Employee training is a top priority for improving security, according to 35% of CISOs polled by the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Infrastructure upgrades and network defence were also named as top priorities by 25% of respondents, followed by breach prevention (17%).
Infrastructure upgrades, network defence and breach prevention are prioritised mostly by CISOs reporting into a technical function like chief information officer (CIO), according to the first FS-ISAC CISO cyber security trends report.
Employee training is a priority mainly for CISOs reporting into a non-technical function like the chief operations officer (COO) or the General Counsel.
The report, which is aimed at helping leaders and businesses understand cyber security trends across the globe, said while cyber security used to be handled in the server room, it is now a board room topic.
The survey found that quarterly reports to the board of directors were most common (53%), with some CISOs (8%) reporting more than four times a year or even on a monthly basis.
In an era of increasing security threats and vulnerabilities, the report said CISOs know that keeping top leadership and boards regularly updated on these risks and on effective defences is a priority.
As security has increasingly become a concern for financial institutions, the role of the CISO has been thrust into the organisational spotlight, the report said.
However, the study found that two-thirds of CISOs do not report to the CEO, and that the top cyber chain of command is more likely to be the CIO, followed by the chief risk officer (CRO) and then the COO. Only 8% said they report to the CEO.
FS-ISAC recommends that employee training be prioritised by all CISOs, regardless of reporting structure, because employees serve as the first line of defence.
Employee training should include awareness of the risks of downloading and executing unknown applications on company assets, in accordance with corporate policies and relevant regulations, and training on how to report suspicious emails and attachments, the report said.
FS-ISAC also encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an “at the ready” risk posture and that cyber practices are clear to board members.
As the threat landscape shifts, FS-ISAC recommends that CISOs have expanded reporting responsibilities or dual-reporting responsibilities in the corporate structure to ensure critical information flows freely.
Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision making, the report said.
Patching and security training programs will thwart attacks more effectively than anything else. You’re already doing them. Here’s how to do them better.
An average of 5,000 to 7,000 new computer security threats are announced each year. That’s as many as 19 every day. The rate at which new threats appear makes it difficult to decide which ones require your attention. It might surprise you that, while your competitors waste money on high-tech, expensive, and sometimes exotic defenses, you can get far more value by concentrating on just two things you already do. You can spend less money, and nothing else you do will provide a better defense.
The two things you need to do better are not a secret. You already know you need to do them. You know from your own experience that what I’m saying is true. The data in favor of doing them is overwhelming. Still, most companies don’t do them well enough.
Change your security focus
Most computer security defenders focus on the wrong things. They focus on specific threats and on what attackers did after they broke in, not on how they broke in. There may be hundreds of thousands of unique software vulnerabilities and hundreds of millions of unique malware families, but they all share about a dozen ways of initially exploiting an environment, including:
- Unpatched software
- Social engineering
- Password attacks
- Physical attacks
- User errors
- Denial of service
Focusing on these root exploitation causes and reducing them will go a long way toward defeating hackers and malware.
If you want to minimize computer security risk the fastest, identify the biggest root exploitation causes in your company that allow threats to do the most damage to your environment. Stop the biggest root cause and you stop every threat that uses that root cause.
So, what are the biggest root exploitation causes in most environments? Unpatched software and social engineering.
Without a doubt, these two root causes are responsible for the most successful and damaging attacks in most companies and have been for decades. One of these two root exploitation methods has likely been behind every big attack that has made news in the mainstream media. In my experience, when a company of any size, or even the military, suffers a big attack, it can be traced to one of those two root causes.
Your company’s experience may vary, and if it does, you can ignore this article. The biggest problems for the majority of readers are unpatched software and social engineering. If they fix those two things, it will do more to decrease security risk than all the other things they could do combined.
Oh boy. Uber is known for pushing the limits of the law and has dozens of lawsuits pending against it, but this one went too far and now comes the reckoning.
Bloomberg was first to report that hackers stole the personal data of 57 million customers and drivers from Uber, a massive breach that the company concealed for more than a year. Finally, this week, they fired their chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers to “delete the data”. Yeah, sure!
Victim Of A Simple Credentials Phishing Attack?
Here’s how the press describes the hack: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company.
From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company. If you read between the lines, that could very well be a simple credentials spear phishing scheme, done with some crafty social engineering, or perhaps careless developers leaving internal login passwords lying around online:
KnowBe4 Releases Email Exposure Check Pro to Help Organizations Identify At-Risk Users
KnowBe4, provider of the most popular security awareness training and simulated-phishing platform, today announced the release of the new version of its Email Exposure Check (EEC). The new version is called the EEC Pro, has powerful additional features and is still provided at no cost.
While employees give out their corporate email for various reasons, IT is hard-pressed to keep track and manage the risk. EEC Pro helps IT by identifying an organization’s at-risk users by crawling social media information and scouring hundreds of breach databases to identify risk associated with user emails and identities. The more at-risk email addresses a company has, the bigger its attack surface, and the higher its risk. EEC Pro only requires filling out a form, and works in two stages. The first stage performs deep web searches to find publicly available organization data provided on sites such as LinkedIn and Facebook. This allows the EEC Pro to show what organizational structure an attacker would be able to easily pull together and use to craft targeted attacks.
The second stage of EEC Pro utilizes the Have I Been Pwned data breach service to find users that have had their account information released in any of several hundred breaches. These users are particularly at-risk because an attacker knows more about them, potentially including their actual passwords. As the final step, EEC Pro provides a detailed summary report to the IT team, including an overview of the data found, a summary of organizational risk levels, and a link to a web report that contains a full list of all users found, the breaches the users were found in, and an overview of the data included in the breach. This allows IT managers to ensure exposed emails or exposed passwords are modified.
“Since 91% of data breaches start with a successful phishing attack, an organization must act reasonably or do what is necessary or appropriate to protect its data and take steps to identify weaknesses that expose their employees,” said Stu Sjouwerman, Founder and CEO of KnowBe4. “Employees are the last line of defense within an organization. We want to make it as easy as possible for IT professionals to reduce their attack surface and strengthen their weakest links. You need to create a ‘Human Firewall.’”
For more information on KnowBe4 or the Email Exposure Check Pro, contact us via email or give us a call.
From SC Magazine – August 17, 2017 – Doug Olenick
A new ransomware called SyncCrypt uses an unusual method of downloading its malicious files that makes it very hard for an antivirus program to detect.
SyncCrypt was detected by Emsisoft researcher xXToffeeXx, reported Bleeping Computer, and is spread via spam emails carrying a .wsf (Windows Script File) attachment. What is unusual about this, beyond the use of a .wsf file, which is itself rare, said Bleeping Computer founder Lawrence Abrams, is that the .wsf downloads an image with an embedded .zip file containing the ransomware.
“This method has also made the images undetectable by almost all antivirus vendors on VirusTotal,” Abrams said.
Whether or not the image is opened, the .zip file is downloaded and its contents, a sync.exe, readme.html and readme.png, are extracted, Abrams said. The good news is that while the image file tends to pass through most antivirus scanners, the files contained inside the .zip are more susceptible to detection, although Bleeping Computer found that VirusTotal still detected them less than 50 percent of the time.
If the ransomware runs successfully, the victim’s files are encrypted and given a .kk extension, and the ransom note then appears, giving the victim 48 hours to pay about 0.1 bitcoin.
At this time there is no way to decrypt the files and the best defense is to ensure all files are properly backed up.
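The image-with-embedded-.zip delivery described above can be caught at a mail gateway or in a sandbox without relying on antivirus signatures: an image file that carries a ZIP local-file header after its own bytes is a polyglot, and its archive members can be listed and flagged. The script below is an added example, not code from the article, Bleeping Computer or Emsisoft; the stub PNG, the member names and the SUSPICIOUS_EXTENSIONS list are constructed assumptions for the demonstration.

```python
import io
import zipfile

# ZIP local-file-header signature. An archive glued behind an image
# leaves this marker somewhere after the image's own bytes.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Member types that have no business inside a mail-delivered "image"
# (assumed list for this example; tune it to your environment).
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".scr", ".wsf", ".js", ".vbs")


def find_embedded_zip(data: bytes) -> int:
    """Offset of a ZIP local-file header inside a non-ZIP file, or -1."""
    if data.startswith(ZIP_LOCAL_HEADER):
        return -1  # a plain archive, not an image polyglot
    return data.find(ZIP_LOCAL_HEADER)


def list_embedded_files(data: bytes) -> list:
    """Names of archive members hidden inside the image, or [] if none."""
    offset = find_embedded_zip(data)
    if offset < 0:
        return []
    try:
        # Slicing at the header offset yields a plain ZIP that zipfile can open.
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []  # stray "PK" bytes, not a real archive


def triage(data: bytes) -> dict:
    """Summary a gateway or sandbox would report for one image file."""
    names = list_embedded_files(data)
    flagged = [n for n in names if n.lower().endswith(SUSPICIOUS_EXTENSIONS)]
    return {"embedded_zip": bool(names), "members": names, "flagged": flagged}


def build_sample_image() -> bytes:
    """Constructed fixture: a stub PNG followed by a ZIP whose member names
    mirror the SyncCrypt payload in the article (placeholder bytes, not malware)."""
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"IEND\xaeB`\x82"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sync.exe", b"placeholder, not an executable")
        zf.writestr("readme.html", b"<html>constructed ransom note stub</html>")
        zf.writestr("readme.png", b"constructed image stub")
    return png_stub + buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_image()))
```

Run against a clean image the triage reports no embedded archive; against the constructed sample it lists the three members and flags sync.exe.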