FreshRSS


Spaghetti Code - ASW #80

By paul@securityweekly.com

This week, we welcome Francois Lacelles, Field CTO of Ping Identity for an interview! In the Application Security News, Key takeaways from Imperva breach, From Automated Cloud Deployment to Progressive Delivery, Designing Your First App in Kubernetes: An Overview Food for Thought, Autonomy and the death of CVEs?, and AppSec 'Spaghetti on the Wall' Tool Strategy Undermining Security!

 

To learn more about Ping Identity, visit: https://securityweekly.com/ping

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode80

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

  • October 15th 2019 at 09:00

YARA's XOR Modifier, (Mon, Oct 14th)

YARA searches for strings inside files. Strings to search for are defined with YARA rules.
  • October 14th 2019 at 18:21

YARA v3.11.0 released, (Sat, Oct 12th)

A new version of YARA was released: v3.11.0.
  • October 12th 2019 at 21:16

Mining Live Networks for OUI Data Oddness, (Thu, Oct 10th)

My last story was a short script that takes MAC addresses in, and returns the OUI portion of that, along with the vendor who corresponds to that OUI.  (https://isc.sans.edu/diary/Mining+MAC+Address+and+OUI+Information/25360) Today we'll port that to PowerShell as a function and use that on a live network for some "hunting" to look for odd things.
  • October 10th 2019 at 12:40

Wonderful Monday's - BSW #146

By paul@securityweekly.com

This week, we welcome Ty Sbano, Cloud Chief Information Security Officer of Sisense for an interview! In the Leadership and Communications section, The 5 Enemies of Trustworthy Leadership, 5 Things Leaders Do That Stifle Innovation, 'What's Your Purpose'? Big Tech's 7 Favorite Interview Questions, and more!

 

Show Notes: https://wiki.securityweekly.com/BSWEpisode146

To learn more, please visit - http://www.tysbano.com

 

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • October 9th 2019 at 09:00

HNN #237 - October 8, 2019

By paul@securityweekly.com

This week, Signal rushes to patch serious eavesdropping vulnerability, Wi-Fi signal let researchers ID people through walls from their gait, the FBI warns about attacks that bypass MFA, Vulnerable Twitter API leaves tens of thousands of iOS apps open to attacks, and D-Link home routers open to remote takeover will remain unpatched! In the expert commentary, we welcome Justin Elze from TrustedSec, to talk about Red Teaming and Adversary Emulation!

 

Show Notes: https://wiki.securityweekly.com/HNNEpisode237

To learn more about TrustedSec, visit: https://trustedsec.com/securityweekly

 

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • October 8th 2019 at 21:28

A Sea of Orange - ASW #79

By paul@securityweekly.com

This week, Mike, Matt, and John talk about Cloud Security for Small Teams! In the Application Security News, Ex-Yahoo Engineer Abused Access to Hack 6,000 User Accounts, American Express Insider Breaches Cardholder Information, How a double-free bug in WhatsApp turns to RCE, Flare-on 6 2019 Writeups, and Five Trends Shaping the Future of Container Security!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode79

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • October 8th 2019 at 21:00

Microsoft October 2019 Patch Tuesday, (Tue, Oct 8th)

This month we got patches for 59 vulnerabilities total. None of them have been previously disclosed nor are being exploited according to Microsoft. 
  • October 8th 2019 at 17:58

The Last Cigar - PSW #622

By paul@securityweekly.com

This week, we talk Security News, how Turkey fines Facebook $282,000 over privacy breach, why the FBI is encouraging not to pay ransomware demands, the top 10 cybersecurity myths that criminals love, Doordash third-party breach hits 4.9 Million users, and how a "Bulletproof" Dark Web data center was seized by German police! In our second segment, we air a pre-recorded interview with Stewart Room, Partner at PwC, to talk about Data Privacy and The Journey to Code! In our final segment, we air a show trailer of our brand new podcast, Security & Compliance Weekly w/ Jeff Man, Matt Alderman, Scott Lyons, and Josh Marpet!

 

Show Notes: https://wiki.securityweekly.com/Episode622

Visit https://www.securityweekly.com/psw for all the latest episodes!

 

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

  • October 7th 2019 at 21:00

visNetwork for Network Data, (Sun, Oct 6th)

DFIR Redefined Part 3 - Deeper Functionality for Investigators with R series continued
  • October 6th 2019 at 00:55

Buffer overflows found in libpcap and tcpdump, (Thu, Oct 3rd)

It is always a bit worrisome when vulnerabilities are found in our favorite tools, but our tools are software like any other software and can have bugs, too. One of the feeds I have in my RSS reader is the NIST National Vulnerability Database (NVD) feed. Earlier today, I noticed a bunch of CVEs show up there for libpcap and tcpdump. I hadn't noticed any major announcements of new versions or any automatic updates of those tools on any of my Linux boxes, so I decided to head straight to the source, www.tcpdump.org. It turns out there were new versions of both libpcap (new version is 1.9.1) and tcpdump (version 4.9.3) released on Monday. And, there under latest releases, it notes that this release "addresses a large number of vulnerabilities." It should also be noted that this is the first release in over 2 years. Quite a few of the vulnerabilities have CVEs dating from 2018. In all, this update addresses 33 CVEs. Hopefully, the major Linux distros will roll out updates over the next few days or weeks. I haven't seen any indication that folks have tried to craft traffic to exploit any of these vulnerabilities, but that is always a concern when a tool like tcpdump or wireshark or the like has buffer overflows in its protocol parsers/decoders/dissectors. So, if you use tcpdump and/or any libpcap-based tools in your toolbox for network monitoring or network forensics, be on the lookout for updates from your Linux distro or tool vendor, or just go ahead and build your own copy from source.
  • October 4th 2019 at 05:27

Please Don't Go - ESW #156

By paul@securityweekly.com

This week, in our first segment, we talk Enterprise News, discussing how Tripwire unveils a new version of Tripwire Connect, Infrastructure management at scale with Netshield, Five Trends Shaping the Future of Container Security, and some funding updates from BurstIQ and Kenna Security! In our second segment, we welcome Paul Claxton, COO and Managing Partner at Elite Holding, Co., Valiant Consulting, and Reciprocity ROI LLC, to talk about the Top Cyber Threats for COO's, CMO's, and CISO's! In our final segment, we welcome Matt Wyckhouse, Co-Founder and CEO at Finite State, to talk about Supply Chain Security in the IoT Era!

 

Show Notes: https://wiki.securityweekly.com/ESWEpisode156

Visit https://www.securityweekly.com/esw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • October 3rd 2019 at 21:00

"Lost_Files" Ransomware, (Thu, Oct 3rd)

Is good old malware still used by attackers today? Probably not running the original code, but malware developers are… developers! They don’t reinvent the wheel and re-use code published here and there. I spotted a ransomware which looked like an old one.
  • October 3rd 2019 at 06:06

Keep the Lights On - BSW #145

By paul@securityweekly.com

This week, we welcome Jeff Costlow, Deputy CISO at ExtraHop, to discuss how to strengthen your cloud security posture! In the Leadership and Communications segment, Why New Leaders Should Make Decisions Slowly, What Einstein's Most Famous Equation Says About Maximizing Your Productivity, Shift to digital business is booming, but are CEOs ignoring associated risk?, and more!

 

To learn more about ExtraHop, visit: https://securityweekly.com/extrahop

Visit https://www.securityweekly.com/bsw for all the latest episodes!

 

Show Notes: https://wiki.securityweekly.com/BSWEpisode145

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • October 2nd 2019 at 21:00

A recent example of Emotet malspam, (Wed, Oct 2nd)

Shown below is an example of malicious spam (malspam) pushing Emotet malware.  It has an attached Word document with macros designed to install Emotet on a vulnerable Windows host.
  • October 2nd 2019 at 02:37

HNN #236 - October 1, 2019

By paul@securityweekly.com

This week, 335 Million Malicious apps were installed on Google Play in September, a new bug found in NSA's Ghidra tool, a Medical Practice closed permanently after a Ransomware attack, researchers find a new hack to read content of password-protected PDF files, and a billboard in Michigan was hacked to play Pornography for drivers along I-75! In the expert commentary, we welcome Sean O'Brien, Founder and CEO of PrivacySafe, to talk about PrivacySafe - The Anti Cloud Appliance!

 

To learn more about PrivacySafe, visit: https://securityweekly.com/privacysafe

Full Show Notes: https://wiki.securityweekly.com/HNNEpisode236

 

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

  • October 1st 2019 at 21:05

A Quick Look at Some Current Comment Spam, (Tue, Oct 1st)

As pretty much everybody else allowing comments, our site is getting its fair share of spam. Over the years, we implemented a number of countermeasures, so it is always interesting to see what makes it past these countermeasures. There are a number of recurring themes when it comes to spam:
  • October 1st 2019 at 17:25

Microsoft Makes OneDrive Personal Vault Available Worldwide

Microsoft this week announced that users all around the world can now keep their most important files protected in OneDrive Personal Vault.

Launched earlier this summer, the Personal Vault is a protected area in OneDrive that requires strong authentication or a second identification step to access. Thus, users can store their files and ensure that they can’t be accessed without a fingerprint, face, PIN, or code received via email or SMS.

Now available worldwide on all OneDrive consumer accounts, Personal Vault allows users to securely store important information such as files, photos, and videos, including copies of documents, and more. 

The added security ensures that, even if an attacker manages to compromise the OneDrive account, they won’t have access to any of the files in Personal Vault. 

Personal Vault won’t slow users down, as they can easily access content from their PC, on OneDrive.com, or mobile device, Microsoft says.

On top of that, additional security measures are available, including the ability to scan documents or shoot photos directly into Personal Vault. Files and shared items moved into Personal Vault cannot be shared. 

Both Personal Vault and files there will close and lock automatically after a period of inactivity, and Personal Vault files are automatically synced to a BitLocker-encrypted area of the user’s Windows 10 PC local hard drive. 

“Taken together, these security measures help ensure that Personal Vault files are not stored unprotected on your PC, and your files have additional protection, even if your Windows 10 PC or mobile device is lost, stolen, or someone gains access to it or to your account,” Microsoft says.

OneDrive provides other security features as well, including file encryption, monitoring for suspicious sign-ins, ransomware detection and recovery, virus scanning on downloads, password-protection of sharing links, and version history for all file types.

To use Personal Vault, users only need to click on the feature’s icon, available in OneDrive. Only up to three files can be stored in Personal Vault on OneDrive free or standalone 100 GB plans, but that limit is as high as the total storage limit for Office 365 Personal and Office 365 Home plans.

Related: DHS Highlights Common Security Oversights by Office 365 Customers

Related: Microsoft Adds New Security Features to Office 365

Copyright 2010 Respective Author at Infosec Island
  • October 1st 2019 at 13:42

The Notorious Bucket - ASW #78

By paul@securityweekly.com

This week, we welcome Ryan Kelso, Application Security Engineer at 10-Sec, Inc., to discuss Information Disclosure Vulnerabilities! In the Application Security News, Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways, Intelligent Tracking Prevention 2.3 and a discussion to Limit the length of the Referer header with some background on Browser Side Channels, Serverless Security Threats Loom as Enterprises Go Cloud Native, and much more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode78

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • October 1st 2019 at 09:00


Maldoc, PowerShell & BITS, (Mon, Sep 30th)

The sample we analyze today is a malicious Office document, using PowerShell to download its payload via BITS.
  • September 30th 2019 at 18:36

That's What Larry Said - PSW #621

By paul@securityweekly.com

This week, we talk Security News, discussing how a hacker took over a smart home with vulgar music and rising temperatures, a security warning for 23 million YouTube creators following a crazy hack attack, Vimeo sued for storing faceprints of people without their say-so, Selfie Android apps push ads and can record audio, and how adopting DevOps leads to an improved security posture! In our second segment, we air three pre-recorded interviews from the SE village at DEFCON 27 with Billy Boatright, Edward Miro, and Jayson Street! In our final segment, we air two more pre-recorded interviews from the SE Village at DEFCON 27, featuring Perry Carpenter and Chris Edwards!

 

Full Show Notes: https://wiki.securityweekly.com/Episode621

Visit https://www.securityweekly.com/psw for all the latest episodes!

 

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com

  • September 30th 2019 at 17:59

Encrypted Maldoc, Wrong Password, (Sun, Sep 29th)

Reader Chad submitted a malicious Office document, delivered as an email attachment. The maldoc was encrypted, and the password was mentioned in the email: PETROFAC.
  • September 29th 2019 at 21:52

False Negative - ESW #155

By paul@securityweekly.com

This week, in the enterprise news segment, Akamai acquires MFA specialist KryptCo, HP acquires Bromium to enhance its security platform, Cyber Insurance firm Cowbell emerges from stealth with $3.3M in seed funding and more! In our second segment, we interview Brian Dye, Chief Product Officer at Corelight, a Help Systems company, to discuss "The Path to Threat Hunting is Paved with Great Network Data". In our third segment, we interview Tony Meehan, Vice President of Engineering at Endgame, to discuss "Building an engineering team for every stage of company growth".

 

Full Show Notes: https://wiki.securityweekly.com/ES_Episode155

Visit https://www.securityweekly.com/esw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • September 27th 2019 at 09:00

New Scans for Polycom Autoconfiguration Files, (Fri, Sep 27th)

One of my honeypots detected a nice scan yesterday. A bot was looking for Polycom master provisioning files. Such files are called by default '000000000000.cfg' and contain interesting information to perform provisioning of VoIP phones. Normally, this file is renamed with the MAC address of the phone (ex: a1b2c3d4e5f6.cfg) but the name can be left intact and, if the phone can’t find its own MAC address-based configuration, it will pull the default file.
  • September 27th 2019 at 07:13

Vulnerability on specific Cisco Industrial / Grid router models, (Thu, Sep 26th)

Our reader Marc reports a vulnerability posted by Cisco yesterday: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth
  • September 26th 2019 at 17:07

Mining MAC Address and OUI Information, (Thu, Sep 26th)

So often when we're working an incident on the network side, we quickly end up at Layer 2, working with MAC Addresses.
  • September 26th 2019 at 16:29

HNN #235 - September 24, 2019

By paul@securityweekly.com

This week, Facebook suspends tens of thousands of apps from hundreds of developers, a Privilege Escalation flaw found in Forcepoint VPN Client for Windows, WannaCry and why it never went away, 0patch promises support for Windows 7 beyond January 2020, and how the FBI arrests more than 200 hackers in different countries! In the expert commentary, we welcome Grant Sewell, Director of IT Security at Safelite Autoglass, to talk about Risk-based security and identity controls, and the Use of Preempt Security's Platform!

 

To learn more about Preempt, visit: https://securityweekly.com/preempt

Full Show Notes: https://wiki.securityweekly.com/HNNEpisode235

Visit https://www.securityweekly.com/hnn for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • September 24th 2019 at 19:09

Human-Centered Security: What It Means for Your Organization

Humans are regularly referred to as the ‘weakest link’ in information security. However, organizations have historically relied on the effectiveness of technical security controls, instead of trying to understand why people are susceptible to mistakes and manipulation. A new approach is clearly required: one that helps organizations to understand and manage psychological vulnerabilities, and adopts technology and controls that are designed with human behavior in mind.

That new approach is human-centred security.

Human-centred security starts with understanding humans and their interaction with technologies, controls and data. By discovering how and when humans ‘touch’ data throughout the working day, organizations can uncover the circumstances where psychological-related errors may lead to security incidents.

For years, attackers have been using methods of psychological manipulation to coerce humans into making errors. Attack techniques have evolved in the digital age, increasing in sophistication, speed and scale. Understanding what triggers human error will help organizations make a step change in their approach to information security.

Identifying Human Vulnerabilities

Human-centred security acknowledges that employees interact with technology, controls and data across a series of touchpoints throughout any given day. These touchpoints can be digital, physical or verbal. During such interactions, humans will need to make decisions. Humans, however, have a range of vulnerabilities that can lead to errors in decision making, resulting in negative impacts on the organization, such as sending an email containing sensitive data externally, letting a tailgater into a building or discussing a company acquisition on a train. These errors can also be exploited by opportunistic attackers for malicious purposes.

In some cases, organizations can put preventative controls in place to mitigate errors being made, e.g. preventing employees from sending emails externally, strong encryption of laptops or physical barriers. However, errors can still get through, particularly if individuals decide to subvert or ignore these types of controls to complete work tasks more efficiently or when time is constrained. Errors may also manifest during times of heightened pressure or stress.

By identifying the fundamental vulnerabilities in humans, understanding how psychology works and what triggers risky behavior, organizations can begin to understand why their employees might make errors, and begin managing that risk more effectively.

Exploiting Human Vulnerabilities

Psychological vulnerabilities present attackers with opportunities to influence and exploit humans for their own advantage. The methods of psychological manipulation used by attackers have not changed since humans entered the digital era but attack techniques are more sophisticated, cost-effective and expansive, allowing attackers to effectively target individuals or to attack on considerable scale.

Attackers use the ever-increasing volume of freely available information from online and social media sources to establish believable personas and backstories in order to build trust and rapport with their targets. This information is carefully used to heighten pressure on the target, which then triggers a heuristic decision-making response. Attack techniques are used to force the target to use a particular cognitive bias, resulting in predictable errors. These errors can then be exploited by attackers.

There are several psychological methods that can be used to manipulate human behavior; one such method that attackers can use to influence cognitive biases is social power.

There are many attack techniques that use the method of social power to exploit human vulnerabilities. Attack techniques can be highly targeted or conducted on scale but they typically contain triggers which are designed to evoke a specific cognitive bias, resulting in a predictable error. While untargeted, ‘spray and pray’ attacks rely on a small percentage of the recipients clicking on malicious links, more sophisticated social engineering attacks are becoming prevalent and successful. Attackers have realized that it is far easier targeting humans than trying to attack technical infrastructure.

The way in which the attack technique uses social power to trigger cognitive biases will differ between scenarios. In some cases, a single email may be enough to trigger one or more cognitive bias resulting in a desired outcome. In others, the attack may gradually manipulate the target over a period of time using multiple techniques. What is consistent is that the attacks are carefully constructed and sophisticated. By knowing how attackers use psychological methods, such as social power, to trigger cognitive biases and force errors, organizations can deconstruct and analyze real-world incidents to identify their root causes and therefore invest in the most effective mitigation.

For information security programs to become more human-centred, organizations must become aware of cognitive biases and their influence on decision-making. They should acknowledge that cognitive biases can arise from normal working conditions but also that attackers will use carefully crafted techniques to manipulate them for their own benefit. Organizations can then begin to readdress information security programs to improve the management of human vulnerabilities, and to protect their employees from a range of coercive and manipulative attacks.

Managing Human Vulnerabilities

Human vulnerabilities can lead to errors that can significantly impact an organization’s reputation or even put lives at risk. Organizations can strengthen information security programs in order to mitigate the risk of human vulnerabilities by adopting a more human-centred approach to security awareness, designing security controls and technology to account for human behavior, and enhancing the working environment to reduce the impact of pressure or stress on the workforce.

Reviewing the current security culture and perception of information security should give an organization a strong indication of which cognitive biases are impacting the organization. Increasing awareness of human vulnerabilities and the techniques attackers use to exploit them, then tailoring more human-centred security awareness training to account for different user groups should be fundamental elements of enhancing any information security program.

Organizations with successful human-centred security programs often have significant overlap between information security and human resource functions. The promotion of a strong mentoring network between senior and junior employees, coupled with the improvement of the structure of working days and the work environment, should help to reduce unnecessary stress that leads to the triggering of cognitive biases affecting decision-making.

Develop meaningful relationships between a mentor and mentee to create an equilibrium of knowledge and understanding. Create a working environment and work-life balance that reduces stress, exhaustion, burnout and poor time management, which all significantly increase the likelihood of errors being made. Finally, consider how the improvement or enhancement of workspaces and environments can reduce stress or pressure on the workforce. Consider what is the most appropriate work environment for the workforce as there may be varying options, e.g. working from home, remote working, or modernizing office spaces, factories or outdoor locations.

From Your Weakest Link to Your Strongest Asset

Underlying psychological vulnerabilities mean that humans are prone to both making errors, and to manipulative and coercive attacks. Errors and manipulation now account for the majority of security incidents, so the risk is profound. By helping staff understand how these vulnerabilities can lead to poor decision making and errors, organizations can manage the risk of the accidental insider. To make this happen, a fresh approach to information security is required.

A human-centred approach to security can help organizations to significantly reduce the influence of cognitive biases that cause errors. By discovering the cognitive biases, behavioral triggers and attack techniques that are most common, tailored psychological training can be introduced into an organization’s awareness campaigns. Technology, controls and data can be calibrated to account for human behavior, while enhancement of the working environment can reduce stress and pressure.

Once information security is understood through the lens of psychology, organizations will be better prepared to manage and mitigate the risks posed by human vulnerabilities. Human-centred security will help organizations transform their weakest link into their strongest asset.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

 

  • September 24th 2019 at 18:57

Converging Together - BSW #144

By paul@securityweekly.com

This week, we welcome Brian Lamoureux, Partner at Pannone Lopes Devereaux & O'Gara, to discuss the similarities of Big Tech to Big Tobacco. In the leadership and communications section, Troublesome Teammates, Email challenges and how to set boundaries, Cybersecurity confidence rattled by continued investments, small results, and more!

 

Full Show Notes: https://wiki.securityweekly.com/BSWEpisode144

Visit https://www.securityweekly.com/bsw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • September 24th 2019 at 09:00

Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs, (Tue, Sep 24th)

I'm keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain 'remotewebaccess.com'. This domain, owned by Microsoft, is used to provide temporary remote access to Windows computers[2]. Microsoft allows you to use your own domain but provides also (for more convenience?) a list of available domains. Once configured, you are able to access the computer from a browser:
  • September 24th 2019 at 07:45

Something Should Exist - ASW #77

By paul@securityweekly.com

This week, we welcome Nicolas Valcarcel, Security Engineer at NextRoll! In the Application Security News, BSIMM10 Emphasizes DevOps' Role in Software Security and the BSIMM10 report, Crowdsourced Security & the Gig Economy, Lessons learned through 15 years of SDL at work, Software eats the world, jobs double US employment growth rate, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode77

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • September 23rd 2019 at 20:23

YARA XOR Strings: an Update, (Sun, Sep 22nd)

Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key.
  • September 23rd 2019 at 06:31

Video: Encrypted Sextortion PDFs, (Sun, Sep 22nd)

In this video, I show how to use my PDF tools together with QPDF and Poppler to deal with encrypted PDFs, like the sextortion PDFs that were submitted recently.
  • September 22nd 2019 at 18:14

Special Treats - PSW #620

By paul@securityweekly.com

This week, we welcome Jason Lang, Sr. Security Consultant at TrustedSec, to talk about modern-day Red Teaming against some of the largest companies in the U.S.! In our second segment, we welcome Wes Widner, Cloud Engineering Manager at CrowdStrike, to talk about Audio Security, and why personal voice assistants are the wave of the future! In the Security News, how an iOS 13 flaw could provide access to contacts with a passcode, Equifax demands more information before making payouts, confidential data of 24.3 million patients were discovered online, and a SIM Flaw that lets hackers hijack any phone by sending SMS!

 

To learn more about TrustedSec, visit: https://securityweekly.com/trustedsec

Full Show Notes: https://wiki.securityweekly.com/Episode620

Visit https://www.securityweekly.com/psw for all the latest episodes!

 

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • September 21st 2019 at 09:00

Blacklisting or Whitelisting in the Right Way, (Thu, Sep 19th)

It's Friday today, I'd like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" besides the automated processing of data. The approach to implement them is quite different:
  • September 20th 2019 at 07:41

The Gang's Here - ESW #154

By paul@securityweekly.com

This week, in our first segment, John Strand talks Attacking AWS: Elastic Map to Reduce Clusters! In the Enterprise News, hundreds laid off by Symantec as part of restructuring plan, Infection Monkey Industries first Zero Trust Assessment Tool, Shape Security eyes IPO after raising $51 Million at a $1 Billion evaluation, Lacework secures $42 Million and adds new president, board members, and customers, FireMon announced the introduction of FireMon Automation, and more! In our final segment, we talk Cloud Security, and what security products you need in the cloud!

 

Full Show Notes: https://wiki.securityweekly.com/ES_Episode154

Visit https://www.securityweekly.com/esw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • September 18th 2019 at 19:41

Agent Tesla Trojan Abusing Corporate Email Accounts, (Thu, Sep 19th)

The trojan 'Agent Tesla' is not brand new: discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1].
  • September 19th 2019 at 06:47

HNN #234 - September 17, 2019

By paul@securityweekly.com

This week, experts disclosed passcode bypass bug in iOS 13 a week before release, drone attacks hit two Saudi Arabia Aramco oil plants, Google fixes 2FA flaw in built-in security key, LastPass fixes bug that leaks credentials, AMD Radeon Driver flaw lead to VM escape, and how the Air Force will let hackers try to hijack an orbiting satellite! In the expert commentary, we welcome George Avetisov, CEO and Co-Founder at HYPR Corp., to talk about True Passwordless Security!

 

To learn more about Hypr, visit: https://securityweekly.com/hypr

Full Show Notes: https://wiki.securityweekly.com/HNNEpisode234

Visit https://www.securityweekly.com/hnn for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • September 17th 2019 at 19:56