SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2022-08-06 10:46:21	CISO workshop slides (lien direct)	A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):	Malware Vulnerability Threat Patching Guideline Medical Cloud	Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam
	2022-05-26 14:13:08	Iterative scientific infosec (lien direct)	Here's a simple, generic way to manage virtually anything, particularly complex and dynamic things: Think of something to do Try itWatch what happensDiscover and learnIdentify potential improvementsGOTO 1It's a naive programmer's version of Deming's plan-do-check-act cycle - an iterative approach to continuous improvement that has proven very successful in various fields over several decades. Notice that it is rational, systematic and repeatable.Here's a similar grossly-simplified outline of the classical experimental method that has proven equally successful over several centuries of scientific endeavour:Consider available informationPropose a testable hypothesisTest it (design and run experiments)Watch what happensDiscover and learnGOTO 1Either way, I'm a committed fan. The iterative approach with incremental improvements, works well. I approve.Along the way, aside from pushing back the frontiers of science and technology and achieving remarkable advances for human society, we've also learned about the drawbacks and flaws in the processes, and we've developed assorted mechanisms to reduce the risks and increase our chances of success e.g.: Key to 'improving' or 'advancing' is to be able to recognise and ideally measure the improvement or advance - in most cases anyway. Improvements or advances that happen purely by chance ('discoveries') are welcome but rare treats. A big issue in quality assurance is the recognition that there are usually several competing and sometimes contradictory requirements/expectations, not least the definition of 'quality'. For certain customers, a rusty old heap of a car discovered in a barn is just as much the 'quality vehicle' as a Rolls Royce to its customers. Likewise, security improvements depend on one's persp	Patching
	2022-04-23 18:06:15	Topic-specific policy 11/11: secure development (lien direct)	The final topic-specific policy example from ISO/IEC 27002:2022 is another potential nightmare for the naïve and inexperienced policy author. Policy scoping Despite the context and presumed intent, the title of the standard's policy example ("secure development") doesn't explicitly refer to software or IT. Lots of things get developed - new products for instance, business relationships, people, corporate structures and so on. Yes, even security policies get developed! Most if not all developments involve information (requirements/objectives, specifications, plans, status/progress reports etc.) and hence information risks ... so the policy could cover those aspects, ballooning in scope from what was presumably intended when the standard was drafted.Even if the scope of the policy is constrained to the IT context, the information security controls potentially required in, say, software development are many and varied, just as the development and associated methods are many and varied, and more poignantly so too are the information risks. Policy development Your homework challenge, today, is to consider, compare and contrast these five markedly different IT development scenarios:Commercial firmware being developed for a small smart actuator/sensor device (a thing) destined to be physically embedded in the pneumatic braking system of commercial vehicles such as trucks and coaches, by a specialist OEM supplier selected on the basis of lowest price. A long-overdue technical update and refresh for a German bank's mature financial management application, developed over a decade ago by a team of contractors long since dispersed or retired, based on an obsolete database, with fragmentary documentation in broken English and substantial compliance implications, being conducted by a large software house based entirely in India. A cloud-based TV program scheduling system for a global broadcaster, to be delivered iteratively over the next two years by a small team of contractors under the management of a consultancy firm for a client that freely admits it barely understands phase 1 and essentially has no idea what might be required next, or when.A departmental spreadsheet for time recording by home workers, so their time can be tracked and recharged to clients, and their productivity can be monitored by management.Custom hardware, firmware and autonomous software required for a scientific exploration of the Marianas trench - to be deployed in the only two deep-sea drones in existence that are physically capable of delivering and recovering the payload at the extreme depths required.You may have worked in or with projects/initiatives vaguely similar to one, maybe even two or three of these, but probably not all five - and th	Patching Guideline
	2021-10-23 16:00:00	Topic-specific example 11/11: secure development (lien direct)	The final topic-specific policy example from ISO/IEC 27002:2022 is another potential nightmare for the naïve and inexperienced policy author. Despite the context, the title of the standard's policy example ("secure development") doesn't explicitly refer to software or IT. Lots of things get developed - new products for instance, business relationships, corporate structures and so on. Yes, even security policies get developed! Most if not all developments involve information (requirements/objectives, specifications, plans, status/progress reports etc.) and potentially substantial information risks ... so the policy could cover those aspects, ballooning in scope from what was presumably intended when the standard was drafted.Even if the scope of the policy is constrained to the IT context, the information security controls potentially required in, say, software development are many and varied, just as the development and associated methods are many and varied, and more poignantly so are the information risks. Your homework challenge, today, is to consider, compare and contrast these five markedly different IT development scenarios:Commercial firmware being developed for a small smart actuator/sensor device (a thing) destined to be physically embedded in the pneumatic braking system of commercial vehicles such as trucks and coaches, by a specialist OEM supplier selected on the basis of lowest price. A long-overdue technical update and refresh for a German bank's mature financial management application, developed over a decade ago by a team of contractors long since dispersed or retired, based on an obsolete database, with fragmentary documentation in broken English and substantial compliance implications, being conducted by a large software house based entirely in India. A cloud-based TV program scheduling system for a global broadcaster, to be delivered iteratively over the next two years by a small team of contractors under the management of a consultancy firm for a client that freely admits it barely understands phase 1 and essentially has no idea what might be required next, or when.A departmental spreadsheet for time recording by home workers, so their time can be tracked and recharged to clients, and their productivity can be monitored by management.Custom hardware, firmware and autonomous software required for a scientific exploration of the Marianas trench - to be deployed in the only two deep-sea drones in existence that are physically capable of delivering and recovering the payload at the extreme depths required.You may have worked in or with projects/initiatives vaguely similar to one, maybe even two or three of these, but probably not all five - and these are just a few random illustrative examples plucked from the millions of such activities going on right now. The sheer number and variety of possibilities is bewildering, so how on earth can one draft a sensible policy?As is the way with ISO27k, the trick is to focus on the information	Patching Guideline
	2020-05-16 17:38:09	NBlog May 16 - adjusting to the new normal (lien direct)	According to alert AA20-133A from US-CERT:"The U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities. An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.Cybersecurity weaknesses-such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans-have continued to make organizations susceptible to ransomware attacks in 2020."Well whadyaknow?The US government blames "sophisticated foreign cyber actors" - the usual xenophobic, somewhat paranoid and conspiratorial stance towards those filthy rotten foreigners, desperately attacking little old US of A (today's version of reds under beds I guess);"Unpatched" VPNs and insecurely configured Office 365 services are being targeted, implicitly blaming customers for failing to patch and configure the software correctly, blithely ignoring the fact that it was US-based software vendors behind the systems that required patching and configuring to address exploitable vulnerabilities;	Ransomware Vulnerability Patching
	2020-03-23 13:19:46	NBlog March 20 - COVID-19 PIG update (lien direct)	Here's today's update to my COVID-19 information risk Probability Impact Graphic:I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security?'Sanity' is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including 'mental health issues' in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it's hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG). There's even some good news for infosec pro's. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study.	Patching Guideline
	2020-01-22 09:00:00	NBlog Jan 22 - further lessons from Travelex (lien direct)	At the bottom of a Travelex update on their incident, I spotted this yesterday:Customer PrecautionsBased on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us. Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. I'm waffling on about corporate identity theft, flowing on from the original incident.I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypot	Ransomware Malware Patching Guideline	APT 15

Last update at: 2024-05-05 15:07:58
See our sources.

To see everything: Our RSS (filtrered)