Security

Episode #20: Digital Trust – An Imperative for Business Innovation
CISO MAG, January 20, 2022

The post Episode #20: Digital Trust – An Imperative for Business Innovation appeared first on CISO MAG | Cyber Security Magazine.

Coming out of the cybersecurity, privacy, and data ethics fields, Digital Trust is becoming a requirement for doing business in the modern, hyperconnected world.

There is a significant trust deficit – people are increasingly saying that they don’t trust science or technology (and especially not technology focused companies) to improve their lives.

A global survey by PwC in 2020 found that people have concerns about security and privacy, but often feel trapped with their service providers due to a lack of trusted alternatives. Consumers want trusted alternatives, with 83% wanting control over their data and 85% wishing for companies they can trust with their data. Given a trustworthy option, consumers would not only change providers but are also willing to pay for more enhanced security.

In order to build back trust in technology and in technology innovators and developers, we need to focus on building more trustworthy technology. That includes focusing on cybersecurity from the beginning, but also on being transparent about our uses of tech and making sure they adhere to the values of users and citizens. That is why the World Economic Forum launched a new initiative on Digital Trust.

The World Economic Forum’s Digital Trust initiative was established to create a global consensus among stakeholders on what Digital Trust means. Digital Trust is part of the Forum’s Centre for Cybersecurity Platform.

In this episode Daniel Dobrygowski, Head of Governance & Trust, World Economic Forum explains what Digital Trust means in the context of business and why it is so important for business innovation.

Consumers are losing faith in businesses that sell their personal data to marketers. More consumers mistrust technology, for instance connected devices in smart homes, as highlighted in the World Economic Forum's State of the Connected World 2020 report. Big tech companies can track consumers closely and have a deep understanding of consumer habits, preferences and behaviours. Lapses in security that lead to data leaks add to the problem. Dobrygowski talks about the governance required to reaffirm consumer confidence in both business and technology.


An attorney and educator with two decades of experience at the intersection of technology, civil rights, law, and policy, Dobrygowski came to the Forum as a Global Leadership Fellow and was one of the founding staff of the Forum’s Centre for Cybersecurity. Previously, he practiced law with international firms in San Francisco and Washington, DC in the areas of antitrust, consumer protection, IP, and privacy. He conducts research and publishes in the fields of cybersecurity & resilience, digital trust, election protection, internet rights, and corporate governance.

Daniel holds an MPA from Harvard University’s Kennedy School of Government, a JD from the University of California, Berkeley, School of Law, and a BA from the Johns Hopkins University. He sits on the board of the Cyber Risk Institute and has been recognized by the NACD as one of the most influential leaders in the corporate governance community.

Data protection: what 2021's trends tell us to expect in 2022
Clíona Perrick, BH Consulting, January 20, 2022

The post Data protection: what 2021's trends tell us to expect in 2022 appeared first on BH Consulting.

2021 was a hectic year for everyone. The data protection world was also bustling with a ton of new guidance, recommendations, case law and more for businesses to keep up with. It's easy to lose track of all the important changes, but fear not. This blog guides you through the growing data protection and GDPR landscape by looking back at some of the biggest decisions, trends and relevant cases of the past year. Together with this summary, we offer recommendations you can follow.

2021 trends: transfer impact assessments

The past year saw a rise in the importance of conducting transfer impact assessments. This means it is key to:

1) Know the transfers taking place.

2) Identify your transfer tool. For example, if there is an absence of an adequacy decision, you need to rely on one of the transfer tools listed under Article 46 of the GDPR.

3) Assess if there is anything in the law or practices in force of the third country that may affect the appropriate safeguards of the transfer tools you are relying on.

4) Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. These can be technical, organisational or contractual.

2021 trends: Standard Contractual Clauses

On 4 June 2021, the European Commission issued modernised standard contractual clauses (SCCs) under the GDPR for international data transfers. The updated SCCs replace the three sets of SCCs adopted under the previous Data Protection Directive. Since 27 September 2021, it is no longer possible to conclude new contracts incorporating the earlier sets; existing contracts have until 27 December 2022 to be migrated to the new SCCs.

2021 trends: rising fines

2021 was a year full of fines in the data protection world. According to Atlas VPN, fines for failing to comply with the GDPR hit over €1 billion last year. That’s almost six times higher than the €171 million in fines issued in 2020. Here are some examples of the largest fines.

The Irish Data Protection Commission’s fine of €225 million regarding WhatsApp’s compliance with GDPR. The fine primarily focused on transparency obligations for both users and non-users. Since this ruling, WhatsApp has sought to challenge the hefty fine.

Vodafone's €8.15 million fine, issued by the Spanish DPA (the AEPD) on 11 March 2021, actually comprises four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. It stands as Spain's biggest yet. Spain has accumulated 351 fines, resulting in €36.7m worth of penalties. While the average penalty rounds to about €105K, Spain has issued by far the most fines of any country.

Luxembourg’s National Commission for Data Protection fined Amazon €746 million in July 2021. The online service provider has its EU base in Luxembourg, and it has come under scrutiny in recent years for compiling data on its customers and partners. Amazon has appealed, stating it “strongly disagrees” with the fine.

Last January, Norway’s Data Protection Authority announced its intention to fine Grindr, the location-based dating app, €6.3 million for not complying with GDPR consent rules.

A recurring theme in these fines is consent and transparency for data subjects.

Civil litigation

There was also a rise in civil litigation involving data breaches. This shows an increasing awareness of data subject rights under GDPR. That’s why organisations should ensure they have data breach training and practices in place. Their privacy notices and policies should also clearly outline data protection rights.

The Lloyd v Google case

This case involved Richard Lloyd's action, launched in 2017 against Google on behalf of over four million Apple iPhone users. The claimants alleged that Google had breached its duties as a data controller under the DPA 1998 during 2011 and 2012. The Court of Appeal had allowed Mr Lloyd to continue his representative claim (in effect a US-style opt-out 'class action') against Google. On 10 November 2021, the UK Supreme Court issued a unanimous judgment overturning that ruling and disallowing the data privacy class action. The judgment denied Mr Lloyd the ability to pursue a collective claim for compensation.

Rolfe & Ors v Veale Wasbrough Vizards LLP

This case involved a personal data breach and the possible damage such a breach can cause. The UK High Court’s judgment in 2021 gives controllers some much-needed guidance on compensation for low-level data breaches. The High Court concluded that a single data breach involving a limited amount of personal data was unlikely to cause an individual to suffer distress or be sufficient to form the basis of a claim for damages for distress.

Be it high- or low-level breaches, organisations must have practices in place to counter such instances. So, what are the upcoming trends to watch out for?

Cookie consent

France’s Commission nationale de l’informatique et des libertés (CNIL) recently fined Facebook €60 million for not allowing users to refuse cookies easily. The ruling confirms that withdrawal of consent should be as easy as giving it. From now on, organisations should review and, if necessary, update cookie consent tools and banners on their websites.

What will be the DPC’s priorities?

During 2022, we expect the Data Protection Commission (DPC) to focus on these areas:

Subject access requests done correctly
Data transfers
Breaches
Transparency regarding processing of personal data
How controllers manage their records of processing activities.

One starting place for the year ahead is this: organisations should know their data.

Cliona Perrick is a data protection analyst with BH Consulting

Crypto.com Suffers Unauthorized Activity Affecting 483 Users
CISO MAG, January 20, 2022

The post Crypto.com Suffers Unauthorized Activity Affecting 483 Users appeared first on CISO MAG | Cyber Security Magazine.

Cryptocurrency exchange platform Crypto.com announced that unknown threat actors compromised a number of its user accounts. In an official release, the company stated that a small number of users encountered unauthorized crypto withdrawals from their accounts. The intrusion reportedly affected 483 Crypto.com user accounts. The unauthorized withdrawals totaled 4,836.26 Ethereum coins worth $15,132,516, 443.93 Bitcoin worth $18,613,630, and over $66,200 in other cryptocurrencies.

How Did the Intrusion Happen?

Crypto.com stated that on January 17, 2022 it identified unauthorized activity on user accounts, where withdrawal transactions were being approved without the 2FA step being completed by the user. The platform suspended all withdrawals as a precautionary measure and launched an investigation to establish the details.

Mitigation

As a security measure, Crypto.com invalidated all customer 2FA tokens and asked its customers to re-login and set up their 2FA token to ensure only authorized users can log in. While the threat actors behind the intrusion are unknown, Crypto.com stated it will notify and compensate the affected customers.
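The failure mode described above, a withdrawal that goes through without the second factor, shown as an added Python example. This is not Crypto.com's code and makes no claim about how their system actually worked: it places a vulnerable handler that trusts a client-supplied "2FA done" flag beside a hardened one that verifies a TOTP code on the withdrawal action itself and refuses reused codes, plus a key-rotation routine of the kind implied by invalidating every customer's 2FA token. The account model, request dictionaries and secrets are constructed for the demo; the TOTP routine follows RFC 4226/6238 with the standard parameters.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at`."""
    return hotp(key, at // step)


class Account:
    """Constructed account model: balance, enrolled TOTP secret, replay marker."""

    def __init__(self, balance: int):
        self.balance = balance
        self.totp_key = secrets.token_bytes(20)
        self.last_used_counter = -1  # highest time step already consumed


def verify_totp(acct: Account, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept a code for the current step or +/- `skew` steps, each step at most once."""
    counter = now // step
    for c in range(counter - skew, counter + skew + 1):
        if c <= acct.last_used_counter:
            continue  # already spent: a replayed code must not authorize a second withdrawal
        if hmac.compare_digest(hotp(acct.totp_key, c), code):
            acct.last_used_counter = c
            return True
    return False


def withdraw_vulnerable(acct: Account, amount: int, request: dict) -> str:
    """Vulnerable pattern: the server trusts a flag the client sets to say 2FA happened."""
    if not request.get("two_fa_done"):
        return "denied: 2fa required"
    acct.balance -= amount
    return "ok"


def withdraw_hardened(acct: Account, amount: int, request: dict, now: int) -> str:
    """Hardened pattern: the withdrawal endpoint itself verifies a fresh, single-use code."""
    if not verify_totp(acct, request.get("totp_code", ""), now):
        return "denied: invalid or reused 2fa code"
    if amount > acct.balance:
        return "denied: insufficient funds"
    acct.balance -= amount
    return "ok"


def rotate_totp_key(acct: Account) -> None:
    """Invalidate the enrolled secret so the user must re-enrol their authenticator."""
    acct.totp_key = secrets.token_bytes(20)
    acct.last_used_counter = -1


if __name__ == "__main__":
    acct = Account(balance=100)
    now = int(time.time())
    code = totp(acct.totp_key, now)
    print(withdraw_hardened(acct, 40, {"totp_code": code}, now))   # ok
    print(withdraw_hardened(acct, 10, {"totp_code": code}, now))   # denied: reused code
    victim = Account(balance=100)
    print(withdraw_vulnerable(victim, 100, {"two_fa_done": True}))  # ok, no code ever checked
```

The point of the comparison is where the check lives: a second factor enforced only at login, or signalled by a client-controlled field, does nothing for a request that reaches the withdrawal handler by another route. Tying verification to the sensitive action and consuming each code once is the baseline; rotating the secret forces every session to re-enrol, which is the effect of the token invalidation described above.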


“Full audit of the entire infrastructure has been conducted internally, with a number of improvements being implemented to further harden the security posture. While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks on our platform, as well as initiating additional threat intelligence services,” the release said.

What Crypto.com is Doing to Prevent Intrusions

Crypto.com has introduced the Worldwide Account Protection Program (WAPP) to provide additional protection for its users' funds. WAPP is designed to protect user funds in cases where a third party gains unauthorized access to an account and withdraws funds without the user's permission.

To qualify for the WAPP program, users must:

Enable Multi-Factor Authentication (MFA) on all transaction types where MFA is currently available
Set up an anti-phishing code at least 21 days before the reported unauthorized transaction
Not be using jailbroken devices
File a police report and provide a copy of it to Crypto.com
Complete a questionnaire to support a forensic investigation

"The safety of our customers' funds is our highest priority, and we are continually enhancing our Defense-in-Depth security and protection measures. While we are reminded of the existence of bad actors intent on committing fraud, this new Worldwide Account Protection Program, along with our new MFA infrastructure, gives our users unprecedented protection of their funds, and hopefully, peace of mind," said Kris Marszalek, co-founder and CEO of Crypto.com.

Introduction to automated penetration testing
January 20, 2022

Many IT security consulting companies provided manual penetration tests over the past few decades. This service traditionally consisted of a group of well-trained security professionals armed with hacking tools and exploits. Their goal was to probe corporate infrastructure entry points to identify vulnerabilities and gaps that need to be fortified.

While manual pen tests remain the most widely deployed, automated pen testing has started to mature as a second option. It seeks to speed up the procedure while simultaneously reducing costs.

How does automated pen testing work?

Automated processes aren’t new to IT security. Pen testing tasks have remained largely manual, however. Although pen test scanning and hacking tools are often automated, the challenge resides in identifying where along the infrastructure border they should be targeted.

This skill is not easily automated as it is a calculated process that must consider external factors, including the type of business being tested, the structure and buildout of the network, and what apps and services are exposed to the outside world. Think of pen testing professionals as detectives. They use tools and methods to gather important information, which is used to identify potential security weaknesses. This time-consuming process can take days, weeks or months to complete.

Vendors have started integrating automated processes into their pen testing tools to speed up probing and analysis and to collect relevant data accurately. This frees security professionals to focus elsewhere. In many cases the automation is sophisticated enough to mimic the steps of a manual pen test and quickly identify known vulnerabilities, which can then be remediated promptly.

What are the benefits of automated pen testing?

Automated pen testing provides companies with a faster security report at a lower price. An automated penetration platform can be pointed toward a client network and perform scanning, probing and analysis around the clock with little oversight. Automation can also be applied to organize reports by severity of issues to address. In theory, a thorough automated pen test can be completed in significantly less time compared to manual pen tests.

Automated tools follow rigid processes and procedures when running scans and analyzing results, so the results are highly repeatable with little variation between runs. In the infosec world, especially from a regulation and compliance perspective, this trait is desirable.

There are also ways to make automated pen tests cheaper still. Cost savings largely come from not requiring highly paid security professionals to execute tools and perform high-level analysis of the results; AI-backed tools have become adept at doing this for known exploits and vulnerabilities. While automated pen test services are not exactly cheap, they are often less expensive than human alternatives once the time savings of automated platforms are factored in.

Are automated pen testing tools ready for enterprise use?

Automated pen testing platform vendors and service providers claim their platforms and services can figure out what hackers will target thanks to AI. While AI may eventually be able to accomplish this at some point, many still regard these types of systems as inferior to traditional, human-based tests.

The ability to mimic the human brain to perform highly complex and often imaginative tasks is quite challenging for computing systems originally built to operate in a binary mode. Automated pen testing platforms can indeed replicate some tasks a human pen tester does within a fixed set of parameters and when looking for known vulnerabilities and exploits. When it comes to new methods, avenues or outside-the-box thinking, however, nothing compares to a manual pen test.

The most beneficial part of automated pen testing is it can handle more repetitive and basic tasks, freeing up security professionals’ time. Expect automated pen testing tools to be used in hybrid deployments alongside manual testing. The combination still speeds up the testing process at a lower cost. At the same time, this approach ensures security professionals investigate where the automated platform cannot.

Cisco: Patching bugs is about more than CVSS numbers
January 20, 2022

Organizations should pay more attention to the real-world attack potential of security vulnerabilities and less to threat scores when prioritizing their patch rollouts.

That's according to the team at Cisco's Kenna Security, which said in a new report that "exploitability" should factor into decisions about when and how to address security vulnerabilities. The report, published Wednesday, was a joint effort between Kenna Security and the Cyentia Institute, a research and data science firm.

The security vendor noted a disparity between the volume of vulnerabilities that are disclosed (around 18,000 in 2021) and those that attackers actually scan for and attempt to exploit with automated scripts. This gives companies an opportunity to whittle down their patch loads and prioritize the bugs that are actually being attacked.

“The good news … is that we don’t need to fret over them all because only about one-third of published CVEs are ever detected by a scanner in enterprise environments. And the proportion observed in your environment is ostensibly much less than that,” the report, titled “Prioritization to Prediction,” said. “So Step 1 in reducing the vulnerability firehose is to filter the flow down to just the assets you’re managing.”

In doing this, Kenna advised companies to consider factors other than traditional vulnerability security ratings. The report noted that Common Vulnerability Scoring System (CVSS) ratings in particular can mislead companies as to just how serious the threat from a given vulnerability might be.

Rather than simply trying to patch the flaws that have the highest CVSS scores, the company suggested administrators look to a variety of sources, including some unconventional ones, to figure out which bugs are being targeted and what the most serious threats to their networks are. For example, the report claimed that prioritizing vulnerabilities with publicly available exploit code is 11 times more effective than focusing on CVSS numbers.

“This is where the concept of ‘exploitability’ comes into play,” Kenna said. “What’s the likelihood that a given vulnerability will be exploited within a window of time?”

Addressing that exploitability — the real-world risk that a given bug is actually going to be subject to attacks in the wild — means looking to sites such as Twitter and gauging the amount of chatter around a bug or exploit.

Kenna Security argued that by combining those external sources with the traditional CVSS and the Common Vulnerabilities and Exposures (CVE) formats, administrators are better able to prevent real-world attacks. They can also spend less time chasing after bugs that, while seemingly serious, don’t actually pose any sort of threat in the short term.

“Not everything has to be this or that; sometimes you actually can have your cake and eat it too,” the report said. “An organization combining a good vulnerability prioritization strategy (exploit code) with high remediation capacity can achieve a 29X reduction in exploitability.”

Overall, Kenna Security said focusing on high-risk vulnerabilities with only observed exploit code or activity leaves “just over 4% of published vulnerabilities that represent a real risk to organizations,” which is a far cry from having to contend with 18,000 new CVEs every year.
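The two-step approach the report describes (first filter disclosed CVEs down to the assets you actually manage, then rank what remains by evidence of real-world exploitation ahead of the raw CVSS score) can be made concrete in a few lines. The following Python is an added example written for this page; it is not Kenna Security's or Cyentia's code, and it assumes a simple lexicographic ranking (observed exploitation, then public exploit code, then CVSS) in place of Kenna's predictive model. Every CVE identifier, score and host name in it is a constructed placeholder, not real vulnerability data.

```python
"""Exploitability-first patch prioritization over a constructed inventory.

Added example, not vendor code. Step 1 filters disclosed CVEs to those seen
on assets we manage; step 2 ranks the remainder by exploitation evidence
before CVSS. Identifiers below are placeholders (CVE-0000-xxxx), not real CVEs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    cve: str                 # placeholder identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0-10.0
    exploit_public: bool     # public exploit code exists
    exploited_in_wild: bool  # exploitation activity has been observed
    assets: frozenset = field(default_factory=frozenset)  # hosts where detected


# Constructed sample inventory; placeholder ids, scores and hosts.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, False, False, frozenset({"web-01"})),
    Vuln("CVE-0000-0002", 7.5, True,  True,  frozenset({"web-01", "db-01"})),
    Vuln("CVE-0000-0003", 5.3, True,  False, frozenset({"vpn-01"})),
    Vuln("CVE-0000-0004", 9.1, False, False, frozenset()),               # on no asset
    Vuln("CVE-0000-0005", 6.1, True,  True,  frozenset({"legacy-01"})),  # unmanaged host
    Vuln("CVE-0000-0006", 8.8, False, False, frozenset({"db-01"})),
]
MANAGED_ASSETS = frozenset({"web-01", "db-01", "vpn-01"})


def filter_to_managed(vulns, managed):
    """Step 1: keep only CVEs detected on assets we are responsible for."""
    return [v for v in vulns if v.assets & managed]


def exploitability_key(v):
    """Step 2 ranking: observed exploitation > public exploit code > CVSS."""
    return (v.exploited_in_wild, v.exploit_public, v.cvss)


def prioritize(vulns, managed, by="exploitability"):
    """Return in-scope vulns ordered for patching, by exploitability or by CVSS."""
    scoped = filter_to_managed(vulns, managed)
    key = exploitability_key if by == "exploitability" else (lambda v: v.cvss)
    return sorted(scoped, key=key, reverse=True)


def coverage_of_exploited(ordered, budget):
    """Fraction of in-scope CVEs with observed exploitation that the first
    `budget` patches in `ordered` would fix."""
    exploited = [v for v in ordered if v.exploited_in_wild]
    if not exploited:
        return 1.0
    fixed = [v for v in ordered[:budget] if v.exploited_in_wild]
    return len(fixed) / len(exploited)


def real_risk_share(vulns):
    """Share of all published vulns with any exploitation evidence at all."""
    risky = [v for v in vulns if v.exploit_public or v.exploited_in_wild]
    return len(risky) / len(vulns)


if __name__ == "__main__":
    for strategy in ("cvss", "exploitability"):
        order = prioritize(SAMPLE_VULNS, MANAGED_ASSETS, by=strategy)
        print(strategy, [v.cve for v in order],
              "coverage of exploited CVEs with 1 patch:",
              coverage_of_exploited(order, budget=1))
    print("share of published vulns with exploit evidence:",
          real_risk_share(SAMPLE_VULNS))
```

With a budget of a single patch, the CVSS ordering fixes the 9.8 first and leaves the actively exploited 7.5 untouched, while the exploitability ordering fixes the exploited one immediately; the same remediation capacity buys more risk reduction, which is the report's point. The `real_risk_share` figure illustrates the "just over 4%" argument on toy data only and says nothing about real CVE populations.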


NATO and Ukraine Sign Deal to Boost Cybersecurity (CISO MAG, January 20, 2022)

The post NATO and Ukraine Sign Deal to Boost Cybersecurity appeared first on CISO MAG | Cyber Security Magazine.

The North Atlantic Treaty Organization (NATO) recently entered into a deal with Ukraine to boost cybersecurity capabilities in the country. The NATO Communications and Information (NCI) Agency and Ukraine signed a renewed Memorandum of Agreement to continue working on cybersecurity and other technology-related projects.

The agreement comes after a series of cyberattack incidents in Ukraine and heightened tensions over Russia’s invasion. According to a statement from NATO’s Secretary-General Jens Stoltenberg, cybersecurity experts from NATO will be working together with Ukraine to confront the rising cyberthreats in the region. The new cybersecurity collaboration allows Ukrainian access to NATO’s malware information sharing platform along with enhanced cyber cooperation.

NATO is an intergovernmental military alliance between 27 European countries, two North American countries, and one Eurasian country. It constitutes a collective security system and mutual defense against any attacks from external parties.

“We have successfully worked with Ukraine for several years, delivering key capabilities and exchanging knowledge. Under this renewed agreement, we will deepen our collaboration with Ukraine to support them in modernizing their information technology and communications services while identifying areas where training may be required for their personnel. Our experts stand ready to continue this critical partnership,” said NCI Agency General Manager Ludwig Decamps.


“The Memorandum signed today continues our cooperation established in 2015. With NATO’s support, we plan to further introduce modern information technologies and services into the command and control system of the Armed Forces of Ukraine,” said Ambassador Nataliia Galibarenko, Head of Mission of Ukraine to NATO.

Ukraine, Russia and Cyberattacks

This is not the first incident to raise cyberattack tensions between Ukraine and Russia. There have been multiple cybersecurity incidents in Ukraine, allegedly carried out by Russian hackers. Ukraine claimed that Russia specifically targeted its security services, governmental offices, the Defence Council, and other enterprises. Moscow has always denied Ukraine’s previous claims of targeted cyberattacks, but Ukraine maintains that Russia is using “hybrid war” tactics against the country.


Cybercriminals Will Leverage IoT and 5G for Large-Scale Attacks (CISO MAG, January 20, 2022)

The post Cybercriminals Will leverage IoT and 5G for Large-Scale Attacks appeared first on CISO MAG | Cyber Security Magazine.

In 2022, cybercriminals will leverage the combination of IoT and 5G to conduct large-scale attacks, and attributing these attacks may become much more challenging. Given the speed and capacity available through 5G, hackers will hitch it to their tradecraft, making 2022 the year 5G-enabled cybercrime hits the front burner. Smart cities that have adopted 5G and are ingraining its power within their communities are more at risk. The burgeoning use of IoT devices, supercharged on 5G networks, will come as a ready tool for hackers to disrupt the high-tech social order within these communities.

By Favour Femi-Oyewole, Global Chief Information Security Officer (CISO) at Access Bank Plc.

In addition to this, I also predict the following trends:

The rise in cybercrime innovation and commercialization. We will see an increase in cybercrime innovation, which will lead to more compromises of organizations as hackers make greater use of zero-day attacks. The commercialization of hacking as a service will draw skills from both the underground and the formal cybersecurity job market, where brilliant minds with a dark side converge for bounty and bug hunting as they are induced or rewarded to discover vulnerabilities in demand on the dark web. The ability of well-known corporate brands to offer comparable reward incentives may skew discoveries in their favor.

Security misconfiguration in SaaS applications will be widely felt. Security misconfigurations related to identity and access management in the CI/CD pipeline at a critical supply chain provider could cause a cyber incident like the SolarWinds debacle. At the same time, organizations will be stretched thin fighting cyber threats on all fronts; the ability to maintain a presence-of-mind approach to cybersecurity, through excellent security hygiene and posture reassessment that scales and withstands the rigors of time and operations, will be a differentiating factor for global service providers. Sadly, this often forgotten cornerpiece of cybersecurity will once again come to the fore in 2022 as someone drops the ball.


About the Author

Favour Femi-Oyewole is a Doctoral Student at Covenant University, Ota, Ogun State, Nigeria. She is the Group Chief Information Security Officer in the Access Bank Plc overseeing the Information & Cyber Security of the Group office and the Subsidiaries. Favour also holds several certifications in the IT & Information Security and Cybersecurity field. She is a Cisco Certified Security Professional, Checkpoint Security Administrator, 1st female COBIT 5 Assessor certified in Africa, Certified Chief Information Security Officer, Certified ISO 27001 Lead Implementer, and Lead Auditor. She is also the first female in Africa to be a Blockchain Certified Professional.

Favour is a Certified ISO 27001:2013 Lead Implementer Trainer. She is an alumna of both Harvard Kennedy School (HKS, Harvard University) and the Massachusetts Institute of Technology (MIT), USA. She is a member of the Cybercrime Advisory Council in Nigeria. Favour emerged as the first woman in the world to win the Global Certified CISO (C|CISO) of the Year 2017 award from the EC-Council in the U.S.

Favour is also an active member of the Global Certified Chief Information Security Officer (CCISO) Advisory Board & Scheme Committee of the EC-Council in the U.S. She is a certified Data Privacy Solutions Engineer (CDPSE), a certification recently awarded to her in June 2020 by ISACA.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.


First Steps to Alleviate Long-Term Consequences from a Cyberattack (News team, January 19, 2022)

The post First Steps to Alleviate Long-Term Consequences from A Cyberattack appeared first on Cyber Defense Magazine.

Brief Guide

By Sergey Ozhegov, CEO, SearchInform

When a cyberattack occurs it is easy to panic and forget all the steps you have been told to take beforehand. What is the very first thing to do: report the incident, find out every detail about what happened, or inform your users?

Report

According to the regulators, the very first thing to do is to report a breach (although we solemnly swear that ardently hoping a comprehensive backup had been configured is, in practice, the first thing that comes to mind). This often creates an unneeded problem, as many companies cannot discover the source of an incident, are not aware of the incident at all, or simply prefer to take their time and fix it themselves as soon as possible because they fear damaging their reputation. More often a breach is discovered by a researcher who, if the company does not respond to the researcher’s attempt to notify it, posts about it online, bringing the situation to a dead end.

Secure

Apart from reporting, the affected systems should be secured promptly. To limit the spread of a cyberattack, the attack must be contained, which mostly means cutting as many of the system’s connections to the outside world as possible, starting with Internet access, devices and access rights.

Prioritise

Think of what could be affected first, or what would be a priority target for an attacker. It is reasonable to judge this on the basis of your industry: depending on the industry, particular steps will be of primary importance. User accounts should be secured. Banks should be informed of the possibility of unverified transactions.

Do not reboot

As for rebooting, there used to be a view that rebooting a computer during an attack might frustrate an attacker watching the screen, but modern ransomware overwrites encryption keys while a PC is rebooting, and a reboot can also relaunch ransomware whose remnants were not detected, re-encrypting the recovered assets. Today specialists suggest that users hibernate their computers instead.

This also concerns the value of backups. A backup helps you restore your data, but in a mishandled ransomware situation the restored data can be encrypted again.

Backup

Ensuring backups is the first item on the to-do list that is covered by both the remediation plan and the information security program. To cover every chance of losing sensitive data, it is strongly advised not to rely on a single type of backup. Files should be insured onsite and offsite: the more separate storage locations hold copies, the lower the risk of never retrieving them. It is helpful to keep a few copies on several of your own servers while trusting a third-party data center or cloud service with at least one more copy, so that if it “rains outside” there are umbrellas waiting; if it leaks inside, only comprehensive information security plumbing, including prevention, monitoring and investigation tools, can ensure that such a thing almost never happens.

Monitor and alert

The capability to monitor all traffic may occasionally play the role of saviour: monitoring does not neutralise a cyberattack, but it helps you notice it when the first alarming processes are triggered.

Notify top management and the employees responsible for the affected assets and users first, then think about how to provide customers with correct and timely information as quickly as possible; it can help them rescue their information and money in case its integrity was partially or fully compromised.

Investigation

Investigation is commonly considered the final step, or rather a long-term phase into which every incident eventually fades. A third-party investigation team is usually hired to conduct an in-depth analysis, which can take months of research before it reports the key findings that would have been most useful right when the incident was detected.

Thus investigation, which usually gets launched after containing and reporting a cyberattack and can be truly time-consuming, is really the process whose results are needed right at the beginning of dealing with the consequences. These are the missing facts that can be extracted only from a “probe”. It does not have to be detailed from the very start, but an ongoing investigation capability already deployed in a corporate system helps an enterprise get its bearings significantly faster and with the degree of transparency that is unavoidable when managing asset security risks.

All things considered, investigation seems to be not just the first and foremost step to take after a cyberattack occurs but a pre-incident measure that makes every further step a bit more cool-headed and definitely much more elaborate and mature.

Remediation

Remediation, or recovery, has its own program within the overall business continuity and disaster recovery plan. This is another measure that should be taken in advance, but it goes a long way and reasserts itself as the final step to take after an information security incident. Data protection and risk management are well suited for integration with the overall business continuity approach.

Taking a hard look at the current security situation within an organisation, what is implemented and how many sensible measures are still to be taken, is part of the continuity approach. Deploying a monitoring solution in an enterprise will surface the issues that were never addressed and give an opportunity to configure security policies and establish internal regulations that genuinely correspond to the company’s needs, thus helping to enhance risk assessment.

It is advisable to ensure data visibility and user activity transparency, as well as intelligent control of human behavior, allowing you to prevent an incident at an early stage or predict a violation, mitigate human error and detect insiders aiding hackers.

The post-breach remediation step depends entirely on how well thought out the risk management program is and how efficient it has proved itself before. Knowing how long a recovery period a given company can afford, and the extent of the financial damage from forced downtime, from data taken hostage or stolen, and from reimbursing impacted customers, is essential for quick and full recovery. Companies often have to splash out on security solutions only after a disaster happens, which multiplies the financial loss.

Solid monitoring rules out poor communication within a team when an incident occurs, as the specialist responsible for risk mitigation will be promptly alerted to a suspicious event and will report it to management. Corresponding regulations or instructions should be adopted within the company so that everyone knows his or her role in the breach response process.

About the Author

Sergey Ozhegov, CEO, SearchInform. He has been contributing to the company’s development, handling strategic decision making since 2015. Co-founder of the annual SearchInform Road Show series of conferences. He has been working in IT and information security for 15 years. Sergey can be reached online at [email protected], www.linkedin.com/in/sergey-ozhegov-6b625681/ and at our company website https://searchinform.com/.
