Posted in Volume 282, Issue 4 - Sept 20th, 2021 — Sept 26th, 2021
Selections from the weekly newsletter, “IT News and Events.”
The 2021 OWASP Top Ten Emphasizes Security Control Areas Over Individual Vulnerabilities For Improved Risk Management
The primary goal of the OWASP Top Ten has always been to drive awareness of the biggest application security risks out there, and thereby establish a 'floor' or minimum standard for application security efforts at an organization.
"The newly released 2021 OWASP Top Ten has done a fantastic job of communicating the breadth and depth of the problems we face today. It is based on thousands of hours of hard work by the OWASP Top Ten leadership and others, including an analysis of telemetry data that is unprecedented in size and scope and one of the biggest industry surveys on the topic ever conducted..." [Security Boulevard, September 23rd, 2021]
Criminals hunt for tired and distracted employees
"Despite many companies investing heavily in getting defenses set up, millions of malicious email messages made their way to the end-user, placing many of them at risk of data breaches, fraud and ransomware.
This is according to a new report from Tessian, which analyzed millions of emails passing through its email security tool between July 2020 and July 2021, finding that two million malicious messages bypassed 'traditional email defenses', such as secure email gateways..." [Techradar.pro, September 21st, 2021]
"The Roman military reportedly used what they called 'watchwords' to identify soldiers on patrol. Exclusive groups and guilds used secret passwords to prove membership. The phrase 'open sesame' protected hidden treasure in the story of Ali Baba and the Forty Thieves. In more recent times, the world's first computer passwords were installed in MIT's Compatible Time-Sharing System to distinguish between users of their colossal, shared computing system in the mid-1960s. Passwords are a simple and easy way to recognize and affirm the appropriate participant of a system. But what happens when modern-day cybercriminals get involved?..." [Security Boulevard, September 23rd, 2021]
Commenting On The SANS Threat Intelligence Summit 2021 Presentations - An Analysis And Practical Recommendations
I recently came across the entire portfolio of SANS Threat Intelligence Summit presentations, which are currently online at YouTube, and I've decided to take the time and effort to go through them and offer practical and relevant threat intelligence and OSINT advice and recommendations which I hope will come in handy to the presenters, including anyone currently working in the field or interested in making an impact as a threat
Sample presentations from the Summit include:
Analyzing Chinese Information Operations with Threat Intelligence - this is a pretty informative presentation that offers practical and relevant Information Operations advice, including a pretty decent case study on the topic of a high-profile information leak campaign based in China. [Security Boulevard, September 20th, 2021]
There is no escaping data security. With so many tasks and transactions now being done virtually, every consumer is faced with an unending stream of requests for logins, passwords, two-factor authentication codes, captchas, and more.
On the enterprise side, users have to negotiate through a labyrinth of security layers and access controls to get to the data they need or to share it with others to perform their duties. In other words, data security is very much in your face 24/7. [Datamation, September 20th, 2021]
Building an effective application security program for your organization begins with establishing policies and processes.
"Psychologist Abraham Maslow wrote, in 1964, 'Give a small boy a hammer, and he will find that everything he encounters needs pounding.' This is commonly rephrased as 'if you have a hammer, everything looks like a nail.'
This applies especially well to doctors and surgeons: they want to do the thing that they know how to do, whether that is prescribing pills or performing surgeries. Even when your particular situation and symptoms don't exactly match the conditions that they treat, they'll still be inclined to do the thing that they know how to do, just because the alternative is saying either 'I cannot help you,' which no doctor wants to say, or 'I do not understand what is going on with you,' which no doctor wants to say..." [Security Boulevard, September 21st, 2021]
Cyber attacks are growing in frequency and complexity, due to factors like a higher number of expert malicious actors, more distributed workforces and technologies to protect, and an increase in devices and users that can unknowingly act as attack gateways.
"Although there's no way to guarantee that an organization will stay safe from a cyber attack, several physical and technical safeguards can be established to better protect network data.
September marks the third annual National Insider Threat Awareness Month, launched by various federal agencies to highlight the growing danger insider threats pose to national security.
"Though the initiative has successfully increased awareness of the risks associated with insider threats, many organizations remain susceptible to attacks. In fact, 60% of organizations have more than 20 insider attack incidents a year, according to IBM. The cost related to these incidents was over $2.7 million in 2020, showing there is still much progress to be made in fortifying cybersecurity defenses..." [Security Boulevard, September 21st, 2021]
With so many devices and users accessing networks, applications and data, identity access management (IAM) has become a cornerstone of cybersecurity best practices.
"The short explanation is that you must make sure everyone (and everything) is who they claim they are. You also need to make sure they are allowed to have the access they're requesting.
Multiple options for identity access management exist today. You might encounter privileged access management (PAM), identity-as-a-service (IDaaS) or cloud permissions management (CPM). So, choosing an identity management approach can be confusing. Which acronym is right for you?..." [SecurityIntelligence, September 21st, 2021]
IT futurists have long predicted the eventual disappearance of the so-called perimeter, but the truth is that physical networks - and the solutions for securing them - are far from their last days.
"And while the cloud has heralded the arrival of infrastructure-as-a-service (IaaS) and software-defined networks (SDN), at the end of the day, these services are delivered out of physical data centers, albeit distributed and dispersed across the globe. For traditional firms with on-premises IT infrastructures, network security continues to increase in complexity in order to keep up with ever-sophisticated cyber attackers.
Whether on premises or in the cloud, IT infrastructures are prone to the same security issues and are equally exposed to cyber threats. However, with today's networks supporting a vastly greater number of users, devices, and Internet of Things (IoT) sensors, the enterprise attack surface's composition has evolved significantly even when compared to just a few years ago..." [Datamation, September 20th, 2021]
Though many incidents stemmed from familiar security failures, they served up - or resurfaced - some important takeaways.
"Data breaches can have many causes, but most of them boil down to an organization failing to do something or detect something they should have if they had been following security best practices.
Even so, these attacks can reveal a lot about the bad guys' tactics, techniques, and procedures, the state of malware, and developing trends on the threat horizon..." [Dark Reading, September 21st, 2021]
Most employees have access entitlements they don't need and probably shouldn't have.
"Few people are going to willingly give up that excess access; either they don't realize they have it or they expect they will need it eventually. Nor is there a thorough internal check on entitlements. In a traditional identity inventory, users are often in a group that has a wide range of permissions, the permissions of the group are approved, and that would be that for another 90 days until the next inventory review. But individual users in that group likely have more entitlement privileges than they should have access to, resulting in threats to the data..." [Security Boulevard, September 21st, 2021]
DDoS campaigns are exploiting a wider range of vectors.
"Distributed denial of service (DDoS) attacks are growing in both frequency and destructive power, new data suggests.
According to a report from application and network performance management company Netscout, there were roughly 5.4 million DDoS attacks in the first half of 2021.
That represents an 11 percent increase compared to the same period last year, the company said, adding that 2021 is on track to becoming another record-breaking year..." [ITProPortal, September 21st, 2021]
Time Is Not On Your Side: Why Every CISO Needs A Cyber Risk Quantification Strategy Before It's Too Late
Cyber Risk Quantification needs to be the strategy driving your cybersecurity roadmap and priorities starting now. Breaches are getting worse, ransomware can cripple your business, and the financial impacts can last years.
"By looking at the financial impacts of recent high-profile breaches such as Colonial Pipeline or SolarWinds, we can plainly see that the traditional methods of risk assessment are no longer effective; measures such as compliance mandates and maturity models have a purpose, but solely relying on them is no longer sufficient to render the best possible business decisions around cyber security.
Relying solely on the traditional qualitative approaches, security scoring or stop light methods in today's climate will continue to leave you exposed. Making better, data-driven decisions to avoid these costly attacks has to be our focus, and this is where Axio's Cyber Risk Quantification can make the difference..." [Security Boulevard, September 23rd, 2021]
The way we shop, bank, socialize, and work has evolved - are you ready?
"When vaccination rates climbed in the first half of 2021, we entered a new hybrid world and life started to feel a little more normal as stores, restaurants, and live venues began to reopen. But we didn't just go back to our pre-pandemic lives. The way we shop, bank, socialize, and work evolved - and so did the strategies of internet attackers.
To learn more about this evolution, we drew from intelligence collected by our global network to create our H1 2021 Fraud Risk at a Glance Report. Findings from the report show how online engagement has shifted in the new hybrid world. Read on to learn how companies can adapt their digital strategies to protect legitimate users, enable more accurate fraud detection, and facilitate this new level of digital engagement. You can download the full story here..." [Security Boulevard, September 24th, 2021]