CyberSecurity Confabulation

Posted 22 hours ago by Troy Hunt

Presently sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.

Today was all about this whole idea of how we index and track data breaches. Not as HIBP, but rather as an industry; we simply don't have a canonical reference of breaches and their associated attributes. When they happened, how many people were impacted, any press on the incident, the official disclosure messaging and so on and so forth. As someone in the video today said, "what about the Airtel data breach?" Yeah, whatever happened to that?! A quick Google reminds me that this was a few months ago, but did they ever acknowledge it? Send disclosure notices? Did the data go public? I began talking about all this after someone mentioned a breach during the week and for the life of me, I had no idea whether I'd heard about it before, looked into it, or even seen the data. Surely, with so many incidents floating around that have so much impact, we should have a way of cataloguing it all? Have a listen to this week's video and see what you think.

References

Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
I've previously given thought to how much easy access to data I give governments (but I do agree that redistributing data breaches to them raises a whole world of issues and is not a good idea)
HIBP does has a list of the 809 data breaches I've already loaded into the system (but this is merely a subset; what about all the stuff that isn't in there because the data hasn't surfaced or there's no email addresses?)

Upcoming Speaking Engagements

Posted 2 days ago by Bruce Schneier

This is a current list of where and when I am scheduled to speak:

I’m speaking at eCrime 2024 in Boston, Massachusetts, USA. The event runs from September 24 through 26, 2024, and my keynote is at 8:45 AM ET on the 24th.
I’m briefly speaking at the EPIC Champion of Freedom Awards in Washington, DC on September 25, 2024.
I’m speaking at SOSS Fusion 2024 in Atlanta, Georgia, USA. The event will be held on October 22 and 23, 2024, and my talk is at 9:15 AM ET on October 22, 2024.

The list is maintained on this page.

How an Asset Inventory Improves The Five Essential Steps of a Risk Management Program

Posted 2 days ago by Jane Devry

It’s the same story we’ve heard a thousand times: In today’s digital landscape, risk is constantly rising. Cyber threats are becoming more sophisticated, and the cost of data breaches is escalating. According to the IBM Security Cost of a Data Breach Report 2024, the average cost of a data breach has reached USD 4.88 million. As such, effective risk management is no longer a luxury—it’s a necessity. A robust risk management program helps organizations proactively identify, assess, and control threats and vulnerabilities that could negatively impact their operations. A critical component of any successful risk management program is a modern asset inventory.

An asset inventory provides a clear, detailed view of all assets within an organization’s IT environment, enabling better risk identification and control. This article explores how an asset inventory is essential to the five steps of an effective risk management process.

Step 1: Identify risks comprehensively by leveraging asset discovery

The first step in managing risk is risk identification, which involves understanding:

potential threats and threat actors
the vulnerabilities that they exploit and that exist in your network

It is a fundamental truth that you can’t protect what you don’t know you have. Likewise, you can’t find vulnerabilities in systems that you don’t know you have. This is where asset discovery comes into play and why it is so important. Asset discovery is a key capability of an asset inventory solution. It automatically identifies and catalogs all assets within an organization’s IT environment.

Consolidating information from existing asset management systems is not asset discovery. While consolidating data into one dashboard can help give you a unified view of your data, it only shows you the part of your infrastructure that you already know exists. Likewise, using expensive consultants to evaluate your network or survey your staff for data to populate an asset inventory is not a substitute for a sophisticated asset discovery tool.

An effective asset inventory solution uses specialized asset discovery tools to locate and document assets, especially those that are not part of an existing inventory, such as unauthorized devices, shadow IT resources, or assets that aren’t actively managed or documented. By ensuring all assets are accounted for, an organization can effectively identify the risks associated with these assets, forming a solid foundation for your risk management program.

Step 2: More accurately assess risk by understanding impact on your business

Once existing risks have been identified, the next step is to assess the level of risk for each. This involves evaluating the likelihood that a threat will exploit a given vulnerability and the impact on your network and associated consequences for the business if you are hit by one of those threats. An asset inventory plays a crucial role in this process by understanding which business functions specific assets enable and how they are interconnected with and interdependent on other critical assets.

Business functions, the core activities that keep your organization running smoothly and generating revenue, should be the focus. Understanding the dependencies between assets and critical functions allows for a more accurate risk assessment. For example, instead of categorizing assets into generic IT groupings like “Windows servers,” it’s more effective to align asset management with specific business functions like “logistics and shipping.” This allows you to accurately understand the impact on the business if, for example, a server went down due to an attack or other disruption.

An asset inventory also enhances third-party risk management. Many organizations rely on third-party vendors and services, which introduce external dependencies and potential risks. A complete asset inventory helps you see and understand these connections, allowing you to make more informed risk management decisions.

Step 3: Prioritize risk based on business function criticality and asset resilience

Effective risk management requires a strategic approach to prioritizing risks. An asset inventory facilitates this by enabling organizations to prioritize risks based on an asset’s resilience and criticality. Resilience considers factors such as how difficult an asset is to access (isolation), how easy it is to compromise (hardness), and how well the network would function if the asset goes down (redundancy).

Criticality assesses an asset’s importance to the organization’s critical functions. Critical business functions are the core business activities that, if they stopped working, your business would cease to operate, and potentially cease to exist if they were down long enough. Identifying and protecting critical business functions is essential for risk management.

Assets with high criticality and low resilience scores should be prioritized when planning risk mitigation. By aligning risk response measures with business priorities, organizations can maximize their cybersecurity budgets and minimize potential risks, ensuring that resources are invested where they have the most impact.

Step 4: Mitigate risks using asset inventory insights

Risk mitigation is about taking action to reduce the impact of identified risks. An asset inventory enables organizations to allocate mitigation resources effectively by focusing their efforts on assets that pose the highest risk.

Technical mitigation measures might include implementing a zero-trust architecture, robust firewalls, intrusion detection systems, and encryption protocols to protect critical assets and prevent unauthorized access. Regular security updates and patches should also be applied to safeguard systems against known vulnerabilities.

Non-technical mitigation measures focus on the people and processes within the organization. This includes training employees on cybersecurity best practices, developing incident response plans, and conducting regular security audits and assessments to identify any gaps or weaknesses in the security infrastructure.

Step 5: Ongoing monitoring, reviewing, and updating

Organizations’ IT environments are not static; they evolve as new capabilities are added and old ones are retired. This organic growth can introduce new risks or change the risk landscape. A constantly updated asset inventory is essential to keep risk response and controls current in a continually shifting environment.

Redjack has found that an organization’s infrastructure changes by an average of 5-15% a month. This underscores the necessity for an automated system to maintain your awareness of your infrastructure. An automated asset inventory ensures that newly discovered devices are added and outdated or decommissioned assets are removed, preventing gaps or inaccuracies in the inventory. This ensures that your risk management program is based on the current state of your IT landscape, reducing the risk of relying on outdated or incomplete asset information.

Summary: The importance of an asset inventory to risk management

A comprehensive asset inventory is more than just a list of hardware and software—it’s a powerful tool for enhancing your risk management program. By enabling effective risk identification, assessment, prioritization, mitigation, and monitoring, an asset inventory helps organizations stay ahead of threats and vulnerabilities, ensuring they can protect their most critical assets and maintain business continuity. In an era where risk is constantly on the rise, leveraging a complete asset inventory is essential for any organization committed to safeguarding its operations and reputation.

The post How an Asset Inventory Improves The Five Essential Steps of a Risk Management Program appeared first on Cybersecurity Insiders.

The Role of Governance, Risk, and Compliance in Modern Cybersecurity Programs

Posted 2 days ago by Jane Devry

A Comprehensive Guide

As with many other fields in technology, cybersecurity is in a constant state of evolution. One often overlooked area is the field of GRC. Governance, Risk, and Compliance (GRC) is a protective structure that aligns IT with an organization’s goals while managing and mitigating risks to the organization.

When GRC is combined with a plan and a good strategy, improvements can usually be observed in decision-making, IT investments, and department fragmentation. Building a comprehensive program will also ensure the organization complies with constantly evolving regulations, reducing the likelihood of cyber threats and regulatory penalties.

Let’s explore how modern Cybersecurity programs are affected by GRC. I’ll also offer practical implementation steps and insights into how your organization can stay protected.

I want to break down what forms the foundation of any robust cybersecurity program: Governance, Risk, and Compliance.

A person holding a stick to a scale

Description automatically generated

Governance: Governance is a set of policies, procedures, and rules or frameworks an organization uses to achieve its business goals. A security professional’s mission is to implement strategies to secure information and systems while keeping the business goals in mind. Some of the results of good governance include openness in communication, effective dispute management, strategic resource allocation, and, most importantly, integrity and responsibility.
Risk Management: An organization can face various risks, including financial, legal, and security risks. Risk management means identifying, assessing, and mitigating them. Some benefits of implementing a sound risk management plan include anticipating internal and external threats and implementing measures to mitigate them before they can cause any harm.
Compliance: Ensure that laws, rules, and regulations are followed. An organization must have compliance to avoid penalties or legal consequences.

The Importance of a GRC Program in Strengthening Cybersecurity

Now that we have explored the definitions of Governance, Risk, and Compliance, let’s examine their advantages.

GRC is crucial in cybersecurity, helping organizations reduce risk and prevent data breaches. Different industries have varying compliance needs, often requiring multiple frameworks to meet business demands. GRC ensures proper security controls, audits, and standards for third-party sharing.

To mention some of the benefits precisely, we can say that a well-implemented GRC program can provide the following:

Business Continuity: A clear incident response plan supports swift recovery from attacks, minimizing downtime and data loss, while GRC identifies critical assets for prioritized recovery, ensuring resilience.
Reduced Cyberattacks: Proactive management, including patching vulnerabilities and training employees, lowers the risk of successful attacks, with regular updates further reducing threats.
Enhanced Decision-Making: GRC provides organizations with comprehensive data insights and analytics, enabling informed decision-making on risk management and security strategies ensuring consistency with organizational objectives and compliance standards.
More robust Security and Risk Visibility: A structured risk management approach enhances protection and provides greater visibility into potential threats. This enables organizations to identify, assess, and mitigate risks more effectively, ensuring continuous improvement in security measures.

In 2020, cyber experts worldwide read the news about the SolarWinds cyberattack. SolarWinds, a major IT management company, suffered a significant data breach when attackers infiltrated its supply chain, compromising its Orion software.

This breach occurred partly due to a lack of a well-implemented and maintained GRC program that could have helped identify vulnerabilities in their supply chain and third-party relationships.

GRC is not just about meeting regulatory requirements; it’s about taking proactive measures to build a resilient, adaptable privacy and security program.

Steps to Implementing an Effective GRC Program

Implementing a sound GRC program involves several key steps.

Step 1—Establish a GRC Framework: Some of the most popular frameworks are ISO 27001, NIST, and COBIT; it will all depend on your organization’s needs. These frameworks provide structured guidelines for governance, risk management, and compliance.

Step 2—Identify Key Risks: A risk assessment is critical to a valid risk management process. By completing one, you will identify vulnerabilities and threats within your organization. This could involve reviewing your network architecture, assessing your software vulnerabilities, and considering human error risks.

Step 3—Build a Compliance Roadmap: Map out all applicable regulations, such as GDPR, CCPA, FedRAMP, and HIPAA, that your organization must follow. Establish a roadmap highlighting key actions, such as enforcing data security measures, conducting periodic audits, and educating your workforce on compliance protocols.

Step 4—Leverage GRC Tools: Automating risk management and compliance is possible with GRC solutions like Archer, LogicGate, LogicManger, and MetricStream. They enable you to centralize data, monitor compliance efforts, and streamline risk assessments for improved GRC management.

Step 5—Ongoing Monitoring and Enhancement: GRC is not a one-off initiative. Once your system is established, you must consistently monitor risk, update compliance protocols, and adapt governance approaches. Regular audits and assessments will help ensure your GRC program remains effective in the face of changing risks.

By adopting these steps, you can help your organization build a customized GRC program that suits your unique needs and covers critical areas of concern.

A person climbing up the stairs to a light bulb

Description automatically generated

Significant Challenges in Rolling Out a GRC Program

Deploying a GRC program can be challenging. Here are some of the most frequent obstacles and how to tackle them:

Challenge 1—Leadership Buy-in: Implementing GRC can be challenging, especially getting management’s support. To overcome this, emphasize the measurable benefits, such as lowering the risk of breaches, avoiding regulatory penalties, and improving business reputation.

Challenge 2—Integrating with Existing Systems: Organizations often face difficulties integrating GRC tools with their privacy and security systems. To overcome this, select tools compatible with your tech stack and assure strong communication between all groups, especially privacy and compliance.

Challenge 3—Compliance Fatigue: It is common for teams to become overwhelmed by the amount of work involved in implementing a program such as GRC. Prevent burnout by automating repetitive processes and providing ongoing training to keep teams engaged with GRC initiatives.

Proactively addressing these challenges will lead to a smoother GRC implementation and long-term success.

Any modern cybersecurity program should have Governance, Risk, and Compliance (GRC), which is crucial for ensuring long-term privacy and security stability. If your organization still needs to adopt a GRC strategy, now is the time to act.

The post The Role of Governance, Risk, and Compliance in Modern Cybersecurity Programs appeared first on Cybersecurity Insiders.

Organizations Can’t Afford to Ignore the Security Risks of Proximity Technology

Posted 2 days ago by Jane Devry

Despite the vulnerabilities of proximity technology, many organizations have yet to take steps to transition to more secure credentialing systems. As a result, businesses across industries may unknowingly be putting themselves at heightened risk of costly data breaches and cyber attacks.

Credential technology like proximity cards and readers are widely used for granting access to buildings or facilities. However, the use of proximity cards extends to other critical areas, such as business applications and employee workstations, leaving sensitive information susceptible to interception by unauthorized users.

While navigating the transition from legacy technology can seem daunting, no business can afford the risks posed by leaving critical gaps in their cybersecurity posture unaddressed.

A measured approach to upgrading unencrypted or vulnerable credential technology enables businesses to effectively mitigate instances of unauthorized access while establishing robust credentialing systems for continued protection and efficiency going forward.

The risks of proximity technology

Hackers are constantly evolving tactics to access sensitive data. But over the past 10 years, stolen credentials have remained a factor in nearly a third (31%) of all data breaches.

So, why do hackers continue to rely on this attack strategy?

One reason is that proximity (125 kHz) cards are particularly susceptible to tampering due to their low frequency and lack of encryption. As a result, bad actors can easily clone a card and gain access to secure areas, systems and information.

Instead, it’s best to opt for secure credentials that operate on near-field communication (NFC) technology, such as contactless smart cards and mobile credentials to prevent issues related to tampering. These solutions use advanced encryption technology to protect credentialing data both at rest and in transmission, rendering it unusable to any hackers attempting to reproduce cards and gain unauthorized access.

In some cases, organizations express concern about the cost and operational disruption associated with upgrading their credentialing infrastructure. But consider the alternative: The average cost of a data breach in 2024 surged to $4.88 million, up from an already staggering $4.45 million in 2023.

The potential repercussions — both financial and reputational — of a major breach are far too significant to ignore. And with the right plan in place, initiatives to upgrade to more secure credentials can be tailored to your business’s needs, both now and in the future.

3 strategies for facilitating a seamless upgrade to secure credentials

Cost, disruption and complexity of implementation are legitimate concerns. However, there are several steps you can take to navigate these issues and ensure a smooth transition.

1.Conduct a thorough risk assessment. Before starting any upgrades, review your systems to pinpoint the most critical vulnerabilities.

If you are leveraging proximity technology for multiple functions — like single sign-on, secure printing, and time and attendance — begin with the area that poses the biggest threat in the event of a breach.

In this scenario, single sign-on would likely take priority due to the potential for data theft or compliance violations if unauthorized individuals gain access to networks, business applications, or sensitive information.

By identifying use cases that require more immediate attention, you can address pressing risks first, while still taking a step-by-step approach to implement robust controls across your organization.

2.Consider ease of integration and user experience. As with any organizational decision, it’s important to consider how changes will affect your existing systems and the employee experience.

For instance, certain systems may enable the addition of mobile credentials with minimal friction, making this an ideal addition to your existing security ecosystem. Another factor to assess is the level of support you can expect to receive, both at the vendor level and the manufacturer level. Expert guidance is especially critical if your implementation spans multiple facilities and use cases.

Additionally, consider piloting the use of new authentication methods with a smaller focus group prior to a broader rollout. As employees provide feedback, you’ll have the opportunity to troubleshoot on a smaller scale to prepare for smoother integration for your entire organization.

3.Look for opportunities to future-proof your systems. Going forward, mobile credentials will become increasingly common, both for their security capabilities and enhanced convenience.

While a physical badge can easily be left behind at home, most employees carry their phones with them at all times. And with the rise of features like digital wallets, people are more accustomed than ever to seamless transactions directly from personal devices.

Digital employee badges stored in a smartphone’s digital wallets can be used to access endpoints across your organization, from doors to printers and shared workstations.

Additionally, mobile credentials are not subject to the same level of wear and tear as physical credentials, reducing the need for IT departments to reprovision a card whenever a badge is lost. It also simplifies new employee onboarding because mobile credentials allow IT teams to grant (and retract) permissions remotely.

Beyond security, shifting to mobile credentials can help you keep pace with evolving technology and improve overall efficiencies. As you make the transition, selecting a reader that supports the most common secure physical and mobile credentials will streamline the process and ensure compatibility with both current and future credential types.

Whether you work in healthcare, banking, manufacturing, education or another industry, the need for robust security is universal. With highly secure mobile credential and smart card options available, proximity technology is long overdue for retirement.

Enhancing your credentialing and reader system now will ensure your organization can effectively safeguard its sensitive information and avoid unnecessary damages as cyberthreats continue to evolve.

The post Organizations Can’t Afford to Ignore the Security Risks of Proximity Technology appeared first on Cybersecurity Insiders.

Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability

Posted 2 days ago by The Hacker News

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild. The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances. "An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows

Friday Squid Blogging: Squid as a Legislative Negotiating Tactic

Posted 2 days ago by Bruce Schneier

This is an odd story of serving squid during legislative negotiations in the Philippines.

Metasploit Weekly Wrap-Up 09/13/2024

Posted 2 days ago by Spencer McIntyre

SPIP Modules

This week brings more modules targeting the SPIP publishing platform. SPIP has gained some attention from Metasploit community contributors recently and has inspired some PHP payload and encoder improvements.

New module content (2)

SPIP BigUp Plugin Unauthenticated RCE

Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec
Type: Exploit
Pull request: #19444 contributed by Chocapikk
Path: multi/http/spip_bigup_unauth_rce
AttackerKB reference: CVE-2024-8517

Description: This adds an exploit module for CVE-2024-8517, an unauthenticated RCE able to execute arbitrary PHP code.

SPIP connect Parameter PHP Injection

Authors: Arnaud Pachot, Davy Douhine, Frederic Cikala, and Valentin Lobstein
Type: Exploit
Pull request: #19432 contributed by Chocapikk
Path: multi/http/spip_connect_exec
CVE reference: BID-54292

Description: Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin.

Enhancements and features (3)

#19330 from heyder - The start_service method in the http_server.rb library now allows users to specify their SSL preferences directly through the opts parameter. If the ssl option is not provided in opts, it will default to the value in datastore["SSL"].
#19352 from zgoldman-r7 - Adjusts the metadata for the ldap login scanner, adding defaults and adjusting the service and protocol values.
#19432 from Chocapikk - Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin.

Bugs fixed (1)

#19439 from bcoles - This explicitly defines x86 and x64 as supported architectures for the bypassuac_comhijack module. Prior to this change there were no defined architectures and if you tried to use an x64 based payload the module would fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

NEVER MISS AN EMERGING THREAT

Be the first to learn about the latest vulnerabilities and cybersecurity news.

My TedXBillings Talk

Posted 2 days ago by Bruce Schneier

Over the summer, I gave a talk about AI and democracy at TedXBillings. The recording is live.

Please share. I’m hoping for more than 200 views….

Ransomware attacks are driving up costs to millions of dollars for schools and educational institutions

Posted 3 days ago by Naveen Goud

As the new academic year unfolds, educational institutions are facing an increasingly alarming threat: ransomware attacks. According to a recent report by Sophos, the rising prevalence of these cyber-attacks is placing significant strain on the IT infrastructure of universities, colleges, and schools, regardless of their size or scope. The report underscores that institutions are grappling with escalating IT costs as they struggle to manage the repercussions of these attacks, which include implementing preventive measures, recruiting skilled personnel to mitigate risks, and recovering from the aftermath.

The “State of Ransomware in Education 2024” report reveals that over 44% of schools across 14 states have been confronted with ransom demands amounting to $5 million or more. Furthermore, approximately 35% of these institutions were required to pay sums exceeding $5 million to regain access to their encrypted data. Although the report does not specify how many institutions ultimately complied with these demands, it does highlight that the largest ransom paid by an educational entity reached a staggering $6.6 million.

On a slightly positive note, the frequency of ransomware attacks in 2024 appears to be lower compared to the previous year, despite the fact that the current year still has four months remaining. However, the report also highlights a concerning trend: the time required for data recovery has increased. Attackers are not only targeting educational institutions’ networks but are also disrupting their backup systems, which significantly hampers efforts to maintain business continuity.

Sophos security experts attribute the surge in ransomware attacks to the vulnerabilities within educational networks and the susceptibility of staff to phishing schemes. These attacks often exploit compromised credentials, leading to broader network breaches and data theft. The report also warns that advanced, AI-driven ransomware attacks could pose even greater risks if institutions fail to allocate sufficient resources towards cybersecurity measures, including hiring specialized talent and investing in robust hardware and software.

In summary, the rising threat of ransomware in education underscores the urgent need for institutions to bolster their cybersecurity defenses, adopt proactive measures, and invest adequately in technology and expertise to safeguard their data and operations.

The post Ransomware attacks are driving up costs to millions of dollars for schools and educational institutions appeared first on Cybersecurity Insiders.