowledgeable or fit 100% of an advertised position within which they ultimately excelled.

Mary Aiken | Professor Forensic Cyberpsychology, University of East London | @maryCyPsy | (LinkedIn)

I don’t really agree with the “if you could go back in time and give yourself advice” post hoc-type question. It evokes the construct of regret, which arguably negatively impacts decision-making processes. At any point in time, you make a decision based on the available facts and advice, whether these are educational choices, career choices, work choices, or life choices. From my perspective, the ground rules are pretty straightforward. Were you ‘compos mentis’ (of sound mind) when you made a choice? If yes, then you should respect your decision. Regret simply serves to undermine decision making not just in the past but importantly going forward, as well.

Bottom line: don’t second guess your own judgement, that is, the ability to make considered decisions and come to a sensible conclusion. My only advice to those who seek a career in cybersecurity is to do what I did and don’t view opportunity through the myopic lens of a singular discipline. Try to adopt a transdisciplinary approach, and don’t underestimate the incredible value of the arts. In terms of decision making, Robert Frost’s “The Road Not Taken” sums it up:

Two roads diverged in a wood, and I—

 I took the one less traveled by,

And that has made all the difference.

Ken Westin | Head of Competitive Intelligence, Elastic | @kwestin | (LinkedIn)

When I was a kid, I was diagnosed with Dysgraphia, a learning disorder related to Dyslexia. This didn’t happen until rather late in my childhood. Up until that point, I believed I was “stupid and lazy,” as that is what many teachers told me. My handwritten work was illegible no matter how hard I tried. Even though I was a creative kid who loved reading and who read at a college level, I could not communicate my ideas on paper.

When I received my diagnosis, it made a huge difference. My parents bought a computer. I took typing classes. I started playing guitar (to help with motor skills). I ended up being the first in my family to graduate from college, and since then, I have built things that many people didn’t think were possible.

The impact on my self-esteem is something I carry even today. If I could go back and tell myself about my disorder, tell myself I wasn’t stupid and to get into computers sooner, I think it would help my confidence throughout all of my life.

Christine Izuakor | CEO of Cyber Pop-up | @Stineology | (LinkedIn)

The one thing that stands out for me is asking questions and being brave about asking questions. I still remember early in my career how I often found myself being the only woman in the room, the only person of color in the room and/or the youngest person in the room. And on top of that, I already had a very shy and timid personality. Bundled together with asking questions, it was a nightmare for me sometimes.

What I would do is I would take out a notepad every time I heard something I didn’t know or every time there was a concept that I couldn’t quite grasp. I’d go home and do a ton of researching and studying to figure it out. That worked for me.

Sure. I learned things. But I can’t help but reflect that had I been more intentional about asking those questions in the moment, and more open, I could have gotten that feedback and gotten those answers then and there and been able to apply that information and learn more quickly. But then the other piece to that is I was surrounded by people who had so much rich experience, so much talent and so much knowledge.

With that said, I think being able to ask those questions and really get that information and soak that in, as well as to build those relationships with the people around you is an added plus. Don’t be afraid to ask questions. No matter how “beginner level” those questions might sound in your head or how stupid you think some people might think they are, all of that doesn’t matter at the end of the day. When you get answers to those questions, that is helping you to evolve and grow into the best version of you and the best professional that you can be. That is what matters. That’s exactly what I would tell myself. And that’s exactly what I still tell myself today.

Jelena Milosevic | Registered Nurse | @_j3lena_ | (LinkedIn)

As a beginner, I didn’t know where to start, and I didn’t know what was important. The healthcare system has all kinds of security aspects to consider, and I wanted to know all of them. Over time, I realized that I can’t know everything in this field; nor do I need to. This helped me learn to take a breath, to take a look around, and have more patience with learning step-by-step instead of all at once.

There are many sources of information and free courses/training packages that we can find on the Internet for learning more about security. There are also many companies that will give you a chance to start working even if you don’t have your diploma. Reach out to them to show your initiative! The information security community is awesome. It’s full of people who will help and support you when they see that you’re moving forward with your heart and that you want to learn. If you don’t understand something, they will be there to help. Just be respectful of their time.

Earlier in life, I took a chance to find my place in the security world without losing faith and trust in myself. Thanks to some people and their trust in me, I was able to find my place. I now find what I want and do what I can to produce change for the better. So here I am, a nurse in the information security world.
Want to learn more about the beginning of these experts’ careers in cybersecurity? Download Cisco’s eBook, Diversity in Cybersecurity: Mosaic of Career Possibilities

The post Trust in Yourself and the Process: Key Guidance for Forging a Successful Cybersecurity Career appeared first on Cisco Blogs.

U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya

The U.S. DoJ announced charges against six Russian intelligence officers for their role in several major cyberattacks carried out over the past few years.

The U.S. Department of Justice announced charges against six members of Russia’s GRU military intelligence agency for their alleged role in several major cyberattacks conducted over the past years.

The defendants are Yuriy Sergeyevich Andrienko, aged 32, Sergey Vladimirovich Detistov, 35, Pavel Valeryevich Frolov, 28, Anatoliy Sergeyevich Kovalev, 29, Artem Valeryevich Ochichenko, 27, and Petr Nikolayevich Pliskin, 32.

The six Russian intelligence officers are believed to be members of the Russia-linked Sandworm APT group (aka Telebots, Iron Viking and Voodoo Bear).

According to the indictment, the GRU officers were involved in attacks on Ukraine, including the attacks aimed at the country’s power grid in 2015 and 2016 that employed the BlackEnergy and Industroyer malware.

US DoJ charged the men with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.

Government experts linked the Russian APT group to major attacks, including NotPetya, a hacking operation targeting elections in France in 2017, the attack against PyeongChang Winter Olympics that involved the Olympic Destroyer malware, as well as a series of attacks on Georgian companies and government organizations.

“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.” reads the press release published by the DoJ. “The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.”

From November 2015 until at least October 2019, the defendants and their co-conspirators were involved in the development and deployment of destructive malware and took part in disruptive hacking campaigns.

Below is the list of overt acts attributed to each defendant in the indictment:

Defendant: Yuriy Sergeyevich Andrienko
  - Developed components of the NotPetya and Olympic Destroyer malware.

Defendant: Sergey Vladimirovich Detistov
  - Developed components of the NotPetya malware; and
  - Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games.

Defendant: Pavel Valeryevich Frolov
  - Developed components of the KillDisk and NotPetya malware.

Defendant: Anatoliy Sergeyevich Kovalev
  - Developed spearphishing techniques and messages used to target: En Marche! officials; employees of the DSTL; members of the IOC and Olympic athletes; and employees of a Georgian media entity.

Defendant: Artem Valeryevich Ochichenko
  - Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and
  - Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.

Defendant: Petr Nikolayevich Pliskin
  - Developed components of the NotPetya and Olympic Destroyer malware.

The FBI added the defendants to the Cyber’s Most Wanted list.

“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI Deputy Director David Bowdich.  “But this indictment also highlights the FBI’s capabilities.  We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.  As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”

“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said Scott Brady, U.S. Attorney for the Western District of Pennsylvania. “The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”

GRU intelligence officers charged

Pierluigi Paganini

(SecurityAffairs – hacking, intelligence)

The post U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya appeared first on Security Affairs.

Microsoft released out-of-band Windows fixes for 2 RCE issues

Microsoft released two out-of-band security updates to address remote code execution (RCE) bugs in the Microsoft Windows Codecs Library and Visual Studio Code.

Microsoft has released two out-of-band security updates to address two remote code execution (RCE) vulnerabilities that affect the Microsoft Windows Codecs Library and Visual Studio Code.

The two vulnerabilities, tracked as CVE-2020-17022 and CVE-2020-17023, have been rated as important severity.

The CVE-2020-17022 is a remote code execution vulnerability that exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker can exploit the vulnerability to execute arbitrary code.

“Exploitation of the vulnerability requires that a program process a specially crafted image file.” reads the advisory. “The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.”

The CVE-2020-17022 vulnerability affects all devices running Windows 10, version 1709 or later, that have a vulnerable version of the library installed.

Microsoft noted that Windows 10 devices are not affected in their default configuration and that “only customers who have installed the optional HEVC or ‘HEVC from Device Manufacturer’ media codecs from Microsoft Store may be vulnerable.”

The CVE-2020-17022 flaw was reported to Microsoft by Dhanesh Kizhakkinan from FireEye.

The CVE-2020-17023 vulnerability is a remote code execution vulnerability in Visual Studio Code. An attacker can trigger the flaw by tricking a user into opening a malicious ‘package.json’ file and can then run arbitrary code in the context of the current user.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory.

“To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file. The update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.”

The CVE-2020-17023 vulnerability was reported by Justin Steven.

The IT giant did not provide any mitigating measures or workarounds for the two vulnerabilities.

According to Microsoft, neither vulnerability is being exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Windows)

The post Microsoft released out-of-band Windows fixes for 2 RCE issues appeared first on Security Affairs.

TikTok launched a public bug bounty program

Chinese video-sharing social networking service TikTok announced this week the launch of a public bug bounty program in collaboration with HackerOne.

The popular Chinese video-sharing social networking service TikTok has launched this week a public bug bounty program through the HackerOne platform.

White hat hackers are invited to report security flaws in TikTok websites, including several subdomains, and both Android and iOS apps.

The company is offering between $1,700 and $6,900 for high-severity flaws; the payout for a critical issue can go up to $14,800.

“We encourage security researchers to focus their efforts on finding security vulnerabilities demonstrating meaningful impact. Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard).” reads the program description.

The idea to reward white hat hackers for reporting security flaws is not new for the Chinese firm that claimed to have already paid out more than $40,000 through its bug bounty program.

The company has had a Vulnerability Reporting Policy and follows a Coordinated Disclosure Policy with a waiting period of 90 days from submission.

“This partnership will help us to gain insight from the world’s top security researchers, academic scholars and independent experts to better uncover potential threats and make our security defenses even stronger,” said Luna Wu of TikTok’s Global Security Team.

Source: Messagero

President Trump is trying to ban TikTok in the United States due to security and privacy concerns. TikTok has denied any accusation of sharing data with the Beijing government. TikTok confirmed that all US user data is stored in the US, with a backup in Singapore.

TikTok challenged the decision in a US court and the judge blocked the President’s request to ban the Chinese company in the country.

The US Government is pressuring TikTok’s parent firm ByteDance to sell its U.S. operations to an American company.

Pierluigi Paganini

(SecurityAffairs – hacking, TikTok)

The post TikTok launched a public bug bounty program appeared first on Security Affairs.

UK NCSC recommends organizations to fix CVE-2020-16952 SharePoint RCE flaw asap

The U.K. National Cyber Security Centre (NCSC) issued an alert to urge organizations to patch CVE-2020-16952 RCE vulnerability in MS SharePoint Server.

The U.K. National Cyber Security Centre (NCSC) issued an alert to warn of the risks of the exploitation for the CVE-2020-16952 remote code execution (RCE) vulnerability in Microsoft SharePoint Server and urges organizations to address the flaw.

Attackers could exploit this vulnerability to run arbitrary code and execute operations in the context of the local administrator on vulnerable SharePoint servers.

The issue is caused by improper validation of user-supplied data and can be exploited when a user uploads a specially crafted SharePoint application package to a vulnerable version of SharePoint.

The vulnerability affects Microsoft SharePoint Foundation 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, and Microsoft SharePoint Server 2019, while SharePoint Online as part of Office 365 is not impacted.

“The NCSC strongly advises that organizations refer to the Microsoft guidance referenced in this alert and ensure the necessary updates are installed in affected SharePoint products,” reads the alert. “The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of this SharePoint vulnerability, it is important to install the latest updates as soon as practicable.”

The server-side include (SSI) vulnerability CVE-2020-16952 was reported by the researcher Steven Seeley from Qihoo 360 Vulcan Team, who also provided a proof-of-concept exploit for the RCE flaw.

An exploit module for the open-source Metasploit penetration testing framework is also available; it works against SharePoint 2019 on Windows Server 2016.

Security experts recommend applying the October 2020 SharePoint security updates ([1],[2],[3]).

Experts pointed out that SharePoint servers are widely used in enterprise environments, which makes vulnerabilities of this kind particularly dangerous.

The UK NCSC confirms that both CVE-2020-16952 and CVE-2015-1641 flaws are included in the list of most exploited vulnerabilities since 2016 published in a joint advisory by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-16952)

The post UK NCSC recommends organizations to fix CVE-2020-16952 SharePoint RCE flaw asap appeared first on Security Affairs.

Stop playing whack-a-mole and put threats to rest with Cisco Stealthwatch Cloud

I was recently able to grab some time with a Cisco customer to hear about their experience with Cisco Stealthwatch Cloud, a SaaS-based Network Detection and Response (NDR) solution. Aspire Technology Partners, a Managed Security Service Provider, explained their use of the product for one of its customers that was in a dangerous situation involving some slippery malware floating around in the network. As I worked on this case study, I couldn’t help but think of one thing in particular…The North Carolina State Fair.

I am a relatively new North Carolina resident. Prior to working from home, I was no stranger to the commute up I-40 to building 9 of Cisco’s RTP campus. As I found my way around my new home state, I kept hearing that the NC State Fair is a rite of passage for new residents. I decided to check it out. What an experience that was. I got to see a monster truck show, a lot of farm animals and the world’s largest pumpkin. I also ate more fried food on a stick than my heart could handle. We also got to play whack-a-mole, a game that requires you to smash each mole as they poke their heads out of the machine with a mallet. As you progress, you earn points for each successful ‘whack’. Unfortunately, you can never really win since they never stop popping up.

Without an NDR tool like Stealthwatch Cloud in place, the modern Security Operations Center (SOC) is effectively doing the same thing. Their endpoint and perimeter solutions, while critical to network safety, are playing whack-a-mole: stomping on malware and isolating devices as they become infected while still knowing that the network is still at risk. Without east-west monitoring and visibility into encrypted traffic, businesses are susceptible to subsequent attacks once malware has established a foothold on the network. If your security team can’t identify how threats are accessing the network, malware could stay hidden for months…or even years.

Aspire Technology Partners was working with a customer who deployed an Incident Response (IR) team to contain a threat, believed to be ransomware, that was surfacing all over their network. The Aspire SOC team decided to deploy Stealthwatch Cloud to track the malware through east-west traffic monitoring. Here are a few reasons why Stealthwatch Cloud was critical to not only detecting the threat, but also stopping it dead in its tracks:

Stealthwatch Cloud deploys almost instantly       

The Aspire SOC team deployed Stealthwatch Cloud on the customer’s private network in just 2 hours. This allowed the team to immediately start digging through east-west flows to hunt down the threat.

Stealthwatch Cloud detects threats behaviorally     

Stealthwatch Cloud uses the network itself as a sensor, and offers both automated threat detection and the ability to search manually for threats. The team needed to identify the foothold of the attacker, and with comprehensive visibility provided by Stealthwatch Cloud, was able to discover that the malware found its way into the network via a vulnerable 3rd party device. No endpoint or agent-based solution could have figured this out.

Built-in remediation methods enable quick response to threats       

Stealthwatch Cloud offers a wealth of integrations with 3rd party and Cisco solutions that allow users to go one step further and communicate across their organization, pivot into other tools to carry on an investigation and much more. Alerts come alongside their supporting observations that contain bits of context that users can leverage as they continue to investigate. A simple firewall rule blocked out this malware for good.

So, stop playing whack-a-mole, unless you’re at the fair. Even with proper agent-based and perimeter protection, your network may still be at risk. You can fill that gap and gain comprehensive visibility on-prem or in the cloud with Stealthwatch Cloud.

To learn more, read the full Aspire Technology Partners Case Study.

Be sure to check out the Stealthwatch Cloud webpage and sign up for a free 60-day trial today.

The post Stop playing whack-a-mole and put threats to rest with Cisco Stealthwatch Cloud appeared first on Cisco Blogs.

Juniper fixes tens of flaws affecting the Junos OS

Juniper Networks has addressed tens of vulnerabilities, including serious flaws that can be exploited to take over vulnerable systems.

Juniper Networks has addressed tens of vulnerabilities, including serious issues that can be exploited to take control of vulnerable systems.

The vendor has published 40 security advisories covering vulnerabilities in the Junos OS operating system, which runs on Juniper’s firewalls and other network devices, as well as in third-party components shipped with it.

The vendor addressed multiple critical flaws in the Juniper Networks Mist Cloud UI. The vulnerabilities affect Security Assertion Markup Language (SAML) authentication and could be exploited by a remote attacker to bypass it.

“Juniper Networks Mist Cloud UI, when SAML authentication is enabled, may incorrectly handle SAML responses, allowing a remote attacker to bypass SAML authentication security controls.” reads the security advisory published by Juniper.

“If SAML authentication is not enabled, the product is not affected. These vulnerabilities can be exploited alone or in combination. The CVSS score below represents the worst case chaining of these vulnerabilities.”

Multiple vulnerabilities in Juniper Networks Junos OS have been fixed by updating third party software included with Junos OS devices.

Juniper also fixed a critical remote code execution vulnerability in the telnetd Telnet server, tracked as CVE-2020-10188.

“A vulnerability in the telnetd Telnet server allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.” reads the advisory.

“This issue only affects systems with inbound Telnet service enabled. SSH service is unaffected by this vulnerability.”

The company also addressed high-severity denial-of-service (DoS) and arbitrary code execution issues.

The good news is that Juniper is not aware of attacks in the wild exploiting the vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urges organizations to apply the security updates released by the vendor.

“Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the alert issued by CISA.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.”

Pierluigi Paganini

(SecurityAffairs – hacking, Junos)

The post Juniper fixes tens of flaws affecting the Junos OS appeared first on Security Affairs.

This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals are passing the time during the COVID-19 pandemic with online poker games, where the prizes include stolen data. Also, read about how VirusTotal now supports Trend Micro ELF Hash (aka telfhash).


Read on:

Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles

Cybercriminals have put their own spin on passing time during the COVID-19 lockdown with online rap battles, poker tournaments, poem contests, and in-person sport tournaments. The twist is that the prize for winning these competitions is sometimes stolen data and tools to make cybercrime easier, according to new research from Trend Micro.

Becoming an Advocate for Gender Diversity: Five Steps that Could Shape Your Journey

Sanjay Mehta, senior vice president at Trend Micro, was recently named a new board member at Girls In Tech—a noted non-profit and Trend Micro partner working tirelessly to enhance the engagement, education, and empowerment of women in technology. In this blog, Sanjay shares five steps that you can use to become an ally for diversity in the workplace.

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

In this month’s Patch Tuesday update, Microsoft pushed out fixes for 87 security vulnerabilities – 11 of them critical – and one of those is potentially wormable. There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

VirusTotal Now Supports Trend Micro ELF Hash

To help IoT and Linux malware researchers investigate attacks containing Executable and Linkable Format (ELF) files, Trend Micro created telfhash, an open-source clustering algorithm that helps cluster Linux IoT malware samples. VirusTotal has always been a valuable tool for threat research and now, with telfhash, users of the VirusTotal Intelligence platform can pivot from one ELF file to others.

New Emotet Attacks Use Fake Windows Update Lures

File attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button. According to the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.

Metasploit Shellcodes Attack Exposed Docker APIs

Trend Micro recently observed an interesting payload deployment using the Metasploit Framework (MSF) against exposed Docker APIs. The attack involves the deployment of Metasploit’s shellcode as a payload, and researchers said this is the first attack they’ve seen using MSF against Docker. It also uses a small, vulnerability-free base image in order for the attack to proceed in a fast and stealthy manner.
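The exposed-API vector in that entry is worth checking on your own hosts. What follows is an added example, not code from the Trend Micro report: a POSIX shell audit that flags a dockerd configured to serve the Engine API over plain TCP without TLS client authentication, using the documented daemon.json keys ("hosts", "tlsverify"), plus a check of live listener output for the case where the TCP endpoint comes from a -H flag in the service unit rather than from daemon.json. The daemon.json and ss samples are constructed for the demonstration; 2375 (plain) and 2376 (TLS) are Docker's conventional API ports.

```shell
#!/bin/sh
# Added example: audit a Docker host for an Engine API reachable over
# plain TCP with no TLS client authentication (the exposure attacked above).
# The two daemon.json samples and the ss output below are CONSTRUCTED.

# Constructed sample: dangerous daemon.json (API on all interfaces, no TLS).
UNSAFE_DAEMON_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}'

# Constructed sample: hardened daemon.json (TCP only with TLS client auth).
SAFE_DAEMON_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'

# docker_api_exposure CONFIG_TEXT
# Classifies a daemon.json body as one of:
#   not-exposed      no tcp:// entry in "hosts"
#   tcp-with-tls     tcp:// present and "tlsverify": true
#   tcp-without-tls  tcp:// present, no TLS client authentication
# Returns 0 unless a plaintext TCP listener is configured.
docker_api_exposure() {
    config="$1"
    # Any "hosts" entry using the tcp:// scheme opens the API to the network.
    if ! printf '%s\n' "$config" | grep -q 'tcp://'; then
        echo "not-exposed"
        return 0
    fi
    # Client certificates are only enforced when tlsverify is true;
    # "tls": true alone encrypts the channel but does not authenticate clients.
    if printf '%s\n' "$config" | grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true'; then
        echo "tcp-with-tls"
        return 0
    fi
    echo "tcp-without-tls"
    return 1
}

# Constructed sample of `ss -H -ltnp` output on a host whose dockerd listens on TCP.
SS_SAMPLE='LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))'

# dockerd_tcp_listeners SS_OUTPUT
# Prints the local address:port of every TCP socket owned by dockerd
# (empty output means the API is reachable only through the unix socket).
# Field 4 of `ss -ltnp` is "Local Address:Port".
dockerd_tcp_listeners() {
    printf '%s\n' "$1" | awk '/"dockerd"/ { print $4 }'
}

# Usage on a live host (commented out so the sample runs offline):
#   docker_api_exposure "$(cat /etc/docker/daemon.json)"
#   dockerd_tcp_listeners "$(ss -H -ltnp)"
printf 'sample unsafe config: %s\n' "$(docker_api_exposure "$UNSAFE_DAEMON_JSON")"
printf 'sample safe config:   %s\n' "$(docker_api_exposure "$SAFE_DAEMON_JSON")"
printf 'dockerd TCP listeners: %s\n' "$(dockerd_tcp_listeners "$SS_SAMPLE")"
```

daemon.json is only half the picture: dockerd also accepts -H on its command line, typically in the systemd unit, so the listener check against live ss output is the authoritative one. A dockerd socket on 0.0.0.0:2375 with no tlsverify is reachable by exactly the scan-and-deploy pattern described in the entry above, and any client that can talk to it can start a privileged container on the host.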

Barnes & Noble Warns Customers It Has Been Hacked, Customer Data May Have Been Accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday, October 10th.

ContentProvider Path Traversal Flaw on ESC App Reveals Info

Trend Micro researchers found ContentProvider path traversal vulnerabilities in three apps on the Google Play store, one of which had more than 5 million installs. The three applications include a keyboard customization app, a shopping app from a popular department store, and the app for the European Society of Cardiology (ESC). Fortunately, the keyboard and department store apps have both been patched by developers. However, as of writing this blog, the ESC app is still active.

Carnival Corp. Ransomware Attack Affects Three Cruise Lines

Hackers accessed personal information of guests, employees and crew of three cruise line brands and the casino operations of Carnival Corp. in a ransomware attack the company suffered on Aug. 15, officials have confirmed. Carnival Cruise Line, Holland America Line and Seabourn were the brands affected by the attack, which Carnival said they’re still investigating in an update on the situation this week.

Docker Content Trust: What It Is and How It Secures Container Images

Docker Content Trust allows users to deploy images to a cluster or swarm confidently and verify that they are the images you expect them to be. In this blog from Trend Micro, learn how Docker Content Trust works, how to enable it, steps that can be taken to automate trust validation in the continuous integration and continuous deployment (CI/CD) pipeline and limitations of the system.

Twitter Hackers Posed as IT Workers to Trick Employees, NY Probe Finds

A simple phone scam was the key first step in the Twitter hack that took over dozens of high-profile accounts this summer, New York regulators say. The hackers responsible for the July 15 attack called Twitter employees posing as company IT workers and tricked them into giving up their login credentials for the social network’s internal tools, the state’s Department of Financial Services said.

What is a DDoS Attack? Everything You Need to Know About Distributed Denial-of-Service Attacks and How to Protect Against Them

A distributed denial-of-service (DDoS) attack sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all. DDoS attacks are one of the crudest forms of cyberattacks, but they’re also one of the most powerful and can be difficult to stop.

Cyberattack on London Council Still Having ‘Significant Impact’

Hackney Council in London has said that a cyberattack earlier this week is continuing to have a “significant impact” on its services. Earlier this week, the north London council said it had been the target of a serious cyberattack, which was affecting many of its services and IT systems.


Surprised by the new Emotet attack? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Adobe fixes Magento flaws that can lead to code execution

Adobe released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Adobe has released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Eight of the vulnerabilities are rated either critical or important; only one is rated moderate severity. The critical flaws are tracked as CVE-2020-24407 and CVE-2020-24400.

Below the list of affected versions:

Product                Affected versions        Platform
Magento Commerce       2.3.5-p1 and earlier     All
Magento Commerce       2.4.0 and earlier        All
Magento Open Source    2.3.5-p1 and earlier     All
Magento Open Source    2.4.0 and earlier        All

One of the critical flaws addressed by Adobe is a file upload allow-list bypass. The other is a SQL injection issue that can lead to arbitrary code execution or arbitrary read/write access to the database. Both issues require the attacker to have already obtained admin privileges.

Adobe has also addressed a vulnerability, tracked as CVE-2020-24402, that can allow attackers to manipulate and modify customer lists. 

Other flaws fixed by Adobe include a stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), and a security vulnerability that allows Magento CMS pages to be modified without permission (CVE-2020-24404). The company also addressed two restricted resource access bugs, tracked as CVE-2020-24405 and CVE-2020-24403 respectively, and unintended disclosure of a document root path that could lead to sensitive information disclosure (CVE-2020-24406).

This week, Adobe has also released a security update to address a critical remote code execution flaw in Adobe Flash Player (CVE-2020-9746) that could be exploited by threat actors by tricking the victims into visiting a website.

Attackers could exploit this flaw by simply inserting malicious strings in HTTP responses while unaware users visit a website.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

The post Adobe fixes Magento flaws that can lead to code execution appeared first on Security Affairs.

Announcing the Zero Trust Deployment Center

Organizations have been digitally transforming at warp speed in response to the way businesses operate and how people work. As a result, digital security teams have been under immense pressure to ensure their environments are resilient and secure. Many have turned to a Zero Trust security model to simplify the security challenges from this transformation and the shift to remote work.

Over the past year, we have been hard at work helping customers navigate these challenges by listening to their difficulties, sharing our own learnings, and building controls, tools, and practices that enable the implementation of Zero Trust. However, one of the things we hear most consistently is the need for additional deployment support.

We are excited to announce the launch of the Zero Trust Deployment Center, a repository of information to help organizations improve their Zero Trust readiness, along with specific guidance on implementing Zero Trust principles across identities, endpoints, data, applications, networks, and infrastructure. The Zero Trust Deployment Center breaks down deployment guidance into plain-language objectives across each of the technology pillars, providing an actionable list of steps needed to implement Zero Trust principles in your environment.

This repository is the perfect place to start planning and deploying your Zero Trust strategy.

A screenshot of the Zero Trust Deployment Center web page

Figure 1:  Zero Trust Deployment Center web page.

If you are already well underway in your journey, these objectives will provide a great framework to help measure your progress and ensure you are meeting critical milestones. If you’re interested in measuring your Zero Trust maturity, we’ve also created a Zero Trust assessment tool to help measure your current maturity and identify possible next milestones and priorities along with technologies.

Learn more about Zero Trust and Microsoft Security. Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Announcing the Zero Trust Deployment Center appeared first on Microsoft Security.

Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions

It’s hard to keep pace with all the changes happening in the world of cybersecurity. Security experts and leaders must continue learning (and unlearning) to stay ahead of the ever-evolving threat landscape. In fact, many of us are in this field because of our desire to continuously challenge ourselves and serve the greater good.

So many of the advancements in security are now utilizing this amorphous, at times controversial, and complex term called “artificial intelligence” (AI). Neural networks, clustering, fuzzy logic, heuristics, deep learning, random forests, adversarial machine learning (ML), unsupervised learning. These are just a few of the concepts that are being actively researched and utilized in security today.

But what do these techniques do? How do they work? What are the benefits? As security professionals, we know you have these questions, and so we decided to create Security Unlocked, a new podcast launching today, to help unlock (we promise not to overuse this pun) insights into these new technologies and the people creating them.

In each episode, hosts Nic Fillingham and Natalia Godyla take a closer look at the latest in threat intelligence, security research, and data science. Our expert guests share insights into how modern security technologies are being built, how threats are evolving, and how machine learning and artificial intelligence are being used to secure the world.

Each episode will also feature an interview with one of the many experts working in Microsoft Security. Guests will share their unique path to Microsoft and the infosec field, what they love about their calling and their predictions about the future of ML and AI.

New episodes of Security Unlocked will be released twice a month with the first three episodes available today on all major podcast platforms. We will talk about specific topics in future blogs and provide links to podcasts to get more in-depth.

Episode 1: Going ‘deep’ to identify attacks, and Holly Stewart

Listen here.

Guests: Arie Agranonik and Holly Stewart

Blog referenced: Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection

In this episode, Nic and Natalia invited Arie Agranonik, Senior Data Scientist at Microsoft, to better understand how we’re using deep learning models to look at behavioral signals and identify malicious process trees. In their chat, Arie explains the differences and use cases for techniques such as deep learning, neural networks, and transfer learning.

Nic and Natalia also speak with Holly Stewart, Principal Research Manager at Microsoft, to learn how, and when, to use machine learning, best practices for building an awesome security research team, and the power of diversity in security.

Episode 2: Unmasking threats with AMSI and ML, and Dr. Josh Neil

Listen here.

Guests: Ankit Garg, Geoff McDonald, and Dr. Josh Neil

Blog referenced: Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning

In this episode, members of the Microsoft Defender ATP Research team chat about how the Antimalware Scan Interface (AMSI) and machine learning are stopping Active Directory attacks.

They’re also joined by Josh Neil, Principal Data Science Manager at Microsoft, as he discusses his path from music to mathematics, one definition of “artificial intelligence,” and the importance of combining multiple weak signals to gain a comprehensive view of an attack.

Episode 3: Behavior-based protection for the under-secured, and Dr. Karen Lavi

Listen here.

Guests: Hardik Suri and Dr. Karen Lavi

Blog referenced: Defending Exchange servers under attack

In this episode, Nic and Natalia chat with Hardik Suri on the importance of keeping servers up-to-date and how behavior-based monitoring is helping protect under-secured Exchange servers.

Dr. Karen Lavi, Senior Data Scientist Lead at Microsoft, joins the discussion to talk about commonalities between neuroscience and cybersecurity, her unique path to Microsoft (Teaser: She started in the Israeli Defense Force and later got her PhD in neuroscience), and her predictions on the future of AI.

Please join us monthly on the Microsoft Security Blog for new episodes. If you have feedback on how we can improve the podcast or suggestions for topics to cover in future episodes, please email us at, or talk to us on our @MSFTSecurity Twitter handle.

And don’t forget to subscribe to Security Unlocked.

The post Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions appeared first on Microsoft Security.

Openness and support: Discussions on why diverse representation in cybersecurity matters

Security Stories Podcast

I can honestly say that the two discussions featured in the latest episode of the Security Stories podcast have inspired and motivated me more than anything else has recently.

I really hope that as many people as possible get to listen to this episode. And I’m definitely not just saying that for my podcast stats 🙂

Diversity in cybersecurity discussion

Firstly, I caught up with my co-host Noureen Njoroge, as well as Leticia Gamill, Cisco’s Channel leader for Canada and Latin America, and Matt Watchinski, Vice President of Cisco Talos.

Together, we discuss a crucial topic in cybersecurity: the significance of diverse representation, and what that can do for the industry.

Leticia oversees team members based across seven countries, and is a passionate supporter of diversity in cybersecurity. Last year she created a non-profit called LATAM Women in Cybersecurity to encourage more women in Florida and Latin America to enter the field.

As the leader of Talos, the largest commercial threat intelligence group in the world, Matt oversees all the intelligence activities necessary to support our security products and services that keep customers safe.

Matt is a huge ally for diversity in cybersecurity. Within Talos, he has created a culture and a hiring policy that ensures voices from multiple backgrounds can be heard.

And of course most regular Security Stories listeners already know my co-host Noureen, but just in case this is your first time listening, Noureen is a threat intelligence customer engineer. She’s the founder of Cisco’s global cybersecurity mentoring forum, running mentoring events twice a month.

She’s also the founder of the Mentors and Mentees women in Cybersecurity group on LinkedIn and the president of North Carolina Women in Cybersecurity (WiCyS) Affiliate chapter.

Noureen is listed among the Top 30 Most Admired Minority Professionals in Cybersecurity by SeQure World Magazine, and was recently crowned winner of the Cybersecurity Woman of the Year 2020 award.

Together, we talk about what leaders can be doing to ensure they’re hiring from a diverse pool of talent, and where they can hire people beyond the usual recruitment channels. We also discuss how organizations can build a culture of mentoring so that members of diverse teams feel valued and retention levels stay strong.

Meeting Mike Hanley

Our CISO story for this episode is Cisco’s new Chief Information Security Officer, Mike Hanley.

Mike steps into the role of CISO for Cisco after spending five years with Cisco Duo. He originally joined to run Duo Labs, and was soon asked by Dug Song to be Vice President of Security and to build and nurture the team around him.

During our chat, Mike talks about what the past few months have been like after stepping into the role of CISO for Cisco in the middle of a global pandemic.

A very revealing note for me: I don’t think there was an answer that Mike gave where he didn’t refer to his team. People are clearly the most important aspect of his role, and in this interview you can see exactly why.

In fact, here’s a comment Mike shared that particularly struck a chord with me:

“I’m constantly in awe of the innovative ideas that the people in my team come up with to solve problems. I have middle-school teachers, designers, engineers, and many more fields of expertise in my team – and every single one of them has brought something really unique and significant.”

From the importance of hiring diverse talent, to building a culture of appreciation, openness and fun (he used the word fun six times in the first few minutes – I was keeping count!), Mike’s interview is a fascinating listen for anyone leading a team today.

Episode time stamps

00:00 Intro
02:27 Discussion on diversity in cybersecurity
46:49 Mike Hanley interview
1h 26: Closing remarks

Play the episode

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

The post Openness and support: Discussions on why diverse representation in cybersecurity matters appeared first on Cisco Blogs.

Becoming resilient by understanding cybersecurity risks: Part 1

All risks have to be viewed through the lens of the business or organization. While information on cybersecurity risks is plentiful, you can’t prioritize or manage any risk until the impact (and likelihood) to your organization is understood and quantified.

This rule of thumb on who should be accountable for risk helps illustrate this relationship:

The person who owns (and accepts) the risk is the one who will stand in front of the news cameras and explain to the world why the worst case scenario happened.

This is the first in a series of blogs exploring how to manage challenges associated with keeping an organization resilient against cyberattacks and data breaches. This series will examine both the business and security perspectives and then look at the powerful trends shaping the future.

This blog series is unabashedly trying to help you build a stronger bridge between cybersecurity and your organizational leadership.

A visualization of how to manage organizational risk through leadership

Organizations face two major trends driving both opportunity and risk:

  • Digital disruption: We are living through the fourth industrial revolution, characterized by the fusion of the physical, biological, and digital worlds. This is having a profound impact on all of us as much as the use of steam and electricity changed the lives of farmers and factory owners during early industrialization.
    Tech-disruptors like Netflix and Uber are obvious examples of using the digital revolution to disrupt existing industries, which spurred many industries to adopt digital innovation strategies of their own to stay relevant. Most organizations are rethinking their products, customer engagement, and business processes to stay current with a changing market.
  • Cybersecurity: Organizations face a constant threat to revenue and reputation from organized crime, rogue nations, and freelance attackers who all have their eyes on your organization’s technology and data, which is being compounded by an evolving set of insider risks.

Organizations that understand and manage risk without constraining their digital transformation will gain a competitive edge over their industry peers.

Cybersecurity is both old and new

As your organization pulls cybersecurity into your existing risk framework and portfolio, it is critical to keep in mind that:

  • Cybersecurity is still relatively new: Unlike responding to natural disasters or economic downturns with decades of historical data and analysis, cybersecurity is an emerging and rapidly evolving discipline. Our understanding of the risks and how to manage them must evolve with every innovation in technology and every shift in attacker techniques.
  • Cybersecurity is about human conflict: While managing cyber threats may be relatively new, human conflict has been around as long as there have been humans. Much can be learned by adapting existing knowledge on war, crime, economics, psychology, and sociology. Cybersecurity is also tied to the global economic, social, and political environments and can’t be separated from those.
  • Cybersecurity evolves fast (and has no boundaries): Once a technology infrastructure is in place, there are few limits on the velocity of scaling an idea or software into a global presence (whether helpful or malicious), mirroring the history of rail and road infrastructures. While infrastructure enables commerce and productivity, it also enables criminal or malicious elements to leverage the same scale and speed in their actions. These bad actors don’t face the many constraints of legitimate usage, including regulations, legality, or morality, in the pursuit of their illicit goals. These low barriers to entry on the internet help to increase the volume, speed, and sophistication of cyberattack techniques soon after they are conceived and proven. This puts us in the position of continuously playing catch-up to their latest ideas.
  • Cybersecurity requires asset maintenance: The most important and overlooked aspect of cybersecurity is the need to invest in ‘hygiene’ tasks to ensure consistent application of critically important practices.
    One aspect that surprises many people is that software ‘ages’ differently than other assets and equipment, silently accumulating security issues with time. Like a brittle metal, these silent issues suddenly become massive failures when attackers find them. This makes it critical for business leadership to proactively support ongoing technology maintenance, even when there have been no visible signs of failure.

Stay pragmatic

In an interconnected world, a certain amount of playing catch-up is inevitable, but we should minimize the impact and probabilities of business impact events with a proactive stance.

Organizations should build and adapt their risk and resilience strategy, including:

  1. Keeping threats in perspective: Ensuring stakeholders are thinking holistically in the context of business priorities, realistic threat scenarios, and reasonable evaluation of potential impact.
  2. Building trust and relationships: We’ve learned that the most important cybersecurity approach for organizations is to think and act symbiotically—working in unison with a shared vision and goal.
    Like any other critical resource, trust and relationships can be strained in a crisis. It’s critical to invest in building strong and collaborative relationships between security and business stakeholders who have to make difficult decisions in a complex environment with incomplete information that is continuously changing.
  3. Modernizing security to protect business operations wherever they are: This approach is often referred to as Zero Trust and helps security enable the business, particularly digital transformation initiatives (including remote work during COVID-19) versus the traditional role as an inflexible quality function.

One organization, one vision

As organizations become digital, they effectively become technology companies and inherit both the natural advantages (customer engagement, rapid scale) and difficulties (maintenance and patching, cyberattack). We must accept this and learn to manage this risk as a team, sharing the challenges and adapting to the continuous evolution.

In the coming blogs, we will explore these topics from the perspective of business leaders and from cybersecurity leaders, sharing lessons learned on framing, prioritizing, and managing risk to stay resilient against cyberattacks.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 1 appeared first on Microsoft Security.

Lemon Duck brings cryptocurrency miners back into the spotlight

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread. This threat, known as “Lemon Duck,” has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits, including the infamous Eternal Blue and SMBGhost threats that affect Windows 10 machines. Some variants also support RDP brute-forcing. In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, which help the botnet increase the number of systems participating in its mining pool.


The post Lemon Duck brings cryptocurrency miners back into the spotlight appeared first on Cisco Blogs.

Technology as a Security Springboard: How These Experts Pivoted to Cybersecurity

Last week I highlighted some of the brilliant stories which are covered in our new eBook, “Diversity in cybersecurity: A Mosaic of Career Possibilities”.

For this blog, we meet some new folks, and uncover how they got their unique starts in the industry.

What’s interesting about these stories in particular, is that most people started in a general field of technology. But something happened during that time to persuade them to go into cybersecurity.

Katie Moussouris | CEO of Luta Security | @k8em0 | (LinkedIn) 

There wasn’t a defining moment for me because cybersecurity as an industry wasn’t really called an industry yet. I became a hacker at an early age, but back then, we were just focusing on computer security, which was an offshoot of computer science.

I think a lot of people who have been in cybersecurity for as long as I have—over 20 years professionally—have a very meandering path that led them down this career rabbit hole.

For myself, I was a molecular biologist, and I was working on the human genome project at MIT. I decided molecular biology wasn’t for me, but I wasn’t quite sure what I wanted to do.

So I took a detour, which I thought was temporary, into the systems administrators group at the genome center at MIT. I helped them build those systems out, and then, I took another systems administration job at MIT in the Department of Aeronautics and Astronautics. There, I took care of the network that helped launch some Mars rovers. This was the late 90s we’re talking about here.

From there, defending the systems that I was in charge of led me back into the nascent security fold.

Sophia McCall | Junior Security Consultant | @spookphia | (LinkedIn) 

I was interested in computers from a young age. IT was always my favorite subject; I always wanted to pursue something in technology as a career. I remember when I was about 14 or 15, I completed the IT material so quickly in class that the teachers ended up having to write up separate extra exercises just for me every week!

After school, when I was about 16, I progressed to college to complete a BTEC Level 3 Extended Diploma in Software Development. Over two years, I learned to build and program everything you could think of: websites, games, mobile applications, scripts, and more. On this diploma course, we had a networking module that focused on security.

It was at this point when I definitely heard my “calling.” After nearly two years of building things, I discovered that breaking them was much more fun!

Following this “Eureka” moment, I applied to study a BSc (Hons) in Cyber Security Management at university.

Four years later, including a year’s placement in industry and a huge amount of community involvement, I completed my degree with First Class Honors. I’m now about to commence my first role in the industry as a Junior Security Consultant of penetration testing. 

Ken Westin | Head of Competitive Intelligence, Elastic | @kwestin | (LinkedIn) 

I was working as the Webmaster and Linux Administrator for a company whose endpoint security product blocked USB flash drives from connecting to systems. At that time, my only exposure to security was on the defensive side.

I was curious about how the USB malware we were trying to block worked and how it got into forums where some of these tools were being traded. I therefore started experimenting with them and set out to build several Proofs of Concept (POCs) that would steal data from systems, phone data home to a server, etc.

I went down a lot of rabbit holes in my research, and I even built a website called that provided samples of the USB malware to help educate network admins. (This was also the first time the FBI reached out to me.)

Around this time, one of my co-workers had his car broken into and his laptop bag stolen. We joked about what would have happened if a thief had stolen my bag and plugged in one of my weaponized flash drives into a computer.  

After the conversation, I started building tools based on my USB malware that were designed to protect devices and data if they were stolen. 

Richard Archdeacon | Advisory Chief Information Security Officer, Duo Security, Cisco | (LinkedIn) 

Like most people, I fell into cybersecurity through exposure to some really big security events. I had a background in IT transformations. Security was becoming increasingly important at the time, but it was still low on the radar unless you worked at a bank or financial organization.  

That all started to change with the big virus attacks. Code Red, Nimda, and the “I Love You” virus all swept us up by surprise at the time (security was still low on the radar unless you worked at a bank or financial organization). In one of the virus attacks, I saw a whole corporation lose its email system.

This didn’t occur simply through the attack; much of it transpired because of a faulty incident response. Everyone at the company was panicking and answering every warning email with a “CC all” reply. So it ground to a halt.  

It struck me that this meant nobody knew how to prevent or respond to these attacks and that security was going to be vital going forward. All our digital transformations would come to naught if a simple attack could cripple us. So we had to develop security in the same way that we were changing IT. 

I think the final confirmation for me came when we read reports from SOCA and other organizations that showed the link between hackers and organized crime. It struck me then that we were not dealing with script kiddies but bad people who were committed to doing bad things to innocent victims. This was more than just a job; it was a calling. 

Omar Santos | Principal Engineer – Product Incident Response Team, Cisco | @santosomar | (LinkedIn)  

It started when I left college and joined the United States Marines. I was in the U.S. Marine Corps, and my military occupational specialty was in electronics and secure communications. From there, I shifted into networking and specifically network security. That’s when I knew that cybersecurity was for me. 

After I left the Marine Corps, I joined Cisco in 2000, and I was part of the technical assistance center. I was supporting firewalls, IPS devices, VPNs, and a lot of encryption. 

From there, I shifted gears into advanced services, which is now called “CX,” or the customer experience. Along the way, I did secure implementations, a lot of network design, and architectural reviews. 

At the end, I was actually doing penetration testing and ethical hacking against many large Cisco customers. I shifted gears again, and now I’m part of the product security incident response team where we specialize in vulnerability management. I also concentrate on helping industry-wide efforts. I’m the chair of several industry-wide initiatives like FIRST and OASIS.

Mo Amin | Independent Cyber Security Culture Consultant  | @infosecmo | (LinkedIn) 

When I started out, it wasn’t called “cybersecurity” back then. It was IT security.

The defining moment for me was when I got involved in a forensic investigation after my manager at the time asked if I wanted to shadow him and learn a few things. I was working in desktop support, and I found it fascinating. It was the catalyst for me.  

From there, I made a lot of mistakes, learned a lot, and adapted. I’ve been fortunate enough to work with some really good people along the way, and I still find the work interesting. 

Rebecca Herold | CEO, The Privacy Professor | @PrivacyProf | (LinkedIn) 

I got onto the information security, privacy and compliance path at the beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare corporation.

I didn’t even realize change control was a critical information security control at the time until I started seeing the ways in which human interactions and noncompliance with procedures caused some major problems, such as down-time (loss of availability) for the entire corporation.

After I went to the IT Audit area, I performed an enterprise-wide information security audit. As a result of that audit, I recommended that an information security department be created.

There, I created all the corporation’s information security and privacy policies along with their supporting procedures, and created the training program, established requirements for the firewalls and web servers, performed risk assessments, established the requirements for one of the very first online banks at a time before there were any regulatory requirements for them, and generally oversaw the program. I’ve loved working in information security and privacy, simultaneously, ever since.


Fareedah Shaheed | CEO and Founder, Sekuva | @CyberFareedah | (LinkedIn) 

At first, cybersecurity was just an interesting career path. But once I got into corporate, I realized that there was more to security than coding or networking.  

My corporate job introduced me to the world of security awareness and the human aspect of security that I didn’t know existed. In that instant, my entire world changed, and my career in cybersecurity was solidified. 

Instead of security being reduced to lines of code or sitting at a desk for eight hours, it became about the human brain, teaching, and authentically connecting with people. 

And once I started my own business and brand, I fell deeply in love with creating a movement and tribe around security awareness and education. 

Now, it’s no longer about the “right career” but about the “right calling.”

It became something much more than me and my curiosity. It became an industry where I could create massive transformation and impact.  

Martijn Grooten | Researcher, Writer, and Security Professional | @martijn_grooten | (LinkedIn) 

During my very first security conference back in 2007, I saw a talk on the Julie Amero case: a teacher who faced a long prison sentence because malware on her laptop had displayed adult content to a class of minors. 

It taught me how security can have an impact on people’s lives and also how different people can have very different threat models. 

The latter lesson I think is relevant well beyond IT security. It could help us understand society better as a whole. 


Noureen Njoroge | Cybersecurity Consulting Engineer, Cisco | @EngineerNoureen | (LinkedIn) 

Curiosity led me to a cybersecurity career. I was that one student who always had questions to ask.

Upon obtaining my Bachelor’s Degree in Information Technology, I landed a Systems Admin role, which involved lots of routing, switching, and datacenter tasks. Truly humble beginnings, indeed.

Those late-night shifts at the datacenter were the core foundation of my career, as I learned a lot.   

While at this role, I attended a lunch-and-learn session that was hosted by the Infosec team. They shared information on the latest malware trends, tactics, techniques, and procedures used by threat actors.

I was so fascinated by the knowledge shared, and I asked so many questions to the point where they offered me the opportunity to shadow the team in order to learn more. It was this opportunity that deepened my interest in security.  

Later on, I was offered an opportunity to join the MIT Cybersecurity program. From the knowledge I had already attained, I knew that cybersecurity would be the future, and I wanted to be part of it. 

Looking back, I am glad to have embraced every opportunity presented, for “It’s better to be prepared for an opportunity and not have one than to have an opportunity and not be prepared.” – Whitney M. Young, Jr. 

Jason Lau | Chief Information Security Officer, | @JasonCISO | (LinkedIn) 

As part of my engineering degree, we had to experiment with integrated circuit chips and program them to do a variety of different things. It just so happens it was around that time when the first ever PlayStation was released.

In my spare time while getting my engineering degree, I researched and “hacked” the boot sequence of the machine with a “ModChip” I programmed, and I was able to play video games from different regions around the world. (Back in those days, games were on CDs and had country regional restrictions on them. Some of the best games never came to my region!)

I was one of the first with these ModChips at that time, so my friend and I started to help others on the side. This freelance job was quite thrilling and exciting!

This was my first experience with hacking and reverse engineering. It taught me how to use root cause analysis to really dig deeper in order to understand the underlying technology and reasons for why things worked (and didn’t work). 

This is a fundamental skill which I have found useful in my cybersecurity career. 

Phillimon Zongo | Chief Executive Officer at Cyber Leadership Institute | @PhilZongo | (LinkedIn) 

I would say my eureka moment came around the end of 2015 when I went back to the drawing board and took a deep look at my career path. I felt like my career had stagnated. 

I wanted to specialize in cybersecurity because by that time it was one of the fastest growing fields within the technology risk space. It was clearly the center of attention for the board of directors, regulators, customers, and even investors. Instead of spreading myself thin across every aspect of technology risk, I wanted to go deep in cybersecurity. 

I realized that there was a major problem in cybersecurity: a lot of the material that I was reading was very technical in nature, but it was almost impossible for me to link cybersecurity tools to strategic business goals.

I realized that the subject of cybersecurity was confined within the corridors of IT. It was supposed to be a responsibility of everyone from the front office staff to the board of directors and cybersecurity professionals themselves. That’s when I realized there was a major gap. 

After months of researching and talking to other people, I realized that I needed to develop skills that would help me translate the complex side of cybersecurity into a language that was understandable by senior business leaders. 


Want to learn more about how technology propelled these experts into cybersecurity? Download our eBook: Diversity in cybersecurity: A mosaic of career possibilities today. 

The post Technology as a Security Springboard: How These Experts Pivoted to Cybersecurity appeared first on Cisco Blogs.

Threat Landscape Trends: Endpoint Security, Part 2

Part 2: LOLBins, operating systems, and threat types

Being aware of what’s occurring on the threat landscape can be a valuable tool when it comes to defending your organization. If you’re well informed, that puts you in a good position to decide how best to protect your assets and allocate resources accordingly. While it’s important to stay up to date with the latest ground-breaking attack techniques and new threats, it’s equally important to keep abreast of the overall trends.

The fact is that, for every novel technique discovered, there are countless attacks taking place in the same time frame that use well-known and well-trodden tactics. For every attack carried out by a nation state, there’s a dozen million-dollar ransomware attacks that started with a simple phishing email.

This is why watching the trends is so important: it provides a view of what you’re most likely to encounter. This is the purpose of this new blog series, Threat Landscape Trends. In it, we’ll be taking a look at activity in the threat landscape and sharing the latest trends we see. By doing so, we hope to shed light on areas where you can quickly have an impact in defending your assets, especially if dealing with limited security resources.

In Part 1, we took a look at critical severity threats and MITRE ATT&CK tactics that were spotted by the Indication of Compromise (IoC) feature in Cisco’s Endpoint Security solution. In this second part, we’re going to step back and look at a larger swath of the IoC alerts to see what’s most frequently encountered.

The methodology remains the same as in Part 1, which we provide again at the end of this blog. In a nutshell, the data presented here is similar to alerts you would see within the dashboard of Cisco’s Endpoint Security solution, only aggregated across organizations. This time we rank the IoCs that organizations have encountered grouped by particular topics. The data set covers the first half of 2020, from January 1st through June 30th.

Signal from Noise

According to Cisco’s 2020 CISO Benchmark Report, one of the biggest issues IT folks face is alert fatigue. Of the respondents that claim they suffer from such fatigue, 93 percent said they receive at least 5,000 alerts per day. In circumstances like this, it’s absolutely critical to be able to derive what’s important from what can be discarded.

As we showed in Part 1, the vast majority of alerts fall into the low and medium severity categories (35 and 51 percent, respectively). It may be tempting to discount lower severities outright. Indeed, in some circumstances, this may be the correct course of action.

For instance, some of the more common low severity IoCs, like running PsExec as an administrator or stopping the firewall with NetSh, may on occasion trigger on activities carried out by IT administration—whether or not these are considered best practices. While not an attack, these sorts of alerts may be worth having a conversation about with the IT department, when time allows.

However, the significance of an alert shouldn’t be based on the severity alone. Under some circumstances, low severity alerts can be just as concerning as a critical severity alert. The trick is to figure out the context surrounding them. What happened before and after an alert? Are there other lower-severity alerts in the same time frame? Stringing together a series of suspicious alerts can give a much clearer picture of potential attacks that may only alert on lower severity IoCs.

For example, let’s say an attacker sends a phishing email to your organization. If the recipient opens the Word attachment, a macro contained within launches a script (triggering the IoC W32.WinWord.Powershell.ioc). The script in turn runs encoded PowerShell commands (W32.PowershellEncodedBuffer.ioc) to set the stage to download further malicious code (W32.PowershellDownloadString.ioc).

This scenario consists entirely of low- and medium-severity IoCs. Each of these by itself does not necessarily point to an attack, but when viewed as a string of IoCs, it’s very unlikely that these would be associated with anything but malicious activity. At the end of the day, the idea with the lower IoC categories is that they indicate activity within your environment that should be investigated, especially if IT says they didn’t do it.

With this in mind, in the metrics that follow we’ll look at medium, high, and critical-severity IoCs. This is because, while low-severity IoCs are critical when looking at a series of alerts appearing in sequence, individually they can muddy the waters when analyzing larger malicious trends across organizations. Filtering out these IoCs ensures that the activity that we’re focusing on is actual malicious activity, as opposed to a round-about administrative solution.

So, without further ado, let’s have a look at more threat landscape trends, covering LOLBins, OSes, and other threats.


Utilizing the tools built into operating systems is a very common attack tactic these days. Leveraging such readily available binaries decreases the chances that an attacker will be discovered, compared to custom-tailored malicious tools that can stand out. Using readily available tools for malicious activity is generally referred to as “living off the land,” and the binaries utilized are called LOLBins. (To learn more about LOLBins, Talos has published a detailed blog on their use in the threat landscape.)

The use of LOLBins appears to be quite common for malicious activity, based on alerts seen during the first half of 2020. In our research, 20-27 percent of the IoC alerts organizations encountered at least once in a given month were related to suspicious LOLBin activity.

Percentage of IoC alerts organizations encountered related to suspicious LOLBins.

What’s notable is the five percent jump witnessed in April. This is primarily due to activity related to an adware application called Browser Assistant. This adware generally injects JavaScript into web browsers to display advertisements. During April, Browser Assistant was seen using PowerShell to load itself into memory without launching files (using reflective DLL injection, to be specific). This is highly suspect, being a technique often used by fileless malware.

Two LOLBins in particular appear to dominate the top LOLBin IoCs seen: PowerShell and the Windows Scripting Host (covering both WScript and CScript). Both of these LOLBins facilitate the execution of scripts within the Windows operating system.

Top LOLBin IoCs

Overall, PowerShell is involved in five of the top ten IoCs seen relating to LOLBins, comprising around 59 percent of all LOLBin alerts. In many cases, PowerShell is used to download malicious code into memory or download further executables. The Windows Scripting Host is often leveraged to launch malicious files, perform reconnaissance, move throughout the network, or contact remote locations. The Windows Scripting Host made up 23 percent of all LOLBin alerts.

What’s interesting in looking at the malicious use of these native binaries is that bad actors often leverage one LOLBin to launch another. This is clear with the eighth and tenth entries in our list and can be seen in other IoCs beyond the top ten. Malicious actors likely swap LOLBins during an attack in order to hide their tracks.

Top OS IoCs

Let’s take a look at the two primary desktop operating systems, Windows and macOS, to see how attackers are targeting them.


Naturally, PowerShell makes its presence known, with appearances in three IoCs in the top ten. The Windows Scripting Host appears twice as well, showing just how prevalent LOLBins are in the Windows environment. In all, half of the top 10 IoCs on Windows use LOLBins.

Top Windows IoCs

Adware also appears quite prominently on Windows, with three adware installers and ad-injecting IoCs making the top 10. However, these IoCs should not be taken lightly for being adware. These instances are some of the more egregious adware installers, often going well beyond what is considered a legitimate install process.

Other activities of note include:

  • The presence of The Onion Router (TOR) connections ranks highly. TOR can feasibly be used to pass encrypted traffic through firewalls, at best to get around IT policies and at worst for data exfiltration.
  • Quietly disabling UAC via the registry is something an attacker might do in order to run malicious code that requires elevated privileges.
  • Using NSlookup to send DNS TXT queries is a technique often used by bad actors for C2 communication.


Adware appears quite frequently on macOS as well, comprising four of the top ten IoCs seen. What’s interesting is that LOLBins don’t appear as frequently here as they do on Windows. Instead, attackers are likely to hide their presence by disabling the security programs, excluding their files from quarantine, clearing command histories, and hiding files.

Top macOS IoCs

Threat categories

Finally, let’s home in on some specific threat types. Here is a closer look at four key types of threats currently seen on the threat landscape.


The most common IoC alert seen relating to ransomware is the deletion of shadow copies, which are snapshots of the file system used by the Windows operating system for backups. Ransomware threats often delete these files to prevent encrypted files from being restored from local backups. This particular IoC comprised 66 percent of all ransomware-related IoC alerts.

Top Ransomware IoCs

It’s also worth noting that ransomware often uses the Windows Scripting Host to execute a .zip file that contains malicious JavaScript. This is a technique used by malicious actors that install ransomware, such as WastedLocker. However, since such zipped JavaScript files are also used in other malicious attacks outside of ransomware, such as email campaigns for Emotet, it is not included in the list above.

Credential Stealing

The most commonly encountered credential stealing tool, Mimikatz, was featured in Part 1 of our look at Endpoint Security related trends. At 28 percent, this critical-severity, credential-dumping tool topped other regularly used techniques, likely for the all-in-one approach that the tool offers.

Apart from Mimikatz, malicious actors were seen utilizing the Findstr utility on files, digging through LSASS, and combing through the registry in order to find credentials.

Top Credential Stealing IoCs


Adware features heavily on both Windows and macOS operating systems. The adware appearing in the top five generally behaves in a manner closer to malware than to the simple annoyance of showing you an unexpected advertisement.

Top Adware IoCs


While cryptomining doesn’t currently feature heavily in overall IoC lists, the most common activities seen include regular activity associated with cryptomining, such as submitting and requesting work from a cryptomining server or wallet-related activity. However, instances of fileless cryptominers and attempts to stop other miners feature in the top five as well.

Top Cryptomining IoCs

How to defend

While no doubt interesting, the information in this blog can also double as a blueprint for a plan of defense. This is especially important if working with limited resources, when prioritizing defensive actions where they’re most needed is critical. If you’re going to do one thing with this new information to protect your organization, focus your efforts on what consistently crops up in these lists: LOLBins.

Of course, this may be easier said than done, not only because these binaries are baked into the OS, but because many IT organizations utilize them in their daily operations. So how do you differentiate between normal operations and malicious activity? While it’s fairly obvious when some actions are being carried out by bad actors, others are not so clear.

First and foremost, it’s important to ensure you enable adequate logging on systems. The fact is you can’t pinpoint malicious activity if there’s no record of it.

It’s also important to have a clear understanding of the types of commands and activity that you can expect within these logs. Filtering out what you know is being carried out through automation or IT activities will clear out much of the noise, making it easier to drill down into what should be there.

It’s also important to look for patterns. Individual activities and commands may not appear malicious on their own, but in the context of a series of commands run before and after them, a malicious pattern may emerge. Create playbooks that address these patterns and use automation to detect when they trigger.
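As an added example (not code from the Cisco post), the following Python routine applies the three steps above to constructed process-creation log lines: it drops events matching a known-automation allow-list, flags the single events the post calls out (one LOLBin launching another, an nslookup TXT query, a script host running JavaScript out of a temp folder), and raises severity only when several distinct LOLBins run on the same host within a short window. The log format, host names, user names and allow-list entries are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ntpath import basename  # handles Windows paths on any OS

# Binaries the post singles out as the most abused LOLBins.
LOLBINS = {"powershell.exe", "wscript.exe", "cscript.exe", "nslookup.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Hypothetical allow-list of (user, parent image) pairs known to be IT automation.
# Constructed values; populate from your own change records.
KNOWN_AUTOMATION = {("corp\\svc_patch", "patchagent.exe")}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str   # parent image basename, lower-cased
    image: str    # image basename, lower-cased
    cmdline: str


# Constructed log format: key=value fields with a quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_line(line: str) -> ProcEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return ProcEvent(
        ts=datetime.fromisoformat(m["ts"]), host=m["host"], user=m["user"].lower(),
        parent=basename(m["parent"]).lower(), image=basename(m["image"]).lower(),
        cmdline=m["cmd"],
    )


def single_event_findings(ev: ProcEvent) -> list:
    """Rules that fire on one event in isolation (medium confidence on their own)."""
    out = []
    if ev.image in LOLBINS and ev.parent in LOLBINS:
        out.append(f"LOLBin chain {ev.parent} -> {ev.image}")
    if ev.image == "nslookup.exe" and re.search(r"-(?:type|q|querytype)=txt", ev.cmdline, re.I):
        out.append("DNS TXT lookup via nslookup")
    if ev.image in SCRIPT_HOSTS and re.search(r"\.js\b", ev.cmdline, re.I) \
            and re.search(r"\\temp\\", ev.cmdline, re.I):
        out.append("script host running JavaScript from a temp directory")
    return out


def triage(lines, window=timedelta(minutes=5)) -> dict:
    """Return {host: [(timestamp, severity, description), ...]}.

    Single-event rules produce 'medium' findings; a 'high' finding is added when
    three or more distinct LOLBins appear on one host inside `window`.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    events = [e for e in events if (e.user, e.parent) not in KNOWN_AUTOMATION]  # known noise
    findings = defaultdict(list)
    recent = defaultdict(list)  # host -> LOLBin events still inside the window
    for ev in events:
        for desc in single_event_findings(ev):
            findings[ev.host].append((ev.ts, "medium", desc))
        if ev.image not in LOLBINS:
            continue
        bucket = recent[ev.host]
        bucket.append(ev)
        bucket[:] = [e for e in bucket if ev.ts - e.ts <= window]
        distinct = {e.image for e in bucket}
        # Fire once per new binary joining the sequence, not on every later event.
        if len(distinct) >= 3 and ev.image not in {e.image for e in bucket[:-1]}:
            chain = " -> ".join(e.image for e in bucket)
            findings[ev.host].append((ev.ts, "high", f"LOLBin sequence: {chain}"))
    return dict(findings)


# Constructed sample: one automation run (filtered), one admin running PowerShell
# interactively (no finding), and one host showing the wscript -> powershell -> nslookup chain.
SAMPLE_LOG = r"""
2020-04-02T09:00:00 host=WS01 user=corp\svc_patch parent=C:\Agent\patchagent.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -File C:\Agent\install.ps1"
2020-04-02T09:12:03 host=WS07 user=corp\jdoe parent=C:\Windows\explorer.exe image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Users\jdoe\AppData\Local\Temp\invoice.js"
2020-04-02T09:12:05 host=WS07 user=corp\jdoe parent=C:\Windows\System32\wscript.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -WindowStyle Hidden -File C:\Users\jdoe\AppData\Local\Temp\stage.ps1"
2020-04-02T09:12:09 host=WS07 user=corp\jdoe parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe image=C:\Windows\System32\nslookup.exe cmd="nslookup -type=txt example.invalid"
2020-04-02T10:30:00 host=WS03 user=corp\admin parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe Get-Service"
"""

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOG.splitlines()).items():
        for ts, sev, desc in hits:
            print(f"{ts} {host} [{sev}] {desc}")
```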

When it comes to what commands and activities are expected, every organization is different. Establishing your approach often requires the involvement of a variety of people from different teams. Establishing those communications will not only help when building out a defensive plan, but can be critical in quickly resolving an incident if one arises.


We’ve organized the data set in such a way as to obtain more meaningful trends. First, we’ve aggregated the data by the number of organizations that have received an alert about a particular activity, as opposed to the total number of detections in the given time frame. Charts are broken down by months. This means that an organization can be counted in each month, if they see the activity. Tables cover the full six-month period (January 1, 2020 through June 30, 2020), and organizations encountering an IoC are only counted once in these cases.

A word on privacy

Cisco takes customer privacy very seriously. While Cisco Security products can report telemetry back to us, this is an opt-in feature within our products. To further this end, we’ve gone to great lengths to ensure the data used for this blog series is anonymized and aggregated before any analysis is performed on it.


The post Threat Landscape Trends: Endpoint Security, Part 2 appeared first on Cisco Blogs.

Podcast: Taking the unconventional career path in cybersecurity

Security Stories Podcast

In the latest episode of the Security Stories podcast, we take on the topic of cybersecurity careers.

Myself, Ben Nahorney and Noureen Njoroge are joined by guests Mitch Neff, Marketing Lead at Cisco Talos, and Corien Vermaak, Cybersecurity Partner Sales Lead for Cisco APJC.

We each discuss how we got our starts in the cybersecurity industry. As it turns out, none of us took a conventional path!

The five of us also talk about the people and the mentors that helped us along the way, including some practical advice for anyone who wants to be a mentor, or gain a mentor.

We then passionately tackle the topic of job descriptions and why they might be contributing to the so called “cybersecurity skills gap”. We also talk about what hiring managers can do to make sure they’re not putting the right people off with their words.

The interview

Curtis Simpson, Chief Information Security Officer at Armis

For our main interview, I had the pleasure of chatting to Curtis Simpson, Chief Information Security Officer at Armis to discover his story.

A self-taught cybersecurity geek, Curtis spent 20 years at Sysco, building a decentralized network before moving to Armis.

Curtis talks about how he changed perceptions of cybersecurity being “just a cost centre”. He gave some great examples of how cybersecurity is directly tied to business outcomes, such as the productivity of the sales team.

He also touches on just how difficult a decision it was to leave after 20 years, but ultimately he knew it was the right thing.

Finally, we discuss how his organization has reacted to the global pandemic, and I learn about Curtis’ take on the current threat landscape, particularly around securing IoT devices.

We hope this episode proves that there is no singular footpath into cybersecurity. And that’s no bad thing.

Time stamps

0.00 Intro
3.46 Interview with Curtis Simpson
47.26 Discussion on careers in cybersecurity
1.42.00 Close

Play the episode

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

More career related resources

Here are some more resources as mentioned in our careers discussion:

Noureen’s cybersecurity mentoring hub:
Noureen’s mentor and mentee group on LinkedIn:
Cisco NetAcademy courses:
Blue Team Village Discord of which Talos are a sponsor:

Also check out our just published eBook: Diversity in Cybersecurity: A Mosaic of Career Possibilities

The post Podcast: Taking the unconventional career path in cybersecurity appeared first on Cisco Blogs.

Cyber Security Awareness: A Critical Checklist

October 2020 marks the 17th year of National CyberSecurity Awareness Month, where users and organizations are encouraged to double their efforts to be aware of cybersecurity issues in all their digital dealings—and to take concrete steps to increase their privacy and security as necessary. The Cybersecurity & Infrastructure Security Agency (CISA), in conjunction with the National Cyber Security Alliance (NCSA), has announced a four-week security strategy under the theme “Do Your Part. #BeCyberSmart”. (You can use the NCSAM hashtag #BeCyberSmart during October to promote your involvement in raising cybersecurity awareness.) Their schedule includes the following:



  • Week of October 5 (Week 1): If You Connect It, Protect It
  • Week of October 12 (Week 2): Securing Devices at Home and Work
  • Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
  • Week of October 26 (Week 4): The Future of Connected Devices

Here in Trend Micro’s Consumer Division, we’d like to do our part by providing a breakdown of the security issues you should be aware of as you think about cybersecurity—and to give you some tips about what you can do to protect yourself and your family while working, learning, or gaming at home. To help, we’ve also taken a look back at articles we’ve written recently to address each category of threat—and to provide some quick links to access our library of relevant blogs all in a single place.

The range of threats

As you think about potential threats during Cybersecurity Awareness Month and beyond, keep in mind our basic breakdown of where and how threats arise, which we outlined at the beginning of the year in our Everyday Cyber Threat Landscape blog. An updated summary is given here:

Home network threats: Our homes are increasingly powered by online technologies. Over two-thirds (69%) of US households now own at least one smart home device: everything from voice assistant-powered smart speakers to home security systems and connected baby monitors. But gaps in protection can expose them to hackers. There were an estimated 105m smart home attacks in the first half of 2019 alone. With home routers particularly at risk, it’s a concern that 83% are vulnerable to attack. In the first half of 2020, Trend Micro detected over 10.6 billion suspicious connection attempts on home routers’ unavailable ports—an issue made more worrisome by recent lab-based evidence that home routers are riddled with insecurities, as the Fraunhofer Home Router Security Report 2020 shows. This means you need to take steps to mitigate your router’s weaknesses, while deploying a home network security solution to address other network insecurities and to further secure your smart devices.

Relevant Blogs:

Endpoint threats: These are attacks aimed squarely at you the user, usually via the email channel. Trend Micro detected and blocked more than 26 billion email threats in the first half of 2019, nearly 91% of the total number of cyber-threats. These included phishing attacks designed to trick you into clicking on a malicious link to steal your personal data and log-ins or begin a ransomware download. Or they could be designed to con you into handing over your personal details, by taking you to legit-looking but spoofed sites. Endpoint threats sometimes include social media phishing messages or even legitimate websites that have been booby-trapped with malware. All this means is that installing endpoint security on your PCs and Macs is critical to your safety.

Relevant Blogs:

Mobile security threats: Hackers are also targeting our smartphones and tablets with greater sophistication. Malware is often unwittingly downloaded by users, since it’s hidden in normal-looking mobile apps, like the Agent Smith adware that infected over 25 million Android handsets globally in 2019. Users are also extra-exposed to social media attacks and those leveraging unsecured public Wi-Fi when using their devices. Once again, the end goal for the hackers is to make money: either by stealing your personal data and log-ins; flooding your screen with adverts; downloading ransomware; or forcing your device to contact expensive premium rate phone numbers that they own. The conclusion? Installing a mobile security solution, as well as personal VPN, on your Android or iOS device, should be part of your everyday security defense.

Relevant Blogs:

Identity data breaches are everywhere: The raw materials needed to unlock your online accounts and help scammers commit identity theft and fraud are stored by the organizations you interact with online. Unfortunately, these companies continued to be targeted by data thieves in 2019. As of November 2019, there were over 1,200 recorded breaches in the US, exposing more than 163 million customer records. Even worse, hackers are now stealing card data directly from the websites you shop with as it is entered, via “digital skimming” malware. Another increasingly popular method uses automated tools that try tens of thousands of previously breached log-ins to see if any of them work on your accounts. From November 2017 through the end of March 2019, over 55 billion such attacks were detected. Add to these the classic phishing attack, in which email hoaxes are designed to get you to unwittingly hand over your data, and your data and identity can be severely compromised. In this category, using both a password manager and an identity security monitoring solution is critical for keeping your identity data safe as you access your online accounts.

Relevant Blogs:

How Trend Micro can help

Trend Micro fully understands these multiple sources for modern threats, so it offers a comprehensive range of security products to protect all aspects of your digital life—from your smart home network to your PCs and Macs, and from your mobile devices to your online accounts. We also know you need security for your email and your social networks, or simply when browsing the web itself.

Trend Micro Home Network Security: Provides protection against network intrusions, router hacks, web threats, dangerous file downloads and identity theft for every device connected to the home network.

Trend Micro Premium Security Suite: Our new premium offering provides all of the products listed below for up to 10 devices, plus Premium Services by our highly trained pros. It includes 24×7 technical support, virus and spyware removal, a PC security health check, and remote diagnosis and repair. As always, however, each solution below can be purchased separately, as suits your needs.

  • Trend Micro Security: Protects your PCs and Macs against web threats, phishing, social network threats, data theft, online banking threats, digital skimmers, ransomware and other malware. Also guards against over-sharing on social media.
  • Trend Micro Mobile Security: Protects against malicious app downloads, ransomware, dangerous websites, and unsafe Wi-Fi networks.
  • Trend Micro Password Manager: Provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign in to.
  • Trend Micro WiFi Protection: Protects you on unsecured public WiFi by providing a virtual private network (VPN) that encrypts your traffic and ensures protection against man-in-the-middle (MITM) attacks.
  • Trend Micro ID Security (Android, iOS): Monitors underground cybercrime sites to securely check if your personal information is being traded by hackers on the Dark Web and sends you immediate alerts if so, so you can take steps to address the problem.

The post Cyber Security Awareness: A Critical Checklist appeared first on .

Best practices for defending Azure Virtual Machines

One of the things that our Detection and Response Team (DART) and Customer Service and Support (CSS) security teams see frequently during investigation of customer incidents are attacks on virtual machines from the internet.

This is one area in the cloud security shared responsibility model where customer tenants are responsible for security. Security is a shared responsibility between Microsoft and the customer and as soon as you put just one virtual machine on Azure or any cloud you need to ensure you apply the right security controls.

The diagram below illustrates the layers of security responsibilities:

Image of the shared responsibility model showing customer, service, and cloud responsibilities

Fortunately, with Azure, we have a set of best practices that are designed to help protect your workloads including virtual machines to keep them safe from constantly evolving threats. This blog will share the most important security best practices to help protect your virtual machines.

The areas of the shared responsibility model we will touch on in this blog are as follows:

  • Tools
  • Identity and directory infrastructure
  • Applications
  • Network Controls
  • Operating System

We will refer to the Azure Security Top 10 best practices as applicable for each:

Best practices

1. Use Azure Secure Score in Azure Security Center as your guide

Secure Score within Azure Security Center is a numeric view of your security posture. If it is at 100 percent, you are following best practices. Otherwise, work on the highest priority items to improve the current security posture. Many of the recommendations below are included in Azure Secure Score.

2. Isolate management ports on virtual machines from the Internet and open them only when required

The Remote Desktop Protocol (RDP) is a remote access solution that is very popular with Windows administrators. Because of its popularity, it’s a very attractive target for threat actors. Do not be fooled into thinking that changing the default port for RDP serves any real purpose. Attackers are always scanning the entire range of ports, and it is trivial to figure out that you changed from 3389 to 4389, for example.

If you are already allowing RDP access to your Azure VMs from the internet, you should check the configuration of your Network Security Groups. Find any rule that is publishing RDP and look to see if the Source IP Address is a wildcard (*). If that is the case, you should be concerned, and it’s quite possible that the VM could be under brute force attack right now.

It is relatively easy to determine if your VMs are under a brute force attack, and there are at least two methods we will discuss below:

  • Azure Defender (formerly Azure Security Center Standard) will alert you if your VM is under a brute force attack.
  • If you are not using the Security Center Standard tier, open the Windows Event Viewer and find the Windows Security Event Log. Filter for Event ID 4625 (an account failed to log on). If you see many such events occurring in quick succession (seconds or minutes apart), then it means you are under brute force attack.
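As an added example (not Microsoft's code), the two checks above in Python: an audit of NSG inbound rules for management ports open to a wildcard source, and a burst detector for event 4625 records. The rule list is constructed to follow the camelCase field names that `az network nsg rule list` emits, and the 4625 records are reduced to constructed CSV lines (EventID, TimeCreated, IpAddress, TargetUserName); the threshold of 10 failures per minute is an assumed tuning value, not one the post gives.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports the post names as commonly attacked when published to the internet.
# 80/443 are also on its list but are left out here as normally intentional.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 21: "FTP", 23: "Telnet", 1433: "SQL", 389: "LDAP"}
# Source values that mean "anyone on the internet".
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}


def _dest_ports(rule: dict) -> set:
    """Expand destinationPortRange / destinationPortRanges ('3389', '3389-3390', '*')."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for r in ranges:
        if r == "*":
            return set(MANAGEMENT_PORTS)  # all ports; only the watched ones matter here
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def exposed_management_rules(rules: list) -> list:
    """Return (rule name, port, label) for Allow/Inbound rules with a wildcard source."""
    hits = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
        if not any(s.lower() in ANY_SOURCE for s in sources):
            continue
        for port in sorted(_dest_ports(rule) & set(MANAGEMENT_PORTS)):
            hits.append((rule["name"], port, MANAGEMENT_PORTS[port]))
    return hits


def failed_logons(csv_text: str):
    """Yield (timestamp, source IP) for event ID 4625 only; other IDs are skipped."""
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        event_id, ts, src, _user = line.split(",")
        if event_id == "4625":
            yield datetime.fromisoformat(ts), src


def brute_force_sources(events, threshold=10, window=timedelta(minutes=1)) -> dict:
    """Map source IP -> peak count of failed logons inside any `window` at or above threshold."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(recent))
    return flagged


# Constructed NSG rules in the shape of `az network nsg rule list` output.
SAMPLE_NSG_RULES = json.loads("""[
 {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
 {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"},
 {"name": "allow-web", "priority": 120, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]}
]""")

# Constructed Security log extract: 12 failures from one internet address in 33 seconds,
# one successful logon (4624) and two isolated failures from an internal address.
SAMPLE_SECURITY_LOG = "\n".join(
    [f"4625,2020-10-01T10:00:{i * 3:02d},203.0.113.7,administrator" for i in range(12)]
    + ["4624,2020-10-01T10:05:00,10.0.0.5,corp\\ops",
       "4625,2020-10-01T10:20:00,10.0.0.5,corp\\ops",
       "4625,2020-10-01T11:20:00,10.0.0.5,corp\\ops"]
)

if __name__ == "__main__":
    for name, port, label in exposed_management_rules(SAMPLE_NSG_RULES):
        print(f"rule {name} publishes {label} ({port}) to any source")
    for src, peak in brute_force_sources(failed_logons(SAMPLE_SECURITY_LOG)).items():
        print(f"{src}: {peak} failed logons within one minute")
```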

Other commonly attacked ports include SSH (22), FTP (21), Telnet (23), HTTP (80), HTTPS (443), SQL (1433) and LDAP (389). This is just a partial list of commonly published ports. You should always be cautious about allowing inbound network traffic from unlimited source IP address ranges unless it is necessary for the business needs of that machine.

A couple of methods for managing inbound access to Azure VMs:

Just-in-time (JIT) VM access will allow you to reduce your attack surface while also allowing legitimate users to access virtual machines when necessary.

Network security groups contain rules that allow or deny traffic inbound to, or outbound from, several types of Azure resources, including VMs. There are limits to the number of rules, and they can become difficult to manage if many users from various network locations need to access your VMs.

For more information, see this top Azure Security Best Practice:

3. Use complexity for passwords and user account names

If you are required to allow inbound traffic to your VMs for business reasons, this next area is of critical importance. Do you have complete confidence that any user account that would be allowed to access this machine is using a complex username/password combination? What if this VM is also domain joined? It’s one thing to worry about local accounts, but now you must worry about any account in the domain that would have the right to log on to that Virtual Machine.

For more information, see this top Azure Security Best Practice:

4. Keep the operating system patched

Vulnerabilities of the operating system are particularly worrisome when they are also combined with a port and service that is more likely to be published. A good example is the recent vulnerabilities affecting the Remote Desktop Protocol called “BlueKeep.” A consistent patch management strategy will go a long way towards improving your overall security posture.

5. Keep third-party applications current and patched

Applications are another often overlooked area, especially third-party applications installed on your Azure VMs. Whenever possible, use the most current version available and patch any known vulnerabilities. An example is an IIS server running a third-party Content Management System (CMS) application with known vulnerabilities. A quick search of the Internet for CMS vulnerabilities will reveal many that are exploitable.

For more information, see this top Azure Security Best Practice:

6. Actively monitor for threats

Utilize the Azure Security Center Standard tier to ensure you are actively monitoring for threats. Security Center uses machine learning to analyze signals across Microsoft systems and services to alert you to threats to your environment. One such example is remote desktop protocol (RDP) brute-force attacks.

For more information, see this top Azure Security Best Practice:

7. Azure Backup Service

In addition to turning on security, it’s always a good idea to have a backup. Mistakes happen, and unless you tell Azure to back up your virtual machine there isn’t an automatic backup. Fortunately, it’s just a few clicks to turn on.

Next steps

Equipped with the knowledge contained in this article, we believe you will be less likely to experience a compromised VM in Azure. Security is most effective when you use a layered (defense in depth) approach and do not rely on one method to completely protect your environment. Azure has many different solutions available that can help you apply this layered approach.

If you found this information helpful, please drop us a note at

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Best practices for defending Azure Virtual Machines appeared first on Microsoft Security.

Why we invite security researchers to hack Azure Sphere

Fighting the security battle so our customers don’t have to

IoT devices are becoming more prevalent in almost every aspect of our lives—we will rely on them in our homes, our businesses, as well as our infrastructure. In February, Microsoft announced the general availability of Azure Sphere, an integrated security solution for IoT devices and equipment. General availability means that we are ready to provide OEMs and organizations with quick and cost-effective device security at scale. However, securing those devices does not stop once we put them into the hands of our customers. It is only the start of a continual battle between the attackers and the defenders.

Building a solution that customers can trust requires investments before and after deployment by complementing up-front technical measures with ongoing practices to find and mitigate risks. In April, we highlighted Azure Sphere’s approach to risk management and why securing IoT is not a one-and-done. Products improve over time, but so do hackers, as well as their skills and tools. New security threats continue to evolve, and hackers invent new ways to attack devices. So, what does it take to stay ahead?

As a Microsoft security product team, we believe in finding and fixing vulnerabilities before the bad guys do. While Azure Sphere continuously invests in code improvements, fuzzing, and other processes of quality control, it often requires the creative mindset of an attacker to expose a potential weakness that otherwise might be missed. Better than trying to think like a hacker is working with them. This is why we operate an ongoing program of red team exercises with security researchers and the hacker community: to benefit from their unique expertise and skill set. That includes being able to test our security promise not just against yesterday’s and today’s, but against even tomorrow’s attacks on IoT devices before they become known more broadly. Our recent Azure Sphere Security Research Challenge, which concluded on August 31, is a reflection of this commitment.

Partnering with MSRC to design a unique challenge

Our goal with the three-month Azure Sphere Security Research Challenge was twofold: to drive new high-impact security research, and to validate Azure Sphere’s security promise against the best challengers in their field. To do so, we partnered with the Microsoft Security Response Center (MSRC) and invited some of the world’s best researchers and security vendors to try to break our device by using the same kinds of attacks as any malicious actor might. To make sure participants had everything they needed to be successful, we provided each researcher with a dev kit, a direct line to our OS Security Engineering Team, access to weekly office hours, and email support in addition to our publicly available operating system kernel source code.

Our goal was to focus the research on the highest impact on customer security, which is why we provided six research scenarios with additional rewards of up to 20 percent on top of the Azure Bounty (up to $40,000), as well as $100,000 for two high-priority scenarios proving the ability to execute code in Microsoft Pluton or in Secure World. We received more than 3,500 applications, which is a testament to the strong interest of the research community in securing IoT. More information on the design of the challenge and our collaboration with MSRC can be found here on their blog post.

Researchers identify high impact vulnerabilities before hackers

The quality of submissions from participants in the challenge far exceeded our expectations. Several participants helped us find multiple potentially high impact vulnerabilities in Azure Sphere. The quality is a testament to the expertise, determination, and diligence of the participants. Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product. Sixteen were bounty-eligible, adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system—something often referred to in the field as “by design.” The high ratio of valid submissions to total submissions speaks to the extremely high quality of the research demonstrated by the participants.

Graph showing the submission breakdown and the total amount of money eligible to be received through the bounty system.

Jewell Seay, Azure Sphere Operating System Platform Security Lead, has shared detailed information of many of the cases in three recent blog posts describing the security improvements delivered in our 20.07, 20.08, and 20.09 releases. Cisco Talos and McAfee Advanced Threat Research (ATR), in particular, found several important vulnerabilities, and one particular attack chain is highlighted in Jewell’s 20.07 blog.

While the described attack required physical access to a device and could not be executed remotely, it exposed potential weaknesses spanning both cloud and device components of our product. The attack included a potential zero-day exploit in the Linux kernel to escape root privileges. The vulnerability was reported to the Linux kernel security team, leading to a fix that was shared with the larger open source community. If you would like to learn more and get an inside view of the challenge from two of our research partners, we highly recommend McAfee ATR’s blog post and whitepaper, or Cisco Talos’ blog post.

What it takes to provide renewable and improving security

With Azure Sphere, we provide our customers with a robust defense based on the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state—even if it has been compromised. While this is essential, it is not sufficient on its own. An organization must be equipped with the resources, people, and processes that allow for a quick resolution before vulnerabilities impact customers. Azure Sphere customers know that they have the strong commitment of our Azure Sphere Engineering team—that our team is searching for and addressing potential vulnerabilities, even from the most recently invented attack techniques.

We take this commitment to heart, as evidenced by all the fixes that went into our 20.07, 20.08, and 20.09 releases. In less than 30 days of McAfee reporting the attack chain to us, we shipped a fix to all of our customers, without the need for them to take any action due to how Azure Sphere manages updates. Although we received a high number of submissions throughout multiple release cycles, we prioritized analyzing every single report as soon as we received it. The success of our challenge should not just be measured by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product. When it came to fixing the found vulnerabilities, there was no distinction made between the ones that were proven to be exploited or the ones that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.

Our engagement with the security research community

On behalf of the entire team and our customers, we would like to thank all participants for their help in making Azure Sphere more secure! We were genuinely impressed by the quality and number of high impact vulnerabilities that they found. In addition, we would also like to thank the MSRC team for partnering with us on this challenge.

Our goal is to continue to engage with this community on behalf of our customers going forward, and we will continue to review every potential vulnerability report for Azure Sphere for eligibility under the Azure Bounty Program awards.

Our team learned a lot throughout this challenge, and we will explore and announce additional opportunities to collaborate with the security research community in the future. Protecting our platform and the devices our customers build and deploy on it is a key priority for us. Working with the best security researchers in the field, we will continue to invest in finding potential vulnerabilities before the bad guys do—so you don’t have to!

If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:

The post Why we invite security researchers to hack Azure Sphere appeared first on Microsoft Security.

Hacking Grindr Accounts with Copy and Paste

Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr is "The World's Largest Social Networking App for Gay, Bi, Trans, and Queer People" which for many people, makes it particularly sensitive. It's sensitive not just because by using the site it implies one's sexual orientation, but because of the sometimes severe ramifications of fitting within Grindr's target demographic. For example, in 2014 Egypt's police were found to be using Grindr to "trap gay people" which was particularly concerning in a country not exactly up to speed with LGBT equality. Another demonstration of how valuable Grindr data is came last year when the US gov deemed that Chinese ownership of the service constituted a national security risk. In short, Grindr data is very personal and inevitably, very sensitive for multiple reasons.

Earlier this week I received a Twitter DM from security researcher Wassime BOUIMADAGHENE:

I contact you because I reported a serious security issue to one of the biggest dating applications for gays (Grindr) but the vendor keeps ignoring me!
I sent them all the technical details but no way. The vulnerability allows an attacker to hijack any account.

He wanted help disclosing what he believed was a serious security vulnerability and clearly, he was hitting a brick wall. I asked for technical detail so I could validate the authenticity of his claim and the info duly arrived. On the surface of it, things looked bad: complete account takeover with a very trivial attack. But I wanted to verify the attack and do so without violating anyone's privacy, so I asked Scott Helme for support:

Scott's dealt with plenty of security issues like this in the past, plus he helped me out with the Nissan Leaf disclosure a few years ago too and was happy to help. All I needed was for Scott to create an account and let me know the email address he used which in this case, was

The account takeover all began with the Grindr password reset page:

I entered Scott's address, solved a Captcha and then received the following response:

I've popped open the dev tools because the reset token in the response is key. In fact, it's the key and I copied it onto the clipboard before pasting it into the following URL:

You'll see both the token and Scott's email address in that URL. It's easy for anyone to establish this pattern by creating their own Grindr account then performing a password reset and looking at the contents of the email they receive. When loading that URL, I was prompted to set a new password and pass the Captcha:

And that's it - the password was changed:

So I logged in to the account but was immediately presented with the following screen:

Huh, so you need the app? Alrighty then, let's just log in via the app:

And... I'm in!

Full account takeover. What that means is access to everything the original Grindr account holder had access to, for example, their profile pic (which I immediately changed to a more appropriate one):

Around this time, Scott started receiving private messages, both a request to meet personally and a request for pics:

The conversation with Luke went downhill pretty quickly and I can't reproduce it here, but the thought of that dialogue (and if he'd sent them, his pics) being accessed by unknown third parties is extremely concerning. Consider also the extent of personal information Grindr collects and as with Scott's messages, any completed fields here would immediately be on display to anyone who accessed his account simply by knowing his email address:

A couple of years ago it made headlines when Grindr was found to be sending HIV status off to third parties and given the sensitivity of this data, rightly so. This, along with many of the other fields above, is what makes it so sensational that the data was so trivially accessible by anyone who could exploit this simple flaw.

And as for the website I couldn't log into without being deferred back to the mobile app? Now that I'd logged into the app with Scott's new password, subsequent attempts simply allowed me to authorise the login request myself:

And that's it - I'm in on the website too:

This is one of the most basic account takeover techniques I've seen. I cannot fathom why the reset token - which should be a secret key - is returned in the response body of an anonymously issued request. The effort required to exploit it is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously...

Except it wasn't. The person who forwarded this vulnerability also shared their chat history with Grindr support. After some to-and-fro, he provided full details sufficient to easily verify the account takeover approach on September 24. The Grindr support rep stated that he had "escalated it to our developers" and immediately flagged the ticket as "resolved". My contact followed up the next day and asked for a status update and got... crickets. The following day, he attempted to contact the help / support email addresses as well and after 5 days of waiting and not receiving a response, contacted me. He also shared a screenshot of his attempt to reach Grindr via Twitter DM which, like the other attempts to report the vulnerability, fell on deaf ears.

So I tried to find a security contact at Grindr myself:

I'm conscious that sending a tweet like that elicits all sorts of responses (and it inevitably did) and implies that something cyber is amiss with Grindr. I only tweet publicly once reasonable attempts to make contact privately fail and based on the previous paragraph, those attempts were more than reasonable. A friend actually DM'd me on Twitter and suggested the following:

Not sure that Grindr tweet was necessary, given their DMs are open and they reached out to you fairly soon after

This is why I didn't DM them:

That route was tried and failed and I suggest the only reason their Twitter account publicly replied to me was because my tweet garnered a lot of interest.

After my tweet went out, I had multiple people immediately reach out and provide me with contact info for their security team. I forwarded on the original report and within about an hour and a half of the tweet, the vulnerable resource was offline. Shortly after, it came back up with a fix. In fairness to Grindr, despite their triaging of security reports needing work, their response after I managed to get in touch with the right people was exemplary. Here's how they responded when approached by infosec journo Zack Whittaker:

We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties. As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.

All in all, this was a bad bug with a good outcome: Grindr did well once I got in touch with them, I believe they're making some positive changes around handling security reports and, of course, the bug has been fixed. Oh - and Scott made some new friends 😊

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more of our time online since the crisis hit. Whether it’s ordering food for delivery, livestreaming concerts, holding virtual parties, or engaging in a little retail therapy, the digital interactions of many Americans are on the rise. This means we’re also sharing more of our personal and financial information online, with each other and the organizations we interact with. Unfortunately, as ever, there are bad guys around every digital corner looking for a piece of the action.

The bottom line is that personally identifiable information (PII) is the currency of internet crime. And cyber-criminals will do whatever they can to get their hands on it. When they commit identity theft with this data, it can be a messy business, potentially taking months for banks and businesses to investigate before you get your money and credit rating back. At a time of extreme financial hardship, this is the last thing anyone needs.

It therefore pays to be careful about how you use your data and how you protect it. Even more: it’s time to get proactive and monitor it—to try and spot early on if it has been stolen. Here’s what you need to know to protect your identity data.

How identity theft works

First, some data on the scope of the problem. In the second quarter of 2020 alone 349,641 identity theft reports were filed with the FTC. To put that in perspective, it’s over half of the number for the whole of 2019 (650,572), when consumers reported losing more than $1.9 billion to fraud. What’s driving this huge industry? A cybercrime economy estimated to be worth as much as $1.5 trillion annually.

Specialized online marketplaces and private forums provide a user-friendly way for cyber-criminals and fraudsters to easily buy and sell stolen identity data. Many are on the so-called dark web, which is hidden from search engines and requires a specialized anonymizing browser like Tor to access. However, plenty of this criminal activity also happens in plain sight, on social media sites and messaging platforms. This underground industry is an unstoppable force: as avenues are closed down by law enforcement or criminal in-fighting, other ones appear.

At-risk personal data could be anything from email and account log-ins to medical info, SSNs, card and bank details, insurance details and much more. It all has a value on the cybercrime underground and the price fraudsters are prepared to pay will depend on supply and demand, just like in the ‘real’ world.

There are various ways for attackers to get your data. The main ones are:

  • Phishing: usually aimed at stealing your log-ins or tricking you into downloading keylogging or other info-stealing malware. Phishing mainly happens via email but could also occur via web, text, or phone. Around $667m was lost in imposter scams last year, according to the FTC.
  • Malicious mobile apps disguised as legitimate software.
  • Eavesdropping on social media: If you overshare even innocuous personal data (pet names, birth dates, etc.), it could be used by fraudsters to access your accounts.
  • Public Wi-Fi eavesdropping: If you’re using it, the bad guys may be too.
  • Dumpster diving and shoulder surfing: Sometimes the old ways are still popular.
  • Stealing devices or finding lost/misplaced devices in public places.
  • Attacking the organizations you interact with: Unfortunately this is out of your control somewhat, but it’s no less serious. There were 1,473 reported corporate breaches in 2019, up 17% year-on-year.
  • Harvesting card details covertly from the sites you shop with. Incidents involving this kind of “web skimming” increased 26% in March as more users flocked to e-commerce sites during lockdown.

The COVID-19 challenge

As if this weren’t enough, consumers are especially exposed to risk during the current pandemic. Hackers are using the COVID-19 threat as a lure to infect your PC or steal identity data via the phishing tactics described above. They often impersonate trustworthy institutions/officials and emails may claim to include new information on outbreaks, or vaccines. Clicking through or divulging your personal info will land you in trouble. Other fraud attempts will try to sell counterfeit or non-existent medical or other products to help combat infection, harvesting your card details in the process. In March, Interpol seized 34,000 counterfeit COVID goods like surgical masks and $14m worth of potentially dangerous pharmaceuticals.

Phone-based attacks are also on the rise, especially those impersonating government officials. The aim here is to steal your identity data and apply for government emergency stimulus funds in your name. Of the 349,641 identity theft reports filed with the FTC in Q2 2020, 77,684 were specific to government documents or benefits fraud.

What do cybercriminals do with my identity data?

Once your PII is stolen, it’s typically sold on the dark web to those who use it for malicious purposes. It could be used to:

  • Crack open other accounts that share the same log-ins (via credential stuffing). There were 30 billion such attempts in 2018.
  • Log in to your online bank accounts and drain them of funds.
  • Open bank accounts/credit lines in your name (this can affect your credit rating).
  • Order phones in your name or port your SIM to a new device (this impacts 7,000 Verizon customers per month).
  • Purchase expensive items in your name, such as a new watch or television, for criminal resale. This is often done by hijacking your online accounts with e-tailers. E-commerce fraud is said to be worth around $12 billion per year.
  • File fraudulent tax returns to collect refunds on your behalf.
  • Claim medical care using your insurance details.
  • Potentially crack work accounts to attack your employer.

How do I protect my identity online?

The good news among all this bad is that if you remain skeptical about what you see online, are cautious about what you share, and follow some other simple rules, you’ll stand a greater chance of keeping your PII under lock and key. Best practices include:

  • Use strong, long and unique passwords for all accounts, managed with a password manager.
  • Enable two-factor authentication (2FA) if possible on all accounts.
  • Don’t overshare on social media.
  • Freeze credit immediately if you suspect data has been misused.
  • Remember that if something looks too good to be true online it usually is.
  • Don’t use public Wi-Fi when out-and-about, especially not for sensitive log-ins, without a VPN.
  • Change your password immediately if a provider tells you your data may have been breached.
  • Only visit/enter payment details into HTTPS sites.
  • Don’t click on links or open attachments in unsolicited emails.
  • Only download apps from official app stores.
  • Invest in AV from a reputable vendor for all your desktop and mobile devices.
  • Ensure all operating systems and applications are on the latest version (i.e., patch frequently).
  • Keep an eye on your bank account/credit card for any unusual spending activity.
  • Consider investing in a service to monitor the dark web for your personal data.

How Trend Micro can help

Trend Micro offers solutions that can help to protect your digital identity.

Trend Micro ID Security is the best way to get proactive about data protection. It works 24/7 to monitor dark web sites for your PII and will sound the alarm immediately if it finds any sign your accounts or personal data have been stolen. It features

  • Dark Web Personal Data Manager to scour underground sites and alert if it finds personal info like bank account numbers, driver’s license numbers, SSNs and passport information.
  • Credit Card Checker will do the same as the above but for your credit card information.
  • Email Checker will alert you if any email accounts have been compromised and end up for sale on the dark web, allowing you to immediately change the password.
  • Password Checker will tell you if any passwords you’re using have appeared for sale on the dark web, enabling you to improve password security.

Trend Micro Password Manager enables you to manage all your website and app log-ins from one secure location. Because Password Manager remembers and recalls your credentials on-demand, you can create long, strong and unique passwords for each account. As you’re not sharing easy-to-remember passwords across multiple accounts, you’ll be protected from popular credential stuffing and similar attacks.

Finally, Trend Micro WiFi Protection will protect you if you’re out and about connecting to WiFi hotspots. It automatically detects when a WiFi connection isn’t secure and enables a VPN—making your connection safer and helping keep your identity data private.

In short, it’s time to take an active part in protecting your personal identity data—as if your digital life depended on it. In large part, it does.


Emotet Trojan is back as the world unlocks

The Emotet Trojan has been in the wild for more than 5 years, and now it is back after a 5-month break. It has spread globally, infecting new as well as old targets. It has been re-launched with multiple malspam campaigns to distribute it across all sectors. We…

This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

Read on:

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impact of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealthy attack method that abuses one of these vulnerabilities and points out a vital security measure that future ICS environments will require.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on the victim’s private messages and deleting or posting photos from their account, as well as executing arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Lockscreen and Authentication Improvements in Android 11

[Cross-posted from the Android Developers Blog]
As phones become faster and smarter, they play increasingly important roles in our lives, functioning as our extended memory, our connection to the world at large, and often the primary interface for communication with friends, family, and wider communities. It is only natural that as part of this evolution, we’ve come to entrust our phones with our most private information, and in many ways treat them as extensions of our digital and physical identities.

This trust is paramount to the Android Security team. The team focuses on ensuring that Android devices respect the privacy and sensitivity of user data. A fundamental aspect of this work centers around the lockscreen, which acts as the proverbial front door to our devices. After all, the lockscreen ensures that only the intended user(s) of a device can access their private data.

This blog post outlines recent improvements around how users interact with the lockscreen on Android devices and more generally with authentication. In particular, we focus on two categories of authentication that present both immense potential as well as potentially immense risk if not designed well: biometrics and environmental modalities.

The tiered authentication model

Before getting into the details of lockscreen and authentication improvements, we first want to establish some context to help relate these improvements to each other. A good way to envision these changes is to fit them into the framework of the tiered authentication model, a conceptual classification of all the different authentication modalities on Android, how they relate to each other, and how they are constrained based on this classification.

The model itself is fairly simple, classifying authentication modalities into three buckets of decreasing levels of security and commensurately increasing constraints. The primary tier is the least constrained in the sense that users only need to re-enter a primary modality under certain situations (for example, after each boot or every 72 hours) in order to use its capability. The secondary and tertiary tiers are more constrained because they cannot be set up and used without having a primary modality enrolled first and they have more constraints further restricting their capabilities.

  1. Primary Tier - Knowledge Factor: The first tier consists of modalities that rely on knowledge factors, or something the user knows, for example, a PIN, pattern, or password. Good high-entropy knowledge factors, such as complex passwords that are hard to guess, offer the highest potential guarantee of identity.

    Knowledge factors are especially useful on Android because devices offer hardware-backed brute-force protection with exponential backoff, meaning Android devices prevent attackers from repeatedly guessing a PIN, pattern, or password by enforcing hardware-backed timeouts after every 5 incorrect attempts. Knowledge factors also confer additional benefits on all users who use them, such as File Based Encryption (FBE) and encrypted device backup.

  2. Secondary Tier - Biometrics: The second tier consists primarily of biometrics, or something the user is. Face or fingerprint based authentications are examples of secondary authentication modalities. Biometrics offer a more convenient but potentially less secure way of confirming your identity with a device.

We will delve into Android biometrics in the next section.

  3. Tertiary Tier - Environmental: The last tier includes modalities that rely on something the user has. This could be a physical token, as with Smart Lock’s Trusted Devices, where a phone can be unlocked when paired with a safelisted Bluetooth device, or something inherent to the physical environment around the device, as with Smart Lock’s Trusted Places, where a phone can be unlocked when it is taken to a safelisted location.

    Improvements to tertiary authentication

    While both Trusted Places and Trusted Devices (and tertiary modalities in general) offer convenient ways to get access to the contents of your device, the fundamental issue they share is that they are ultimately a poor proxy for user identity. For example, an attacker could unlock a misplaced phone that uses Trusted Places simply by driving it past the user's home, or, with a moderate amount of effort, by spoofing a GPS signal using off-the-shelf software-defined radios and some mild scripting. Similarly with Trusted Devices, access to a safelisted Bluetooth device also gives access to all data on the user’s phone.

    Because of this, a major improvement was made to the environmental tier in Android 10. The tertiary tier was switched from an active unlock mechanism into an extending unlock mechanism instead. In this new mode, a tertiary tier modality can no longer unlock a locked device. Instead, if the device is first unlocked using either a primary or secondary modality, a tertiary modality can keep it in the unlocked state for a maximum of four hours.
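The constraints spelled out across the three tiers (a primary factor required after boot and again every 72 hours, hardware-backed timeouts after every 5 incorrect attempts with exponential backoff, and a tertiary modality that can only extend an existing unlock for up to four hours) fit together as a small policy state machine. The following is an added example that models that policy, not Android's implementation: the class and method names, the 30-second initial timeout and its doubling per round are assumptions (the post gives only "every 5 incorrect attempts" and "exponential backoff"), and the real enforcement happens in hardware-backed components rather than in app-level Python.

```python
"""Toy model of the Android tiered authentication policy (added example, not Android code)."""
from dataclasses import dataclass
import hmac

HOUR = 3600
PRIMARY_REQUIRED_AFTER = 72 * HOUR   # from the post: primary re-entry every 72 hours
TERTIARY_EXTENSION_MAX = 4 * HOUR    # from the post: tertiary extends an unlock by at most 4 hours
FAILURES_PER_TIMEOUT = 5             # from the post: a timeout after every 5 incorrect attempts
BASE_TIMEOUT_SECONDS = 30            # assumed first timeout length; doubles each round


@dataclass
class Lockscreen:
    pin: str                                    # the enrolled primary (knowledge) factor
    locked: bool = True
    last_primary_auth: float = float("-inf")    # -inf: no primary entry since boot
    last_strong_unlock: float = float("-inf")   # last unlock by a primary or secondary modality
    failed_attempts: int = 0
    throttle_until: float = 0.0

    def primary_auth(self, pin: str, now: float) -> bool:
        """Knowledge-factor entry with the 5-attempt exponential-backoff throttle."""
        if now < self.throttle_until:
            return False                        # refused outright during a timeout
        if not hmac.compare_digest(pin, self.pin):
            self.failed_attempts += 1
            if self.failed_attempts % FAILURES_PER_TIMEOUT == 0:
                rounds = self.failed_attempts // FAILURES_PER_TIMEOUT
                # 30 s, 60 s, 120 s, ... : exponential backoff per round of 5 failures
                self.throttle_until = now + BASE_TIMEOUT_SECONDS * (2 ** (rounds - 1))
            return False
        self.failed_attempts = 0
        self.throttle_until = 0.0
        self.locked = False
        self.last_primary_auth = now
        self.last_strong_unlock = now
        return True

    def secondary_auth(self, biometric_match: bool, now: float) -> bool:
        """Biometric unlock: unavailable after boot and once 72 h pass without a primary entry."""
        if now - self.last_primary_auth > PRIMARY_REQUIRED_AFTER:
            return False                        # fall back to the primary modality
        if not biometric_match:
            return False
        self.locked = False
        self.last_strong_unlock = now
        return True

    def tertiary_signal(self, trusted_present: bool, now: float) -> bool:
        """A Trusted Device/Place signal at the moment the screen would lock.
        Extending unlock (Android 10+): it never unlocks a locked device and only keeps
        an unlocked one unlocked for up to 4 h after the last primary/secondary unlock.
        Returns whether the device is unlocked afterwards."""
        if self.locked:
            return False
        if trusted_present and now - self.last_strong_unlock <= TERTIARY_EXTENSION_MAX:
            return True
        self.locked = True
        return False

    def lock(self) -> None:
        self.locked = True
```

Note that `throttle_until` rejects even the correct PIN while a timeout is in force, which is what makes the 5-attempt rule a brute-force limit rather than just a counter.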

A closer look at Android biometrics

Biometric implementations come with a wide variety of security characteristics, so we rely on the following two key factors to determine the security of a particular implementation:

  1. Architectural security: The resilience of a biometric pipeline against kernel or platform compromise. A pipeline is considered secure if kernel and platform compromises don’t grant the ability to either read raw biometric data, or inject synthetic data into the pipeline to influence an authentication decision.
  2. Spoofability: Measured using the Spoof Acceptance Rate (SAR). SAR is a metric first introduced in Android P, and is intended to measure how resilient a biometric is against a dedicated attacker. Read more about SAR and its measurement in Measuring Biometric Unlock Security.

We use these two factors to classify biometrics into one of three different classes in decreasing order of security:

  • Class 3 (formerly Strong)
  • Class 2 (formerly Weak)
  • Class 1 (formerly Convenience)

Each class comes with an associated set of constraints that aim to balance their ease of use with the level of security they offer.

These constraints reflect the length of time before a biometric falls back to primary authentication, and the allowed application integration. For example, a Class 3 biometric enjoys the longest timeouts and offers all integration options for apps, while a Class 1 biometric has the shortest timeouts and no options for app integration. You can see a summary of the details in the table below, or the full details in the Android Compatibility Definition Document (CDD).

1 App integration means exposing an API to apps (e.g., via integration with BiometricPrompt/BiometricManager, androidx.biometric, or FIDO2 APIs)

2 Keystore integration means integrating Keystore, e.g., to release app auth-bound keys

Benefits and caveats

Biometrics provide convenience to users while maintaining a high level of security. Because users must set up a primary authentication modality before they can use biometrics, biometrics help boost lockscreen adoption (we see an average of 20% higher lockscreen adoption on devices that offer biometrics versus those that do not). This lets more users benefit from the security features the lockscreen provides: it gates unauthorized access to sensitive user data and also confers the other advantages of a primary authentication modality, such as encrypted backups. Finally, biometrics also help reduce shoulder surfing attacks, in which an attacker tries to reproduce a PIN, pattern, or password after observing a user entering the credential.

However, it is important that users understand the trade-offs involved with the use of biometrics. Primary among these is that no biometric system is foolproof. This is true not just on Android, but across all operating systems, form-factors, and technologies. For example, a face biometric implementation might be fooled by family members who resemble the user or a 3D mask of the user. A fingerprint biometric implementation could potentially be bypassed by a spoof made from latent fingerprints of the user. Although anti-spoofing or Presentation Attack Detection (PAD) technologies have been actively developed to mitigate such spoofing attacks, they are mitigations, not preventions.

One effort that Android has made to mitigate the potential risk of using biometrics is the lockdown mode introduced in Android P. Android users can use this feature to temporarily disable biometrics, together with Smart Lock (for example, Trusted Places and Trusted Devices) as well as notifications on the lock screen, when they feel the need to do so.

To use the lockdown mode, users first need to set up a primary authentication modality and then enable it in settings. The exact setting where the lockdown mode can be enabled varies by device models, and on a Google Pixel 4 device it is under Settings > Display > Lock screen > Show lockdown option. Once enabled, users can trigger the lockdown mode by holding the power button and then clicking the Lockdown icon on the power menu. A device in lockdown mode will return to the non-lockdown state after a primary authentication modality (such as a PIN, pattern, or password) is used to unlock the device.

BiometricPrompt - New APIs

In order for developers to benefit from the security guarantee provided by Android biometrics and to easily integrate biometric authentication into their apps to better protect sensitive user data, we introduced the BiometricPrompt APIs in Android P.

There are several benefits of using the BiometricPrompt APIs. Most importantly, these APIs allow app developers to target biometrics in a modality-agnostic way across different Android devices (that is, BiometricPrompt can be used as a single integration point for various biometric modalities supported on devices), while controlling the security guarantees that the authentication needs to provide (such as requiring Class 3 or Class 2 biometrics, with device credential as a fallback). In this way, it helps protect app data with a second layer of defenses (in addition to the lockscreen) and in turn respects the sensitivity of user data. Furthermore, BiometricPrompt provides a persistent UI with customization options for certain information (for example, title and description), offering a consistent user experience across biometric modalities and across Android devices.

As shown in the following architecture diagram, apps can integrate with biometrics on Android devices through either the framework API or the support library (that is, androidx.biometric for backward compatibility). One thing to note is that FingerprintManager is deprecated because developers are encouraged to migrate to BiometricPrompt for modality-agnostic authentication.

Improvements to BiometricPrompt

Android 10 introduced the BiometricManager class that developers can use to query the availability of biometric authentication and included fingerprint and face authentication integration for BiometricPrompt.

In Android 11, we introduce new features such as the BiometricManager.Authenticators interface which allows developers to specify the authentication types accepted by their apps, as well as additional support for auth-per-use keys within the BiometricPrompt class.

More details can be found in the Android 11 preview and Android Biometrics documentation. Read more about BiometricPrompt API usage in our blog post Using BiometricPrompt with CryptoObject: How and Why and our codelab Login with Biometrics on Android.

This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how solutions from 32 Amazon Web Services partners – including Trend Micro – are now available for AWS customers to use with their deployments of AWS Outposts. Also, read about a data breach at U.S. office-supply retailer Staples.

Read on:

Boosting Impact for Profit: Evolving Ransomware Techniques for Targeted Attacks

As described in Trend Micro’s 2020 Midyear Roundup, the numbers pertaining to ransomware no longer tell the full story. While the number of infections, company disclosures, and ransomware families has gone down, the estimated amount of money exchanged for the retrieval of encrypted data has steadily gone up. By going after institutions and companies with the urgent need to retrieve their data and get their systems running again, cybercriminals are able to demand exorbitant amounts of ransom.

AWS Outposts Ready Launches with 32 Validated Partners

Solutions from 32 Amazon Web Services partners, including Trend Micro, are available now for AWS customers to use with their deployments of AWS Outposts, the on-premises version of the industry’s leading public cloud.

Analysis of a Convoluted Attack Chain Involving Ngrok

The Trend Micro Managed XDR team recently handled an incident involving one of Trend Micro’s customers. The incident revealed how a malicious actor incorporated certain techniques into an attack, making it more difficult for blue teams and security researchers alike to analyze the chain of events in a clean and easily understandable manner. In this blog, Trend Micro further analyzes the attack.

39% of Employees Access Corporate Data on Personal Devices

A large proportion of employees are using their own devices to access data belonging to their company, according to a new study by Trend Micro. Researchers found that 39% of workers use personal smartphones, tablets, and laptops to access corporate data, often via services and applications hosted in the cloud.

A Blind Spot in ICS Security: The Protocol Gateway Part 2: Vulnerability Allowing Stealth Attacks on Industrial Control Systems

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways and shares the security countermeasures that security administrators in smart factories must take. In the second part of this series, Trend Micro presents an overview of the verification methods, results of this research, and describes “flaws in the protocol conversion function,” one of the security risks revealed through Trend Micro’s experiments.

Staples Hit by Data Breach: What to Do Now

U.S. office-supply retailer Staples says its recent data breach affected fewer than 2,500 customers. Australian security researcher Troy Hunt, who runs the HaveIBeenPwned website, used his Twitter account to post a copy of an email message sent to an unknown number of Staples online customers.

“Zerologon” and the Value of Virtual Patching

A new CVE was released recently that has made quite a few headlines – CVE-2020-1472, also known as Zerologon. This CVE can allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.

Billions of Devices Vulnerable to New ‘BLESA’ Bluetooth Security Flaw

Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed this summer. Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol. BLE is a slimmer version of the original Bluetooth (Classic) standard but designed to conserve battery power while keeping Bluetooth connections alive as long as possible.

California Elementary Kids Kicked Off Online Learning by Ransomware

As students head back to the classroom, the wave of ransomware attacks against schools is continuing. The latest is a strike against a California school district that closed down remote learning for 6,000 elementary school students, according to city officials. The cyberattack, against the Newhall School District in Valencia, affected all distance learning across 10 different grade schools.

Mobile Messengers Expose Billions of Users to Privacy Attacks

When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery. A new research study shows that currently deployed contact discovery services severely threaten the privacy of billions of users.

Should employees be able to access company data via their personal devices? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Padlocks, Phishing and Privacy; The Value Proposition of a VPN

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS and upgrade-insecure-requests via content security policies to help make it a reality. Yet I also find myself constantly using VPNs for a variety of security and privacy related reasons and it got me thinking - why? I mean what's the remaining gap?

Last month I announced I've partnered with NordVPN as a strategic adviser and as part of that effort, I wanted to be a lot clearer in my own narrative around the value proposition of VPNs, especially as the web implements more encryption across more connections. As I started delving back through my own writing over the years, the picture became much clearer and it really crystallised just this week after I inadvertently landed on a nasty phishing site. I also started giving more thought to privacy and how it's constantly eroded in little bites, a thought process that highlighted just how far we still have to go as an industry, and where the value proposition of a VPN was strongest.

In the end I broke it down into 3 Ps: padlocks, phishing and privacy. Here's the value proposition of a VPN in the modern era:

1. HTTPS Still has a Long Way to Go

This is such a mess it's difficult to even know where to begin, so let me just start with the easy bits then progressively unveil just what a train wreck the current state of encrypted web traffic is. Here's one of our "Big 4" Aussie banks and as you can clearly see by virtue of the padlock, it's served over an HTTPS connection:

Goodo! I know that what's on the page hasn't been modified in transit as it was loaded over the internet, nor could anyone intercepting my traffic read it. The last bit is particularly important as I log on and would firstly like my password not to be eavesdropped on and secondly would also like to keep my financial information on the website secure. The great thing about the padlock in the browser is that it's assigned automatically by the browser itself; ANZ can't just say "let's whack a padlock up in the omnibar", they only get it if the page (and everything on it) is served securely. If I choose, I can click that padlock and inspect the certificate just to give me that extra peace of mind. Now let's try the mobile app:

What's the encryption story there? No idea! What I do know is that years ago I reported a bug to ANZ about their mobile app having turned off certificate validation so even though it made an HTTPS connection, it would trust any certificate returned to the app, including one injected by an attacker. Ouch!

I also know that when ANZ updated their app a couple of years ago, they pushed it out by asking people to click on an insecure link that looked just like a phishing attack:

And just to go down the rabbit hole even further, as commendable as the first ANZ screen grab of the HTTPS address in the browser is, you can only get there by first making an insecure request which is what the browser defaults to when you type in "":

If you want to get technical about it, yes, there's HSTS involved but it's not preloaded so the first request will always be insecure. But that shouldn't be that surprising given that only 2.3% of the world's top 1 million websites are forcing the first request to be secure:
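The preload gap described above can be checked from the response header alone. The following is an added example, not code from the post or from NordVPN: a small Strict-Transport-Security parser plus a check against the hstspreload.org eligibility rules (max-age of at least one year, includeSubDomains, preload). The sample headers are constructed for illustration and are not the real headers of any site mentioned above.

```kotlin
// Parsed view of a Strict-Transport-Security header.
data class HstsPolicy(val maxAge: Long?, val includeSubDomains: Boolean, val preload: Boolean)

// Splits the header on ';', matching directive names case-insensitively and
// tolerating an optional quoted max-age value.
fun parseHsts(header: String): HstsPolicy {
    var maxAge: Long? = null
    var subs = false
    var preload = false
    for (raw in header.split(';')) {
        val directive = raw.trim()
        if (directive.isEmpty()) continue
        val parts = directive.split('=', limit = 2)
        val name = parts[0].trim().lowercase()
        val value = parts.getOrNull(1)?.trim()?.trim('"')
        when (name) {
            "max-age" -> maxAge = value?.toLongOrNull()
            "includesubdomains" -> subs = true
            "preload" -> preload = true
        }
    }
    return HstsPolicy(maxAge, subs, preload)
}

const val ONE_YEAR_SECONDS = 31_536_000L // minimum max-age accepted by hstspreload.org

// Returns the reasons a header would be rejected for preloading; empty means the
// header itself is preload-ready (the domain must still be submitted and redirect HTTP to HTTPS).
fun preloadProblems(p: HstsPolicy): List<String> = buildList {
    if (p.maxAge == null) add("max-age missing or unparseable: not a valid HSTS policy")
    else if (p.maxAge < ONE_YEAR_SECONDS) add("max-age ${p.maxAge} is below the one-year preload minimum")
    if (!p.includeSubDomains) add("includeSubDomains directive missing")
    if (!p.preload) add("preload directive missing")
}

fun main() {
    // Constructed sample headers for the three common outcomes.
    val samples = listOf(
        "max-age=31536000",                              // HSTS on, but first request still plain HTTP
        "max-age=63072000; includeSubDomains; preload",  // eligible for the browser preload list
        "max-age=300; includeSubDomains",                // far too short, and no preload directive
    )
    for (h in samples) {
        val problems = preloadProblems(parseHsts(h))
        println("$h -> ${if (problems.isEmpty()) "preload-ready" else problems}")
    }
}
```

The first sample is the common case the post describes: a site that sets HSTS correctly for returning visitors yet, without a preload entry, still exposes every first-time visitor's initial request to a plaintext interception.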

This isn't meant to be an ANZ-bashing session because let's face it, plenty of banks have had plenty of problems getting their encryption right in the past, but it shows you just how many places there are for it to go wrong. I was reminded of just what a mess the landscape is just the other day after someone pointed me at a new financial app:

In the ensuing discussions I had about how much we can trust the transport layer, someone pointed out that it was only a few months ago that TikTok was found to be loading videos insecurely, allowing the contents of them to be manipulated whilst loading. It's kinda unfathomable to think that this sort of thing is still happening; I was dismayed enough 5 years ago when reporting vulnerabilities like this, yet here we still are.

Then there's the long, long tail of websites that still to this day, simply don't want to protect their visitors' traffic. For example, one of Australia's most popular websites is the bureau of meteorology, still served insecurely:

And just in case you thought you'd fix this by using a browser extension such as HTTPS Everywhere, no, you can't:

This is a baffling approach given they were actually able to respond to a request over HTTPS (so they have a valid cert), but then consciously chose to redirect the traffic to a non-secure address. And before we go down the "yeah but it's a static site so nothing can go wrong" path, all static sites should serve traffic over an encrypted connection for many, many good reasons.

2. A Secure Connection to Satan is Still a Connection to Satan

This tweet by my friend Scott Hanselman has well and truly stood the test of time:

I was reminded of this only a few days ago when I came across yet another Windows virus scam, the kind that's been doing the rounds for a decade now but refuses to die. It all started with a Google alert I have set up for the term "have i been pwned":

Initially, I was a little bit excited; does Netflix now have a way of checking your address directly against HIBP? Maybe they're plugging into the API directly from the account page there? Cool! However, moments later:

I saved you a copy of the audio as I'm sure the original one will disappear at some point. Imagine some poor unsuspecting person hearing that, seeing the warning on the screen then falling for the scam. These are massively prevalent and, per the screen grab, served over an encrypted HTTPS connection. But as Scott said earlier on, having privacy on your traffic doesn't mean you're communicating with someone you actually want to.

To test a theory, I fired up NordVPN which connected me to an exit node just up the road from me (that IP address is in Brisbane):

I've also got CyberSec enabled to kill nasty stuff off which I think it's fair to say, the scamming site above fits the bill:

Hitting the same URL sent to me in the original Google alert led to quite a different result this time:

This is precisely how it went down just this week with me receiving that Google alert, clicking the link and copping the full brunt of the scam. Clearly, I know better than to fall for it, but it did make me stop and wonder how many people do get taken for a ride by these scams.

And just in case you're wondering, the host name in the image where DNS didn't resolve is different to the final scam site as a lot of these phishes bounce you around across multiple domains. Doing a quick check now, with NordVPN off, my Pi-hole still resolved the domain:

But turning on NordVPN with CyberSec enabled, the domain was black-holed back to my local IP:

Now to be clear, I still love the Pi-hole (but let's face it, most people aren't going to be installing a Pi in their homes) and you're always going to have DNS block-lists at various states of readiness regarding new malicious domains, but I love CyberSec for the same reason in that by blocking content at the DNS level you can extend the reach well beyond an ad blocker alone. Every browser and every app on the device gets the benefit of known nasty content being binned as it's done at the OS level where DNS is defined and not on a per-client basis.

3. Security != Privacy

This is one of the most obvious value propositions of a VPN, but it deserves being examined in more detail anyway. Let's talk about privacy and I'll break it down into multiple layers beginning with this excellent drawing from Wassim Chegham:

As soon as we hit the DNS box, privacy starts to go down the toilet as your browser (or other internet connected client) makes a plain text, unencrypted query to a DNS server which is usually your ISP's. Because it's a plain text query, the site your client is querying is immediately observable by anyone sitting on the connection. So what about DNS over HTTPS, or DoH? It solves the interception problem, but of course the query still needs to be sent to a DNS server somewhere and at that point the name being queried and the origin of the query (your IP address) are still visible. From a privacy perspective, this isn't necessarily doing a lot for you.

Side note: we saw a great illustration of how much value ISPs put in being able to intercept DNS queries after the industry body for ISPs in the UK named Mozilla an "Internet Villain" for their push towards DoH. In classic anti-encryption style, the moral neutrality of crypto has led to complaints about increased privacy being used to, well, do things more privately whether they be good things or bad things.

With the DNS dance done, what's the impact on privacy then? Well, per the earlier ANZ example the initial request from the browser is still almost always sent insecurely over HTTP so everyone along the way not only sees where the traffic is going, but can also read and modify the contents of it so again, from a privacy perspective, not good. Per Scott's earlier tweet, only 2.3% of the top million websites in the world are resilient to this courtesy of preloading HSTS. But let's imagine the client has already begun communicating over HTTPS before someone starts poking around in their traffic, what then? That brings us to the next problem:

SNI is Server Name Indication and it was born of a need to host multiple sites and certificates on a single IP address. It means that whilst the contents of your traffic are encrypted, the destination they're being sent to is not:
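To make the leak concrete, here is an added example (written for this page, not code from the post) that builds a minimal TLS ClientHello for a constructed host name and then reads the server name back out of it the way any passive observer on the path, or any IDS logging TLS metadata, would. Everything in the record apart from the SNI extension is placeholder content (zeroed random, a single cipher suite), and the byte layout follows the public TLS handshake format.

```kotlin
import java.nio.ByteBuffer

// Builds a minimal ClientHello record whose only extension is server_name (type 0).
// Constructed sample for the parser below; real clients send many more fields.
fun buildClientHello(host: String): ByteArray {
    val name = host.toByteArray(Charsets.US_ASCII)
    // server_name extension body: list length | name_type (0 = host_name) | name length | name
    val sniBody = ByteBuffer.allocate(5 + name.size)
        .putShort((3 + name.size).toShort()).put(0.toByte()).putShort(name.size.toShort()).put(name).array()
    val extensions = ByteBuffer.allocate(4 + sniBody.size)
        .putShort(0.toShort()).putShort(sniBody.size.toShort()).put(sniBody).array()
    val body = ByteBuffer.allocate(2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + extensions.size)
        .putShort(0x0303.toShort())                  // client_version (TLS 1.2 wire value)
        .put(ByteArray(32))                          // random: zeroed here, CSPRNG output in reality
        .put(0.toByte())                             // session_id length 0
        .putShort(2.toShort()).putShort(0x1301.toShort()) // one cipher suite
        .put(1.toByte()).put(0.toByte())             // one compression method: null
        .putShort(extensions.size.toShort()).put(extensions).array()
    val handshake = ByteBuffer.allocate(4 + body.size)
        .put(1.toByte())                             // handshake type: client_hello
        .put((body.size shr 16).toByte()).putShort((body.size and 0xFFFF).toShort())
        .put(body).array()
    return ByteBuffer.allocate(5 + handshake.size)
        .put(0x16.toByte()).putShort(0x0301.toShort()) // record type handshake, record version
        .putShort(handshake.size.toShort()).put(handshake).array()
}

// Returns the host name carried in the ClientHello's SNI extension, or null if the
// bytes are not a ClientHello or carry no (plaintext) server name.
fun extractSni(record: ByteArray): String? = try {
    val b = ByteBuffer.wrap(record)
    if (b.get() != 0x16.toByte()) null else {                   // not a handshake record
        b.getShort()                                            // record version
        val recLen = b.getShort().toInt() and 0xFFFF
        if (b.remaining() < recLen || b.get() != 1.toByte()) null else {
            b.position(b.position() + 3)                        // handshake length
            b.getShort()                                        // client_version
            b.position(b.position() + 32)                       // random
            b.position(b.position() + (b.get().toInt() and 0xFF))          // session_id
            b.position(b.position() + (b.getShort().toInt() and 0xFFFF))   // cipher_suites
            b.position(b.position() + (b.get().toInt() and 0xFF))          // compression_methods
            var extRemaining = b.getShort().toInt() and 0xFFFF
            var found: String? = null
            while (found == null && extRemaining >= 4) {
                val type = b.getShort().toInt() and 0xFFFF
                val len = b.getShort().toInt() and 0xFFFF
                extRemaining -= 4 + len
                if (type != 0) {
                    b.position(b.position() + len)              // skip other extensions
                } else {
                    b.getShort()                                // server_name_list length
                    val nameType = b.get().toInt()
                    val nameLen = b.getShort().toInt() and 0xFFFF
                    val name = ByteArray(nameLen).also { b.get(it) }
                    if (nameType == 0) found = String(name, Charsets.US_ASCII)
                }
            }
            found
        }
    }
} catch (e: java.nio.BufferUnderflowException) {
    null                                                        // truncated or malformed record
}

fun main() {
    val capture = buildClientHello("example.invalid")           // constructed, not a real capture
    println("observer sees SNI = ${extractSni(capture)}")       // the name is readable in the clear
    println("random bytes: ${extractSni(ByteArray(64))}")       // not a ClientHello: null
}
```

Nothing here needs a key or a decrypted session: the host name sits in the unencrypted handshake, which is exactly why a VPN tunnel (or, eventually, ESNI) is what hides it from the network between you and the exit node, and also why a defender's TLS inspection logs can record destinations without breaking encryption.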

As Cloudflare's CEO wrote in the link above: "SNI leaks every site you go to online to your ISP and anyone else listening on the line". Which led him to talk about ESNI or "Encrypted" SNI. Which is great except... It's only supported in Firefox (Chrome support is going nowhere in a hurry). And it's not on by default. And it requires TLS 1.3. And secure DNS. If you want to check whether it works in your own browser, try Cloudflare's ESNI checker (hint: it almost certainly doesn't work). In time, we may see ESNI get traction, but that time is going to be measured in years, not months, at least for it to gain enough market share for you to genuinely browse the internet in private. Except even then, there's a problem:

Encrypted connections are great, but whilst you're connecting to services from your own IP address, can we really call the connection "private"? If it's my IP address, what can the site I'm visiting determine about me? Here's what NordVPN's "What is my IP address" service told me, right down to my suburb:

Not only may I not want to share this information with the site I visit, I might not want them knowing I'm the same person coming back on subsequent visits (and no, browsers' incognito and private modes don't fix this). I may also not want them joining the dots on who I am by matching my IP address to other public records; HIBP presently indexes 215 data breaches that exposed IP addresses alongside an extensive array of other personal information. Now, maybe your IP address is dynamic, maybe you browsed a service from 4G and it was your wired connection you used last time, maybe it wasn't the same on multiple different exposures. Maybe...

And now, just to make it even worse, consider all the other locations content gets pulled in from just to load your average web page. Take as an example:

There are 354 requests required to load the page including requests directly to CNN and their various subdomains, to Adnxs (a tracker), DoubleClick (a tracker) and if you scroll further down the report I've linked to above, (the hint is in the URL), (guess what - a tracker!) and by then I kinda figured I'd made my point and stopped scrolling. The privacy implications don't stop with the site you're visiting, they cascade all the way down the stack of requests that follow that initial one.

As the old saying goes, privacy isn't necessarily about having something to hide, it's also about not having something you want to share; if you're depressed and going to then you may not wish to share that with other people. If you're having trouble with alcohol and visit then you may not want to share that either. If you're pregnant and hopping over to then, again, you may expect to keep that information private (let us not forget the story of how Target managed to "data-mine its way into [a teenage girl's] womb"). Just looking up those URLs I was imagining what sort of conclusions would be drawn about me if someone had access to my connection! (No, I'm not a depressed alcoholic teenager who's expecting...)

But privacy goes well beyond just the obvious issues too, for example folks in the US dealing with the death of net neutrality. When your ISP can see your traffic, they can shape your traffic and remember, HTTPS doesn't fix that problem, at least not today. It extends to censorship too and we start to get into a more contentious area here as that spans everything from the local cafe wifi using deny-lists to government-mandated blocks on content (the latter being particularly contentious regarding certain types of content in certain parts of the world). The point is that the privacy rights assured by a VPN are about a lot more than just protecting your source IP from being exposed to the website you're visiting; it goes well beyond that.

To be clear, using a VPN doesn't magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there's still the network segment between the VPN exit node and the site in question to contend with. It's arguably the least risky segment of the network, but it's still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won't be perfect. And privacy wise, a VPN doesn't remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I've always said I'd much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that's been independently audited to that effect.

The point of all this is that when we look at the value proposition of a VPN, it's about much more than just protecting a segment of the network that may already have HTTPS anyway. We rarely see TLS implemented to its full potential, phishing remains a massive problem and we have far too little privacy when browsing the web.

Ransom from Home – How to close the cyber front door to remote working ransomware attacks

Coronavirus has caused a major shift to our working patterns. In many cases these will long outlast the pandemic. But working from home has its own risks. One is that you may invite ransomware attacks from a new breed of cyber-criminal who has previously confined his efforts to directly targeting the corporate network. Why? Because as a remote worker, you’re increasingly viewed as a soft target—the open doorway to extorting money from your employer.

So how does ransomware land up on your front doorstep? And what can a home worker do to shut that door?

The new ransomware trends

Last year, Trend Micro detected over 61 million ransomware-related threats, a 10% increase from 2018 figures. But things have only gotten worse from there. There has been a 20% spike in ransomware detections globally in the first half of 2020, rising to 109% in the US. And why is that?

At a basic level, ransomware searches for and encrypts most of the files on a targeted computer, so as to make them unusable. Victims are then asked to pay a ransom within a set time frame in order to receive the decryption key they need to unlock their data. If they don’t, and they haven’t backed-up this data, it could be lost forever.

The trend of late, however, has been to focus on public and private sector organizations whose staff are working from home (WFH). The rationale is that remote workers are less likely to be able to defend themselves from ransomware attacks, while they also provide a useful stepping-stone into high-value corporate networks. Moreover, cybercriminals are increasingly looking to steal sensitive data before they encrypt it, and they’re more likely to fetch a higher ransom for their efforts than they would from a typical consumer, especially if the remote employee’s data is covered by cyber-insurance.

Home workers are also being more targeted for a number of reasons:

  • They may be more distracted than those in the office.
  • Home network and endpoint security may not be up to company levels.
  • Home systems (routers, smart home devices, PCs, etc.) may not be up-to-date and therefore are more easily exposed to exploits.
  • Remote workers are more likely to visit insecure sites, download risky apps, or share machines/networks with those who do.
  • Corporate IT security teams may be overwhelmed with other tasks and unable to provide prompt support to a remote worker.
  • Security awareness programs may have been lacking in the past, perpetuating bad practice for workers at home.

What’s the attack profile of the remote working threat?

In short, the bad guys are now looking to gain entry to the corporate network you may be accessing from home via a VPN, or to the cloud-hosted systems you use for work or sharing files, in order to first steal and then encrypt company data with ransomware as far and wide as possible into your organization. But the methods are familiar. They’ll

  • Try to trick you into dangerous behavior through email phishing—the usual strategy of getting you to click links that redirect you to bad websites that house malware, or getting you to download a bad file, to start the infection process.
  • Steal or guess your log-ins to work email accounts, remote desktop tools (e.g., Microsoft Remote Desktop or RDP), and cloud-based storage/networks, etc., before they deliver the full ransomware payload. This may happen via a phishing email spoofed to appear as if sent from a legitimate source, or they may scan for your use of specific tools and then try to guess the password (known as brute forcing). One new Mac ransomware, called EvilQuest, has a keylogger built into it, which could capture your company passwords as you type them in. It’s a one-two punch: steal the data first, then encrypt it.
  • Target malware at your VPN or remote desktop software, if it’s vulnerable. Phishing is again a popular way to do this, or they may hide it in software on torrent sites or in app stores. This gives them a foothold into your employer’s systems and network.
  • Target smart home devices/routers via vulnerabilities or their easy-to-guess/crack passwords, in order to use home networks as a stepping-stone into your corporate network.

How can I prevent ransomware when working from home?

The good news is that you, the remote worker, can take some relatively straightforward steps up front to help mitigate the cascading risks to your company posed by the new ransomware. Try the following:

  • Be cautious of phishing emails. Take advantage of company training and awareness courses if offered.
  • Keep your home router firmware, PCs, Macs, mobile devices, software, browsers and operating systems up to date on the latest versions – including remote access tools and VPNs (your IT department may do some of this remotely).
  • Ensure your home network, PCs, and mobile devices are protected with up-to-date network and endpoint AV from a reputable vendor. (The solutions should include anti-intrusion, anti-web threat, anti-spam, anti-phishing, and of course, anti-ransomware features.)
  • Ensure remote access tools and user accounts are protected with multi-factor authentication (MFA) if used and disable remote access to your home router.
  • Disable Microsoft macros where possible. They’re a typical attack vector.
  • Back-up important files regularly, according to 3-2-1 rule.

How Trend Micro can help

In short, to close the cyber front door to ransomware, you need to protect your home network and all your endpoints (laptops, PCs, mobile devices) to be safe. Trend Micro can help via

  • The Home Network: Home Network Security (HNS) connects to your router to protect any devices connected to the home network — including IoT gadgets, smartphones and laptops — from ransomware and other threats.
  • Desktop endpoints: Trend Micro Security (TMS) offers advanced protection from ransomware-related threats. It includes Folder Shield to safeguard valuable files from ransomware encryption, which may be stored locally or synched to cloud services like Dropbox®, Google Drive® and Microsoft® OneDrive/OneDrive for Business.
  • Mobile endpoints: Trend Micro Mobile Security (also included in TMS) protects Android and iOS devices from ransomware.
  • Secure passwords: Trend Micro Password Manager enables users to securely store and recall strong, unique passwords for all their apps, websites and online accounts, across multiple devices.
  • VPN Protection at home and on-the-go: Trend Micro’s VPN Proxy One (Mac | iOS) solution will help ensure your data privacy on Apple devices when working from home, while its cross-platform WiFi Protection solution will do the same across PCs, Macs, Android and iOS devices when working from home or when connecting to public/unsecured WiFi hotspots, as you venture out and about as the coronavirus lockdown eases in your area.

With these tools, you, the remote worker, can help shut the front door to ransomware, protecting your work, devices, and company from data theft and encryption for ransom.


This Week in Security News: Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday and Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about this month’s Patch Tuesday update from Microsoft. Also, learn about Trend Micro’s Worry-Free XDR: a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses.

Read on:

Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot

Malicious actors continue to target environments running Docker containers. Trend Micro recently encountered an attack that drops both a malicious cryptocurrency miner and a distributed denial-of-service (DDoS) bot on a Docker container built using Alpine Linux as its base image. A similar attack was also reported by Trend Micro in May; in that previous attack, threat actors created a malicious Alpine Linux container to also host a malicious cryptocurrency miner and a DDoS bot.

Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday

Microsoft released patches for 129 CVEs (common vulnerabilities and exposures) as part of its monthly Patch Tuesday rollout. Dustin Childs from Trend Micro’s Zero Day Initiative shared that this marks seven consecutive months of more than 110 bugs fixed and brings the yearly total close to 1,000.

Purple Fox EK Relies on Cloudflare for Stability

A year ago, Trend Micro talked about Purple Fox malware being delivered by the Rig exploit kit. Malwarebytes later found evidence that it had its own delivery mechanism, and thus named it the Purple Fox exploit kit. Trend Micro recently found a spike in the Purple Fox exploit kit in its telemetry, with improved delivery tactics. Some of the improvements include use of a full HTTPS infrastructure with Cloudflare as the frontend, a fully encrypted landing page, and disguised redirection.

New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption

A group of researchers has detailed a new timing vulnerability in the Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed “Raccoon Attack,” it exploits a timing side channel in the Diffie-Hellman key exchange of TLS 1.2 and earlier: the premaster secret has leading zero bytes stripped before it is hashed, so a server that reuses Diffie-Hellman keys can leak, through its response timing, enough information for an attacker to recover that secret and the session keys derived from it.

War of Linux Cryptocurrency Miners: A Battle for Resources

The Linux ecosystem is widely regarded as secure and reliable, which is part of why Google, NASA, and the US Department of Defense (DoD) use it for their online infrastructures and systems. Unfortunately, that widespread adoption also makes Linux systems an attractive target for cybercriminals. In this blog, learn about the ruthless battle for computing power among the different cryptocurrency-mining malware families that target Linux systems.

Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response

Trend Micro announced Worry-Free XDR, a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses. This channel offering is available now as a standalone or managed solution tailored for SMBs.

Securing Enterprise Security: How to Manage the New Generation of Access Control Devices

Enterprises are increasingly deploying contactless security solutions to control access to their spaces, especially now in the midst of a pandemic. These solutions mostly rely on devices that use facial recognition to manage entry to enterprise premises in an effective and efficient manner. Considering that these access control devices are the first line of defense for employees and assets on enterprise premises, Trend Micro set out to test the security of the devices and to find out whether they are susceptible to cyber as well as physical attacks.

Zeppelin Ransomware Returns with New Trojan on Board

The Zeppelin ransomware has sailed back into relevance, after a hiatus of several months. A wave of attacks were spotted in August by Juniper Threatlab researchers, making use of a new trojan downloader. These, like an initial Zeppelin wave observed in late 2019, start with phishing emails with Microsoft Word attachments (themed as “invoices”) that have malicious macros on board. Once a user enables macros, the infection process starts.

Published New Ebook: Strategic Investment to Secure Smart Factories

Security is undergoing a digital transformation in the manufacturing industry. As the fusion of the cyber world and the physical world progresses, various security issues are mounting. Manufacturing executives must view security as a management issue, not as a system issue. Trend Micro has published an ebook that focuses on security issues in the convergence of IT and OT.

Ransomware Accounted for 41% of All Cyber Insurance Claims in H1 2020

Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by Coalition, one of the largest providers of cyber insurance services in North America. The high number of claims comes to confirm previous reports from multiple cybersecurity firms that ransomware is one of today’s most prevalent and destructive threats.

What do you think about the Zeppelin ransomware attacks and the rise in ransomware overall? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


1H 2020 Cyber Security Defined by Covid-19 Pandemic

When we published our 2020 Predictions report in December, we didn’t realize there was a global pandemic brewing that would give cybercriminals an almost daily news cycle to take advantage of in their attacks against people and organizations around the world. Malicious actors have always taken advantage of big news to use as lures for socially engineered threats, but these events tend to be fairly short news cycles.

When Covid-19 started making headlines in early 2020, we started seeing new threats using this in the attacks. As you see below, April was the peak month for email-based Covid-19 related threats.

The same was true for phishing URLs related to Covid-19, but for files using Covid-19 in their naming convention, the peak month in the first half was June.

Impact on Cybercrime

The constant 24×7 news around cases, cures and vaccines makes this pandemic unique for cybercriminals. Also, the shift to remote working and the challenges posed to supply chains all gave cybercriminals new content they could use as lures to entice victims into infecting themselves.

As we’ve seen for many years now, email-based threats were the most used threat vector by malicious actors, which makes sense as the number one infection vector to penetrate an organization’s network is to use a socially engineered email against an employee.

We even saw malicious mobile apps being developed using Covid-19 as a lure, as you see below.

In this case it was supporting potential cures for the virus, which many people would have wanted.

Other Highlights in 1H 2020

While Covid-19 dominated the threat landscape in the 1H 2020, it wasn’t the only thing that defined it. Ransomware actors continued their attacks against organizations, but as we’ve been seeing over the past year, they’ve become much more selective in their victims. The spray and pray model using spam has been shifted to a more targeted approach, similar to how nation-state actors and APT groups perform their attacks. Two things showcase this trend:

  1. The number of ransomware detections dropped significantly from 1H 2019 to 1H 2020, showing that ransomware actors are no longer looking for broad infection numbers.
  2. Ransom amounts have increased significantly over the years, showing that ransomware actors select their victims based on how much they believe they can extort and how likely the victim is to pay.

Home network attacks are another interesting aspect of the threat landscape in the first half of this year. We have millions of home routers around the world that give us threat data on events coming into and out of home networks.

Threat actors are taking advantage of more remote workers by launching more attacks against these home networks. As you see below, the first half of 2020 saw a marked increase in attacks.

Many of these attacks are brute force login attempts as actors try to obtain login credentials for routers and devices within the home network, which can allow them to do further damage.

The above are only a small number of the security events and trends we saw in just six months of 2020. Our full roundup of the security landscape so far this year is detailed in our security roundup report, Securing the Pandemic-Disrupted Workplace. You can read about all we found to help prepare for many of the threats we will continue to see for the rest of the year.


We Didn’t Encrypt Your Password, We Hashed It. Here’s What That Means:

You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway. Huh? Isn't the whole point of encryption that it protects data when exposed to unintended parties? Ah, yes, but it wasn't encrypted it was hashed and therein lies a key difference:

I see this over and over again and I'm not just on some nerdy pedantic rant, the difference between encryption and hashing is fundamental to how at-risk your password is from being recovered and abused after a data breach. I often hear people excusing the mischaracterisation of password storage on the basis of users not understanding what hashing means, but what I'm actually hearing is that breached organisations just aren't able to explain it in a way people understand. So here it is in a single sentence:

A password hash is a representation of your password that can't be reversed, but the original password may still be determined if someone hashes it again and gets the same result.

Let's start to drill deeper in a way that can be understood by everyday normal people, beginning with what a password hash actually is: there are two defining attributes that are relevant to this discussion:

  1. A password hash is one-way: you can hash but you can never un-hash
  2. The hashing procedure is deterministic: you will always get the same output with the same input

This is important for password storage as it means the following as they relate to the previous points:

  1. The original password is never stored thus keeping it a secret even from the website you provided it to
  2. By being deterministic, when the password is hashed at registration it will match the same password provided and hashed at login

Take, for example, the following password:

P@ssw0rd
This is a good password because it has lowercase, uppercase, numeric and non-alphanumeric values plus is 8 characters long. Yet somehow, your human brain looked at it and decided "no, it's not a good password" because what you're seeing is merely character substitution. The hackers have worked this out too which is why arbitrary composition rules on websites are useless. Regardless, here's what the hash of that password looks like:


This hash was created with the MD5 hashing algorithm and is 32 hexadecimal characters (128 bits) long. A shorter password hashed with MD5 is still 32 characters long. This entire blog post hashed with MD5 is still 32 characters long. This helps demonstrate the fundamental difference between hashing and encryption: a hash is a representation of data whilst encryption is protected data. Encryption can be reversed if you have the key, which is why it's used for everything from protecting the files on your device, to your credit card number if you save it on a website you use, to the contents of this page as it's sent over the internet. In each one of these cases, the data being protected needs to be retrieved in its original format at some point in the future, hence the need for encryption. That's the fundamental difference with passwords: you never need to retrieve the password you provided to a website at registration, you only need to ensure it matches the one you provide at login, hence the use of hashing.

So, where does hashing go wrong and why do websites still ask you to change your password when hashes are exposed? Here's an easy demo - let's just Google the hash from above:

And here we have a whole bunch of websites that match the original password with the hashed version. This is where the deterministic nature of hashes becomes a weakness rather than a strength because once the hash and the plain text version are matched to each other, you've now got a handy little searchable index. Another way of thinking about this is that password hashes are too predictable, so what do we do? Add randomness, which brings us to salt.

Imagine that if instead of just hashing the word "P@ssw0rd", we added another dozen characters to it first - totally random characters - and then we hashed it. Someone else comes along and uses the same password and they get their own salt (which means their own collection of totally random characters) which gets added to the password then hashed. Even with the same password, when combined with a unique salt the resultant hash will, itself, also be unique. So long as the same salt used at registration is added to your password at login (and yes, this means storing the salt alongside the hash in a database somewhere), the process can be repeated and the website can confirm if the password is correct.

Problem is, if someone has all the data out of a database Wattpad-style, can't they just reproduce the salting and hashing process? I mean you've got the salt and the hash sitting right there, what's to stop someone from having a great big list of passwords, picking a salt from the database, adding it to each password, hashing it and seeing if it matches the one from the breach? The only thing hampering this effort is time: how long would it take to hash that big list of passwords for one user's record from the database? How long for, in Wattpad's case, more than a quarter of a billion users? That all depends on the hashing algorithm that's been chosen. Old, antiquated hashing algorithms that were never designed for password storage in the first place can be calculated at a rate of tens of billions per second on consumer-grade hardware. Yes, that's "billion" with a "b" for bravo and, for the more technical folks, that's where you're at with MD5 or SHA-1. How long is a hashed password going to remain uncracked at that rate of guesses? Usually, not very long.
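The following Python is an added example, not code from the original post, that puts the three situations just described side by side: an attacker's precomputed hash-to-plaintext index that works against every unsalted MD5 database at once (the thing a web search for a hash is tapping into), per-user random salts that make that shared index useless, and the per-record dictionary attack that a dumped salt and hash still permit. The wordlist is constructed for illustration and MD5 is used only because it is the post's example of a fast, general-purpose hash; it is not a recommendation.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for the "great big list of passwords" an
# attacker would bring; real lists run to hundreds of millions of entries.
WORDLIST = ["123456", "password", "P@ssw0rd", "iloveyou", "wattpad", "passwo"]


def md5_hex(data: str) -> str:
    """Unsalted MD5, the fast general-purpose hash the post uses as its example."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_lookup_index(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. Because unsalted hashing is
    deterministic, this single index answers lookups for every site that
    stores bare MD5 hashes, no matter how many users each has."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(stored_hash: str, index: Dict[str, str]) -> Optional[str]:
    """What 'just Google the hash' amounts to: a dictionary lookup."""
    return index.get(stored_hash)


def store_salted(password: str) -> Dict[str, str]:
    """Registration with a per-user random salt, stored beside the hash."""
    salt = secrets.token_hex(16)  # 128 bits of randomness, hex-encoded
    return {"salt": salt, "hash": md5_hex(salt + password)}


def verify_salted(record: Dict[str, str], candidate: str) -> bool:
    """Login: re-apply the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], md5_hex(record["salt"] + candidate))


def crack_salted(record: Dict[str, str], words) -> Tuple[Optional[str], int]:
    """Attacker holding the dumped salt and hash: the shared index no longer
    matches anything, so the wordlist has to be re-hashed for this one record.
    Returns the recovered password (or None) and the number of hashes computed."""
    attempts = 0
    for word in words:
        attempts += 1
        if md5_hex(record["salt"] + word) == record["hash"]:
            return word, attempts
    return None, attempts


def attacker_hash_count(n_records: int, n_words: int, salted: bool) -> int:
    """Hashes needed to try the whole wordlist against every record in a dump:
    one pass in total for an unsalted database, one pass per record once each
    user has their own salt."""
    return n_words * (n_records if salted else 1)
```

The salt buys nothing against a single targeted record, as `crack_salted` shows; what it does is multiply the attacker's total work by the number of records in the dump, which is why the post's next question is how expensive each individual hash computation can be made.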

Going back to the example in the tweet at the start of this blog post, Wattpad didn't encrypt their customers' passwords, they hashed them. With bcrypt. This is a hashing algorithm designed for storing passwords and what really sets it apart from the aforementioned ones is that it's slow. I mean really slow: depending on its configurable cost factor, it takes millions to tens of millions of times longer to create a hash than MD5 does. You don't notice this as a customer when you're registering on the site or logging on because it's still only a fraction of a second to calculate a hash of your password, but for someone attempting to crack your password by hashing different possible candidates and comparing them to the one in Wattpad, it makes life way harder. But not impossible...

Let me demonstrate: here's the Wattpad registration page:

I was interested in what the password criteria was so I entered a single character and was told that it must be at least 6. Righto, let's now check complexity requirements:

Will 6 all lowercase characters be allowed? Let's submit the registration form and find out:

Yep 😎

Here's the problem with this and it's all going to bring us back to Wattpad's earlier statement about changing your password: because Wattpad's entire password criteria appears to boil down to "just make sure you have 6 or more characters", people are able to register using passwords like the one above. That particular password - "passwo" - appears in Have I Been Pwned's Pwned Password service 3,649 times:

It's a very poor password not because of a lack of numbers, uppercase or non-alphanumeric characters (I could easily make a very strong password that's all lowercase), but because of its predictability and prevalence.

Armed with the knowledge that Wattpad allows very simple passwords, I took a small list of the most common ones that were 6 characters or longer and checked them against a sample of their bcrypt hashes. Let's consider a bcrypt hash like this, for example:


The plain text password that generated that hash is "iloveyou". That's in Pwned Passwords 1.6M times and I would argue it's a rather risky one to allow. But because Wattpad's password criteria is so weak, someone (probably many people) used that password and it was easily cracked.

How about this one:


The plain text version of that one is... wait for it... "wattpad"! These are easy to verify yourself by using an online tool that checks a given password against a given bcrypt hash.

This is why Wattpad recommends changing passwords - because they can be cracked even when using a good password hashing algorithm. They can't be unencrypted because they weren't encrypted in the first place. If they were encrypted and there was genuine concern they may be unencrypted then that would imply a key compromise in which case all passwords would be immediately decrypted.
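To make the trade-off concrete, here is an added Python example (not code from the original post, and not Wattpad's code) that models what the section above describes: a deliberately slow, salted password hash, the dictionary attack that still recovers a common password like "iloveyou" from it, and the registration-time check that would have rejected that password in the first place. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, because bcrypt is not in the Python standard library; the iteration count plays the role of bcrypt's cost factor. The list of common passwords is constructed for the example and stands in for a Pwned Passwords lookup.

```python
import hashlib
import os
import time
from typing import Optional, Tuple

# Assumption for this example: PBKDF2-HMAC-SHA256 stands in for bcrypt, with the
# iteration count acting as the cost factor. 50,000 iterations is deliberately
# modest so the example runs quickly; production settings are higher.
ITERATIONS = 50_000

# Constructed list of very common passwords of 6+ characters, in the spirit of
# the Pwned Passwords entries the post cites (not real breach data).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "wattpad", "passwo", "abc123"]


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Purpose-built password hash: salted and intentionally expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def fast_hash(password: str, salt: bytes) -> bytes:
    """Salted MD5, for comparison: salted, but cheap to compute per guess."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def register(password: str, iterations: int = ITERATIONS) -> dict:
    """What the site stores: random salt, cost parameter and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": slow_hash(password, salt, iterations)}


def crack(record: dict, wordlist) -> Tuple[Optional[str], int, float]:
    """Dictionary attack against one leaked record. The attacker knows the salt
    and cost, so all that protects the user is how many guesses it takes and
    how long each one costs. Returns (password or None, guesses, seconds)."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, start=1):
        if slow_hash(guess, record["salt"], record["iterations"]) == record["hash"]:
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def seconds_per_guess(hash_fn, password: str = "iloveyou", rounds: int = 20) -> float:
    """Average cost of one guess with the given hash function on this machine."""
    salt = b"\x00" * 16  # fixed salt: only the per-guess cost matters here
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn(password, salt)
    return (time.perf_counter() - start) / rounds


def slowdown_factor() -> float:
    """How many times more expensive a guess is against the slow hash than
    against salted MD5; this is the factor the cost parameter buys."""
    return seconds_per_guess(slow_hash) / seconds_per_guess(fast_hash)


def is_too_common(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """Registration-time check the post argues for: a slow hash cannot save a
    password that sits near the top of every attacker's list."""
    return password.lower() in blocklist
```

Running `crack(register("iloveyou"), COMMON_PASSWORDS)` recovers the password on the fourth guess in a fraction of a second, cost factor notwithstanding, because the cost is paid per guess and a common password needs very few guesses. The same attack against a password that is not on the list exhausts the wordlist and returns nothing, and the per-guess cost reported by `slowdown_factor()` is what makes exhausting a large wordlist against hundreds of millions of records impractical. Both halves matter: a slow hash and a block on known-breached passwords.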

So there's your human-readable version of what password hashing is. I'll leave you again with the quote from above I'd far prefer to see in disclosure notices and ideally, a link through to this blog post too so people have accurate information they can make informed decisions on:

A password hash is a representation of your password that can't be reversed, but the original password may still be determined if someone hashes it again and gets the same result.

Announcing new reward amounts for abuse risk researchers

It has been two years since we officially expanded the scope of Google’s Vulnerability Reward Program (VRP) to include the identification of product abuse risks.

Thanks to your work, we have identified more than 750 previously unknown product abuse risks, preventing abuse in Google products and protecting our users. Collaboration to address abuse is important, and we are committed to supporting research on this growing challenge. To take it one step further, and as of today, we are announcing increased reward amounts for reports focusing on potential attacks in the product abuse space.

The nature of product abuse is constantly changing. Why? The technology (product and protection) is changing, the actors are changing, and the field is growing. Within this dynamic environment, we are particularly interested in research that protects users' privacy, ensures the integrity of our technologies, as well as prevents financial fraud or other harms at scale.

Research in the product abuse space helps us deliver trusted and safe experiences to our users. Martin Vigo's research on Google Meet's dial-in feature is one great example of a 31337 report that allowed us to better protect users against bad actors. His research provided insight on how an attacker could attempt to find Meet phone numbers and PINs, which enabled us to launch further protections to ensure that Meet would provide a secure technology connecting us while we're apart.

New Reward Amounts for Abuse Risks

What’s new? Based on the great submissions that we received in the past as well as feedback from our Bug Hunters, we increased the highest reward by 166% from $5,000 to $13,337. Research with medium to high impact and probability will now be eligible for payment up to $5,000.

What did not change? Identification of new product abuse risks remains the primary goal of the program. Reports that qualify for a reward are those that will result in changes to the product code, as opposed to removal of individual pieces of abusive content. The final reward amount for a given abuse risk report also remains at the discretion of the reward panel. When evaluating the impact of an abuse risk, the panels look at both the severity of the issue as well as the number of impacted users.

What's next? We plan to expand the scope of Vulnerability Research Grants to support research preventing abuse risks. Stay tuned for more information!

Starting today the new rewards take effect. Any reports that were submitted before September 1, 2020 will be rewarded based on the previous rewards table.

We look forward to working closely together with the researcher community to prevent abuse of Google products and ensure user safety.

Happy bug hunting!

Parental Control – Here’s how you can regulate your child’s computer habits

Today’s generation of children is introduced to technology from the moment they are born. So it’s not a surprise to hear that, according to one study from 2013, children are using the Internet from the age of three! This year especially has seen a mass migration from the physical to…

All you need to know about API Security

An Application Programming Interface (API) is a way that allows applications to communicate with one another. It provides a way for developers to build software applications while enabling the extraction and sharing of data in an accessible manner. APIs can be used to facilitate cyberattacks as APIs are widely used…

What Security Means to Elders

Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping you and your family stay safer and more secure.[1]

Findings from Pew Research Center show that internet usage by elders has risen from 14% in 2000 to 67% in 2017. As these numbers continue to rise, we wanted to find out what was important to them—particularly as more and more of their lives go online.

While many of us take shopping, surfing, and banking online for granted, they mark a dramatic shift for elders. They’ve gone from the days when banking meant banker’s hours and paper passbook to around-the-clock banking and a mobile app. And even if they use the internet sparingly, banking, finances, and commerce have gone digital. Their information is out there, and it needs to be protected.

The good news is, elders are motivated.

What’s on the minds of elders when it comes to their security?

Most broadly, this sentiment captures it well: Technology may be new to me, but I still want to be informed and involved. For example, elders told us that they absolutely want to know if something is broken—and if so, how to fix it as easily as possible. In all, they’re motivated to get smart on the topic of security, get educated on how to tackle risks, and gain confidence that they go about their time on the internet safely. Areas of interest they had were:

Identity protection: This covers a few things—one, it’s monitoring your identity to spot any initial suspicious activity on your personal and financial accounts before it becomes an even larger problem; and two, it’s support and tools for recovery in the event your identity is stolen by a crook. (For more on identity theft, check out this blog.)

Social Security monitoring: Government benefits are very much on the mind of elders, particularly as numerous agencies increasingly direct people to use online services to manage and claim those benefits. Of course, hackers and crooks have noticed. In the U.S., for example, Social Security identified nearly 63,000 likely fraudulent online benefit applications in fiscal 2018, according to the agency’s Office of the Inspector General, up from just 89 in fiscal 2015.

Scam prevention: An article from Protect Seniors Online cites some useful insights from the National Cyber Security Alliance and the Better Business Bureau. According to them, there are five top scams in the U.S. that tend to prey on older adults.

  • Tech support scams are run by people, sometimes over the phone, that pretend to be from a reputable company, which will then ask for access to your computer over the internet, install malware, and then claim there’s a problem. After that, they’ll claim to “help” you by removing that malware—for an exorbitant fee.
  • Ransomware scams, where a crook will block access to your computer until you pay a sum of money. This is like the tech support scam, yet without the pretense of support—it’s straight-up ransom.
  • Tax scams that attempt to steal funds by instructing people to make payments to a scammer’s account. In the U.S., note that the IRS will not call to demand payment or appeal an amount you owe.
  • False debt collectors are out there too, acting in many ways like tax scammers. These will often come by way of email, where the hacker will hope that you’ll click the phony link or open a malicious attachment.
  • Sweepstakes and charity scams that play on your emotions, where you’re asked to pay to receive a prize or make a donation with your credit card (thereby giving crooks the keys to your account).

Where can professionals get started?

With that, we’ve put together several resources related to these topics. Drop by our site and check them out. We hope you’ll find some basic information and knowledge of behaviors that can keep you safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

[1] Survey conducted in October 2019, consisting of 600 computer-owning adults in the U.S.

The post What Security Means to Elders appeared first on McAfee Blogs.

Pixel 4a is the first device to go through ioXt at launch

Trust is very important when it comes to the relationship between a user and their smartphone. While phone functionality and design can enhance the user experience, security is fundamental and foundational to our relationship with our phones. There are multiple ways to build trust around the security capabilities that a device provides, and we continue to invest in verifiable ways to do just that.

Pixel 4a ioXt certification

Today we are happy to announce that the Pixel 4/4 XL and the newly launched Pixel 4a are the first Android smartphones to go through ioXt certification against the Android Profile.

The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric, and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams, and Android smartphones.

The core focus of ioXt is “to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.” This is accomplished by assessing devices against a baseline set of requirements and relying on publicly available evidence. The goal of ioXt’s approach is to enable users, enterprises, regulators, and other stakeholders to understand the security in connected products to drive better awareness towards how these products are protecting the security and privacy of users.

ioXt’s baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization.

We believe that using a widely known industry consortium standard for Pixel certification provides increased trust in the security claims we make to our users. NCC Group has published an audit report that can be downloaded here. The report documents the evaluation of Pixel 4/4 XL and Pixel 4a against the ioXt Android Profile.

Security by Default is one of the most important criteria used in the ioXt Android profile. Security by Default rates devices by cumulatively scoring the risk for all preloads on a particular device. For this particular measurement, we worked with a team of university experts from the University of Cambridge, University of Strathclyde, and Johannes Kepler University in Linz to create a formula that considers the risk of platform signed apps, pregranted permissions on preloaded apps, and apps communicating using cleartext traffic.

Screenshot of the presentation of the Android Device Security Database at the Android Security Symposium 2020

In partnership with those teams, Google created Uraniborg, an open source tool that collects necessary attributes from the device and runs it through this formula to come up with a raw score. NCC Group leveraged Uraniborg to conduct the assessment for the ioXt Security by Default category.

As part of our ongoing certification efforts, we look forward to submitting future Pixel smartphones through the ioXt standard, and we encourage the Android device ecosystem to participate in similar transparency efforts for their devices.

Acknowledgements: This post leveraged contributions from Sudhi Herle, Billy Lau and Sam Schumacher

What Security Means to Families


One truth of parenting is this: we do a lot of learning on the job. And that often goes double when it comes to parenting and the internet.

That’s understandable. Whereas we can often look to our own families and how we were raised for parenting guidance, today’s always-on mobile internet, with tablets and smartphones almost always within arm’s reach, wasn’t part of our experience growing up. This is plenty new for nearly all of us. We’re learning on the job as it were, which is one of the many reasons why we reached out to parents around the globe to find out what their concerns and challenges are—particularly around family safety and security in this new mobile world of ours.

Just as we want to know our children are safe as they walk to school or play with friends, we want them to be just as safe when they’re online, particularly when we’re not around to look over their shoulder. Yet where we likely have good answers for keeping our kids safe around the house and the neighborhood, answers about internet safety are sometimes harder to come by.

Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping you and your family stay safer and more secure.[1]

What concerns and questions do parents have about the internet?

The short answer is that parents are looking for guidance and support. They’re focused on the safety of their children, and they want advice on how to parent when it comes to online privacy, safety, and screen time. Within that, they brought up several specific concerns:

Help my kids not feel anxious about growing up in an online world.

There’s plenty wrapped up in this statement. For one, it refers to the potential anxiety that revolves around social networks and the pressures that can come with using social media—how to act, what’s okay to post and what’s not, friending, following, unfriending, unfollowing, and so on—not to mention the notion of FOMO, or “fear of missing out,” and anxiety that arises from feelings of not being included in someone else’s fun.

Keep my kids safe from bullying, or bullying others.

Parents are right to be concerned. Cyberbullying happens. According to a UNICEF study spanning 30 countries, one child in three said they had been the victim of cyberbullying. On the flip side of that, a 2016 study of more than 5,000 students in the U.S. by the Cyberbullying Research Center reported that 11.5% of students between 12 and 17 indicated that they had engaged in cyberbullying in their lifetime.

Feel like I can leave my child alone with a device without encountering inappropriate content.

If we think of the internet as a city, it’s the biggest one there is. For all its libraries, playgrounds, movie theatres, and shopping centers, there are dark alleys and derelict lots as well. Not to mention places that are simply age appropriate for some and not for others. Just as we give our children freer rein to explore their world on their own as they get older, the same holds true for the internet. There are some things we don’t want them to see and do.

Balance the amount of screen time my children get each day.

Screen time is a mix of many things—from schoolwork and videos to games and social media. It has its benefits and its drawbacks, depending on what children are doing and how often they’re doing it. The issue often comes down to what is “too much” screen time, particularly as it relates to the bigger picture of physical activity, face-to-face time with the family, hanging out with friends, and getting a proper bedtime without the dim light of a screen throwing off their sleep rhythms.

Where can parents get started?

Beyond our job of providing online security for devices, our focus at McAfee is on protecting people. Ultimately, that’s the job we aim to do—to help you and your family be safer. Beyond creating software for staying safe, we also put together blogs and resources that help people get sharp on the security topics that matter to them. For parents, check out this page which puts forward some good guidance and advice that can help. Check it out, and we hope that you’ll find even more ways you can keep you and your family safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



[1] Survey conducted in October 2019, consisting of 600 computer-owning adults in the U.S.


The post What Security Means to Families appeared first on McAfee Blogs.

Security is a Feeling- With the McAfee #SecureMyLife RT2Win Sweepstakes!

Security is a Feeling-  Share it with the McAfee #SecureMyLife RT2Win Sweepstakes!

The word ‘security’ means something unique to everyone. Security is a feeling, an emotion, a sense of belonging and place: It could be the feeling of cuddling as a family in a pillow fort, making sure your house is locked at night, or always having a smartphone in your pocket for directions or an emergency.

Though our digital devices are convenient, they can also be cause for possible security concerns due to overlooked weaknesses. Check out the latest research from the McAfee team for more information.

While all this dazzling technology has its appeal, we here at McAfee understand the importance of creating new security solutions for those who want to live their connected lives with confidence.

In fact, to celebrate the latest innovations, we’re giving two [2] lucky people the chance to win an Amazon gift card. Not a customer? Not a problem!  Simply retweet one of our contest tweets with the required hashtag between August 3rd, 2020 – August 16th 2020 for your chance to win. Follow the instructions below to enter, and good luck!

#RT2Win Sweepstakes Official Rules

  • To enter, go to, and find the #RT2Win sweepstakes tweet.
  • Four [4] sweepstakes tweets will be released on the following schedule, each including the hashtags #RT2Win, #Sweepstakes AND #SecureMyLife:
    • Monday, August 3, 2020 at 9:05AM PST
    • Thursday, August 6, 2020 at 9:05AM PST
    • Monday, August 10, 2020 at 9:05AM PST
    • Thursday, August 13, 2020 at 9:05AM PST
  • Retweet the sweepstakes tweet released on the above date before 11:59PM PST, from your own handle. The #RT2Win, #Sweepstakes AND #SecureMyLife hashtags must be included to be entered.
  • Sweepstakes will end on Monday, August 16, 2020 at 11:59pm PT. All entries must be made before that date and time.
  • Winners will be notified on Wednesday August 19, 2020 via Twitter direct message.
  • Limit one entry per person.

1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#RT2Win, #Sweepstakes, and #SecureMyLife” for a chance at an Amazon Gift card. Two [2] winners will be selected by 10:00 AM PT August 19, 2020, for a total of two [2] winners. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

McAfee #SecureMyLife RT2Win Sweepstakes Terms and Conditions

2. How to Enter:

No purchase necessary. A purchase will not increase your chances of winning. McAfee’s #RT2Win Sweepstakes will be conducted from August 3rd through August 16th. All entries for each day of the #SecureMyLife RT2Win Sweepstakes must be received during the time allotted for the #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee RT2Win Sweepstakes. The #SecureMyLife RT2Win Sweepstakes duration is as follows:

#RT2Win Sweepstakes:

  • Begins: Monday, August 3rd, 2020 at 7:00am PST
  • Ends: Sunday, August 16, 2020 at 11:59PM PST
    • Opportunity 1: Monday, August 3, 2020 at 9:05AM PST
    • Opportunity 2: Thursday, August 6, 2020 at 9:05AM PST
    • Opportunity 3: Monday, August 10, 2020 at 9:05AM PST
    • Opportunity 4: Thursday, August 13, 2020 at 9:05AM PST
  • Winners will be announced: by 10:00AM PST August 19, 2020

For the #SecureMyLife RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the #SecureMyLife RT2Win Sweepstakes:

  1. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #SecureMyLife, #RT2Win and #Sweepstakes.
  2. Retweet the sweepstakes tweet of the day and make sure it includes the #McAfee, #SecureMyLife, #RT2Win and #Sweepstakes hashtags.
    • Note: Tweets that do not contain the #SecureMyLife, #RT2Win and #Sweepstakes hashtags will not be considered for entry.
  3. Limit one entry per person.

Two (2) winners will be chosen for the #McAfee #SecureMyLife Sweepstakes tweet from the viable pool of entries that retweeted and included #. McAfee and the McAfee social team will select winners at random from among the viable entries. The winners will be announced and privately messaged on August 19, 2020 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes. SWEEPSTAKES IS IN NO WAY SPONSORED, ENDORSED, ADMINISTERED BY, OR ASSOCIATED WITH TWITTER, INC. 

3. Eligibility:

McAfee’s #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the #SecureMyLife RT2Win Sweepstakes begins and live in a jurisdiction where this prize and the #SecureMyLife RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

4. Winner Selection:

Winners will be selected from the eligible entries received during the #SecureMyLife RT2Win Sweepstakes periods. Sponsor will select the names of two [2] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official #SecureMyLife RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

5. Winner Notification:

Each winner will be notified via direct message (“DM”) on Twitter by August 19, 2020. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or the prize may be forfeited and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if a potential winner cannot be reached within twenty four (24) hours from the first DM notification attempt, if a potential winner fails to return the requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

6. Prizes:

The prizes for the #SecureMyLife RT2Win Sweepstakes are two [2] $100 Amazon e-gift cards (approximate retail value “ARV” of the prize is $100 USD; the total ARV of all gift cards is $200 USD). Entrants agree that Sponsor has the sole right to determine the winners of the #SecureMyLife RT2Win Sweepstakes and all matters or disputes arising from the #SecureMyLife RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

7. General Conditions:

By entering, entrants agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the #SecureMyLife RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the #SecureMyLife RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the #SecureMyLife RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any #SecureMyLife RT2Win Sweepstakes-related activity, or participation in the #SecureMyLife RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

If participating in this Sweepstakes via your mobile device (which service may only be available via select devices and participating wireless carriers and is not required to enter), you may be charged for standard data use from your mobile device according to the terms in your wireless service provider’s data plan.  Normal airtime and carrier charges and other charges may apply to data use and will be billed on your wireless device bill or deducted from your pre-paid balance.  Wireless carrier rates vary, so you should contact your wireless carrier for information on your specific data plan.

8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.

  2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation.

By entering this sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

9. Prize Forfeiture:

If a winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these #SecureMyLife RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from the remaining eligible entries for each #SecureMyLife RT2Win Sweepstakes.

10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the #SecureMyLife RT2Win Sweepstakes and all matters or disputes arising from the #SecureMyLife RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of New York.

12. Privacy Notice:

Personal information obtained in connection with this #RT2Win Sweepstakes will be handled in accordance with the policy set forth in the McAfee Privacy Policy.

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after January 10th 2020 and before August 16th 2021 to the address listed below, Attn: #RT2Win Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Consumer Content Marketing. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2018 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA

The post Security is a Feeling- With the McAfee #SecureMyLife RT2Win Sweepstakes! appeared first on McAfee Blogs.

Introducing PhishingKitTracker

If you are a security researcher, or simply passionate about how attackers implement phishing, you will find yourself looking for phishing kits. A phishing kit is not a phishing builder but a real implementation (actually a re-implementation) of a third-party website built to lure the victim. Initially attackers use a phishing builder to “clone” the original web site, but after that they introduce, into the freshly regenerated website, interesting add-ons such as: evasion techniques (to evade phishing detectors), targeted elements (to target specific victims), fast redirectors (to follow the attack chain into the original web site, or to a relay that tries to infect you) and sometimes exploit kits that try to exploit your browser before letting you go.

Credit: Alen Pavlovic (here)


There are places where you can buy phishing kits (for example, BleepingComputer wrote a great article on that here), but if you want to get them for free in order to study the attack schema and kit composition, you won’t find free collections. So I decided to share my PhishingKit Tracker, updated automatically by my backend engine every day, for study and research purposes.

You can find it HERE (PhishingKitTracker github repo)


This repository holds a collection of Phishing Kits used by criminals to steal user information. Almost every file in the raw folder is malicious, so I strongly recommend that you neither open these files nor misuse the code to prank your friends. Playing with these kits may lead to irreversible consequences which may affect anything from personal data to passwords and banking information.

I am not responsible for any damage caused by the malware inside my repository and your negligence in general.

NB: Large File Storage Ahead

PhishingKitTracker is stored in Git Large File Storage (git-lfs) due to the large amount of data tracked. You should install git-lfs before cloning this repository.

RAW Data

In the raw folder the Phishing Kits are tracked in their original format; no manipulation is applied to that data. A backend script goes over harvested malicious websites (harvesting from common sources) and checks whether Phishing Kits are present. In the positive case (a PhishingKit is found) the resulting file is downloaded and immediately added to that folder. This folder is tracked using Git Large File Storage since many files are bigger than 100MB. The “RAW Data” is quite unexplored territory; you will very probably find many interesting topics in it. Please remember to cite this work if you find something here; it would be very much appreciated.


In the stats folder two up-to-date files are maintained:

  1. files_name holds the frequency of the file names found to be associated with kits. In other words, every phishing kit is saved on the phishing host under a name; files_name keeps track of every file name and its frequency. If you are wondering why I am not tracking hashes: phishing kits are big compressed archives, so hashing would make no sense at this stage since they always differ from each other (but check the src folder for additional information).
  2. sites holds the frequency of the hosting domain names, in other words where the phishing kit was found. No duplicates are tracked, meaning that the frequency and the file names are unique. So, for example, if you see something like: 3 it means that three different Phishing Kits have been found there over time.

Both of these files have been generated by simple bash scripts like:

  • ls raw/ | cut -d'_' -f1 | sort | uniq -c | sort -bgr > stats/sites.txt
  • ls raw/ | cut -d'_' -f2 | sort | uniq -c | sort -bgr > stats/files_name.txt

(uniq -c only merges adjacent identical lines, hence the sort before it.) These scripts are run on every commit, keeping the files in line with the raw folder.

On the other side, a file called similarity.csv is provided with a tremendous delay, due to the vast amount of time needed to generate it. That file provides the similarity between the tracked Phishing Kits. It’s a simple CSV file, so you can import it into your favorite spreadsheet and make graphs and statistics, or manipulate it in the way you prefer.


The similarity structure is like the following one: FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax where:

  • FileA is the PhishingKit considered in that analysis.
  • FileB is the PhishingKit compared to PhishingKit FileA.
  • SimilarityAVG is the average similarity. That average is calculated by running the similarity check on every single (interesting) file in the PhishingKit archive FileA against every single (interesting) file in the PhishingKit archive it is compared to, FileB.
  • SimilarityMin is the lowest similarity value found between PhishingKitA and PhishingKitB.
  • SimilarityMax is the highest similarity value found between PhishingKitA and PhishingKitB.

If you want to generate similarity.csv on your own, I provide a simple and dirty script in the src folder. So far it has several limitations (for example it handles ZIP files only). Please make pull requests to improve and empower it; each contribution would be very helpful.


Please check those variables and change them at your will.

EXTENSION_FOR_ANALYSIS = ['.html','.js','.vbs','.xls','.xlsm','.doc','.docm', '.ps1']
OUTPUT_FILE = 'similarity.csv'
RAW_FOLDER = '/tmp/raw/'
TEMP_FOLDER = '/tmp/tt'

Once you’ve changed them you can run the script and take a long rest. It will navigate through RAW_FOLDER, grab the .zip files and try to compute code similarity between them. At the very end it will save the results into OUTPUT_FILE. From there you can import that file into your favorite spreadsheet processor and explore the code similarity.

So far the Python script is only able to compare zip-tracked phishing kits; support for other compressed formats is still work in progress.

NB: The Python script is in a very early stage of development. Please help to improve it.

How to contribute

Introducing the walking script for different compression formats. In other words, if you want to contribute you can write a new section such as the following one, but for different compression extensions such as .tar.gz, .tar, .rar, .7z and so on.

import os
from zipfile import ZipFile

# Extracts Zip files based on EXTENSION_FOR_ANALYSIS. It returns the entire file
# path for future works
def extractZipAndReturnsIntereistingFiles(file_to_extract):
    interesting_files = []      # matching members that were extracted
    n_interesting_files = []    # matching members that failed to extract
    try:
        with ZipFile(file_to_extract, 'r') as zipObj:
            listOfFileNames = zipObj.namelist()
            for fileName in listOfFileNames:
                for ext in EXTENSION_FOR_ANALYSIS:
                    if fileName.endswith(ext):
                        try:
                            zipObj.extract(fileName, TEMP_FOLDER)
                            interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
                        except Exception as e:
                            n_interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
    except Exception as e:
        # unreadable or corrupt archive: return whatever was extracted so far
        return interesting_files
    return interesting_files

One more way to contribute is to make the comparison loop smarter and quicker. You might decide to parallelize the task by forking and spawning more processes, or by changing the way I use multi-threading in this quick and dirty statistics script. In conclusion, every working pull request is welcome.
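As an added example (not PhishingKitTracker’s own script), here is a self-contained Python version of the pipeline described under the similarity.csv structure and in the contribution section above: it walks .zip and .tar/.tar.gz kits, extracts only the EXTENSION_FOR_ANALYSIS members into a per-kit temp folder, scores every interesting file of kit A against every interesting file of kit B, and writes the FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax rows. The similarity metric (difflib’s SequenceMatcher ratio) and the three constructed sample kits are my assumptions, not the project’s; the tar sample carries a “../” member to show why extraction paths have to be checked when the archives under analysis are themselves hostile.

```python
# Added example, not PhishingKitTracker's own code: similarity.csv generation
# over .zip and .tar(.gz) kits, with difflib as an assumed similarity metric.
import csv
import difflib
import io
import os
import tarfile
import tempfile
import zipfile
from itertools import product

# Same extension list the post shows; everything else in a kit is ignored.
EXTENSION_FOR_ANALYSIS = ['.html', '.js', '.vbs', '.xls', '.xlsm', '.doc', '.docm', '.ps1']
ARCHIVE_EXTENSIONS = ('.zip', '.tar', '.tar.gz', '.tgz')

def is_interesting(name):
    return any(name.endswith(ext) for ext in EXTENSION_FOR_ANALYSIS)

def _safe_target(dest, member_name):
    """Absolute path for member_name under dest, or None when the member would
    escape dest: kits are hostile input, so a '../' entry is skipped, not written."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member_name))
    return target if target.startswith(root + os.sep) else None

def _iter_members(archive_path):
    """Yield (name, bytes) for each regular file in a zip or (gzipped) tar.
    Members are read in memory instead of extract()ed so one path check applies."""
    if zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as z:
            for info in z.infolist():
                if not info.is_dir():
                    yield info.filename, z.read(info)
    elif tarfile.is_tarfile(archive_path):
        with tarfile.open(archive_path) as t:
            for member in t.getmembers():
                if member.isfile():
                    yield member.name, t.extractfile(member).read()
    else:
        raise ValueError('unsupported archive format: %s' % archive_path)

def extract_interesting_files(archive_path, temp_folder):
    """Write the EXTENSION_FOR_ANALYSIS members of one kit into its own
    directory under temp_folder and return the sorted list of written paths."""
    dest = os.path.join(temp_folder, os.path.basename(archive_path) + '.d')
    written = []
    for name, data in _iter_members(archive_path):
        target = _safe_target(dest, name) if is_interesting(name) else None
        if target is None:
            continue  # uninteresting extension, or a path-traversal attempt
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, 'wb') as fh:
            fh.write(data)
        written.append(target)
    return sorted(written)

def file_similarity(path_a, path_b):
    """difflib ratio in [0, 1]; 1.0 means the two files are identical text."""
    with open(path_a, 'rb') as fa, open(path_b, 'rb') as fb:
        text_a, text_b = fa.read().decode('utf-8', 'replace'), fb.read().decode('utf-8', 'replace')
    return difflib.SequenceMatcher(None, text_a, text_b).ratio()

def kit_similarity(files_a, files_b):
    """(avg, min, max) over every interesting file of A against every one of B."""
    scores = [file_similarity(a, b) for a, b in product(files_a, files_b)]
    return (sum(scores) / len(scores), min(scores), max(scores)) if scores else None

def build_similarity_csv(raw_folder, temp_folder, output_file):
    kits = sorted(f for f in os.listdir(raw_folder) if f.endswith(ARCHIVE_EXTENSIONS))
    files = {k: extract_interesting_files(os.path.join(raw_folder, k), temp_folder) for k in kits}
    rows = []
    for i, kit_a in enumerate(kits):
        for kit_b in kits[i + 1:]:          # each unordered pair once
            sim = kit_similarity(files[kit_a], files[kit_b])
            if sim is not None:
                rows.append((kit_a, kit_b) + sim)
    with open(output_file, 'w', newline='') as fh:
        writer = csv.writer(fh)
        writer.writerow(['FileA', 'FileB', 'SimilarityAVG', 'SimilarityMin', 'SimilarityMax'])
        writer.writerows(rows)
    return rows, {k: [os.path.basename(p) for p in v] for k, v in files.items()}

def make_sample_raw_folder(raw_folder):
    """Constructed sample kits (not real ones): kits 1 and 2 share an identical
    login.html, kit 3 is unrelated, and kit 2 carries a '../' traversal member."""
    login = b'<html><form action="post.php"><input name="user"><input name="pass"></form></html>'
    with zipfile.ZipFile(os.path.join(raw_folder, 'kit1.zip'), 'w') as z:
        z.writestr('kit1/login.html', login)
        z.writestr('kit1/style.css', b'body{}')   # .css is not analysed
    with tarfile.open(os.path.join(raw_folder, 'kit2.tar.gz'), 'w:gz') as t:
        for name, data in [('kit2/login.html', login),
                           ('kit2/post.php', b'<?php header("Location: /"); ?>'),
                           ('../escape.html', b'<html>must not be written</html>')]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    with zipfile.ZipFile(os.path.join(raw_folder, 'kit3.zip'), 'w') as z:
        z.writestr('kit3/index.html', b'<html><h1>Totally different page</h1></html>')

def demo():
    """Run the whole pipeline in a scratch directory; returns (rows, files)."""
    with tempfile.TemporaryDirectory() as work:
        raw, tmp = os.path.join(work, 'raw'), os.path.join(work, 'tt')
        os.makedirs(raw)
        os.makedirs(tmp)
        make_sample_raw_folder(raw)
        return build_similarity_csv(raw, tmp, os.path.join(work, 'similarity.csv'))

if __name__ == '__main__':
    for row in demo()[0]:
        print(row)
```

Running the block prints one row per kit pair; kit1 and kit2 score 1.0 on all three columns because their only analysed file is identical, while the pairs involving kit3 land strictly between 0 and 1. Pointing build_similarity_csv at a real raw folder only requires a temp folder on a disk large enough for the extracted files; adding .rar or .7z support means adding another branch to _iter_members, since everything downstream works on (name, bytes) pairs.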

Cite the Phishing Kit

@misc{ MR,
       author = "Marco Ramilli",
       title = "Phishing Kits Tracker",
       year = "2020",
       url = "",
       note = "[Online; July 2020]"
}

Secure IT: Shop Safe Online

Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Uniform Resource Locator (URL) are you really connecting to? Is it really your banking website, or the new online shopping website that you are trying for the first time? How can you tell?

It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:

  1. Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history that you can track for when you visit and what you buy? Have you linked the valid URL for the site in your browser? Mistyping a URL in your browser for any site you routinely visit can lead you to a rogue website.

  2. Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.

  3. Perform basic checks in your browser. Today’s modern browsers are much better at encrypted and secure connections than they were a few years ago. They use encrypted communication by leveraging a specific Internet protocol, hypertext transfer protocol secure (HTTPS). This means that there is a certificate associated with the site which your browser verifies before you are allowed to connect and establish the encrypted channel. (Just so you know, yes, these certificates can be spoofed, but that is a problem for another day). How do you check for this certificate? Look in your browser’s address bar.

  4. Create strong passwords for your shopping sites. This issue is covered in another blog post, but use longer passwords, 10–12 characters, and keep them in a safe place that cannot be compromised by an unauthorized person. If a second factor is offered, use it. Many sites will send a code to your smartphone to type into the login screen to verify you are who you say you are.

  5. Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.

We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.

To recap:

  • Visit and use sites you know and trust
  • Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
  • Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
  • Look for anything that is not familiar to your known experience with the site.
  • If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
  • Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
  • If a site offers a second factor to authenticate you, use it.
  • Check all your payment card statements regularly to look for rogue purchases.
  • Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.

Safe shopping!

The post Secure IT: Shop Safe Online appeared first on Connected.

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you are all faced with the same challenge, whether you accept it or not. In the security risk management world, if the malicious actor wants into your network, they will figure out a way to get in. You of course still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond when the breach occurs.

Having spent 38 years in Information Security, the one constant that I see is that the individuals who make it their business to steal or disrupt your data are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is being a half-step behind them at worst case. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager? Create a strategy whereby you frequently identify the threat, and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using the same tools and techniques the malicious actors use. Test user security awareness, as we know it only takes one click on a malicious link in a phishing email to potentially bring down an entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy to keep risk mitigation focused on the most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean? Implementing the people, process, and technology in key security areas to give you a fighting chance to detect and react to malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, it is commonplace for a lapse in judgment to occur. We live in a rapid-fire, high-availability, high-output world, and mistakes can and will be made. So make it less commonplace: train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again, our high-powered technical, mobile, and social world often demands we run at warp speed. Who has time to document? Well — make the time. Good documentation, including processes, policies and standards as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, has to have a designated review date, and has to have an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available, at what I like to call the security “choke points”, end-point, network, edge, gateway, etc. This is just what everyone does. However, why not use the process we discussed above — measure, document, prioritize, and build a risk roadmap strategy — as your guideline for what you purchase and deploy for technology. Ask yourself — what is so wrong with selecting and implementing a product, only after you validate how it will help you manage your documented security risk? Of course the answer to that is — nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate in a seamless way. In other words, your end-point, edge, network, gateway, sandbox, etc., security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape, Unified Security Stack. And, don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance does not come by accident. It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when they get in.

The post Be a Conscientious Risk Manager appeared first on Connected.

Protecting Critical Infrastructure from Cyber Threats

The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

It’s important to identify current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

Protecting Critical Infrastructure

In this blog, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency.

The post Protecting Critical Infrastructure appeared first on Connected.

The Internet Wants YOU: Consider a Career in Cyber Security.

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The Internet Wants YOU: Consider a Career in Cyber Security. appeared first on Connected.

Cyber Security Careers Are in High Demand

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Cyber security is a viable and rewarding profession, and we encourage people from all backgrounds to see information security as an essential career path.

The post Cyber Security Careers Are in High Demand appeared first on Connected.

WPA2 Hacks and You

The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.

The key reinstallation attack—or KRACK—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets, so that private (encrypted) communication is no longer private. Although the flaw requires the attacker to be in close proximity to the network to execute it, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.

The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.

What can you do?

Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:

  1. Apply patches as they are released
  2. Pay careful attention to your wireless environment
  3. Watch for people and technology that look out of place
  4. Utilize a trusted VPN solution
  5. When possible, transfer data over an encrypted channel—such as HTTPS
  6. Restrict sensitive information that would normally pass over a wireless network
  7. And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication

How has this Wi-Fi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.

The post WPA2 Hacks and You appeared first on Connected.