On June 22nd, 2023, the National Cyber Security Centre (NCSC), the UK's cybersecurity agency, released a Cyber Threat Report for the country's legal sector. Developed to update a previous iteration from 2018, the report reflects a dramatic change in the cybersecurity threat landscape, offering advice that considers the security issues inherent in remote working, new data revealing the UK legal sector's vulnerability to cybercrime, and the increasing prevalence of attacks on smaller organizations. Many experts have hailed the NCSC's report as the most important of the year - for good...
In years gone by, there was a stigma attached to hiding one's browsing history. Wiping browsing history was seen as suspicious; it suggested that someone had something to hide. It was – and still is – the butt of many jokes. However, individuals might want to hide their browsing history for many reasons. They range from the relatively trivial – like concealing a surprise gift – to the essential – like protecting personal data. A person's browsing history can reveal much about them, including their interests, preferences, and sensitive information. Whether you're looking to safeguard your data...
The Network and Information Security 2 (NIS2) Directive is the European Union's (EU) second attempt at an all-encompassing cybersecurity directive. The EU introduced the legislation to update the much-misinterpreted Network and Information Security (NIS) Directive (2016) and improve the cybersecurity of all member states. It signed NIS2 into law in January 2023, expecting all relevant organizations to comply by October 18th, 2024. This article will explore NIS2's goals, why the EU introduced it, whom it applies to, its essential elements, and the penalties for non-compliance. Why was NIS2...
In cybersecurity, knowledge is everything. From APT intelligence to zero-day vulnerabilities, relevant and timely information can be the difference between a thwarted attack and a total disaster. With Business Email Compromise (BEC) attacks at their zenith, there has never been a better time for a comprehensive BEC report. As such, Fortra has released its 2023 BEC Trends, Targets, and Changes in Techniques Report. So, without further ado, let's dive into the report's key findings and what we should learn from them. BEC attacks are more common than ever In 2023, the volume of nefarious emails...
The General Data Protection Regulation (GDPR) is a set of privacy and security standards put into effect by the European Union (EU). Widely accepted as the world's strictest security and privacy law, GDPR imposes regulations on organizations that target or collect data relating to people in the EU. European Parliament signed GDPR into law in 2016, requiring all organizations to comply by May 2018. The EU introduced GDPR to replace the monstrously antiquated Data Protection Directive 1995 and "harmonize" data privacy rules across Europe, providing greater protection and rights to individuals...
Technology has supercharged marketing. The vast data at marketers' disposal provides unparalleled insight into what customers want, why they want it, and how they use products and services. Behavioral analytics benefits businesses and consumers; it allows companies to drive sales and increase conversion rates while providing customers services tailored to their wants and needs. Behavioral analytics is also an invaluable cybersecurity resource; artificial intelligence (AI) and machine learning (ML) tools analyze data to allow security teams to identify suspicious behavior patterns that could...
The FFIEC Cybersecurity Assessment Tool (CAT) is a diagnostic test designed to help institutions identify risks and gauge cybersecurity preparedness. The tool is primarily for financial and non-depository institutions, enabling organizations to make risk-driven security decisions informed by regular cybersecurity assessments and standardized risk measurement criteria. While it is voluntary, financial institutions have expressed concern that failing to use it could result in falling short of compliance standards. In this article, we will explore what the FFIEC CAT is, as well as how and why you...
The Gramm-Leach-Bliley Act (GLBA or GLB Act), also known as the Financial Services Modernization Act, is a bipartisan federal law passed in 1999 to modernize the financial industry. It repealed key parts of the Glass-Steagall Act of 1933 and amended the Bank Holding Company Act of 1956, allowing commercial banks to offer financial services such as investments and insurance. It also governs how financial institutions handle their customers' private information. The Act's privacy provisions have three principal components: The Financial Privacy Rule – Regulates the collection and disclosure of private financial information. The Safeguards Rule – Requires...

The Guru was lucky enough to sit down with Stuart Avery, Business Development Specialist at e2e-assure, at the inaugural International Cyber Expo to discuss key trends, how and why everyone should get involved in cyber, and the industry’s image problem. 

According to Avery, cybersecurity has undergone a change over the past few years. The rise of zero trust and identity management has forced cyber-pros to secure the user, not the network. 

“It used to be that we took a cybersecurity solution and smashed it into a legacy network, but that’s not how it’s done now. Remote working and ‘bring your own device’ (BYOD) policies mean that cyber isn’t about securing the network anymore, it’s about securing the individual.”

Avery believes that the new, individual-focused cybersecurity landscape isn’t just about security, but about choice and user experience as well.

“Obviously securing the individual comes first, but it’s important that it is done in a way that gives individuals choice as to how they interact with applications. It’s also imperative that we allow for BYOD without slowing things down with a huge amount of governance.”

Sticking with the subject of the individual, Avery is convinced that, now more than ever, everyone has a part to play in cybersecurity. In light of an individual-centric security landscape and the UK government’s new, “holistic” approach to cyber, the role of the individual has never been more crucial.

“The reality is, everyone is responsible for cybersecurity. People have attempted to hack me before, and while they didn’t succeed, because it was so sophisticated I couldn’t help but think – what if they tried that on my Mum? Or my Grandma? I don’t think enough is being done to ensure people know what to look out for, how to identify social engineering attacks or phishing scams.”

Avery believes that the government should place an emphasis on cultural adoption when it comes to raising cybersecurity awareness. This isn’t only important for the individual, but for businesses as well.

“I talk to organisations all the time about how important cultural adoption is. Everyone, from the top down, needs to be aware of the role they play in securing themselves, their company, and the country.”

So how do we achieve cultural adoption? According to Avery, the government’s COVID-19 information campaign could serve as a blueprint for raising cybersecurity awareness.

“While I don’t think cybersecurity awareness campaigns need to be as overt as the COVID-19 campaign, I do think we have a lot to learn from that period. Most importantly, recognising the emotional impacts of a crisis, be it COVID or cybersecurity. We hear a lot about the financial impacts of cybercrime, but I don’t think we recognise how distressing it can be, especially for the individual. Helplines would go a long way both for educating the public and supporting them should they fall victim to an attack.”

While Avery believes raising cybersecurity awareness is a worthwhile endeavour, he admits that it will always be an uphill battle. 

“The crux of the issue is that cybersecurity relies on people being suspicious, and that’s just not in our nature. We’re hardwired to trust one another. Getting people to distrust everything that comes into their inbox is going to be difficult, especially if they’re busy.”

It’s not only the individual who has a part to play, however. For Avery, vendors should be working to make cybersecurity more attainable. e2e-assure, a SOC-as-a-service provider and Avery’s employer, does that by tailoring its solutions to the customer’s needs. Avery explains:

“Our mission is making cybersecurity affordable. It used to be that cybersecurity was only for the big guys, but that’s not true anymore. We like to think we’re at the forefront of the movement bringing cyber to SMEs. So many vendors only provide holistic protection, which is great for bigger companies, but simply isn’t affordable or even necessary for smaller businesses. We allow organisations to cherry-pick the protections they need to save them from paying for the ones they don’t.”

For Avery, affordability isn’t the only problem plaguing the industry. For the industry to be truly inclusive, he believes it needs a friendlier face. 

“There’s a misconception, amongst the public at least, that cybersecurity is still full of hackers in dark rooms, or arrogant tech-geeks reluctant to share their knowledge. In reality, the industry is full of good people with good intentions. I don’t think we celebrate all the good we do. We’re awful for only telling the bad stories; it’s no wonder people don’t listen to us. We keep banging on, telling people ‘You’re going to get hacked’, and they’re never going to respond to that. We need to let the public know that we’re aware of how hard it can be and help them along.”

All in all, Avery has a refreshing take on the state of cybersecurity. Amidst the seemingly endless predictions of catastrophe one is subjected to at a cyber trade show, it’s comforting to hear a brighter outlook. What’s more, Avery is no hypocrite, putting into practice his own mantra of friendliness and approachability. 


The post Finding the Sunshine in Cyber – In conversation with Stuart Avery appeared first on IT Security Guru.

More than 75 vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalogue.

Vulnerabilities in Cisco, Microsoft, Adobe, Oracle and Linux products are among those listed.

If an attacker were to exploit these vulnerabilities, they could take control of affected systems.

A considerable number of the vulnerabilities are older, with CVE identifiers dating from 2010 to 2019, but one more recent and notable entry is CVE-2022-20821, a Cisco IOS XR open port vulnerability.

“A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container,” Cisco wrote in the advisory.
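A batch of catalogue additions like this one is only useful once it is tallied and matched against what you actually run. The following Python is an added example, not code from IT Security Guru, CISA or Cisco: it parses a snapshot of the KEV JSON feed, groups a date range of additions by vendor and by CVE year (the tally the article gives by hand), and cross-references the entries against a (vendor, product) inventory, flagging any whose CISA due date has passed. The field names follow the public feed as an assumption; the four-entry snapshot is constructed sample data in which only CVE-2022-20821 is a real identifier, the other three being fictional placeholders.

```python
"""Triage a snapshot of CISA's Known Exploited Vulnerabilities (KEV) catalogue.

Added example; not code from IT Security Guru, CISA or Cisco. The record
fields (cveID, vendorProject, product, vulnerabilityName, dateAdded,
dueDate, requiredAction) follow the layout of the JSON feed CISA publishes
(known_exploited_vulnerabilities.json); the feed itself is not fetched here.
The snapshot below is constructed sample data: CVE-2022-20821 is the Cisco
IOS XR entry the article mentions, while the three identifiers ending in
999xx are fictional placeholders that exist only to exercise the grouping.
"""
import json
from collections import Counter
from datetime import date

SAMPLE_KEV_JSON = r'''
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.05.25",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-2022-20821", "vendorProject": "Cisco", "product": "IOS XR",
     "vulnerabilityName": "Cisco IOS XR Open Port Vulnerability",
     "dateAdded": "2022-05-25", "dueDate": "2022-06-15",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2010-99901", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Placeholder Windows Privilege Escalation",
     "dateAdded": "2022-05-24", "dueDate": "2022-06-14",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2019-99902", "vendorProject": "Oracle", "product": "WebLogic Server",
     "vulnerabilityName": "Placeholder WebLogic Deserialization",
     "dateAdded": "2022-05-23", "dueDate": "2022-06-13",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2016-99903", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "Placeholder Kernel Race Condition",
     "dateAdded": "2022-05-23", "dueDate": "2022-06-13",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
'''


def load_kev(text):
    """Parse a KEV JSON document and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def cve_year(cve_id):
    """Year encoded in a CVE identifier: CVE-2022-20821 -> 2022."""
    prefix, year, _sequence = cve_id.split("-", 2)
    if prefix != "CVE" or not year.isdigit():
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(year)


def added_between(entries, start_iso, end_iso):
    """Entries whose dateAdded lies within [start_iso, end_iso] (YYYY-MM-DD), inclusive."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def summarize(entries):
    """Count a batch per vendor and per CVE year; the article does this tally by hand."""
    return {
        "by_vendor": Counter(e["vendorProject"] for e in entries),
        "by_year": Counter(cve_year(e["cveID"]) for e in entries),
    }


def match_inventory(entries, inventory, today_iso):
    """Cross-reference KEV entries with the (vendor, product) pairs you actually run.

    Matching is case-insensitive. Each hit carries an `overdue` flag computed
    against CISA's dueDate, so the list can be pushed straight into a ticket queue.
    """
    today = date.fromisoformat(today_iso)
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for e in entries:
        if (e["vendorProject"].lower(), e["product"].lower()) in wanted:
            hits.append({
                "cveID": e["cveID"],
                "name": e["vulnerabilityName"],
                "dueDate": e["dueDate"],
                "overdue": date.fromisoformat(e["dueDate"]) < today,
                "action": e["requiredAction"],
            })
    return sorted(hits, key=lambda h: h["dueDate"])


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    batch = added_between(kev, "2022-05-23", "2022-05-25")
    print(summarize(batch))
    for hit in match_inventory(batch, {("Cisco", "IOS XR")}, "2022-07-01"):
        print(hit)
```

The same functions apply unchanged to the full feed, which has the same top-level `vulnerabilities` array. KEV due dates are binding only for US federal civilian agencies under Binding Operational Directive 22-01, but they make a reasonable patching SLA for anyone else, and the `overdue` flag is the simplest way to surface the entries that are already past it.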


The post CISA adds 75 vulnerabilities to catalogue in 3 days appeared first on IT Security Guru.