Login
The Data Access Agreement (DAA), by which the US and UK have agreed how one country can respond to lawful data demands from police and investigators in the other, took effect on Monday.β¦
Cloudflare is the first major internet infrastructure provider to support post-quantum cryptography for all customers, which, in theory, should protect data if quantum computing ever manages to break today's encryption technologies.β¦
If you've ever found yourself in an interminable meeting listening to the CISO ramble on about the important role you play in protecting yourself and the company from cyberthreats, you could probably point an accusatory finger in large part at the National Cybersecurity Awareness Month (NCSAM) program.β¦
A 30-year-old ex-NSA employee was accused by the FBI of trying to sell classified US information to a foreign government β after the Feds said they linked him to the printing of secret documents.β¦
In November 2020, the Telecommunications (Security) Bill was formally introduced to the UKβs House of Commons by the department for Digital, Culture, Media & Sport. Now, after several readings, debates, committee hearings, and periods of consultation, the Telecommunications (Security) Act is quickly becoming reality for providers of public telecoms networks and services in the UK, going live on 1 October 2022. Here, we outline what exactly the requirements mean for these firms, and what they can do to prepare.
The Act outlines new legal duties on telecoms firms to increase the security of the entire UK network and introduces new regulatory powers to the UK Telecoms regulator OFCOM to regulate Public Telecommunications Providers in the area of cyber security. It place obligations on operators to put in place more measures around the security of their supply chains, which includes the security of the products they procure. The Act grants powers to the Secretary of State to introduce a so-called Code of Practice. It is this Code of Practice which contains the bulk of the technical requirements that operators must comply with. Those not in compliance face large fines (up to 10% of company turnover for one year).
Following the UK Telecoms Supply Chain review in 2018, the government identified three areas of concern that needed addressing:
Following the review, little did we know a major resilience test for the telecoms industry was about to face significant challenges brought on by the Covid-19 pandemic. Data released by Openreach β the UKβs largest broadband network, used by customers of BT, Plusnet, Sky, TalkTalk, Vodafone and Zen β showed that broadband usage more than doubled in 2020 with 50,000 Petabytes (PB) of data being consumed across the country, compared to around 22,000 in 2019.
There is no question the security resilience of the UK telecoms sector is becoming ever more crucial β especially as the government intends to bring gigabit capable broadband to every home and business across the UK by 2025. As outlined in the National Cyber Security Centreβs Security analysis for the UK telecoms sector, βAs technologies grow and evolve, we must have a security framework that is fit for purpose and ensures the UKβs Critical National Telecoms Infrastructure remains online and secure both now and in the futureβ.
The legislation will apply to public telecoms providers (including large companies such as BT and Vodafone and smaller companies that offer telecoms networks or services to the public). More specifically to quote the Act itself:
As the requirements are long and varied and so the timelines to comply have been broken down to help organisations comply. The current Code of Practice expects Tier 1 providers to implement βthe most straightforward and least resource intensive measuresβ by 31 March 2024, and the more complex and resource intensive measures by 31 March 2025.
Tier 2 firms have been given an extra two years on top of the dates outlined above to reflect the relative sizes of providers. Tier 3 providers arenβt in scope of the regulatory changes currently but are strongly encouraged to use the Code of Practice as best practice. The Code of Practice also expects that these firms βmust continue to take appropriate and proportionate measures to comply with their new duties under the Act and the regulationsβ.
The TSA introduces a range of new requirements for those in the telecoms industry to understand and follow. These will require a multi-year programme for affected organisations.Β An area of high focus for example will be on Third Party controls and managing the relationship with them.
However there are more common security requirements as well.Β From our work with many companies across many different industries, we know that establishing that users accessing corporate systems, data and applications are who they say they are isΒ a key aspect of reducing risk by limiting the possibility of attacks coming in through the front door. This is a very real risk highlighted in Verizonβs 2022 Data Breaches Investigations Report, which states that around 82% of data breaches involved a human element, including incidents in which employees expose information directly or making a mistake that enables cyber criminals to access the organisationβs systems.
Therefore, one area to start to try and protect the organisation and take a step on the way to compliance is to build up authentication and secure access to systems, data and applications. However even this can take time to implement over large complex environments. It means gaining an understanding of all devices and ensuring there is a solid profile around them, so they can be reported on, attacks can be blocked and prevented, and access to applications can be controlled as needed.
We will be creating more information around the Act as we move closer to the deadlines, including part two of this blog where we will take a deeper dive into themes introduced by the bill, how it compare with other industriesβ and jurisdictionsβ cyber security initiatives, and explore what else the telecoms industry can do to improve its security posture.
We are also running an event in London on 13 October: βAre you ready for TSA?βΒ which will include peer discussions where participation is welcome on the TSA. If you are interested in attending, please registerΒ here.
Β
Weβd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Webinar Ransomware has a longer history than you might imagine. The very first recognized attack was at the World Health Organization in 1989 when the AIDS Trojan was distributed to 20,000 attendees via floppy disc.β¦
Jason Button is a director at Cisco and leads the companyβs Security and Trust Mergers and Acquisitions (M&A) team. He was formerly the director of IT at Duo Security, a company Cisco acquired in 2018, making him uniquely positioned to lend his expertise to the M&A process. This blog is the second in a series focused on M&A cybersecurity, following Jacob Bolotinβs post on Managing Cybersecurity Risk in M&A.
All good relationships are built on trust. Add in transparency, and the union becomes even more substantial. βTrust and transparency underpin everything we do,β says Button, βCisco takes security, trust, and transparency very seriously, and itβs part of our teamβs fabric.β
When Cisco acquires a company, the Security and Trust M&A team looks at not only what they can offer in the way of security but also what unique qualities the acquired company brings to Cisco. These qualities might be related to security, but theyβre also found in the acquired companyβs culture, technical knowledge, and processes.
In all acquisitions, the M&A team needs to move fast. In fact, the Cisco team is committed to pushing even faster as long as they never compromise on security. Around 2020, Button and his team began taking stock of how it does things. They evaluated everything from the ground up, willing to tease out what is working and toss out what isnβt.
The team is also on a trajectory of identifying how it can digitize and automate security.
βIf we were going to do things differently, we needed to be bold about it,β says Mohammad Iqbal, information security architect in the Security and Trust M&A team. One of the changes Iqbal proposed to his colleagues is to ensure that an acquired company is integrated into Ciscoβs critical security controls within three months after the acquisition deal closes.
To successfully meet the three-month target, the M&A team works closely with the acquired company to identify and address all non-integrated risks (NIRs) that Cisco inherits from an acquisition and encompass:
NIRs are a subset of eight security domains, or operating norms, that align with Ciscoβs security and trust objectives and top priorities of the larger security community (Figure 1). The M&A teamβs focus on NIRs steers the due diligence conversation away from identifying the acquisitionβs security deficiencies and towards understanding the inherent risks associated with the acquisition and measuring the security liability.
βAcquisitions are coming in with these risks, and so we must address NIRs early when weβre signing non-disclosure agreements. In doing so, we help put these companies in a position to integrate successfully with all the security domains. And this integration should be done in the shortest time possible within a year of close,β Iqbal says.
Building trust and being transparent early on is critical so the acquired company knows whatβs expected of them and is ready to accomplish its three-month and first-year goals.
βI wish this type of conversation was offered to me when Cisco acquired Duo,β Button says. βBeing on the Duo side of that deal, I wouldβve been able to say with confidence, βOK, I get it. I know whatβs expected of me. I know where to go. I know what I need to do with my team.ββ
βWe have a limited time window to make sure an acquisition company is heading down the right route. We want to get in there early and quickly and make it easy,β adds Button.
Reducing the manual intervention required by the acquired company is integral to helping the acquisition meet the three-month goal. Hereβs where automation can play a significant role and the M&A team is looking toward innovation.
βWeβre working on bringing in automated processes to lessen the burden on the acquired company,β says Iqbal. The M&A team realizes that much of the automation can be applied in instrumenting the security controls and associated APIs to help the team move beyond what they have already assessed at acquisition day 0 and gain the visibility they need to get the acquired company to its three-month goal. For example, they can automate getting the acquired company on Ciscoβs vulnerability scans, using internal tools, or attaining administrative access privileges.
So, Iqbal, Button, and the rest of the team are working on automating processesβdeveloping the appropriate architecture pipeline and workflowsβthat help acquired companies integrate critical security controls. While the ability to automate integration with security controls is not novel, the innovation that the M&A team brings to the table is the ability to position an acquired target to integrate with security controls in the most expedited way possible.
As with due diligence, the M&A team strives to complete the discovery phase before the acquisition deal close. Hereβs another step where digitization and automation can simplify and shorten processes. Take the acquisition company questionnaire, for instance.
βInstead of asking dozens of questions, we could give the company an audit script to run in their environment,β Iqbal says. βThen, all they have to do is give us the results.β
Also, the questionnaire can be dynamically rendered through a dashboard, improving the user experience, and shortening completion time. For example, the number of questions about containers could automatically retract if the acquired company uses Azure Kubernetes Service.
Many teams within Cisco compete for an acquired companyβs time before and after an acquisition deal closes. The acquired company is pulled in several different directions. Thatβs why the Security and Trust M&A team doesnβt stop looking for ways to digitize and automate security processes after the closeβto continue to help make the acquired companyβs transition more manageable.
βIf we can make processes simple, people will use them and see the value in them within days, not weeks or quarters,β says Button.
βThe majority of companies we acquire are smaller,β Button says. βThey donβt have large security teams. We want them to tap our plethora of security experts. We want to enable an acquired company to apply Ciscoβs ability to scale security at their company. Again, we want things to be simple for them.β
The M&A team helps facilitate simplicity by telling a consistent story (maintaining consistent messaging unique to the acquired company) to all the groups at Cisco involved in the acquisition, including M&Aβs extended Security and Trust partners such as corporate security, IT, and supply chain. Because each group deals with different security aspects of the integration plan, itβs essential that everyone is on the same page and understands the changes, improvements, and benefits of the acquisition that are relevant to them. Maintaining a consistent message can go a long way toward reducing complexity.
The human element can easily get overlooked throughout an acquisitionβs myriad business, technical, and administrative facets. Balancing the human aspect with business goals and priorities is essential to Button and the entire Security and Trust M&A team. They want to bring the human connection to the table. In this way, trust and transparency are on their side.
βEmotions can run the gamut in an acquisition. Some people will be happy. Others will be scared. If you donβt make a human connection, youβll lose so much value in the acquisition,β Button says. βYou can lose people, skillsets, efforts. If we donβt make that human connection, then we lose that balance, and we wonβt be off to a great start.β
One way the M&A team helps maintain that balance is by embracing the things that make the acquired company unique. βItβs vital to identify those things early on so we can protect and nurture them,β says Button.
He also wants to remind companies that they donβt have to be experts at everything asked of them during acquisition. βCisco has been here for a while. We have entire teams within M&A that are dedicated to doing one thing. We can help acquired companies find out where theyβre struggling. We can handle the things they donβt want to deal with.β
βM&A is complex, but complexity is off the chart when you talk about M&A and security. Our team wonβt be successful if we canβt find a way to make things easier for the acquired company. They need to understand where theyβre headed and why,β Button says. βItβs up to us to motivate them towards a successful outcome.β
Managing Cybersecurity Risk in M&A
Β
Weβd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Acronis founder Serg Bell is afraid of his own vacuum cleaner, he told The Register in Singapore last week.β¦
Remember the good old days of cyber-incident response, when the job involved digital forensics and lots of stolen credit cards, as opposed to power-grid-breaking malware and multi-million-dollar ransom demands?β¦
As each new smart home device may pose a privacy and security risk, do you know what to look out for before inviting a security camera into your home?
The post 8 questions to ask yourself before getting a home security camera appeared first on WeLiveSecurity
With βSee Yourself in Cyberβ as the theme for this yearβs Cybersecurity Awareness Month, the focus is on you with a look at several quick ways you can quickly get safer online.Β
Now in its 21st year, Cybersecurity Awareness Month marks a long-standing collaboration between the U.S. government and private industry. Itβs aim, empower people to protect themselves from digital forms of crime. And that stands as a good reminder. Phishing attacks, malware, and the other threats we regularly talk about in our blog are indeed forms of crime. And where thereβs crime, thereβs a person behind it.Β
It can be easy to lose sight of that, particularly as the crook on the other end of the attack is hiding behind a computer. Cybercrime can feel anonymous that way, yet itβs anything but. Whether a single bad actor or as part of a large crime organization, people power cybercrime.Β
Yet just as you secure your home to prevent yourself from becoming a victim of a criminal, you can also secure your digital life to prevent yourself from becoming a victim of cybercriminal.Β
You have plenty of places where you can start, and theyβre all good ones. Even a handful of the simplest measures can significantly decrease your risk. Better yet, several take far less time to put into place than you might think, while yet more work automatically once you implement themβmaking them a sort of βset it and forget itβ security measure.Β
With that, this five-step list can get you going:Β
Strong, unique passwords offer another primary line of defense. Yet with all the accounts we have floating around, juggling dozens of strong and unique passwords can feel like a taskβthus the temptation to use (and re-use) simpler passwords. Hackers love this because one password can be the key to several accounts. Instead, try a password manager that can create those passwords for you and safely store them as well. Comprehensive security software will include one, and McAfee also offers a free service with True Key.Β
Updates do all kinds of great things for gaming, streaming, and chatting apps, like add more features and functionality over time. Updates do something elseβthey make those apps more secure. Hackers will hammer away at apps to find or create vulnerabilities, which can steal personal info or compromise the device itself. Updates will often include security improvements, in addition to performance improvements.Β Β
For your computers and laptops:Β
For your smartphones:Β
For your smartphone apps:Β
Often overlooked is the humble browser. Yet if you think about it, the browser is one of the apps we use most often. Particularly on our desktops. It takes us shopping, to shows, the bank, and even work. Hackers realize that, which is why they love targeting browsers. Whether itβs through vulnerabilities in the code that runs the browser, injecting malicious code into a browser session, or any one of several other attack vectors, hackers will try to find a way to compromise computers via the browser.Β
One of the best ways to keep your browser safe is to keep it updated. By updating your browser, youβll get the latest in features and functionality in addition to security fixes that can prevent attacks from hackers. Itβs a straightforward process, and this article will show you can set your browser to automatically update.Β
Whether they come by way of an email, text, direct message, or as bogus ads on social media and in search, phishing attacks remain popular with cybercriminals. Across their various forms, the intent remains the sameβto steal personal or account information by posing as a well-known company, organization, or even someone the victim knows. And depending on the information that gets stolen, it can result in a drained bank account, a hijacked social media profile, or any number of different identity crimes. What makes some phishing attacks so effective is how some hackers can make the phishing emails and sites they use look like the real thing, so learning how to spot phishing attacks has become a valuable skill nowadays. Additionally, comprehensive online protection software will include web protection that can spot bogus links and sites and warn you away from them, even if they look legit.Β
Some signs of a phishing attack include:Β
Email addresses that slightly alter the address of a trusted brand name so it looks close at first glance.Β
Again, this can take a sharp eye to spot. When you get emails like these, take a moment to scrutinize them and certainly donβt click on any links.Β
Another way you can fight back against crooks who phish is to report them. Check out ReportFraud.ftc.gov, which shares reports of phishing and other fraud with law enforcement. Taken together with other reports, your information can aid an investigation and help bring charges on a cybercriminal or an organized ring.Β Β
Chances are youβre using multi-factor authentication (MFA) on a few of your accounts already, like with your bank or financial institutions. MFA provides an additional layer of protection that makes it much more difficult for a hacker or bad actor to compromise your accounts even if they know your password and username. Itβs quite common nowadays, where an online account will ask you to use an email or a text to your smartphone to as part of your logon process. If you have MFA as an option when logging into your accounts, strongly consider using it.Β
This list can get you started, and you can take even more steps now that youβre rolling. Keep dropping by our blog for more ways you can make yourself safer, such as on social media, your smartphone, in app stores, and more. Visit us any time!Β
The post See Yourself in Cyber β Five Quick Ways You Can Quickly Get Safer Online appeared first on McAfee Blog.
About $22 trillion of global debt rated by Moody's Investors Service has "high," or "very high" cyber-risk exposure, with electric, gas and water utilities, as well as hospitals, among the sectors facing the highest risk of cyberattacks.β¦
Internet snoops have been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East.β¦
In Brief The BlackCat ransomware gang, also known as ALPHV, has allegedly broken into IT firm NJVC, a provider of services to civilian US government agencies and the Department of Defense.β¦
Once they've broken into an IT environment, most intruders need less than five hours to collect and steal sensitive data, according to a SANS Institute survey of more than 300 ethical hackers.Β β¦
Overview
If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.
We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.
Please reserve top level comments for those posting open positions.
Rules & Guidelines
You can see an example of acceptable posts by perusing past hiring threads.
Feedback
Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019.Β CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability β CVE-2022-41082 β which allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.
Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop βwebshells.β These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.
βWe detected webshells, mostly obfuscated, being dropped to Exchange servers,β GTSC wrote. βUsing the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.β
GTSCβs advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.
In March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to four zero-day vulnerabilities in Exchange Server.
Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last yearβs Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.
Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.
Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSCβs writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.
In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.
If your organization runs Exchange Server, please consider reviewing the Microsoft mitigations and the GTSC post-mortem on their investigations.
FreshRSS 