Diplomats are supposed to be subtle and clever. Australia’s just leaked 1,000 citizens’ email addresses
Australia’s Department of Foreign Affairs and Trade (DFAT) has just exposed personal details of over 1,000 citizens in an email.
Australia has all-but-closed its borders during the COVID-19 pandemic, rationing the number of citizens who can fly into the country each day. That policy means the few airlines still flying sell their business class seats and not many more, leading to people holding cheaper tickets being bumped off flights and big backlogs of citizens trying to get home to mostly-COVID-free Australia.
Some of those bumped from flights have quit jobs and packed up homes in anticipation of returning home. Others are no longer permitted to work in whichever country they currently inhabit.
In recent weeks this has led to political pain for the government as Australians ask increasingly pointed questions about why they can’t come home at a time of their choosing.
So last week the government increased entry quotas and started an emergency loans scheme for those in dire need.
And when it emailed potential recipients of those loans, it used the “To” field.
Officials tried to recall the mail, but that seldom works and didn’t do so on this occasion either.
A little later DFAT sent another mail in which it said: “We request your assistance in immediately deleting that email from your IT system and refraining from any further forwarding of the email, to protect the privacy of the individuals concerned.”
The Department also tweeted an apology of sorts, but it did not always go down well.
It may be “government agencies doing dumb things with email” week in Australia’s neighborhood, as a similar breach has emerged with New Zealand’s Civil Aviation Authority allegedly making the same mistake when mailing residents who had complained about drone regulations. That breach is detailed in this video. ®
via The Register – Security https://ift.tt/2XeTLgv
September 30, 2020 at 11:32PM
An Order of Cybersecurity with a Side of “Hope”
This is a true story.
I was sitting at breakfast the other day with my wife. As we waited for our food to arrive, four people were sitting at a socially distanced table. They were discussing how they have to restart their computers every month because of “something Microsoft does that makes me restart.” The conversation continued:
Diner 1: “That’s why I only use a capital ‘A’ as my password on that machine.”
Diner 2: “Mine is always ‘1234’”
Diner 3: “Same thing with the internet. I use the same password everywhere.”
They continued their conversation with a host of other revealing information. I was waiting for them to start reciting their credit card numbers out loud. I am not sure why they were all loudly broadcasting this at a public place. I would like to think that they were FBI agents and that they were testing me to see if I would take their bait. But I am certain that is not the case.
I started to stand up, and my wife stopped me and said “Don’t you dare go over there and educate them.”
I said “But this is ridiculous. They need to know!”
My wife said, “You’re being officious.”
Me: “No, I am not. I am not acting in any official capacity. Besides, I don’t even have my CISSP card with me.”
My Wife: “No, you knucklehead. Officious means that you are offering your services where they are neither wanted nor needed.”
Me: “How is it not needed? They clearly need my advice. I bet that ‘1234’ is also the code for the keyless entry system on that guy’s car!”
My Wife continued: “How do you think they will feel if you go over there and start teaching them about cybersecurity when they are just trying to make breakfast conversation? Besides, you are probably the only person in the room who would really know what to do with the information they are trumpeting.”
Did I mention how astute (and brutally honest) my wife can be at times?
However, she was right.
As a cybersecurity professional, how would you have handled this situation? Should we approach unsuspecting people to teach them how to better protect their information, such as passwords, or should our educational efforts be confined to the forced annual security awareness trainings and phishing exercises that we conduct?
We are great evangelists, but we are poor at public relations. We need a better marketing strategy, so here is a proposal that you can use now to raise awareness on a broader scale.
Contact your favorite local media outlet. Whether it is a news publication or a television news outlet, look up their contact information and let them know that October is National Cyber Security Awareness Month, and that you are confident that if they run a piece about cybersecurity, it would be a great benefit to their audience. Perhaps you could offer to write something for them yourself or offer some advice to them if they do not have a subject matter expert on their staff. Maybe this could result in a new career path for you. Whatever it amounts to, your contribution to the community can only help.
via The State of Security https://ift.tt/2dEfvfb
September 30, 2020 at 10:09PM
Twitter removes 130 Iranian accounts for trying to disrupt the US Presidential Debate
Social networking giant Twitter said today that it removed around 130 Iranian Twitter accounts for attempting to disrupt the public conversation during last night's first Presidential Debate for the US 2020 Presidential Election.
Twitter said it learned of the accounts following a tip from the US Federal Bureau of Investigation.
"We identified these accounts quickly, removed them from Twitter, and shared full details with our peers, as standard," the social network said today.
"They [the accounts] had very low engagement and did not make an impact on the public conversation," it added.
Twitter said it plans to publish details about the removed accounts and their tweets on its Transparency portal's section for influence operations.
This marks the second time this month that Twitter has intervened to take down an influence operation on its website following an FBI tip. Twitter previously removed accounts tied to PeaceData, a news site that published misleading articles about world politics, which the FBI claimed was a Russian influence operation.
via ZDNet | Security https://www.zdnet.com/
September 30, 2020 at 08:56PM
Indian startups explore forming an alliance and alternative app store to fight Google’s ‘monopoly’
Google, which reaches more internet users than any other firm in India and commands 99% of the nation’s smartphone market, has stumbled upon an odd challenge in the world’s second largest internet market: Scores of top local entrepreneurs.
Dozens of top startups and firms in India are working to form an alliance and toying with the idea of launching an app store to cut their reliance on Google, five people familiar with the matter told TechCrunch.
The list of entrepreneurs includes high-profile names such as Vijay Shekhar Sharma, co-founder and chief executive of Paytm (India’s most valuable startup), Deep Kalra of travel ticketing firm MakeMyTrip, and executives from PolicyBazaar, Sharechat and many other firms.
The growing list of founders expressed deep concerns about Google’s “monopolistic” hold on India, and discussed what they alleged was unfair and inconsistent enforcement of Play Store’s guidelines in the country.
The conversations, which began in recent weeks, escalated on Tuesday after Google said that starting next year developers with an app on Google Play Store must give the company a cut of as much as 30% of several app-related payments.
Dozens of executives “from nearly every top startup and firm” in India attended a call on Tuesday to discuss the way forward, some of the people said, requesting anonymity. A 30% cut to Google is simply unfeasible, people on the call unanimously agreed.
Vishal Gondal, the founder of fitness startup GOQii, confirmed the talks to TechCrunch and said that an alternative app store would immensely help the Indian app ecosystem.
TechCrunch reached out to Paytm on Monday for comment and the startup declined the request.
In recent months, several major startups in India have also expressed disappointment over several of the existing industry bodies, which some say have failed to work on nurturing the local ecosystem.
The tension between some firms and Google became more public than ever late last month after the Android-maker reiterated Play Store’s gambling policy, sending a shockwave to scores of startups in the country that were hoping to cash in on the ongoing season of Indian Premier League cricket tournament.
Google temporarily pulled Paytm’s marquee app from the Play Store citing repeat violation of its Play Store policies. Disappointed by Google’s move, Paytm’s Sharma said in a TV interview, “This is the problem of India’s app ecosystem. So many founders have reached out to us… if we believe this country can build digital business, we must know that it is at somebody else’s hand to bless that business and not this country’s rules and regulations.”
Google has sent notices to several firms in India including Hotstar, TechCrunch reported last month. Indian newspaper Economic Times reported on Wednesday that the Mountain View giant had also sent warnings to food delivery startups Swiggy and Zomato.
Vivek Wadhwa, a Distinguished Fellow at Harvard Law School’s Labor and Worklife Program, lauded the banding of Indian entrepreneurs and likened Silicon Valley giants’ hold on India to the rising days of East India Company, which pillaged India. “Modern day tech companies pose a similar risk,” he told TechCrunch.
Some of the participating members are also hopeful that the government, which has urged the citizens in India to become self-reliant to revive the declining economy, would help their movement.
Other than its reach on Android, Google today also leads the mobile payments market in India, TechCrunch reported earlier this year.
The giant, which has backed a handful of startups in India and is a member of several Indian industry bodies, invested $4.5 billion in Mukesh Ambani’s telecom giant Jio Platforms earlier this year.
India’s richest man Ambani, who runs oil-to-retails giant Reliance Industries, is an ally of Indian Prime Minister Narendra Modi. Jio Platforms has attracted over $20 billion in investment from Google, Facebook, and 11 other high-profile investors this year.
The voluminous investment in Jio Platforms has puzzled many industry executives. “I see no business case for Facebook investing in Jio beyond saying we need regulatory help,” said Miten Sampat, a high-profile angel-investor on a podcast published Wednesday.
“This is a white-collar way of saying there is corruption involved, and if the government gets upset, I have invested somewhere with some friend of the government. All of us are losing at the benefit of one company,” he said. Sampat’s views are shared by many industry executives, though nobody has said it on record and in such clear terms.
Google said in July that it would work with Jio Platforms on low-cost Android smartphones. Jio Platforms is planning to launch as many as 200 million smartphones in the next three years, according to a pitch the telecom giant has made to several developers. Bloomberg first reported about Jio Platform’s smartphone production plans.
These smartphones, as is the case with nearly 40 million JioPhone feature phones in circulation today, will have an app store with only a few dozen apps, all vetted and approved by Jio, according to one developer who was pitched by Jio Platforms. An industry executive described Jio’s store as a walled-garden.
A possible viable option for startup founders is Indus OS, a Samsung-backed third-party store, which last month said it reaches over 100 million monthly active users. As of earlier this week, Paytm and other firms had not reached out to IndusOS, a person familiar with the matter said.
via TechCrunch https://techcrunch.com
September 30, 2020 at 08:52PM
WIRED25 Day 3: Look at Problems in a New Way
Conversations on the final day of this year’s WIRED25 event revolved around the existential mess that has characterized 2020: Covid-19, election integrity, California wildfires. But the experts who came together to share their insights into these problems, and the work they have been doing to confront them, also communicated a sense of genuine optimism.
National Institute of Allergy and Infectious Diseases director Anthony Fauci started off today’s event in conversation with WIRED editor at large Steven Levy. And while Fauci noted some alarming signs—40,000 new US cases each day, an increase in test positivity in some areas—he remains optimistic about an end to the pandemic. He has trust in the vaccine development process, and he thinks we should expect to have proof of a safe, effective vaccine by November or December. But for Fauci, the prospect of a vaccine in the next few months isn’t the only reason to be hopeful. He believes that hope itself is an effective tool in fighting the pandemic. “Despair makes you throw your hands up and say, it doesn’t matter what I do, what’s going to happen is going to happen,” he said. “That is incorrect. It does matter what we do. And if we do it for a while longer, we will look behind us and the outbreak will be behind us, not among us.”
Next, WIRED senior writer Andy Greenberg spoke with Marc Rogers, Nate Warfield, and Ohad Zaidenberg, who cofounded the volunteer group CTI League to protect hospitals and other essential organizations from phishing and ransomware during the pandemic. “It’s almost fair to say that this is a cyber pandemic, because the bad guys, criminal actors, have always exploited big events,” said Rogers. “And there is no bigger event than a global pandemic.” Even when the pandemic ends, however, hospitals, emergency services, and other organizations will still be vulnerable to cyberattacks, and so CTI League is now looking at ways to continue their work going forward.
WIRED senior writer Lily Hay Newman then spoke with another cybersecurity expert, Maddie Stone, who works as a security researcher at Google Project Zero. The goal of Project Zero is to find and eliminate zero-day vulnerabilities—unknown software flaws that could be exploited by hackers. Zero-day vulnerabilities can be difficult to find and use, so hackers deploy them for narrower applications. “They’re really targeted, sophisticated types of attacks, because it takes a lot of expertise to find them and to exploit them,” Stone said. “So they’re usually only used to target high profile, highly valuable targets, such as political dissidents, human rights activists, journalists, things like that.”
Newman stayed online to chat with Ben Adida, the executive director of VotingWorks, which is the only nonprofit maker of US election equipment. Given the complexity of US elections, Adida said, voting machines are a necessity, and they should not be produced by for-profit companies. “We think that elections are the foundation of democracy, and that foundation should be publicly owned,” he said. But despite persistent worries about voting machine hacks and Trump’s constant fear-mongering about voter fraud—including during last night’s presidential debate—Adida believes that the greatest risk to election integrity comes from us. “The biggest concern I have is that a lot of well-meaning folks out there who care about democracy are going to see an alarmist story on their Twitter feed, or in their Facebook feed, and they’re going to say, ‘I need to tell my friends about this,’” he said. “In the process, they become an unwitting participant in this misinformation game of reducing people’s trust in an election outcome.” He left his audience with a stark warning: “If we lose faith in democracy, we lose democracy.”
via Wired https://ift.tt/2uc60ci
September 30, 2020 at 07:30PM
Putin to Trump: let's collude to stop election hacking
Russia has taken the unusual step of posting a proposal for a new information security collaboration with the United States of America, including a no-hack pact applied to electoral affairs.
The document, titled “Statement by President of Russia Vladimir Putin on a comprehensive program of measures for restoring the Russia – US cooperation in the filed of international information security”, opens by saying “One of today’s major strategic challenges is the risk of a large-scale confrontation in the digital field,” before adding “A special responsibility for its prevention lies on the key players in the field of ensuring international information security (IIS).”
Russia therefore wants to reach agreement with the USA on “a comprehensive program of practical measures to reboot our relations in the field of security in the use of information and communication technologies (ICTs).”
Putin suggested four actions could set the ball rolling:
Russia stands accused of interfering in the 2016 US presidential election with widespread use of fake social media accounts. The USA’s Federal Bureau of Investigation last week warned that “Foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions.” On September 17th FBI director Christopher Wray testified before the House Homeland Security Committee and named Russia as a nation already interfering in this year’s elections (video below).
It is unclear if Russia’s document elicited a public response from the USA.
The two nations sought a cyber-détente in 2017, when Putin and Trump discussed a Cyber Security unit with unspecified functions and purposes.
The effort was quickly explained-away as a policy thought bubble that was floated without any accompanying detail. The idea deflated soon afterwards, leaving the two nations in their current state of uneasy enmity.
via The Register – Security https://ift.tt/2XeTLgv
September 27, 2020 at 11:41PM
Dell Encryption Enterprise Installer Search Path privilege escalation
A vulnerability was found in Dell Encryption Enterprise and Endpoint Security Suite Enterprise (the affected version is unknown). It has been declared as critical. This vulnerability affects an unknown part of the component Installer. Upgrading eliminates this vulnerability.
via vuldb.com https://vuldb.com
September 27, 2020 at 11:34PM
How to mature a vulnerability management program
The global cyber-threat landscape is constantly evolving, which underscores the growing need for organizations to strengthen their ability to identify, analyze and evaluate technology risks before they turn into full-blown security incidents. When it comes to mitigating risk, the terms “patch management” and “vulnerability management” are used as if they were interchangeable, when in reality applying patches is only one of many ways to mitigate cybersecurity risk.
The decision to deploy, uninstall or skip a specific patch sits within the broader context of vulnerability management. Defined as “a security practice specifically designed to proactively mitigate or prevent the exploitation of IT vulnerabilities,” vulnerability management is not just scanning and patching. It is a holistic function that takes a proactive view of managing the sometimes daunting task of addressing the vulnerabilities identified in deployed hardware and software. In short, vulnerability management is a broader concept that encompasses patch management.
Vulnerability management is more than just receiving alerts when your infrastructure needs a patch applied. It consists of making informed decisions and properly prioritizing which vulnerabilities to mitigate and how. This is achieved by deploying internal agents for telemetry on all systems of interest, together with external feeds for threat intelligence from all sources.
Vulnerability management is backed by threat intelligence that provides a deeper understanding of how and why attackers are using certain vulnerabilities and ignoring others. Intelligence on a vulnerability’s exploitability prepares your organization to strike the right balance between patching vulnerable systems and disrupting business operations. A threat-based, risk-focused approach makes it much easier to communicate the danger of a vulnerability to your teams, from security and operations up to senior managers and even the board. This level of visibility into the reasoning behind decisions made about vulnerabilities will increase confidence in the security team across your organization and help prevent data breaches such as the one Equifax suffered.
Maturity stages for a vulnerability management program
There are four main stages in any effective vulnerability management program:
The first stage focuses on building a process that is measurable and repeatable. Stages two through four focus on executing the process with an emphasis on continuous improvement.
Let’s briefly examine each stage and how Tripwire can help.
STAGE 1: VULNERABILITY SCANNING PROCESS
The first stage can be divided into four steps.
The first step is to identify the criticality of the assets in the organization. You cannot build an effective risk management program without determining which assets need to be protected. These include computer systems, storage devices, networks, data types and third-party systems on the organization’s network. Assets should be classified and prioritized based on their real and inherent risk to the organization. Many aspects must be considered when developing an asset’s inherent risk, such as physical or logical connection to higher-classified assets, user access and system availability. Assets with higher criticality will take priority over assets with lower criticality. However, remediation of lower-criticality assets should not be ignored or postponed indefinitely. All assets contribute to the overall organizational risk, and remediation effort should always be based on minimizing overall risk.
The second step is to identify the owners of each system. System owners are responsible for the asset, its associated risk and accountability if that asset is compromised. Accountability is a determining factor in the ultimate success of the vulnerability management program. Assets and vulnerabilities without an owner will be forgotten and become an unidentified risk to the organization.
The third step is to establish the scanning frequency. The Center for Internet Security, in its CIS Control 3 “Continuous Vulnerability Management,” recommends that an organization “utilize an up-to-date vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.” Frequent scanning lets asset owners track remediation progress, identify new risks and re-prioritize vulnerability remediation based on up-to-date intelligence. As an outer limit, vulnerability scanning should occur at least monthly.
The fourth step is to establish and document remediation timelines and thresholds. Remediation timelines should account for the severity of the impact of a vulnerability if exploited and be communicated to the whole organization. Vulnerabilities with the highest impact should be remediated immediately. The program should also provide for exceptions in case a vulnerability cannot be remediated within the approved timeline, documenting the accepted risk along with an action plan to remediate the vulnerability by a set date.
STAGE 2: ASSET DISCOVERY AND INVENTORY
Asset discovery and inventory are CIS Controls 1 and 2. These are the foundations of any security program. You cannot protect what you do not know about. The purpose of CIS Control 1 is to “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” In addition, CIS Control 2 highlights the need to “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”
These two controls go hand in hand, since attackers are always trying to identify easily exploitable systems, such as shadow IT, to get into an organization’s network. Without proper asset discovery and network access control, these kinds of devices can provide an easy gateway into the corporate network for an attacker. Once inside, attackers can leverage the control they have gained to attack other systems and infiltrate the network further. Knowing what is on the network lets the information security team better protect systems and give system owners guidance on reducing the risk their assets represent.
STAGE 3: VULNERABILITY DETECTION
Once all assets on the network have been identified, the next step is to identify the vulnerability risk of each device. The recommended method for vulnerability scanning is credentialed scanning. This allows greater accuracy in determining the organization’s existing risk. Then, based on what the discovery stage found, vulnerability signatures specific to each operating system found can be run.
STAGE 4: REPORTING AND REMEDIATION
Once the vulnerability scan is complete, each vulnerability is assigned a score using an exponential algorithm based on the skills required to exploit the vulnerability, the privileges obtained after successful exploitation and the age of the vulnerability. The easier the vulnerability is to exploit and the higher the privilege obtained, the higher the risk score. In addition, as the vulnerability’s age increases, so does its score.
The first metric to obtain is the overall average risk score as a baseline for the organization. Based on this metric, organizations should start aiming for a 20-25% annual risk reduction rate. The next metric is the average risk score per owner. Similar to the target for the organization as a whole, each owner should focus on reducing their average risk score by 10% to 25% year over year until they are below the accepted threshold for the organization. For successful implementation of the program, the executive team could reward the asset owners with the lowest scores.
Empirical vulnerability data outlining which vulnerabilities must be fixed, along with instructions on how to carry out the fix, lets system owners prioritize their efforts with a focus on the vulnerabilities that will reduce overall organizational risk the most. As new vulnerability scans run, metrics such as those CIS offers can be used to show an analysis of risk trends and remediation progress.
The key is to show progress month over month, quarter over quarter and year over year. Vulnerability risk scores and time to remediate should decrease as teams become more familiar with the process and more educated about the risks attackers pose.
How Tripwire helps
Vulnerability and risk management is a continuous process, and it must continually adapt to the changing cybersecurity threat landscape. Therefore, the process should be reviewed periodically and staff should stay current on the latest threats and trends. Continuous development of people, processes and technology will ensure the success of the enterprise vulnerability and risk management program.
If you want a vulnerability management program, Tripwire IP360 is the solution you were looking for. Tripwire IP360 discovers all assets within your organization and the applications running on them before performing a vulnerability scan. Credentialed vulnerability scans provide detailed analysis and also identify vulnerabilities that an attacker would see in an unauthenticated external vulnerability scan. Finally, Tripwire IP360 provides a meaningful risk score and ranks vulnerabilities numerically based on impact, ease of exploitation and age.
You can learn more about how to build a mature vulnerability management program by reading this white paper.
This blog was originally published in English here: https://ift.tt/2MXssT9
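The scoring and metrics described above (Stage 4), together with the remediation deadlines and documented exceptions from Stage 1 step 4, can be made concrete in a few functions. The following is an added example written for this page, not Tripwire IP360's scoring algorithm or any code from the original post. The scoring formula, the SLA_DAYS deadlines and the sample findings are all assumptions constructed to illustrate the mechanics: the score multiplies ease of exploitation, privilege gained and asset criticality, then compounds with age, and the report functions produce the organization-wide and per-owner averages, the overdue list honouring accepted-risk exceptions, and the year-over-year reduction.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Assumed remediation deadlines in days per severity (Stage 1, step 4).
# Illustrative policy values, not numbers from the article.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    owner: str                  # system owner accountable for the asset (Stage 1, step 2)
    asset_criticality: int      # 1 (low) .. 5 (high), from the Stage 1 asset classification
    exploit_skill: int          # 1 (trivial) .. 5 (expert) skill needed to exploit
    privilege_gained: int       # 1 (none) .. 5 (full admin/root) on successful exploitation
    age_days: int               # days since the vulnerability was first reported
    severity: str               # key into SLA_DAYS
    exception_until: Optional[str] = None   # ISO date of a documented accepted-risk exception


def risk_score(f: Finding) -> float:
    """Illustrative exponential score: easier exploits and higher privilege raise the
    base, and the score compounds by 1.5x for every quarter the finding stays open."""
    ease = 6 - f.exploit_skill
    base = ease * f.privilege_gained * f.asset_criticality
    return base * 1.5 ** (f.age_days // 90)


def average_score(findings: List[Finding]) -> float:
    """Organization-wide baseline: the average risk score across all findings."""
    return mean(risk_score(f) for f in findings)


def average_by_owner(findings: List[Finding]) -> Dict[str, float]:
    """Average risk score per system owner, the second metric from Stage 4."""
    by_owner: Dict[str, List[float]] = {}
    for f in findings:
        by_owner.setdefault(f.owner, []).append(risk_score(f))
    return {owner: mean(scores) for owner, scores in by_owner.items()}


def overdue(findings: List[Finding], today: str) -> List[str]:
    """Assets whose finding has outlived its SLA and has no valid documented exception.
    Dates are ISO 'YYYY-MM-DD' strings, which compare correctly as plain strings."""
    late = []
    for f in findings:
        if f.age_days <= SLA_DAYS[f.severity]:
            continue
        if f.exception_until is not None and f.exception_until >= today:
            continue    # accepted risk with an approved action plan and target date
        late.append(f.asset)
    return late


def reduction_pct(previous_avg: float, current_avg: float) -> float:
    """Year-over-year reduction in average risk score, as a percentage."""
    return (previous_avg - current_avg) / previous_avg * 100.0


# Constructed sample scan results (assumption; not real findings).
SAMPLE = [
    Finding("db-01", "alice", 5, 1, 5, 100, "critical"),
    Finding("web-02", "bob", 3, 3, 2, 20, "high"),
    Finding("kiosk-07", "bob", 1, 4, 1, 400, "low", exception_until="2020-12-31"),
]

if __name__ == "__main__":
    print("org average:", average_score(SAMPLE))
    print("by owner:", average_by_owner(SAMPLE))
    print("overdue on 2020-09-27:", overdue(SAMPLE, "2020-09-27"))
    print("overdue on 2021-01-15:", overdue(SAMPLE, "2021-01-15"))
    print("YoY reduction vs. baseline 90.0: %.1f%%" % reduction_pct(90.0, average_score(SAMPLE)))
```

The kiosk finding is past its 180-day SLA but carries a documented exception, so it is not reported as overdue until that exception expires; that is the difference between accepted risk and forgotten risk that Stage 1 step 4 asks you to make visible.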
via The State of Security https://ift.tt/2dEfvfb
September 27, 2020 at 10:29PM
Understanding Cybersecurity Supply Chain Risk Management (C-SCRM)
Cybersecurity Supply Chain Risk Management (C-SCRM) deals with more than protecting an organization from cyber-attacks on third parties. It also addresses third parties to those third parties (known as “fourth parties”). Further still, a vendor to your vendor’s vendor is a fifth party, then a sixth party, etc. Your SCRM should involve knowledge of how far, complex and even convoluted your supply chain is. Then measure this complexity with your risk appetite.
(You might wonder, “What happened to the second-party?” Those are your members and customers.)
What really makes the difference between C-SCRM and any other kind of technical vulnerability management (VM)? There really isn’t much difference in the tactics used. What becomes essential in C-SCRM is that the technical aspect of VM gets done and gets done well. With C-SCRM, managing and monitoring aren’t optional. If a company has a relatively small number of third-party vendors, then there may not be too much more to do than a typical VM program. But if one has a multitude of third parties, then it’s inevitable that the total number of suppliers increases exponentially. This factor immediately leads to numerous vulnerabilities for which your company is responsible to manage. While it may seem unfair that you have to manage those vulnerabilities, in the end, your customers are relying on you to provide a solid product and service.
Digital transformation imposes and increases third-party risk. Two primary threats in the increasingly outsourced digital economy are:
Is there any data to show that third parties are really such a serious risk? According to Verizon’s 2019 Insider Threat Report’s “5 Types of Insider Threats,” the 5th type of insider threat is the Feckless Third-Party, described as follows: “Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.”
C-SCRM is based on knowledge, so the DIKW model is a handy overview here: “D” is for Data, “I” is for Information, “K” is for Knowledge and “W” is for Wisdom. More specifically, the inputs to C-SCRM live in the D-I-K tiers.
With C-SCRM, the D, I and K tiers can be addressed with technologies (including those leveraging AI) such as firewalls, spam filtering, EDR and DLP. The “Wisdom” tier belongs to experienced personnel who decide what to do with all of that DIK. Technology can send plenty of bits and bytes to the governance committee, but it can’t decide things like the company’s risk appetite, product direction or security budget.
How does one decide how to proceed with all of that info?
Think of the visual arts. A vital aspect of visual art that makes it viable art is boundaries; there has to be some kind of border. It could be comic book panels, the borders of the canvas, the limits of the monitor, a scene in a film or a character’s silhouette.
When creating C-SCRM programs, there have to be borders. No organization can possibly handle the entirety of the intel that’s available, and even if it could, not all of it matters. This is why even the most complex VM tools filter data.
With any C-SCRM program, you want to know what information is coming in and going out. With a supply chain, especially a digital one, the volume of data being transferred multiplies with every link. As a sample, every time a department buys new software, it adds at least one new attack vector and often several. Unless that vendor and its software have been vetted, the purchase has created a blind spot.
Not surprisingly, there are plenty of aspects to consider in C-SCRM. Here’s how one might outline them:
The Intelligence step is where you take all of the threats that could materialize from and through your suppliers and cull those possibilities into tighter data sets that produce actionable steps.
Unless you are certified in app/web testing and the supplier has engaged you to test, you will not be authorized to test a vendor’s apps and sites directly. So ask for any third-party testing results (such as penetration test reports) for your X-party suppliers. If acceptable to the requesting organization, the supplier’s internal ISMS documentation or program description can be requested in lieu of third-party testing.
There are many paid and free tools available for gathering threat intel. Even when no threats aimed directly at your supplier can be monitored, there are likely existing threats that affect it, such as vulnerabilities in the open-source or outsourced components that the company responsible for your software builds on. Those threats can be monitored.
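The most direct way to monitor inherited component vulnerabilities is to match the vendor’s software bill of materials against a vulnerability feed. The following is an added example (not code from the article or its author) that does exactly that: it parses component versions, evaluates the affected-version ranges an advisory declares, and reports which shipped components are exposed and the worst severity among them. The SBOM, the advisories and their identifiers (ADV-0001 and so on) are constructed sample data; a real program would load a CycloneDX or SPDX SBOM and pull advisories from a feed such as OSV or the NVD.

```python
"""Match a vendor-supplied SBOM against a vulnerability feed.

Added example, not from the article. VENDOR_SBOM and ADVISORIES are
constructed sample data with made-up advisory identifiers.
"""
import json
import re

# Constructed: what the vendor says ships in version 4.2 of its product.
VENDOR_SBOM = json.loads("""
{"product": "payroll-saas 4.2",
 "components": [
   {"name": "openssl",          "version": "1.1.1k"},
   {"name": "log4j-core",       "version": "2.14.1"},
   {"name": "jackson-databind", "version": "2.12.3"},
   {"name": "zlib",             "version": "1.2.13"}
 ]}
""")

# Constructed advisories. "affected" uses "op version" clauses, comma-joined
# for AND, the shape most feeds expose once normalized.
ADVISORIES = [
    {"id": "ADV-0001", "component": "log4j-core", "severity": "critical",
     "affected": ">=2.0, <2.15.0"},
    {"id": "ADV-0002", "component": "jackson-databind", "severity": "high",
     "affected": "<2.12.6"},
    {"id": "ADV-0003", "component": "zlib", "severity": "high",
     "affected": "<1.2.12"},
    {"id": "ADV-0004", "component": "openssl", "severity": "medium",
     "affected": ">=1.1.1, <1.1.1l"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# A version segment is digits plus an optional letter suffix ("1k" in OpenSSL).
_SEGMENT = re.compile(r"^(\d+)([a-z]*)$")
_CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9a-z.]*)$")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """'1.1.1k' -> ((1,''), (1,''), (1,'k')); tuples compare the way versions do."""
    segments = []
    for part in text.strip().split("."):
        match = _SEGMENT.match(part)
        if not match:
            raise ValueError(f"unsupported version segment {part!r} in {text!r}")
        segments.append((int(match.group(1)), match.group(2)))
    return tuple(segments)


def _padded(version, length):
    """Right-pad with zero segments so '2.0' and '2.0.0' compare equal."""
    return version + ((0, ""),) * (length - len(version))


def in_range(version, spec):
    """True if version satisfies every comma-separated clause of spec."""
    have = parse_version(version)
    for clause in spec.split(","):
        match = _CLAUSE.match(clause.strip())
        if not match:
            raise ValueError(f"bad range clause {clause!r}")
        op, bound = match.group(1), parse_version(match.group(2))
        width = max(len(have), len(bound))
        if not _OPS[op](_padded(have, width), _padded(bound, width)):
            return False
    return True


def match_sbom(sbom, advisories):
    """Return [(advisory id, component, version, severity)] for each exposure."""
    shipped = {}
    for component in sbom["components"]:
        shipped.setdefault(component["name"], []).append(component["version"])
    hits = []
    for adv in advisories:
        for version in shipped.get(adv["component"], []):
            if in_range(version, adv["affected"]):
                hits.append((adv["id"], adv["component"], version, adv["severity"]))
    return hits


def worst_severity(hits):
    """Highest severity among the hits, or None when the SBOM is clean."""
    return max((h[3] for h in hits), key=SEVERITY_RANK.get, default=None)


if __name__ == "__main__":
    found = match_sbom(VENDOR_SBOM, ADVISORIES)
    for adv_id, name, version, severity in found:
        print(f"{VENDOR_SBOM['product']}: {name} {version} affected by {adv_id} ({severity})")
    print("worst severity:", worst_severity(found))
```

Run this whenever the vendor publishes a new SBOM or the feed changes, and the “worst severity” value is what your alerting threshold should key on. The version comparison handles only dotted numeric segments with an optional letter suffix; components using other schemes (dates, build hashes) need their own parser rather than a silent fallback, which is why the parser raises instead of guessing.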
Integration is taking the garnered intelligence and putting it to work in your network. When exploring the tools found in the Intelligence phase, the more you can streamline the integration of their data into your environment, the better.
Monitoring, alerting and reporting live in this stage. Each product is different, so when vetting a product, especially for vital data (e.g., critical alerts of anomalous activity), ensure that it will actually produce email or text alerts and that someone is on the receiving end of them.
Maturing the processes is always on the project board. In Year One, it might suffice to track assets in a spreadsheet and scan your network with a service running on a lower-end server. Year Two may require a more robust asset-tracking tool and a higher-end server for real-time scanning.
Alternatively, your internal alert ratings could change. What was Low priority last year might now be High and need relabeling.
Correction is part of this phase. Are there new suppliers? Are there former vendors that no longer need any kind of access but still have an IP address opened on your firewall and servers? Correction can be handled with recurring projects: put the review on a schedule so that it happens without anyone having to remember it, which is the only safe form of set-it-and-forget-it.
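The stale-vendor check above is mechanical enough to script. Here is an added example (not code from the article or its author) that reconciles a firewall allow-list export against the current vendor roster: each rule is attributed to the vendor whose declared address range contains it, and rules owned by an offboarded vendor, rules with no known owner, and rules wider than a policy threshold are flagged for removal. The rule lines, the roster, the addresses (documentation ranges) and the contract dates are constructed; a real run would export the rules from the firewall and read the roster from the vendor-management system.

```python
"""Find firewall allow-list rules that no current vendor justifies.

Added example, not from the article. FIREWALL_RULES and VENDOR_ROSTER are
constructed sample data; AS_OF is the review date and MAX_PREFIX is an
assumed policy line (anything wider than a /8 is treated as too broad).
"""
import ipaddress
from datetime import date

AS_OF = date(2020, 9, 27)
MAX_PREFIX = 8

# Constructed export, one rule per line: name, source CIDR, destination port.
FIREWALL_RULES = """\
# name                source             port
allow-crm-sync        203.0.113.0/28     443
allow-payroll-sftp    198.51.100.40/32   22
allow-oldmsp-rdp      198.51.100.128/25  3389
allow-monitoring      192.0.2.0/24       9100
allow-anything-in     0.0.0.0/0          22
"""

# Constructed roster: the ranges each vendor declared and when its contract ended.
VENDOR_ROSTER = {
    "crm-saas":     {"cidrs": ["203.0.113.0/24"],   "ended": None},
    "payroll-saas": {"cidrs": ["198.51.100.40/32"], "ended": None},
    "old-msp":      {"cidrs": ["198.51.100.128/25"], "ended": date(2020, 3, 31)},
}


def parse_rules(text):
    """Parse the whitespace-separated export, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, cidr, port = line.split()
        rules.append({
            "name": name,
            "src": ipaddress.ip_network(cidr, strict=False),
            "port": int(port),
        })
    return rules


def owner_of(src, roster):
    """Vendor whose declared range contains the rule's source, or None."""
    for vendor, record in roster.items():
        for cidr in record["cidrs"]:
            declared = ipaddress.ip_network(cidr)
            if src.version == declared.version and src.subnet_of(declared):
                return vendor
    return None


def reconcile(rules, roster, today=AS_OF, max_prefix=MAX_PREFIX):
    """Classify each rule as ok, offboarded, unknown-source or too-broad."""
    findings = []
    for rule in rules:
        if rule["src"].prefixlen < max_prefix:
            findings.append((rule["name"], "too-broad", None))
            continue
        vendor = owner_of(rule["src"], roster)
        if vendor is None:
            findings.append((rule["name"], "unknown-source", None))
        elif roster[vendor]["ended"] and roster[vendor]["ended"] <= today:
            findings.append((rule["name"], "offboarded", vendor))
        else:
            findings.append((rule["name"], "ok", vendor))
    return findings


def rules_to_remove(findings):
    """Names of every rule that the roster does not currently justify."""
    return sorted(name for name, status, _ in findings if status != "ok")


if __name__ == "__main__":
    results = reconcile(parse_rules(FIREWALL_RULES), VENDOR_ROSTER)
    for name, status, vendor in results:
        print(f"{name:22} {status:15} {vendor or '-'}")
    print("remove:", rules_to_remove(results))
```

Treat the “unknown-source” result as a finding in its own right, not noise: a rule nobody can attribute to a vendor is either an undocumented supplier (a blind spot) or a leftover from one that was never recorded, and either way the recurring review is the place it gets resolved.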
Before embarking on a C-SCRM plan, have an IR plan. Bad things happen at any time; they don’t wait until programs are fully developed. If a successful attack occurs, it is more likely to happen before the program is complete, because an unfinished program leaves more security holes than a finished one.
What are your communication channels (e.g., call tree)? Who will you contact if the app you just installed company-wide has a bug? Which person at Company X will you call if there’s malicious traffic flowing from that supplier? Who is your contact for the worst-case scenario of a breach in that supplier?
Test the People, Processes and Technologies involved in the IRP. How and when will you practice your IR plan?
After testing, document the results according to your BC, IR and DR policies. In responding to incidents, focus on defense, not offense. (NOTE: Unless you have some special legal authority, “hacking back” is not a valid response.)
Each of these steps may end up becoming quite complex, which is precisely why C-SCRM is so difficult. The concepts are common sense, but the tremendous amount of detail and the lack of a one-size-fits-all approach make it appear onerous.
What is to be done if your company is part of someone else’s supply chain? Ask yourself, “What are the chinks in my armor?” Maybe the armor imagery isn’t your thing, but what will help your program is making it personal. Maybe you like basketball or football and want to think of it as setting up a defense. Or you’re in finance and think in terms of red-flag warnings. When looking for how to better protect your company’s network, it may help to start calling it “your” network and to see, as objectively as possible, where it has holes.
Depending on a company’s criticality in the chain, customers may ask for your vulnerability assessment results. These are typically considered “for internal use only.” Declining to share them isn’t a way of avoiding being honest or vulnerable (see what I did there); rather, there are many ways those reports can be misunderstood. One example: internal corporate vulnerability scans often cover both Prod and Test servers. If the report reflects both, the Test environment is likely full of holes on purpose. Internal staff will understand the results, but external parties will not and may well conclude the team is lax in its duties, even when it is on top of the situation. If vulnerability assessments aren’t shareable, at minimum have a professional response ready for those inquiries and provide some metrics by which prospects and risk assessors can gauge the internal security of the product or service to which they’re uploading their data.
Here’s a recently developed tool from NIST that can help as you develop and mature your C-SCRM.
About the Author: Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
via The State of Security https://ift.tt/2dEfvfb
September 27, 2020 at 10:05PM
This Is the Newest Way to Show Full Stadiums During the Covid-19 Apocalypse
As you all have probably noticed, competitive sports do not like being without fans during covid-19 times. Officials have been racking their brains for ideas, some less strange than others, to deal with empty stadiums for months, and we just got a new one: fill the stands with South Park residents.
That’s what the Denver Broncos did on Sunday when they faced off against the Tampa Bay Buccaneers. Although the stadium was nowhere near its approximately 76,000-seat capacity, there were purportedly hundreds of South Park cutouts in the stands. In fact, ESPN reported that there were more than 1,800. What makes the initiative even better is that the fictional residents were all wearing masks. A good chunk also appeared to be social distancing.
Which is what everyone should be doing, I might add, especially in large gatherings. FYI, a good chunk doesn’t cut it if you’re a human that can catch and transmit the novel coronavirus.
The idea is also pretty funny because the animated show is set in the fictional town of South Park, Colorado. The show’s creators, Trey Parker and Matt Stone, are also reportedly huge Broncos fans.
Besides the South Park cutouts, the game also had about 5,700 actual humans in attendance. According to CBS Local, the Broncos worked with the Colorado Department of Public Health and Environment over three months to come up with plans and special rules to allow a limited number of fans to attend in person. The 5,700 fans were organized in groups of 175 people, which is the limit for outdoor gatherings in the state.
Safety measures included mandatory face coverings and social distancing. The team also axed tailgating and banned congregating in parking lots, concourses or the stadium bowl, per its website. It also installed bipolar ionization in the stadium’s HVAC system, UV-C lights under escalators to reduce and eliminate bacteria on handrails and more than 500 hand sanitization stations.
When it comes to bathrooms, the team states that they are now entirely hands free, including toilets, sinks and paper towel dispensers.
Although I’m not really that into sports, I understand the need for fans. It’s part of that game day atmosphere (and let’s be honest, more money for the teams). And even though some of the initiatives so far have looked kind of, eh, strange—such as the NBA’s fan projections via Microsoft Teams—the important thing is to enjoy sports while being safe. At least it’ll help you forget the apocalyptic situation we’re living in for a while.
via Gizmodo https://gizmodo.com
September 27, 2020 at 09:48PM