www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of articles from multiple sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed generated: 2024-04-20T06:40:02+00:00

Meaningful security metrics
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)
Published: 2021-07-14T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/657714266/0/alienvault-blogs~Meaningful-security-metrics | Article: www.secnews.physaphae.fr/article.php?IdArticle=3062983 | Tags: Threat, Guideline

Best practices for a secure ecommerce website
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

29% of traffic on ecommerce sites comes from people with malicious intentions. It’s an issue you must tackle if you want to achieve your business goals. Luckily, there are a lot of ways you can boost your security.

Find a reliable ecommerce platform
When starting an ecommerce site, the first thing you notice is that there are many ecommerce platforms available. However, many people don’t even consider security when choosing their platform or hosting provider. Both the platform and the host you choose have a significant impact on your site’s security. They use a variety of security measures and features that make your store safer. In general, they should at least offer protection from SQL injection and malware, since these are common attacks. Take the time to look at what different platforms and hosts have to offer.

Choose HTTPS and SSL
HTTPS is short for “Hypertext Transfer Protocol Secure”, a protocol designed for establishing secure communications online. HTTPS sites are considered secure and unique because they carry a certificate. In other words, a site that shows the “green lock” is authentic, not a fake page. For HTTPS to be enabled, a site needs an SSL (Secure Socket Layer) certificate. This system helps protect the data travelling between a buyer and your ecommerce store.
Apart from improving security, SSL also brings in more customers, as many people avoid stores without it.

Do regular backups
Accidents and attacks are sometimes unavoidable, but backups help you get your site back online quickly. Whether an update has created an issue with your site or someone has used malicious software, you can’t let your store stay offline. Even the best cybersecurity experts can’t guarantee that your website will be 100% secure. That’s why regular backups are necessary: backing up your site means downloading your whole site and creating a duplicate. If something happens, you can upload this duplicate and get your site back online. Ideally, your hosting provider should offer daily backups as well.

Get PCI compliant
Lots of people are reluctant to give their bank or credit card details online. They have the right to be sceptical, because there have been many cases of this information falling into the wrong hands. That’s why ecommerce websites should attain PCI compliance.

Published: 2021-07-13T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/657595304/0/alienvault-blogs~Best-practices-for-a-secure-ecommerce-website | Article: www.secnews.physaphae.fr/article.php?IdArticle=3056142 | Tags: Malware, Vulnerability

Back to the office…
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

Gartner talks about how these threat actors have taken advantage of the changing working environments, both during and after the pandemic, targeting the remote workforce with email and SMS campaigns purporting to be from their local IT support. Any breach in the endpoint security of your remote workforce may be amplified exponentially once they return to the office: the threat actors are then able to get a foothold on the corporate network and start profiling the internal architecture in advance of, for example, ransomware deployment. Businesses can start to address these risks as part of their return-to-office planning by taking a number of tactical steps.
Controlled introduction
Just like the way a business would roll out a new technology, it is always advisable to address any outstand

Published: 2021-07-12T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/657429182/0/alienvault-blogs~Back-to-the-office%e2%80%a6 | Article: www.secnews.physaphae.fr/article.php?IdArticle=3051162 | Tags: Ransomware, Malware, Vulnerability, Threat, Patching, Guideline

Cybersecurity and government
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

Photo by Katie Moum on Unsplash

In May, after many months of dedicated effort, our compliance team received word that a U.S. Federal Risk and Authorization Management Program (FedRAMP) Moderate certification was granted for the AT&T Threat Detection and Response for Government solution. FedRAMP is a program coordinated by the US General Services Administration (GSA) and the Department of Homeland Security (DHS) that inspects cloud-based solutions for compliance with 325 distinct security controls. AT&T Threat Detection and Response for Government is purpose-built in the AWS GovCloud (U.S.) and meets the FedRAMP requirements for cloud service providers operating at the Moderate Impact Level. This was an important achievement, as it allows our field sales teams to work better with government organizations, taking client conversations beyond a common issue: “Is your offer FedRAMP certified?” The ability to answer “yes” to that challenge means that the client does not have to research and produce the certification documentation themselves (an enormous task) to place TDR for Government into an approved production environment. The inclusion of AT&T Threat Detection and Response on the Approved Products List (APL) maintained by DHS and GSA for Continuous Diagnostics and Mitigation (CDM) is further evidence of the solution’s ability to strengthen the cybersecurity posture of federal, state and local government networks and systems.
It is very satisfying to observe customers as they spin up an instance of our USM platform-based products for the first time. Within just a few minutes of the final configuration steps, the customer dashboard starts to come to life with counts of discovered devices, counts of events, and maybe even an alert that requires attention. Our first AT&T Threat Detection and Response for Government customer was immediately relieved to learn that the mandatory reporting of log management activities is automated for him by the solution. Rather than chasing down the details of log aggregation and log management for each distinct technology deployed in the environment, he can rely on the AT&T Threat Detection and Response for Government dashboards to provide him with at-a-glance data. He can use our library of pre-prepared reports to fulfill monthly audit requirements for FISMA and NIST compliance. Relief from this mundane work is just one of the many benefits that he and the CISO quickly realized.

Also in May, President Biden issued an Executive Order encouraging all agencies of the Federal Government to improve the nation’s cybersecurity. Amongst the many

Published: 2021-07-07T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/656827372/0/alienvault-blogs~Cybersecurity-and-government | Article: www.secnews.physaphae.fr/article.php?IdArticle=3051163 | Tags: Threat

Lazarus campaign TTPs and evolution
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

T1036.003).

Background
Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group’s actors include Destover, Duuzer, and Hangman.

Analysis
Several documents identified by Twitter users between May and June 2021 were linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities at Boeing and BAE Systems. The new documents include:
Rheinmetall_job_requirements.doc: identified by ESET Research.
General_motors_cars.doc: identified by Twitter user @1nternaut.
Airbus_job_opportunity_confidential.doc: identified by 360CoreSec.
The documents attempted to impersonate defense contractors and engineering companies like Airbus, General Motors (GM), and Rheinmetall. All of these documents contain macro malware, which has been developed and improved over the course of this campaign and from one target to another. The core techniques of the three malicious documents are the same, but the attackers attempted to reduce potential detections and increase the capabilities of the macros.

First iteration: Rheinmetall
The first two documents, from early May 2021, related to a German engineering company focused on the defense and automotive industries, Rheinmetall.
The second malicious document appears to include more elaborate content, which may have resulted in the documents going unnoticed by victims. The macro has base64-encoded files, which are extracted and decoded during execution. Some of the files are split inside the macro and are not combined until the time of decoding. One of the most distinctive characteristics of this macro is how it evades detection of an MZ header encoded in base64 (TVoA, TVpB, TVpQ, TVqA, TVqQ or TVro) by separating the first two characters from the rest of the content, as seen in Figure 1.

Figure 1: Concealing of the MZ header, as captured by Alien Labs.

The rest of the content is kept together in lines of 64 characters, and because of this, YARA rules can be used to detect other typical executable content encoded in base64 aside from the MZ header. In this case, up to nine different YARA rules alerted on suspicious encoded strings in our Alien Labs analysis, like VirtualProtect, GetProcAddress, IsDe

Published: 2021-07-06T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/656720256/0/alienvault-blogs~Lazarus-campaign-TTPs-and-evolution | Article: www.secnews.physaphae.fr/article.php?IdArticle=3027251 | Tags: Malware, Threat, Guideline, Medical | Threat actors: APT 38, APT 28

How to protect your site against lethal unauthorized code injections
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

88% of respondents reported that they had experienced at least one security incident within the past year. A CSP (content security policy) can be a great solution for defending sites from lethal code injections, especially when used in conjunction with additional layers of security to protect users’ most sensitive data. The standardized set of directives that can be enforced by a CSP tells the browser which sources are trustworthy and which ones to block. This technique can eliminate many common injection vectors and can also significantly reduce XSS attacks.
While CSPs are powerful against XSS and other client-side attacks, website admins should continue to follow security best practices and utilize tools that help minimize JavaScript vulnerabilities.

How CSPs help prevent malicious attacks
When implemented as part of your website standards, a CSP (or ISP - Information Security Policy - as it is sometimes called) tells the browser to enforce policies that restrict which scripts can be loaded on any given website. You can specify which domains are allowed to run scripts, which are blocked, and which ones get reported but can still be viewed. This not only helps you narrow your vulnerability, but can also help you discover where malicious attacks are likely to come from in the future. When multiple CSPs are specified, the browser defaults to the most restrictive directive in order to thwart a malicious attack. For example, to prevent cybercriminals from injecting embedded images with malicious code, an e-commerce site admin might want to limit the domains from which images are allowed to load.

A content security policy should be a mainstay of any web admin and IT team security protocol. Any other cyber protection that you use will be stabilized by the CSP and create a fortress to protect your website data.

Layers of security
Organizations both large and small should be concerned about hackers and data breaches, although the spotlight has been focused on advances in technology, giving a false sense of security. Instances of cybercrime were up again by 37% last year, costing businesses nearly $4.5 million. Cybersecurity strategies that can adapt to the changing techniques cybercriminals employ to exploit businesses and their customers are more important than ever before, as we continue to expand the internet of things and our connectivity capabilities.
While a CSP provides a thick layer of protection, hackers only have to target a single allowed domain that you are not protected against in order to execute an attack that could possibly result in catastrophic data loss, loss of trust from your customers, and loss of revenue. To add another layer of security, website admins need an additional layer of JavaScript-based monitoring that is able to analyze script behavior at a granular level. Sensors created for JavaScript can collect all kinds of behavior signals from scripts running on the page while flagging anomalies that have the potential to be malicious code injection

Published: 2021-07-06T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/656720248/0/alienvault-blogs~How-to-protect-your-site-against-lethal-unauthorized-code-injections | Article: www.secnews.physaphae.fr/article.php?IdArticle=3027252

Empowering women in the field of ethics and compliance
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

risk of cybersecurity breaches requires that security teams be vigilant in protecting sensitive data. Any breach of regulations can result in legal headaches and customer distrust, making a solid compliance department a wise investment in any business. Ethics is another vital concern for companies that want to cultivate and maintain a positive public image. Corporations want their clients to see that they are doing the right thing, regardless of what the law dictates. As people increasingly look to their favorite brands to express support for social justice causes, ensuring that a company is on the right side of important public issues can be empowering as well as lucrative. In this growing industry, many women have made their mark, influencing global corporations and guiding them in their approaches towards ethics and compliance.
Let’s dig into the increasing importance of ethics and compliance in tech and some opportunities for inclusion and gender equality in this growing field.

Critical compliance
With the host of laws and regulations in various industries, such as HIPAA in healthcare or state-by-state privacy laws in tech, compliance can be a very complex and daunting field. It is crucial in any business, and particularly in tech, but sometimes the field does not get the recognition it deserves. What’s more, the tech industry has a well-known reputation for being dominated by men, and women techies often don’t get the recognition they deserve either. In the fintech industry, for example, on average only 37% of the workforce is female, with a mere 19% holding C-suite positions. In such male-dominated fields, it’s important to celebrate the accomplishments of women and focus on ways to get more women involved in the industry.

Ethics and compliance is one area where we are seeing more women breaking into the industry. This field is booming as technologies like artificial intelligence (AI) and the Internet of Things (IoT) make their way into almost every aspect of our personal and professional lives. For example, the rapidly growing popularity of IoT devices can result in tech companies rushing the production of new technology, sometimes at the expense of adequate cybersecurity. It was formerly common for vulnerabilities to remain undiscovered until their use was widespread, leaving users and companies exposed to cyber threats. Companies sometimes downplayed these issues to avoid affecting sales, and the ethics and compliance field is trying to turn this around. This issue led to the passing of the IoT Cybersecurity Improvement Act of 2020, which established rules regarding the cybersecurity of the software used by the American government.
While the regulations only affected companies with contracts with the federal government, their purchasing power was large enough that it became a governing standard for the tech industry. Such regulations are particularly important in industries that handle financial data, like the payment card industry. But even with regulations such as

Published: 2021-06-29T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/655898772/0/alienvault-blogs~Empowering-women-in-the-field-of-ethics-and-compliance | Article: www.secnews.physaphae.fr/article.php?IdArticle=2994961 | Tags: Guideline

Asset management in the age of digital transformation
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)
Published: 2021-06-28T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/655773962/0/alienvault-blogs~Asset-management-in-the-age-of-digital-transformation | Article: www.secnews.physaphae.fr/article.php?IdArticle=2990621 | Tags: Tool

A mid-year update for Cybersecurity – 4 trends to watch
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

Check Point Research. Hackers have found ransomware ideal for exploiting the COVID-19-expanded digital landscape. The transformation of so many companies to operating in a digital mode has created many more targets for extortion. One office with 4,000 employees has become 4,000 offices. In addition to an expanding attack surface, hackers are more active than before because they can get paid more easily for their extortion via cryptocurrencies, which are more difficult for law enforcement to trace. Criminal hacker groups are becoming more sophisticated in their phishing exploits by using machine learning tools. They are also more coordinated with each other, sharing on the dark web and dark web forums. In 2020, according to the cybersecurity firm Emsisoft, ransomware gangs attacked more than 100 federal, state, and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses.
As a result of the Colonial Pipeline ransomware attack and others, the U.S. Department of Justice and the FBI have prioritized investigating and prosecuting hackers who deploy ransomware. The impact for the rest of 2021 will be more ransomware attacks against institutions and corporations that are less cyber secure, especially targets that cannot afford to have operations impeded, such as health care, state and local governments, educational institutions, and small and medium-sized businesses.

See: The New Ransomware Threat: Triple Extortion - Check Point Software
See: Why Ransomware is So Dangerous and Difficult to Prevent | Manufacturing.net

2. Cyber-attacks are a real threat to commerce and economic prosperity
So far this year, cyber-attacks have grown in number and sophistication, repeating a trend of the last several years. The recent cycle of major industry and governmental cyber breaches is emblematic of growing risk. The attacks are also becoming more lethal and costly to industry. A new NIST report was released on the economic impact of breaches on the U.S. economy, and it is alarming. The report suggests that the U.S. loses hundreds of billions to cybercrime, possibly as much as 1% to 4% of GDP annually. The breach stats are part of a bigger global trend. The firm Cybersecurity Ventures predicts that global cybercrime damages will reach $6 trillion annually by the end of this year. The firm’s damage cost estimate is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state sponsored and organized crime gang hacking activities, and a cyberattack surface.
In both the public and private sectors, there is a

Published: 2021-06-24T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/655441428/0/alienvault-blogs~A-midyear-update-for-Cybersecurity-%e2%80%93-trends-to-watch | Article: www.secnews.physaphae.fr/article.php?IdArticle=2975539 | Tags: Ransomware, Malware, Tool, Threat

Stories from the SOC - Office 365 Account Compromise and Credential Abuse
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

AT&T Managed Threat Detection and Response customers.

Executive Summary
Credential abuse and compromised user accounts are serious concerns for any organization. Credential abuse is often used to access other critical assets within an organization, its subsidiaries, or a partner corporation. Once an account is compromised, it can be used for data exfiltration, or to further the agenda of a threat actor. Threat actors often compromise the internal email accounts of legitimate organizations for many reasons, including to send internal users phishing links leading to additional compromise, to send malicious emails to external users for later compromise, or to create inbox rules that forward confidential emails to the threat actor’s account outside of the organization. Monitoring for events surrounding internal, inbound, and outbound email activity is important.

The AT&T Managed Threat Detection and Response (MTDR) analyst team received several alarms in response to a user attempting to send an excessive number of emails, resulting in these emails being blocked within Microsoft Office 365. Upon reviewing the user’s login behavior, it was observed that this user had been logged in from foreign IPs, which was outside of the user’s typical logon behavior. Further analysis of events surrounding the user concluded that this incident was contained. An investigation was created with attached events, artifacts, and login activity to quickly engage the customer and remediate the compromise before the attack could be escalated.
Investigation

Initial Alarm Review
Indicators of Compromise (IOC)
There were three alarms generated from events involving Credential Abuse, Anomalous User Behavior, and Security Policy Violation, from Office 365 activity originating from both a foreign country and the United States.

Image 1: Credential abuse alarm

Expanded Investigation
Events Search
The initial Credential Abuse alarm (image 1) for suspicious login activity was generated in response to 12 events related to successful logins from a foreign country and the United States within a 24 hour period. After expanding the events surrounding this user, it was discovered that this user had never logged in from countries outside the United States. The team then used Open Source Intelligence (OSINT) tools to research the foreign IPs and discovered that these were IP addresses belonging to a foreign telecommunications company and had previously been blacklisted. Utilizing OSINT during an investigation is imperative to determine the ownership, location, history of abuse, and malicious activity surrounding an IP address or domain.

Image: IP blacklist check

The Anomalous User Behavior alarm (image 3) pertaining to Outlook 365 email activity was generated due to the excessive number of outbound emails. According to logs, there were fifty-three outbound emails sent from the foreign IP in 24 hours, which is a 1000% increase for this user. Due to the suspicious activity that was occurring, the Intrusion Prevention System (IPS) restricted the user’s ability to send emails and generated an additional alarm for review. The implementation of an IPS is important in this instance, because it prevented data exfiltration from the compromised email account.
Published: 2021-06-23T10:00:00+00:00 | Link: https://feeds.feedblitz.com/~/655344740/0/alienvault-blogs~Stories-from-the-SOC-Office-Account-Compromise-and-Credential-Abuse | Article: www.secnews.physaphae.fr/article.php?IdArticle=2970160 | Tags: Threat, Guideline

How data poisoning is used to trick fraud detection algorithms on ecommerce sites
Source: AlienVault Blog (AlienVault is a major defense actor in IOCs)

how to protect personal data from attacks that may be difficult to detect.

What is data poisoning?
ML algorithms rely on data to teach them what to look for and how to respond in different situations. The algorithm “learns” based on past information and then generates future decisions accordingly. Online businesses have become increasingly reliant on data generated in this manner for their marketing and customer outreach, to the point that a majority of online business owners have cited data collection and utilization as their single most important priority. Data privacy protection is absolutely essential for online businesses using customer information for their analytics and algorithms. One of the biggest threats to customer data privacy, however, is data poisoning.

Data poisoning is a type of cyber-attack that causes an algorithm to produce improper results for the data that it reads. In essence, these attacks change the way that algorithms read and react to data inputs, tricking them into generating incorrect results. This can cause business operations to become slow or unproductive, but it can also have significant financial repercussions for a company. For one thing, it could cause a consumer data breach, reducing existing customers’ trust in the company. But it could also come with a big price tag. The cost of retraining an algorithm is very high, so even if the attack is detected, trying to fix the issue could ruin a business. For these reasons, it is critical that businesses learn how to prevent data poisoning attacks.
Fraud protection

Making decisions concerning your technology can be stressful, but making the right cybersecurity choices is key to protecting yourself from fraud. Ecommerce companies use many vendors and products to collect, process, and analyze user data, and each of those vendors could have different privacy terms. If these outside companies are using AI to provide their services (which they most likely are), you need to be cognizant of their efforts towards data privacy in ML in addition to your own. When a user agrees to work with an online company, they may also be agreeing to share their data with the other businesses that support that company. If a data poisoning attack takes place in one of those, the attack could potentially go undetected and the data could easily be used for malicious purposes.

Humans lean towards creating communities a

2021-06-21T10:00:00+00:00 https://feeds.feedblitz.com/~/655207924/0/alienvault-blogs~How-data-poisoning-is-used-to-trick-fraud-detection-algorithms-on-ecommerce-sites www.secnews.physaphae.fr/article.php?IdArticle=2960212 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs

Risk-based security now more important than ever for Energy and Utilities!

first blog on Ransomware and Energy and Utilities and the second blog on Threat Intelligence and Energy and Utilities as well.

Convergence of IT/OT is now a reality: Whether intentional or accidental, IT and operational technology (OT) are converging to support the business outcomes of reducing costs and taking advantage of efficiencies. IT assets are being used in OT environments, and with the transformation of Industry 4.0, for utilizing IoT. Given the convergence and increased attack surface, the NSA has issued guidance around stopping malicious cyber activity against OT.
CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF (defense.gov)

Security First mindset

There is a need for a mindset shift in protecting OT assets, given the ineffective traditional approaches and priorities regarding how IT assets are protected. Legacy infrastructure has been in place for decades and is now being combined as part of the convergence of IT and OT. This can be challenging for organizations that previously used separate security tools for each environment and now require holistic asset visibility to prevent blind spots. Today's cybercriminals can attack from all sides, and attacks are laterally creeping across IT to OT and vice versa.

Beyond technology, focus on risk and resilience

It can be all too easy to deploy security technology and think you've mitigated risk to your business. Still, sadly, technology investment is no guarantee of protection against the latest threats. It is critical to take a risk-based approach to security. This means that to decrease enterprise risk, leaders must identify and focus on specific elements of cyber risk to target. More specifically, the many components of cyber risk must be understood and prioritized for enterprise cybersecurity efforts. Organizations are increasingly aiming to shift from cybersecurity to cyber resilience. This means they must understand the threats they face, measure the potential financial impact of cyber exposures, compare this against the company's risk appetite level, and proactively manage cyber risks by having clear action plans based on their capabilities and capacities to protect against cybercrime.

Focus on a risk-based approach

The risk-based approach does two critical things at once. First, it designates risk reduction as the primary goal. This enables the organization to prioritize investment, including in implementation-related problem solving, based squarely on a cyber program's effectiveness at reducing risk.
Second, the program distills top management's risk-reduction targets into specific, pragmatic implementation programs with precise alignment from senior executives to the front line. Following the risk-based approach, a company will no longer "build the control everywhere"; rather, the focus will be on building the appropriate controls for the worst vulnerabilities to defeat the most significant threats that target the business' most critical areas. The risk-based approach to cybersecurity is thus ultimately interactive and a dynamic tool to support strategic decision-making. Focused on business value, utilizing a common language among the interested parties, and directly linking enterprise risks to controls, the approach helps translate executive decisions about risk reduction into control implemen

2021-06-18T10:00:00+00:00 https://feeds.feedblitz.com/~/655028606/0/alienvault-blogs~Riskbased-security-now-more-important-than-ever-for-Energy-and-Utilities www.secnews.physaphae.fr/article.php?IdArticle=2948338 False Ransomware,Tool,Threat,Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs

How Zero Trust architecture improves the organization's network security

NIST800-207, characterize Zero Trust architecture as the best solution to managing security risks. Conventional network security follows the “trust but verify” strategy; the Zero Trust model replaces it. The traditional method implicitly trusts individuals and end devices inside the corporation's fence, exposing the organization to dangerous inner attackers and rogue identities and granting illegitimate profiles access. With the cloud migration of corporate transformational activities, this approach grew outdated. Zero Trust mandates that enterprises constantly analyze and verify that users and their devices have authorization. It requires the company to have insight into all services and to be able to impose restrictions on access.
Organizations must validate user requests thoroughly before granting access to either corporate or cloud resources. Therefore, Zero Trust relies on real-time insight into user credentials and attributes, like:

- the credentials' and devices' usual connections
- firmware versions
- user identity and type of credential
- operating system versions and patch levels
- applications installed on an endpoint

Corporations should carefully evaluate the network architecture and access rights to prevent possible threats and minimize the impact of a breach. Separation by device type, authenticity, and group activities are examples of this. For example, unusual interfaces to the domain controller, such as RDP or RPC, must always be questioned or limited to certain privileges.

Value of the Zero Trust model

The internet of today is an unfriendly environment. Organizations' information can be exposed to hackers who acquire, damage, or hold confidential information (Personally Identifiable Information (PII), Intellectual Property (IP), and Financial Information). It's arguable that no network security is ideal and cyberattacks will always exist, but Zero Trust decreases security risks and restricts the target area. Among the most efficient approaches for corporations to manage access to their network systems, services, and information is to use Zero Trust. To restrain intruders and restrict their rights in a data breach, it employs a variety of preventative approaches such as:

2021-06-16T10:00:00+00:00 https://feeds.feedblitz.com/~/654838234/0/alienvault-blogs~How-Zero-Trust-architecture-improves-the-organization%e2%80%99s-network-security www.secnews.physaphae.fr/article.php?IdArticle=2934296 False Ransomware,Threat None None

AlienVault Blog - AlienVault is a major defense player in IOCs

Palo Alto Networks teams with AT&T to deliver managed SASE

cloud access security broker (CASB) solutions, SD-WANs and more.
These disparate products come with their own policy management and logging, creating a complexity that increases the administrative cost and can lead to gaps in the company's overall security posture. With organizations demanding uninterrupted, secure access for their users, no matter where they are located, a new approach to networking and security is needed. This new approach is the secure access service edge (SASE). SASE converges software-defined wide area networking (SD-WAN) and security services — firewall as a service (FWaaS), secure web gateway (SWG), CASB, and Zero Trust Network Access (ZTNA) — into a single cloud-delivered service. SASE solves the challenge of delivering consistent, secure access no matter where users, applications or devices live. Because it is a single service, SASE dramatically reduces complexity and cost. However, the overhead and effort required to deploy a solution like SASE may be more than some organizations are able to undertake. This is where a strong service provider, with the right networking and security platform, can help by engaging with organizations and designing an approach aligned to their business requirements and needs.

Palo Alto Networks teams with AT&T to deliver a managed SASE solution

Palo Alto Networks and AT&T are collaborating to deliver a comprehensive managed SASE offering, consisting of Palo Alto Networks' Prisma Access cloud-delivered security with application-defined, autonomous and ML-powered Prisma SD-WAN. Prisma Access helps secure all users and applications with consolidated, best-in-class security capabilities (such as FWaaS, SWG, CASB, ZTNA and more) while Prisma SD-WAN enables the cloud-delivered branch with the industry's first next-generation SD-WAN. AT&T SASE with Palo Alto Networks combines a global high-performance network with next-gen SD-WAN to simplify the delivery of consistent security at scale while ensuring an optimal work-from-anywhere experience.
The three main principles behind SASE:

- Application-defined, network-performance optimization and intelligent traffic steering at the network edge.
- Guaranteed security for all users directly accessing applications over the internet in public or private clouds.
- Consistent experience for all users across devices and locations grante

2021-06-15T13:30:00+00:00 https://feeds.feedblitz.com/~/654776174/0/alienvault-blogs~Palo-Alto-Networks-teams-with-ATampT-to-deliver-managed-SASE www.secnews.physaphae.fr/article.php?IdArticle=2929891 False Threat,Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs

Threat Intelligence and Energy and Utilities

here.

Introduction

It is increasingly common to hear about cyber threats to the energy and utility industries. These are malicious acts by adversaries that target our data, intellectual property, or other digital assets. All too often it seems as though energy and utility companies are put in a defensive position to battle it out with these cyber intruders. How can the industry switch to a more offensive position when it comes to understanding these threats? Threat intelligence is a way to make sure your cybersecurity teams can minimize the impact of a threat against your assets. Let's take a look at how threat intelligence can be an effective source of information for energy and utilities.

What is threat intelligence?

If you have an adversary threatening your system, it is a good idea to learn who they are, why they want to attack you, and where they are most likely to attack. You also want to know if they have ever been undetected on your network or in your applications, if they are currently there, or if it is likely they will try to breach your business. Threat intelligence is a way to collect that information and make informed and data-driven decisions on how to prepare for an attack, prevent an attack, and identify cyber threats.
All of this helps to make your business more resilient so you can remain operational during and after a cyber incident, with the goal that no cyber incident is catastrophic.

Who uses threat intelligence?

Cybersecurity is a business enabler, and having insight into the psyche and rationale of those who want to inflict harm on your business is a good idea for a variety of stakeholders, albeit the technical details for each stakeholder will vary. Users of threat intelligence for energy and utility companies may include:

- SOC analysts
- IT analysts
- IT operations teams
- Incident response teams
- Development and quality assurance teams
- C-suites including the CISO
- Boards of Directors

Executives use threat intelligence to understand business risk, communicate with functional team leaders, and quickly deploy funding where appropriate to manage threats or bring on experts to assist. Practitioners use threat intelligence to help set priorities in managing threats, identify vulnerabilities, and act proactively. Threat intelligence data is useful and beneficial beyond the team of cybersecurity professionals. Effective use of threat intelligence helps to remove often deeply ingrained silos in organizations.

How can energy and utilities benefit from threat intelligence?

Think of threat intelligence as the data that helps to inform the decisions in managing the risk an organization is willing to take. Organizations can create their own threat intelligence feeds or purchase a feed specific to their vertical market or geographic location. Automating threat intelligence helps reduce human error, increases fidelity through pattern matching, and delivers results more quickly. Using automated threat intelligence means the right stakeholders can receive relevant and actionable information more quickly.
Overall, threat intelligence can help energy and utility organizations:

- Prevent catastrophic disruptions to services
- Reduce costs associated with the impact of a breach
- Reduce the risk of a cyber incident that steals data
- Increase collaboration and cross-functional work between IT, development, security, and the rest of the organization

With the increase in numbers and growing determination of cyber adversaries, energy and utility organizations need to be more resi

2021-06-10T10:00:00+00:00 https://feeds.feedblitz.com/~/654386754/0/alienvault-blogs~Threat-Intelligence-and-Energy-and-Utilities www.secnews.physaphae.fr/article.php?IdArticle=2901455 False Threat,Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs

Are fraudsters using automation to execute mass cyber-attacks?

52% believe that these threats challenge the integrity of networks. With the increase in remote work and more tasks taking place online, there are more opportunities than ever before to become a victim of a cyber scam. Digitisation is pushing forward at a rapid pace, which means leaving outdated security measures behind. Using automated security protocols can greatly improve your chances of recovering from a malicious attack. Detecting attacks is becoming more tedious, and it requires a more advanced understanding of how cyber criminals and fraudsters execute mass cyber-attacks. Learning how to protect yourself from this kind of attack and use automated technology to your advantage is critical for personal networks, small businesses and large enterprises as more scammers are beginning to use new tactics.

Why basic security may leave you vulnerable

Bare minimum security efforts are often not enough to protect against a cyber-attack. It is common to take a reactive approach to cybersecurity, but mistakes like this only leave the door wide open for a major attack.
Many people also believe that smartphones and other devices are not as susceptible to being attacked, but the reality is quite the opposite. Protecting all of your devices, and not just your computer or network, can make you less vulnerable to an attack. Small businesses and large corporations are both susceptible to being victims of a cyber-attack. And with remote work becoming somewhat the norm, more people are using their own devices, which could potentially put proprietary data at risk. There are many ways that small businesses can prepare themselves for a potential attack, and that starts with actively enforcing cybersecurity practices. Things as seemingly unimportant as strong passwords can have a big impact on the strength of your security efforts. If your company still uses on-premise hardware and software to back up important files instead of using the cloud, then that customer data could be more vulnerable to major malicious attacks. And with the rise in ecommerce, more personal payment data is being stored by companies. If this kind of information gets into the wrong hands, then not only are customers affected, but the reputation of your business could be ruined. It is also imperative that companies test their security protocols. Many businesses lack a proactive approach to cybersecurity. One quick and efficient solution to get around this is to rely on Dynamic Application Security Testing (DAST), which is designed to scan your applications for vulnerabilities while they are running.

Detecting attacks

Cybercriminals and fraudsters use automated attacks similar to how legitimate businesses use automation to increase productivity. In order to make the most money and scam the highest number of people, automated technology is used to send out mass attacks that cast a wide net across many demographics and types of internet users.
Detecting malicious activity was much easier in the past, when there were fewer devices connected to the internet and computing was still very much about manual input. Now, hackers and scammers are better at covering their tracks, and better at using automation for harmfu

2021-06-09T10:00:00+00:00 https://feeds.feedblitz.com/~/654308794/0/alienvault-blogs~Are-fraudsters-using-automation-to-execute-mass-cyberattacks www.secnews.physaphae.fr/article.php?IdArticle=2895219 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs

Magic in Cybersecurity: Magic links to replace the password

magic links are in the air. They are becoming an intriguing means to strengthen digital security without inconveniencing users. This article discusses magic links, their magical function, and their potential benefits for a corporation.

Magic links

Magic links are authorized URLs that carry a token which grants access to a particular user. They enable users to register or log in to a website, as well as make online transactions. When the user clicks on the URL, they get verified instantly. Magic links usually have a short life and are one-of-a-kind. Magic links form a digital authentication technique that can serve both a passwordless and a multi-factor authentication system.

Why use magic links

In a digital world, magic links are useful in passwordless and multi-factor authentication. Passwordless authentication refers to a security system that doesn't use passwords. Users authenticate using a magic link, eliminating the need for passwords. They only need to input an email address or contact number to get the URL to click. Multi-factor authentication (MFA) is a method of authenticating a user in several stages. Two or more authentication methods increase the steps the user must take. However, magic links add minimal complexity, since users only need to click the URL to complete the procedure.
How magic links work

Magic links consist of three steps:

1. On a sign-in page, the user inputs their email address.
2. If the user has a registered email address, they will receive an email containing a magic link.
3. To finish the sign-in cycle, the user selects and clicks the magic link.

Conversely, at the time of registration, the user can also get a live link for authentication later on. This technique is comparable to a password reset process, in which a user receives a secret link that enables them to update their password. Magic links function in the same way as password resets do, except that the user doesn't need to type a password to navigate to their profile.

Magic link security concerns

One of several security issues users may face comes from the email provider. When email providers label magic link emails as spam, an important email is redirected to an infrequently used spam folder. Users may request link after link without realizing that the links are being routed to spam. The trick is to choose a reliable email provider whose sending IP addresses traditional spam detection regards as trustworthy. Organizations can improve the security of their magic link implementation. If an application delivers a magic link and the client requests another, does the first link lapse? Users can become irritated if they have to click on several links to find the most recent one. Magic links that expire leave the login process with minimal loopholes but give the user fewer options to sign in. Organizations need to consider this balance. Likewise, certain websites prevent users from using magic links beyond the browser session in which the magic link was requested.
When you close your window an

2021-06-08T10:00:00+00:00 https://feeds.feedblitz.com/~/654216844/0/alienvault-blogs~Magic-in-Cybersecurity-Magic-links-to-replace-the-password www.secnews.physaphae.fr/article.php?IdArticle=2889600 False Spam None 4.0000000000000000

AlienVault Blog - AlienVault is a major defense player in IOCs

7 Challenges in modern Cybersecurity and how to fix them

61% of cybersecurity teams are understaffed. If you haven't already, you may soon encounter difficulty finding enough talent to handle your increasing workload. Specialty occupation visa programs may help you find talent internationally to help fill the gaps. Alternatively, you can turn to automation to artificially expand your workforce. By automating some tasks like network monitoring, you can accomplish more with fewer workers.

2. Skills gaps

The same survey found that 50% of teams say their applicants are underqualified. The labor shortage, along with increasingly complex cyberattacks, has created a growing skills gap. Even when companies can find potential workers, they may not find anyone with appropriate experience or skills. You can fix this issue by cultivating talented workers instead of looking for them. Your seasoned employees can help train new hires, creating a skilled workforce out of less experienced candidates. Similarly, you can run internship programs that you then hire out of, creating a skilled worker pipeline.

3. Rising cybercrime

One of the more obvious challenges of modern cybersecurity is that cybercrime is becoming a more severe issue. On average, security breaches cost businesses $3.86 million in 2020. Cyberattacks are becoming more frequent and damaging, and cybersecurity professionals must rise to the challenge. Companies need to make cybersecurity a priority in both budget and operations amid these rising threats. Cybersecurity professionals should also be more vigilant than ever, scrutinizing activity more closely and thoroughly.
Zero-trust networks may be a necessity to manage the sheer volume of attacks some companies see.

4. Remote worker security

Securing today's increasingly distributed workforce can be a challenge. Many tools that remote workers rely on come with new vulnerabilities. For instance, Amazon Cloud Drive does not offer at-rest encryption, and Zoom has notorious security flaws. Managing people on different networks on potentially unsecured devices is rarely straightforward, too. Thankfully, there's a growing number of remote monitoring platforms you can use to watch remote workers' traffic. Stricter access controls like two-factor authentication can prevent criminals posing as remote workers from getting into a system. Segmenting your network can further secure remote access and mitigate the impact of a breach.

5. Growing attack surfaces

As businesses adopt more connected technologies, network attack surfaces grow. Rising IoT adoption has made companies more agile and transparent, but it also creates cybersecurity vulnerabilities. IT security professionals now have more entry points to manage, which can be challenging. One of the best ways to secure new potential entry points is network segmentation. Every device should only have access to the parts of the network it need

2021-06-07T10:00:00+00:00 https://feeds.feedblitz.com/~/654131114/0/alienvault-blogs~Challenges-in-modern-Cybersecurity-and-how-to-fix-them www.secnews.physaphae.fr/article.php?IdArticle=2884724 False Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs

SentinelOne Advanced AlienApp

The Advanced AlienApp for SentinelOne capitalizes on the SentinelOne API-first approach, which helped us build one of the richest apps we've ever built. All a customer needs to do is configure their SentinelOne credentials within the app, and USM Anywhere will take it from there.
AlienApp for SentinelOne

The Advanced AlienApp for SentinelOne provides customers with a comprehensive toolset for threat detection and response, including:

- Threat ingestion
- Asset & Vulnerability Discovery
- Rich Orchestration and Response engine
- Reports & Dashboard
- Auditing
- Advanced Hunting Abilities
- and more…

In addition, utilizing the SentinelOne state-of-the-art rogue feature, customers can detect assets even if the SentinelOne agent isn't deployed on those assets.

SentinelOne asset inventory

USM Anywhere can pull the asset inventory from SentinelOne and compare it to the existing asset inventory within USM Anywhere based on a unique identifier, so that the asset is tracked even if its IP changed. This process updates existing assets with any new information from the agent, and new assets are added. The asset lifecycle is fully automatic.

[Image: S1 asset merge popup]

Having deep visibility into all of a company's endpoints is critical to the company's safety, whether the endpoint is a personal or company laptop or a widely used company server, and regardless of whether it is physical or virtual. The ability to collect logs and correlate them across potentially millions of assets helps separate secured organizations from vulnerable ones. The Advanced AlienApp for SentinelOne can provide those security insights at a glance.

[Image: S1 at a glance]

Customers can get even more security insights, as the app can also generate new SentinelOne reports or download existing ones with a click.
Customers can generate different types of reports to be downloaded ad hoc or scheduled.

2021-06-04T10:00:00+00:00 https://feeds.feedblitz.com/~/653944346/0/alienvault-blogs~SentinelOne-Advanced-AlienApp www.secnews.physaphae.fr/article.php?IdArticle=2874079 False Vulnerability,Threat None None

AlienVault Blog - AlienVault is a major defense player in IOCs

Digital transformation explained

Deloitte Insights report underscores the reality: the average IT department allocates over half its budget to maintenance but only 19 percent to innovation. And according to a 2021 State of IT Spiceworks Ziff Davis study, updating outdated IT infrastructure is the number one factor driving IT budget increases — cited by 56% of organizations planning on growing IT spend. Also driving cloud adoption is the need to address disaster recovery (DR). While DR has not typically been cost-effective for small to mid-sized businesses, many cloud vendors and providers offer DR solutions like DRaaS (Disaster Recovery as a Service) that address those challenges. But perhaps the greatest driver of cloud adoption today is COVID-19. The pandemic's disruption to the business landscape forced organizations to consider advanced technologies. The work-from-home or remote work model is here to stay, and the demand for software-as-a-service (SaaS) applications that allow teams to collaborate from anywhere is steadily increasing.

The main spheres of digital transformation

While one can argue that the components of digital transformation are numerous, we are highlighting five important spheres.

Security

As network access moves beyond the office perimeter to meet the demands of a remote workforce, robust security measures are required to maintain the confidentiality, integrity, and availability of corporate and customer data.
2021-06-04T05:01:00+00:00 https://feeds.feedblitz.com/~/653948998/0/alienvault-blogs~Digital-transformation-explained www.secnews.physaphae.fr/article.php?IdArticle=2884726 False Data Breach,Threat Deloitte None

AlienVault Blog - AlienVault is a major defense player in IOCs

Ransomware and energy and utilities

Focus on cybersecurity across industries has increased recently, no doubt due to factors like COVID-19 forcing a jump in remote work. In 2020, we saw cybersecurity move from being a technical problem to a business issue. Along with the recognition that businesses really need to lead with a security-first mindset to be resilient, the CISO was elevated to a seat at the proverbial table as a true C-suite leader and trusted board advisor. Energy and utilities face unique challenges compared to other industries. According to McKinsey:

“In our experience working with utility companies, we have observed three characteristics that make the sector especially vulnerable to contemporary cyberthreats. First is an increased number of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cybercriminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities' projects or broad agendas. The second vulnerability is utilities' expansive and increasing attack surface, arising from their geographic and organizational complexity, including the decentralized nature of many organizations' cybersecurity leadership.
Finally, the electric-power and gas sector's unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational-technology (OT) systems to stop multiple wind turbines, and even physical destruction.”

Let's look at one type of common and profitable attack that could impact energy and utility companies – ransomware.

What is ransomware?

Ransomware is exactly as the name implies – something valuable to your business is being kept from you until a ransom is paid for its return. In simple terms, ransomware is extortion. Ransomware, a form of malicious software, blocks you from accessing your computer systems or files until you pay the cyber adversary to allow you access to your information. The ransom is typically requested in cryptocurrency because of its anonymity and ease of online payment – this translates to no tracing of the origin or destination of the funds, a common tactic of cyber criminals. Knowingly infecting a system with ransomware and requesting payment to unlock the system is a crime. Law enforcement agencies recommend not paying the ransom associated with ransomware. The thought is that if the ransom is paid, you as the victim of ransomware are then identified as an easy target for further cybercrime, and the ransomware attack is perpetuated against others.

Who is the target of ransomware?

Cyber criminals seek the path of least resistance in their targets and strike against businesses that are easy targets. Ransomware is a business, and the perpetrators, like any good businessperson, are looking for a strong ROI.
The C]]> 2021-06-03T10:00:00+00:00 https://feeds.feedblitz.com/~/653868100/0/alienvault-blogs~Ransomware-and-energy-and-utilities www.secnews.physaphae.fr/article.php?IdArticle=2870813 False Ransomware,Malware,Tool,Vulnerability,Guideline Deloitte None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Ransomware and Energy and Utilities Focus on cybersecurity across industries has increased recently, no doubt due to factors like COVID-19 forcing a jump in remote work. In 2020, we saw cybersecurity move from being a technical problem to a business issue. Along with the recognition that businesses really need to lead with a security-first mindset to be resilient, the CISO was elevated to a seat at the proverbial table as a true C-suite leader and trusted board advisor. Energy and utilities face unique challenges compared to other industries. According to McKinsey: “In our experience working with utility companies, we have observed three characteristics that make the sector especially vulnerable to contemporary cyberthreats. First is an increased number of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cybercriminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities’ projects or broad agendas. The second vulnerability is utilities’ expansive and increasing attack surface, arising from their geographic and organizational complexity, including the decentralized nature of many organizations’ cybersecurity leadership. 
The C]]> 2021-06-03T10:00:00+00:00 https://feeds.feedblitz.com/~/653868100/0/alienvault-blogs~Ransomware-and-Energy-and-Utilities www.secnews.physaphae.fr/article.php?IdArticle=2884727 True Ransomware,Malware,Tool,Vulnerability,Guideline Deloitte None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Introducing AT&T USM Anywhere Advisors 2021-06-02T10:00:00+00:00 https://feeds.feedblitz.com/~/653792720/0/alienvault-blogs~Introducing-ATampT-USM-Anywhere-Advisors www.secnews.physaphae.fr/article.php?IdArticle=2867550 False Threat,Guideline Heritage,Heritage None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Asymmetrical threats in Cybersecurity Bastion which has very militaristic connotations.  In previous posts, the concepts of security cycle theory, attacker motivations, and threat adaptation have been explored.  Another critical concept is that of asymmetric threats.  The terms Asymmetrical Warfare or Asymmetrical Threats can be summarized simply as the asymmetry that exists between two adversaries and the tactics used by the weaker adversary to render the strengths of the stronger adversary moot. It is rare, though mathematically possible, to have parity between adversaries.  Consider team sports, as an example.  While not security nor defense related, there are indeed two adversaries playing a game against each other.  Each side will have advantages and disadvantages.  Within security and defense, it is a bit more profound. Consider the US Military for a moment. Since the end of World War II, which is often thought of as the start of US hegemony, the United States has arguably fielded the most powerful conventional military in the history of the world.  Despite this fact, the US has struggled in conflicts in Vietnam, Somalia, and most recently in Iraq, and Afghanistan. 
In each of these theaters it was groups of less well-trained, less well-equipped insurgents that created significant challenges to the US military. The US is not alone in this dubious distinction of struggling against militarily weaker opponents. The powerful Prussian military was defeated by a much weaker opponent, France, under the command of Napoleon, and in 1989, the Soviet Union was defeated by the Afghanistan resistance movement after 10 years of bloody guerrilla war. If Prussia and the USSR were militarily superior to their foes, how did they end up losing their respective wars?  The losses were largely due to the application of what we now term asymmetrical warfare. In a basic sense, Asymmetrical Warfare applies to the strategies and tactics employed by a militarily weaker opponent to take advantage of vulnerabilities in the stronger opponent, thereby rendering the stronger opponent's advantages moot. As an example, few military forces on the planet would face the US military in open combat in a Mahanian naval battle or with the US in a linear, kinetic tank battle.  As can be seen by the US routing of the Iraqi tank forces during the Battle of Medina Ridge in Desert Storm, doing so would lead to near certain defeat. If an inferior military opponent cannot fa]]> 2021-05-28T10:00:00+00:00 https://feeds.feedblitz.com/~/653454914/0/alienvault-blogs~Asymmetrical-threats-in-Cybersecurity www.secnews.physaphae.fr/article.php?IdArticle=2850475 False Ransomware,Vulnerability,Threat,Patching,Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Ways to setup Squid proxy server and helpful tips bandwidth congestion. Thus it decreases loading periods. Squid supports several caching protocols, such as hypertext caching protocol (HTCP), internet cache protocol (ICP), cache array routing protocol (CARP), and web cache communication protocol (WCCP). It also processes caching requests from Domain Name Server (DNS) lookups and Secure Sockets Layer (SSL). 
You wouldn’t want to miss enjoying the benefits of Squid proxy servers. Here are some ways to set the server up along with tips to maximize your use out of it. Ways to setup a Squid proxy server Squid proxy servers are usually installed in a separate server from the servers with the original content. The first thing to do is to update your server to install the squid proxy server. Check if the server is running by checking its status in the code, before starting to configure the system. Adding allowable sites In the configuration process, you sift through the sites that are allowable through the intermediary web proxy. These sites are considered as part of your ACL or access control list. These are the only sites that the Squid server will proxy and cache data for. Go through the list of acceptable websites and input in the code. Once all of these are encoded in, restart the proxy and check the status afterward. It’s safe to include an open port in the control list. The open port acts as the passageway for the other sites that were not defined and placed under the list. Blocking websites As much as you can configure the server to include sites to process, you can also block access to several websites. In order to carry out this requirement, create a folder under the access command list that will hold all the restricted sites. Limiting internet access is one of the prominent uses of proxy servers, in general. After listing the blocked or restricted sites, a prompt will appear in the code. Aside from blocked sites, you can also create a list of blocked keywords. Many companies configure their proxies to block access to several social networking sites, such as Facebook, Twitter, and Instagram. Once the list is finalized, make sure to save the file and restart the proxy to confirm. Configuring additional authentication To install an added layer of protection in your Squid proxy, install httpd-tools. This lets you create a password for the proxy. 
Make sure to assign the proxy server as the file owner. Otherwise, your access will be restricted as well. You can also add a pxuser using the htpasswd utility. This calls for a different and much stronger password. Make sure not to forget this username and password. This will be used to authorize all proxy connections later on. Helpful tips to note First of all, every time you change or configure the components of the proxy server, make a copy of the original f]]> 2021-05-27T10:00:00+00:00 https://feeds.feedblitz.com/~/653367170/0/alienvault-blogs~Ways-to-setup-Squid-proxy-server-and-helpful-tips www.secnews.physaphae.fr/article.php?IdArticle=2844812 False Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC SASE as a Service: The role of managed services in the world of network security convergence Secure Access Service Edge (SASE). Networking and security vendors have been integrating capabilities for decades, and market adoption of these integrations has only accelerated due to innovations such as virtualization and cloud computing. From a networking perspective, routing of traffic extends far beyond IP and MAC addresses to now include application steering and transport-agnostic overlay networks. From a security perspective, the next-generation firewall brought together a full stack solution capable of inspecting packets, URLs, and macro address information with unified threat management (UTM).  SASE brings together these two areas in a manner which revolutionizes the way IT, network, and security organizations will manage their respective domains as well as interoperate cross-functionally. With revolution comes disruption to standard operating procedures; and that disruption can bring confusion, complexity, and cost in the near term to achieve long-term savings and scalability. That said, transformation does not have to occur in a vacuum. 
Bringing in an expert, such as a managed services provider (MSP) to assist with the adoption and transition to SASE, can help achieve organizational success throughout the convergence of networking and security solutions. Historical precedent This makes sense when you think about the role MSPs have played throughout the internet era. Early networks were a foreign concept that some even considered a fad, and those disruptive enough to embrace them at the time were faced with complex management of costly systems. Dedicated teams were stood up to manage mainframes that became the first IT organizations. Eventually as these teams became more skilled, businesses emerged loaded with these experts with the acumen to help other organizations build out their own networks. By doing this, these early MSPs sped up the adoption of networking technologies by flattening the learning curve required to turn up a solution and scale their acumen to others as they completed builds for new companies. Noticeably absent (in hindsight) from these early networks was security, which was not even a consideration based on the initial framework of the ARPANET. Network security first started to take shape in 1988 after a student at Cornell University launched the first computer worm to access other connected devices. This resulted in the establishment of the Computer Emergency Response Team (CERT) at Carnegie Mellon University, the world’s first security operation center (SOC), to prevent these sorts of attacks from occurring in the future. As networking technologies evolved over time—along with the need to secure them—the MSPs managing legacy equipment adapted to these evolutions quickly, and helped organizations transform their infrastructures as well. In parallel, the role of the SOC expanded and network security technologies such as the firewall, intrusion detection system, and web application firewall emerged to help combat these threats. 
Managed security services providers (MSSPs) were spun up to manage these technologies as well as enable them to help protect other businesses. By taking on these evolving technologies, the onus for quickly understanding the evolution fell to network and security MSPs rather than on the organizations they served. The migration to SASE follows this precedent. Managed network and security providers have adept background in their respective domains and the ability to rapidly understand how technologies and architecture must evolve as the areas converge]]> 2021-05-26T10:00:00+00:00 https://feeds.feedblitz.com/~/653282806/0/alienvault-blogs~SASE-as-a-Service-The-role-of-managed-services-in-the-world-of-network-security-convergence www.secnews.physaphae.fr/article.php?IdArticle=2839745 False Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Cryptocurrency trading bots: Strengthening Cybersecurity and minimizing risks A staggering $1.9 billion in cryptocurrency was stolen by criminals in 2020, a recent report by Finaria reveals. Fortunately, despite the growth of the crypto market, crypto crime has decreased by 57% since 2019, dropping to $1.9 billion. The widespread recent implementation of stronger security measures also means crypto-criminals stole 160% more in value in 2019 than in 2020, despite the similar number of crimes. Now, crypto trading bots have become popular in the cryptocurrency world: software that automatically trades on exchanges on your behalf. Strengthening cybersecurity when using trading bots is key to protecting your accounts and money from hackers. API security While trading bots could just use your PC interface to make trades, having access to an API (short for Application Program Interface) key means they can directly access specific trades, which allows them to act quicker. 
The API key is basically a password your trading bot needs access to in order to operate, use your account, and make cryptocurrency orders. Most exchanges will need you to make an API key, but the exact steps involved vary on each platform. Additionally, you’ll need to make a secret key, which you must keep secret: if someone gains access to your API key and secret key, they’ll be able to trade on your behalf. API keys also have different configuration options that you’ll need to select, such as trade permissions, view permissions, and withdrawal options. You can enhance security levels by always deleting API keys once you stop using a trading bot.   Make sure your trading bot is secure and reliable It’s important to research different trading bots to make sure the one you use is reliable and secure. Using a bot with bad software or an inadequately-coded algorithm has the potential to cost you money. Additionally, your chosen service should function smoothly; if it goes offline or stops working, you’ll again lose money. Research various bots and read reviews to find out how reputable they are. For example, Coinrule is known to include robust security features to protect data. Every user is given a private key with bank-level encryption, which is stored on a server located in segregated data storage for tighter security. Also, be careful never to allow your trading bot to withdraw currency. If criminals get hold of your API keys, this means they’ll be able to take money out of your bank account. Ensuring your bot isn’t able to make withdrawals means criminals will be limited to only being able to make bad trades. Use multi-factor authentication  Using two-factor authentication (or 2FA) is an essential step that gives you an extra layer of security to protect against any potential hackers and attacks. When logging into your exchange with your username and password, two-factor authentication will require you to also enter a One-Time Password (OTP). 
This One-Time-Password will be promptly sent to your smartphone so you can finish the login process. Your One-Time-Password will either be HMAC-based (HOTP) or Time-based (TOTP). A HOTP password is ]]> 2021-05-25T10:00:00+00:00 https://feeds.feedblitz.com/~/653199996/0/alienvault-blogs~Cryptocurrency-trading-bots-Strengthening-Cybersecurity-and-minimizing-risks www.secnews.physaphae.fr/article.php?IdArticle=2834893 False None None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC AWS IAM security explained AWS Policies are a key foundation in good cloud security, but they are often overlooked. In this blog, we take a quick look at some AWS Policies, particularly for Identity and Access Management (IAM), that could become problematic if not properly managed. We'll discuss how they can be used against us to generate attacks like: ransomware, data exfiltration, credential abuse, and more. Finally, we'll suggest some Open Source tools for cloud policy assessment and pentesting.   Analysis The first step in achieving good security is having effective policies to regulate what can and cannot be done in an environment, both physical devices and cloud infrastructure. These regulatory policies are frequently hard to define and keep up-to-date, especially in a fast-paced environment using infrastructure-as-a-service (IaaS). This blog looks at some changes in policies which can reduce success in some common attack types involving: exfiltration, ransomware, credential abuse, and more. For that reason, AT&T Alien Labs is sharing an easy ‘what to look for’ list in order to detect some red flags in AWS policy changes. It is our hope that this list will be helpful for security analysts and forensic investigators. Policies are, spoiler alert, defined by AWS Policies, which define permissions for identities and resources. 
Every time AWS Identity and Access Management makes a request of any kind to a resource, a policy determines if the IAM identity is allowed or denied access to that specific resource under the policies for the involved parties. A full understanding of AWS policies (types, creation, enforcement, etc.) is outside the scope of this blog, but it can be found in AWS documentation. People implementing AWS policies should have knowledge of the organization, adapting policies to the needs of the business. Afterwards, detection rules should be generated for red flags in CloudTrail or other security tools. By doing this, we are avoiding policy changes in a generic manner, for example using ‘*’ to cover the whole Principal without setting any Conditions on it (MFA, IP, usernames, etc.). The problem resides in changes occurring on a daily basis to the policies, which are often overlooked by analysts. The impact that these changes could have is as big as any other event or alert investigated. In order to classify all AWS actions involving a policy change that could be used by attackers, we’ll sort them based on the potential final attack type. Most of the following techniques would fall under Modify Cloud Compute Infrastructure (T1578), but we have attempted to classify them outside of their specific Cloud technique - as if the activity was happening in a traditional environment. Denial of Service (DoS) Endpoint Denial of Service (T1499): Adversaries may perform Endpoint DoS attacks to degrade or block the availability of services to users. This blockage could be used as an additional impact on top of Data Encrypted for Impact (T1486) to avoid or slow down recovery efforts in a ransomware attack. In this scenario, attackers could be trying to block access to several AWS resources like: S3, EC2 through EFS or EBS, or backups, among others. 
]]> 2021-05-24T10:00:00+00:00 https://feeds.feedblitz.com/~/653105012/0/alienvault-blogs~AWS-IAM-security-explained www.secnews.physaphae.fr/article.php?IdArticle=2839747 False Ransomware,Tool,Threat,Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC What is a trusted advisor?  …and why do I need one? 2021-05-20T10:00:00+00:00 https://feeds.feedblitz.com/~/652804266/0/alienvault-blogs~What-is-a-trusted-advisornbsp-%e2%80%a6and-why-do-I-need-one www.secnews.physaphae.fr/article.php?IdArticle=2815277 False Patching None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Stalkerware: What is being done to protect victims as the number of cases rises improve protection and detection of this type of malicious software.  What is stalkerware? Recent studies by the Kaspersky Institute have revealed the United States, along with Russia and Brazil, are among the top countries affected by “stalkerware” last year. Especially of note is the corresponding increase in victims of spyware coinciding with coronavirus lockdowns and remote work, indicating that opportunists and cyber criminals are taking advantage of an increasingly technologically connected society.  Having the ability to stay connected with friends and family through technology is a gift, but it also opens up a door for receiving unwanted attention. We live in a society where most people save their most precious moments, intimate interactions and heavily guarded secrets on their phones, tablets and laptops in the form of photos, text messages, notes and more.  Because of this, we are seeing an increase in software that enables other users to spy on people through their digital devices. All of this surveillance occurs without the other person even realizing it is happening, making this software even more powerful. 
This is the reason why the cyber security industry has rapidly expanded over the past few years, as its importance in the lives of companies and individuals has grown. In computing, an application programming interface (API) is an interface that defines interactions between multiple software applications. “APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue,” according to the security analysts at Cloud Defense. “Object level authorization checks should be considered in every function that accesses a data source using an input from the user.” Cyber criminals can use APIs to intercept events in targeted apps, thus surveilling the affected user. Unfortunately, “stalkerware” is available to anyone who has access to the internet and the intent to seek it out. The Coalition Against Stalkerware seeks to raise awareness about this new cyber security threat and the ways in which it poses serious concerns for those who fall victim to it. According to the Coalition, stalkerware is most commonly used in situations of domestic violence or stalking.  How is stalkerware applied? Fortunately, there is some good news when it comes to stalkerware. Physical access to the device being monitored is required to install stalkerware on a vi]]> 2021-05-19T10:00:00+00:00 https://feeds.feedblitz.com/~/652717376/0/alienvault-blogs~Stalkerware-What-is-being-done-to-protect-victims-as-the-number-of-cases-rises www.secnews.physaphae.fr/article.php?IdArticle=2809839 False Threat,Studies None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Stories from the SOC - SSH brute force authentication attempt tactic SSH login Expanded Investigation Events Search Searching for additional events was started by filtering all failed logon events to the affected host to validate that no events were missed in the alarms. There were over 4,000 events when the research began, and the count grew to over 8,000 in under a minute. 
Each “invalid user” error contained a different username. Event Deep Dive The attacker was using multiple IP addresses from different countries, indicating a botnet may have been utilized for this attack. The usernames used in the attack did not match any usernames associated with customer accounts, and there was no additional activity involving these usernames. Reviewing for Additional Indicators Any additional events during the time of the attack were reviewed to determine if any other indicators of compromise were detected. The SSH activity in the additional events followed the same pattern as the original alarms, attempting to exploit port 22 on this public-facing host. All SSH attempts failed and the host was not compromised. Response Building the Investigation As the alarms and events came into the queue, it was recognized that this could be a potential dictionary attack. We reviewed the details of each alarm and the events associated with that alarm and determined that the usernames used did not match any of the known user accounts. There were no successful logins during this activity, as none of the usernames were legitimate. A successful attack would have compromised the bastion server and potentially provided access to the rest of the environment. While the alarms were incrementing in the queue, an investigation was created and a report outlining the events was provided to the customer. The event details were added to the Investigation and we provided a recommendation to the customer to review the firewall policy configuration. ]]> 2021-05-18T10:00:00+00:00 https://feeds.feedblitz.com/~/652628988/0/alienvault-blogs~Stories-from-the-SOC-SSH-brute-force-authentication-attempt-tactic www.secnews.physaphae.fr/article.php?IdArticle=2804505 False Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC What is data loss prevention? 70% of ransomware attacks, and insiders are responsible for 30% of all data breaches. 
As a result, enterprises are constantly looking for ways to reduce the risk of sensitive data being leaked outside the company. And with so many potential weak points, it’s necessary for organizations to put controls and solutions in place that not just monitor for inappropriate egress of corporate data, but also mitigate the risks as close to entirely as possible. To do this, the most common solution enterprises turn to is Data Loss Prevention.  What is data loss prevention?  In its broadest terms, Data Loss Prevention (DLP) is a set of tools and processes that allow businesses to detect and prevent data breaches, exfiltration, and the malicious destruction or misuse of sensitive data. DLP solutions allow you to monitor and analyze data traffic on your network to spot potential anomalies; this includes inspecting data sent via email or instant messaging, analyzing data streams on your network, checking how data is being used on a managed endpoint, and monitoring data at rest in on-premises file servers or cloud applications and storage. DLP is typically used by organizations in the following scenarios: To protect Personally Identifiable Information (PII) and comply with regulatory requirements specific to the organization’s field of operation To protect Intellectual Property that is critical to the organization Help secure data on cloud systems Help secure an increasingly mobile and disparate workforce Enforce security in Bring Your Own Device (BYOD) environments If a potential violation is found, a DLP solution will trigger a remediation based on policies and rules defined by the organization, for example alerting IT, automatically enforcing encryption of data, or locking down a user to prevent sharing data that could put the organization at risk. DLP solutions will also produce reporting that can help the organization meet regulatory compliance. 
Explaining data protection complexities and requirements This sounds great in principle; however, preventing the inappropriate leakage of sensitive data isn’t a simple process: data types must be established, data must be identified, rules must be defined based on role and data type, implementations must be tested to ensure a balance of security and productivity, and more. So, it’s necessary to ensure that your DLP efforts work to meet your data protection requirements, and that any prospective DLP solution can help you achieve this. SANS provides a rather comprehensive list of key requirements that you need to consider when starting your DLP journey. So, you need to ensure any potential vendor includes these: Discovery, Retention, Searching – Analyze your networks for data At Rest (on endpoints, servers, and file shares), In Use, and In Motion (on the network, over email, and in web traffic, as well as any data being copied onto external devices). Monitoring – Discover, identify, correlate, analyze, and log every instance of sensitive data movement or use (removal, modification, or attempted transmission). Alerting – Define and implement actions that ne]]> 2021-05-18T05:01:00+00:00 https://feeds.feedblitz.com/~/652618738/0/alienvault-blogs~What-is-data-loss-prevention www.secnews.physaphae.fr/article.php?IdArticle=2803912 False Ransomware,Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Teaching kids internet safety tips for Zoom parties The internet has changed over the years. Kids today are less interested in random chat rooms, and more inclined to connect with their friends via social media. Most recently, Zoom parties have become the norm for kids, especially due to the COVID-19 pandemic. On paper, Zoom parties can be great ways for kids to stay connected. They can chat with their friends, and even meet people from different parts of the country – or the world! 
The big difference between Zoom parties and chatrooms of the past is that your child can see the people they’re talking to. While that might make things seem safer, there are still some precautions you, as a parent, should be taking. Zoom isn’t necessarily 100% safe for kids who might not know the risks. Things like Zoombombing, where “trolls” and scammers hop onto meetings and parties to steal information or cause disruption, have become more prominent. Even cyberbullying or stalking can be a safety issue when your child is spending time on Zoom. So, what can you do to keep your kid safe when they’re spending more time on Zoom parties and connecting with others? What you need to know The more you know about the potential risks of kids using Zoom, the easier it will be to keep your child safe. Educate yourself on the security features Zoom uses as well as any potential threats your child might face when they’re doing virtual learning or attending a “party” on Zoom. Some of the biggest privacy concerns on the Zoom app include: Spamming Messages from random people Content dropping (users linking pornographic images or other inappropriate content) Attendee tracking Vulnerability to hackers You can certainly customize the privacy settings through Zoom, but unless you’re fully familiar with the app itself, it can be easy for your child to fall into certain traps. So, make sure you know the risks ahead of time and discuss some of them with your child before allowing them to get on the platform. Walking your child through Zoom Once you’re ready for your child to use Zoom, walk them through the features. Explain how things work and your expectations. 
If your child is old enough to use Zoom to connect with their friends, make sure to set up specific rules for them, including: Not giving away personal information Adjusting privacy settings as needed Never joining a meeting with someone they don’t know Never saying something they might regret later since meetings are often recorded If you’re concerned about your child getting into a “random” Zoom party, why not help them set one up where they can connect with their friends? You can host the party and receive your own private link. In doing so, you’ll be able to monitor the guest list and ensure that “Zoombombers” don’t hop in and ruin the fun. Throwing an online party can be a lot of fun when you’re willing to get creative. Feel free to set up a specific theme or plan games for your child and their friends. You’ll be able to foster their friendship and connection while ensuring they all have a safe environment to be themselves. ]]> 2021-05-17T10:00:00+00:00 https://feeds.feedblitz.com/~/652548788/0/alienvault-blogs~Teaching-kids-internet-safety-tips-for-Zoom-parties www.secnews.physaphae.fr/article.php?IdArticle=2798689 False None None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Defending the client-side attack surface OWASP Top Ten since its inception. These flaws are pervasive. A 2019 report from Feroot CX Security and Privacy, the 2019 Feroot User Security and Privacy Report concluded that the hidden activities of third-party tools and scripts expose up to 97% of organizations to theft of customer data. More recently, the 2021 Hacker Report showed significant year over year increases in reported web-related security vulnerabilities and that 96% of hackers are working on hacking web applications.  Sadly, these figures are far from surprising. According to that same 2019 Feroot report, modern web applications load an average of 21 third-party scripts as part of the user experience. 
This integration of third-party code creates a software supply chain that is assembled and executed on the client’s machine in near real time. The risk that one or more of the included scripts has been tampered with by threat actors at any given point in time is real and can have significant consequences, as many organizations impacted by “web skimming” or “Magecart” attacks have learned. These attacks occur when an attacker inserts malicious script code, or a reference to include such code, into a payment or other transactional page. The code is downloaded and executed on the client browser, which typically sends a copy of the sensitive information to a location of the attacker’s choice. Because of the subtle nature of these campaigns, they can be difficult to detect. For example, Warner Music recently disclosed that a number of the company’s online stores had fallen victim to such a campaign that lasted for several months. They are not alone. Many companies have been impacted by such campaigns, and given the surge of online transactions as a result of the COVID-19 pandemic, it is no surprise that threat actor groups are increasingly focused on exploitation and monetization of such vulnerabilities.

Even in the absence of malicious intent, simple human error can result in security-impacting disclosures. If developers are passing sensitive details in the URL parameters or the page title of a web resource, analytics platforms may receive those elements. These may include usernames, credentials, or other information that could be considered Personally Identifiable Information (PII).
Legitimate scripts may collect sensitive data from the website for analysis without the full understanding of

2021-05-14T10:00:00+00:00 https://feeds.feedblitz.com/~/652259278/0/alienvault-blogs~Defending-the-clientside-attack-surface www.secnews.physaphae.fr/article.php?IdArticle=2785193

Password security tips and best practices for enterprises

Lastpass survey, US employees working in mid-sized corporate businesses must manage approximately 75 passwords for work. Unsurprisingly, employees recycle passwords 13 times on average. In other words, employees are using the same passwords over and over. And in many cases, especially for corporate applications and resources that lack strong password requirements, some passwords just aren’t strong enough. Cybercriminals know this, and it’s why breaches happen. If hackers get access to your trusted data, the ramifications can be dire. The costs of a data breach go well beyond financial, and include damage to your company’s brand, trust and reputation.

Why do we need stronger and longer passwords?

As malware, phishing, and ransomware continue to skyrocket, we must understand that the password is the primary method for attackers to gain access to corporate systems. Phishing passwords may be the easiest method, but passwords can also be cracked. The stronger the password, the harder it is for cybercriminals to decode. In a typical attack—the brute force password attack—attackers will use software that quickly attempts every possible password combination of numbers, letters, and symbols. These software programs get better as computing power increases. For example, an eight-character strong password was not long ago considered secure and difficult to crack. Today, it can be cracked in eight hours. But if we tack on two more characters to make it ten characters long, cracking the password can take approximately five years.
Why do we need unique passwords for every login?

As mentioned above, phishing is one of the simplest ways for hackers to steal our passwords. If you think your company has been victimized by phishing, malware, or ransomware, perhaps you’ve taken steps to reset those passwords. But the security risk here is if employees are using the same passwords for different apps, sites or resources. Have you heard about credential stuffing? With credential stuffing, attackers take username and password combinations they already know (which have been stolen or paid for on the dark web) and try them everywhere they can. Use of credential stuffing is escalating, and businesses of all sizes should take note. This type of attack is only successful if and when employees use the same password for different logins.

What about password managers?

Managing all those passwords doesn’t have to be complicated. A password management system is software that keeps an up-to-date list of all your passwords and logins, using a master password to access the password “vault”. That master password is the only one you need to remember. What if a hacker accesses your vault? Isn’t that riskier? Sure, there is undoubtedly an element of risk, but it’s critical to think in terms of relative safety. As a general rule, using some type of password

2021-05-06T10:00:00+00:00 https://feeds.feedblitz.com/~/651048994/0/alienvault-blogs~Password-security-tips-and-best-practices-for-enterprises www.secnews.physaphae.fr/article.php?IdArticle=2745384

5 IT security strategies that you should think about as employees return to the office

intensified the threat landscape created by malicious attackers who jumped on the first opportunity to attack the more vulnerable home networks. As remote working becomes the new norm, it is paramount to have an agile infrastructure and team for security.
Companies need to manage and orchestrate appropriate remediation activities carefully.

Focus on providing awareness training

Industry research has shown a 300% increase in the rate of cyber-crimes since the pandemic began, as malicious attackers leverage the opportunity to attack vulnerable home networks to access sensitive data. Security awareness is the most important thing to teach your employees when moving towards a secure organizational culture. Security awareness training can help everyone get on the same page and understand the depth of the threats to reduce risks and incidents. Awareness is also critical because it can help employees prepare for unforeseen situations and equip them with security knowledge to know what measures to take in case of a problem. On top of general awareness for your employees, remember to provide your IT team and developers with application security awareness training. This is especially important because as threats and malicious attackers find innovative ways to exploit vulnerabilities, your IT team should be equipped to find solutions to new attacks. You can grow your security culture with these teachable moments:

- Hold a conference with your IT department where all employees are given security training
- For workers working remotely, send out a security guide detailing all security attacks, protocols, and preventions to follow
- Teach advanced lessons to employees in the R&D department to build secure products and services

Make your employee payment system safer

Creating invoices for sales and payment can be time-consuming, not to mention the number of security risks that come with sending payment invoices over email. Emails go through several networks, including DNS servers, mail servers, and routers, before reaching the intended recipient. Along this route, cybercriminals are patiently waiting to intercept the email, looking for vulnerabilities and private information that they use to commit fraud.
Since these emails include personal information such as your bank account number and contact number, it makes your emails highly vulnerable to malicious attacks. You can have all the updated technology and an advanced security team. Still, even if you send out one unencrypted email with an attached invoice, you run the threat of being exposed to cybercriminals. Opt for invoicing software apps such as those with PCI-DSS certification, meaning that all financial data will be kept secure using encryption for both your business and your employees.

Implement multi-factor authentication

Multi-factor authentication means adding an extra layer of security that involves asking for more than just the basic information required in single-factor authentication. It usually consists of a combination of information known only by the user, such as a security question, PIN code, or an alternate email. Research

2021-05-05T10:00:00+00:00 https://feeds.feedblitz.com/~/650899218/0/alienvault-blogs~IT-security-strategies-that-you-should-think-about-as-employees-return-to-the-office www.secnews.physaphae.fr/article.php?IdArticle=2741264

New Advanced AlienApps for Fortinet

The FortiGate and FortiManager integrations unlock multiple response actions that make SOC analysts aware of what’s happening with network security and allow them to respond to alarms quickly. Let’s take a look.

FortiGate: Easy Firewall Integration

The easiest, most straightforward integration comes via the FortiGate Advanced AlienApp. This AlienApp allows SOC analysts to send response actions from Alarms or Events directly to your Fortinet firewall. It is intended for use on a single firewall or HA pair of firewalls, and it allows the following response actions:

- Add a source or destination address to an Address Group.
The most common use case for this integration is shown in Figure 2 – blocking access to a potentially malicious internet destination. This functionality can also be used to unblock addresses once the crisis is resolved.

- Add to custom category. If you are using URL filtering categories to block access to inappropriate or potentially dangerous web sites, this method will enable you to add a URL to one of your custom categories. Note that this is useful to block or unblock sites.

- Add address to static URL filter.

FortiManager Integration

Integration with FortiManager opens up more use cases. FortiManager typically controls many different firewalls in your environment. Consider the simple use case above – blocking access to a malware command and control. If there is only one way out of your network, then the FortiGate implementation has you covered, but if you have path diversity, with different exits in different parts of the world or with different providers, the FortiManager integration is needed.

This integration does the same set of actions, but communicates with the FortiManager instead of an individual firewall:

- Add address to Address Group, Custom Category, or URL filter rule
- Add address to Address Group, Category, or URL using a rule

However, FortiManager will propagate the address group or URL rules down to all the firewalls in the infrastructure they apply to. This way, all the doors and windows can be closed to the threat with a single response action from USM Anywhere. Note that it may take a couple of minutes for all the changes to occur.

Advanced AlienApp Dashboards

As with all Advanced AlienApps, we’ve included a rich dashboard for both FortiManager and FortiGate. The FortiManager dashboard above gives a quick look at active users, alert trends, and event types.
The FortiGate dashboard includes events

2021-05-04T10:00:00+00:00 https://feeds.feedblitz.com/~/650785136/0/alienvault-blogs~New-Advanced-AlienApps-for-Fortinet www.secnews.physaphae.fr/article.php?IdArticle=2736723

The new normal is actually very normal: Punctuated equilibrium, security cycle theory, and the “New Normal”

Punctuated equilibrium is a theory originally developed by paleontologists to explain evolutionary biological change. It has since been applied to numerous other areas such as political science, social theory, technological change, corporate behavior, and organizational theory. In short, the theory posits that policies generally remain static and only change incrementally due to various constraints such as bounded rationality, cultures, and vested interests. Policy is characterized by long periods of stasis that only change when punctuated by changes in the conditions. History is replete with examples of punctuated equilibrium changing policy and people’s actions and behavior. The impact can be found on both a macro level, in which the world and nations may change, and a micro level, in which communities, companies, and people are impacted.

In the 14th century the world was struck by the Bubonic Plague, otherwise known as the “Black Death”, which, per estimates, killed between 25% and 40% of people living in Europe. Until that time France and England were in a near state of perpetual war, and the English were content with the feudal system. After the plague struck, France and England were forced to agree to a truce to their perpetual warring. It also brought about the end of the English feudal system and completely changed society and social structures. Unfortunately, those with more sinister ideas used the plague to commit pogroms against certain ethnic groups.
On June 24, 1914, the heir to the Austrian throne, Archduke Ferdinand, was assassinated in the streets of Sarajevo. While tensions had been brewing within Europe for years, no country wanted to inflame the situation and a state of tense peace remained. The assassination, however, proved to be the proverbial straw that broke the camel’s back and thrust Europe into one of the costliest and deadliest wars in history. This war, in turn, changed the entire world and resulted in new countries being created and others subsumed. While Europe raged with war between 1914 and 1915, the United States maintained an isolationist posture and did not enter the war. Certainly, there were some efforts to provide materials and support, but the US took a laissez-faire approach to the war in Europe and did not want to intercede. That all changed on May 7, 1915 when a German U-boat sank

2021-05-03T10:00:00+00:00 https://feeds.feedblitz.com/~/650659168/0/alienvault-blogs~The-new-normal-is-actually-very-normalnbsp-Punctuated-equilibrium-security-cycle-theory-and-the-%e2%80%9cNew-Normal%e2%80%9d www.secnews.physaphae.fr/article.php?IdArticle=2731748

The importance of creating a small business Cybersecurity plan

estimated that cyber crime will cost businesses as much as $45,000,000,000 by 2025. Each year, small businesses who haven’t put a cyber security plan in place are at the mercy of hackers who are using ever increasingly sophisticated methods to breach their network, compromise their data - and even hold the business to ransom. In this article, we’ll be looking at the importance of creating a small business Cybersecurity plan, and we’ll also show you which steps you need to take to create one of your own.

Why you need a Cybersecurity plan

Developing a cyber security strategy means you’re being proactive. You’re staying on top of risk and nipping attacks in the bud.
Early detection of threats

A Cybersecurity plan allows you to sniff attacks out quickly; while this doesn’t necessarily mean you’ll prevent an attack altogether, it does increase your chances of successfully resolving it.

Quick response to threats

Once you’ve detected a threat, you can then react quickly. Doing so will invariably save you time, money and hassle. It will also prevent your business from encountering a large-scale crisis that shuts it down completely, at least for a while.

Improved operational efficiency

On a macro level, a Cybersecurity plan allows your business to continue running efficiently. With procedures in place to thwart attacks automatically, your team can continue performing their jobs, focusing on the core aspects of your business.

Creating a small business Cybersecurity plan

Choose a firewall

Firewalls monitor your incoming and outgoing network traffic, looking out for malicious data packets before blocking them to prevent further problems. They are often your first line of defence against online attacks. However, there are different types of firewalls for different-sized businesses with different needs:

- Network firewalls are designed to protect multiple computers at the same time.
- Host-based firewalls defend a single computer. If your system has multiple computers, each one would require its own firewall if you choose this type.
- Enterprise firewalls are the most expensive. They include VPNs and advanced monitoring, and are aimed at bigger businesses with numerous users and networks.

Choose the right Cybersecurity software

A Cybersecurity strategy starts with investing in the right tools. Cybersecurity tools are the easiest way to give yourself peace of mind, because you know that you’ve built a second line of defence on top of your firewall. All businesses should make antivirus and anti-malware software a key part of their Cybersecurity plan.
However, there are a lot of tools to consider, and each one has its pros and cons, being aimed at different organisations facing different threats. Features to look out for include:

- Threat intelligence
- Network and host intrusion detection
- SIEM security and monitoring
- Patch management
- Secure VPN
- Report generator
- Multi-layer ransomware protection

In 2021, the best software may include Artificial Intelligence (AI). AI in antivirus software is able to detect network anomalies, targeting those that behave suspiciously and preventing a breach. It can also spot new user log-ins and disable them, or at the very least notify you or the system administrator.

Put together a cross-functional secu

2021-04-29T10:00:00+00:00 https://feeds.feedblitz.com/~/650338002/0/alienvault-blogs~The-importance-of-creating-a-small-business-Cybersecurity-plan www.secnews.physaphae.fr/article.php?IdArticle=2713289

What Docker runtime deprecation means for your Kubernetes

blog post that the version contained 42 enhancements. Of those enhancements, 16 entered into alpha, while the remainder moved to beta or graduated to stable at 15 and 11, respectively. That’s not all that was in Kubernetes version 1.20, however. The new release also came with the announcement of dockershim’s forthcoming deprecation. This blog post will discuss what this change means to admins and provide some recommendations on how admins can respond. Before we do that, however, we need to cover the basics of how dockershim relates to Kubernetes and why the platform decided to deprecate the component in the first place.

An Overview of Dockershim

Dockershim is a module used by the kubelet to support the Container Runtime Interface (CRI) for Docker. Released back with Kubernetes version 1.5 in 2016, CRI is a plugin that allows the kubelet to use different container runtimes without recompiling.
The Kubernetes-supported container runtimes include containerd, CRI-O and, for the next few months at least, Docker. The issue with dockershim is that Docker, the runtime it wraps, predates Kubernetes’ release of CRI. As noted in its documentation, Kubernetes’ early releases offered compatibility with just one container runtime: Docker. That changed as time went on and as cluster operators expressed the desire to interact with other container runtimes. Kubernetes created CRI to help those cluster operators, but as its support of Docker came before CRI, the container orchestration platform had to come up with an adaptor component that helped the kubelet interact with the Docker container runtime as if it were a CRI-compatible runtime. This led to the emergence of dockershim.

Keeping dockershim around ultimately created problems for Kubernetes, however. The issue here is that the kubelet needs to call another component—dockershim—before it can interact with containerd, CRI-O or another supported CRI runtime. It’s a middle man that complicates container runtimes for the platform as a whole. Indeed, in the words of Kubernetes, “that’s not great, because it gives us another thing that has to be maintained and can possibly break.” Dockershim was only meant to be a temporary solution. Acknowledging that fact, the task of maintaining dockershim had become sufficiently problematic by the end of 2020 that it placed “a heavy burden on the Kubernetes maintainers,” according to the platform. Hence Kubernetes’ decision to deprecate the component. Going forward, Kubernetes will warn administrators of this deprecation starting in version 1.20.
As explained by StackRox in a blog post: If you currently use a managed Kubernetes service or a distribution like OpenShift, your provide

2021-04-28T10:00:00+00:00 https://feeds.feedblitz.com/~/650251542/0/alienvault-blogs~What-Docker-runtime-deprecation-means-for-your-Kubernetes www.secnews.physaphae.fr/article.php?IdArticle=2707520

Priority on people - An argument against the excessive use of Cybersecurity technology

2021-04-27T10:00:00+00:00 https://feeds.feedblitz.com/~/650172322/0/alienvault-blogs~Priority-on-people-An-argument-against-the-excessive-use-of-Cybersecurity-technology www.secnews.physaphae.fr/article.php?IdArticle=2701309

The 5 most crucial Cybersecurity updates for businesses in 2021

internet crime reports rising 69.4% and costing more than $4.2 billion. Now that more companies are embracing digital services after the pandemic, this trend will likely continue. All businesses, regardless of size or industry, must revisit their cybersecurity. Here are the five most important cybersecurity updates for this year.

1. Implementing a Zero-Trust framework

The single most crucial cybersecurity upgrade for businesses this year is adopting a zero-trust security framework. These systems, which rely on network segmentation and thorough user verification, aren’t new but are increasingly crucial. In light of rising cyberthreats, companies can’t afford to trust anything inside or outside their networks without proof. A 2020 survey found that 82% of company leaders plan to let their employees work remotely at least part-time after the pandemic. That many people accessing data remotely raises security concerns. Hackers could pose as remote workers to gain access or install spyware, and IT teams wouldn’t know it. Zero-trust models mitigate these threats.
Verifying user identity at every step helps guarantee only employees can access mission-critical data. Segmentation ensures that only those who need access can get it, and if a breach occurs, it won’t impact the entire network.

2. Securing machine learning training data

Machine learning algorithms are becoming increasingly common among companies in various industries. These models take considerable amounts of data to train, which presents an enticing opportunity for cybercriminals. As more companies rely on machine learning, more threat actors will likely try to poison the training data. By injecting incorrect or corrupt data into the training pool, cybercriminals could manipulate a machine learning system. If companies don’t catch the problem before it’s too late, the algorithms they rely on could influence poor or even harmful business decisions. Given this threat, securing machine learning training data is a must. Businesses should carefully inspect the information they use to train machine learning models. They should also enact stricter access controls over training pools, including activity monitoring.

3. Verifying third-party and partner security

Businesses should also look outward when improving their cybersecurity. The growing public awareness of cyberthreats is changing expectations about visibility, and that’s a good thing. It’s no longer sufficient to trust that a business partner or third party has robust data security. Companies must verify it. Third-party data breaches in 2020 exposed millions of records, and major events like the SolarWinds hack have revealed how fragile some systems are.
In light of these risks, businesses must ask all potential partners to prove

2021-04-26T10:00:00+00:00 https://feeds.feedblitz.com/~/650096666/0/alienvault-blogs~The-most-crucial-Cybersecurity-updates-for-businesses-in www.secnews.physaphae.fr/article.php?IdArticle=2694605

Lessons learned from building an inventory of systems

Figure 1. An Information System Inventory (ISI) is a record of Information Systems in an organization and includes information traditionally in an IT Asset Inventory.

But a properly constructed ISI should be prioritized as the foundation on which organizations implement a System Development Lifecycle (SDLC) program, facilitate Security Operations activities, make informed risk management decisions, move towards a more data-centric view of security and mature their security posture as a whole. The ISI is an opportunity for an organization to have a core source of intelligence that ties security information across the organization together. Having the ability to view risk at multiple levels (network level, system level, division level, organizational level, etc.) is becoming ever more important as organizations implement more complex environments and move away from a traditional network perimeter.

Policy, process & training: Ensuring reliable information

One of the best places to start maturing the ISI is to mature the categorization process. Without measures in place to ensure repeatability and consistency, information may become suspect and of little value. It is critical to implement a process that satisfies the need for stringent accuracy, but that is not so cumbersome that it makes efficient use of personnel resources difficult. One of the most effective ways to balance this need for accuracy with the need for agility is to invest significant time in process creation, documentation, and training.
This includes defining and documenting the process itself, definitions for each field and each possible field answer, and the creation of tools such as interview templates and forms. Utilizing training sessions and tabletop exercises then ensures all interviewers implement the processes in a consistent and accurate manner. As categorizations are conducted on an annual or recurring basis, it is important to continuously update the process documentation, definitions, and training to align with the implemented process.

Figure 2. A possible process for categorizing an Information System

It is also important to design the categorization process to allow for documentation of the reasoning behind critical fields. Besides the obvious benefit of providing a high level of confidence that the information is accurate and easing the quality assurance process, this also has the added benefit of capturing inevitable grey areas and edge cases not considered in the original process. As the organization continues to mature its ISI and the categorization process evolves, notes on previously categorized systems are also invaluable in backfilling information for newly identified business uses. This reduces the re-work required, helps ease maintenance of the ISI, and provides a more accurate picture of current risk.

Figure 3. A short list of possible categorization fields and reasoning fields for critical fields.

2021-04-23T10:00:00+00:00 https://feeds.feedblitz.com/~/649863674/0/alienvault-blogs~Lessons-learned-from-building-an-inventory-of-systems www.secnews.physaphae.fr/article.php?IdArticle=2682724

Bridging the Cybersecurity frontier: SaaS

important parts of the modern digital business. Unfortunately, when it comes to cybercrime, it can also be one of the weakest.
The Cybersecurity newsletter The Hacker News has highlighted this in detail, noting interest from across the digital industry in addressing the holes created by misconfigured SaaS setups. The use of unsanctioned business software, and the lack of controls and best practices to help assist companies with assurance, can create a bad concoction. Addressing this requires a complete overhaul of business processes, starting with addressing the very nature of SaaS usage by the company.

Looking at core philosophy

SaaS is, according to Forbes, a key disruptor in many global markets. Utilized not just by digitally-focused businesses, this has unfortunately meant that many businesses are keen to get on the bandwagon long before they are prepared. This lack of preparation for the use of SaaS is what creates issues with security in the long run. How can businesses meet this risk and mitigate it? A key part of achieving this is through controlling growth. There is a compelling argument to be made that unbridled growth has caused many of the issues that digital businesses, not just SaaS-focused ones, have. Whether that’s through DDoS attacks, insufficient manpower to staff operations or other situations, demand can exceed capacity. That includes security systems. When considering the advantages of the model, businesses moving into SaaS should therefore also ensure that they have proper capacity to meet the customer demand and ensure a high level of cybersecurity assurance.

Building from the base

Having a measured growth strategy that is inclusive of the potential demands of the business is a first step that allows a cybersecurity response to be built accordingly. The challenge SaaS poses is in a lack of assurance that users are following cyber protocols. The corridor between business and customer can let in malicious users and malware at any stage of a transaction – leading to a loss of data, revenue, reputational damage, or all three.
Defining the risk and managing it is a case of forming ‘quarantine’ points, where businesses and their customers are able to securely store their data without risking it being accessed inappropriately by others.

SASE systems

Increasingly, businesses are meeting this demand using secure access service edge (SASE) systems, according to the UK's Computer Weekly. Research by Gartner expects 40% of businesses will be using SASE by 2024, and for good reason – it provides a secure environment through which to run SaaS, and all the risks it entails, without creating downtime for customers that could lead to lost revenues. Having this secure corridor also allows for other important business security measures, like data protection and security, to be carried out with a high level of assurance. SASE is not the only protocol to follow, and many businesses are constructing their own proprietary system security for their SaaS plat

2021-04-21T10:00:00+00:00 https://feeds.feedblitz.com/~/649686892/0/alienvault-blogs~Bridging-the-Cybersecurity-frontier-SaaS www.secnews.physaphae.fr/article.php?IdArticle=2673811

Best practices for businesses to stay safe online this tax season

Your device

Whether it’s your smartphone, tablet or desktop, you’ll want to ensure that the device you use to file taxes is as secure as possible. The first step involves passwords. Not only should your password be more of a pass phrase (like 2dogswalkingInthe^^park), but the password you use for anything concerning taxes should be completely different from passwords used for other accounts. Sure, remembering different passwords for separate logins is difficult, but password managers can be very helpful, for tax season and for regular password management. Next, it’s highly recommended to use multi-factor authentication (MFA).
If you are doing online banking, you are probably familiar with MFA, which provides an additional layer of security by sending you a unique one-time code via email or text message. Most online tax services offer this optional, but more secure and recommended, method of authentication.

Securely logging in is only the beginning. Before you even log in and start using any tax-related software, you will need to make sure that all the software is up to date, not just the tax software but the operating system as well, whether that is Windows, iOS, Android, or Mac OS. Running the latest version of the software means any security issues will be addressed and up to date, and that system performance is optimized.

When it comes to devices, the final piece of the security puzzle is where you are when you file your taxes. Especially when such confidential and sensitive information is being transferred over the internet, a secure network is crucial. If at all possible, avoid using public wi-fi. If you must use public wi-fi, ensure that you are using a VPN.

Your online behavior

Tax season can be stressful, and when we are stressed, it is much harder to be vigilant about our online behavior and security. But how you react to messages and people online will play a key role in keeping secure. Perhaps the most important takeaway of this entire article is this: never provide sensitive information to anyone online, over text, or over the phone unless you can verify that the person or agency on the other end is legitimate. Whenever you receive a call, text, or email that asks you to provide valuable financial or personal information, it is most likely a scam. By providing this data to thieves, you may lose money or even your identity. Always be suspicious.

But how can you tell if it is a scam? If the message claims to be from the Internal Revenue Service (IRS), know that the first method of contact for the IRS is carried out through the U.S. Postal Service.
Only if you have responded in some way to their communication through physical mail will they follow up with a phone call. Plus, the IRS will never insist that payment must be made to anyone other than the U.S. Treasury. Be especially skeptical of calls claiming to be from federal agencies that use what may appear to be a legitimate caller ID. Many of these calls are scams. If yo

Source: AlienVault Blog, 2021-04-20T10:00:00+00:00, https://feeds.feedblitz.com/~/649590870/0/alienvault-blogs~Best-practices-for-businesses-to-stay-safe-online-this-tax-season (www.secnews.physaphae.fr/article.php?IdArticle=2670072)

Introducing AT&T's Managed Endpoint Security with SentinelOne

2020 MITRE ATT&CK test - APT 29 for most total detections and most correlated alerts through comprehensive storyline technology. This autonomous agent utilizes artificial intelligence (AI) and machine learning (ML) to help protect against known and unknown threats and eliminates reliance on external factors for protection. This faster, “machine-speed” detection and response provides continuous protection, even when offline. And, in the event of an attack, the SentinelOne agent can perform 1-click remediation and rollback with no custom scripting or re-imaging required.

Deep integration with AT&T's USM platform and Alien Labs OTX

AT&T Cybersecurity and SentinelOne bring one of the most unique combinations in the market via the deep integrations between the SentinelOne platform and the AT&T USM platform. This deep integration allows for orchestrated and automated incident response on the endpoints. Additionally, deep integrations were built between the world's largest open threat intelligence community, AT&T Alien Labs Open Threat Exchange (OTX), and the SentinelOne agent. The AT&T Alien Labs OTX encompasses over 145,000 security professionals submitting over 20 million threat indicators per day.
Additional context is provided from the USM sensor network, with an additional 20 million threat observations per day, and from AT&T's Chief Security Office, which analyzes over 446 PB of traffic from 200 countries and territories. By correlating the incidents of compromise from AT&T Alien Labs OTX, AT&T is able to deliver added context that allows for faster responses. These same AT&T Alien Labs detections and threat intelligence also inform threat hunting on SentinelOne's EDR data to help yield richer insights and easier detection of evasive threats.

Expert management

As one of the world's top MSSPs, AT&T Cybersecurity employs highly experienced and industry certified individuals for the Managed Endpoint Security with SentinelOne offering. AT&T brings over 25 years of experience in delivering managed security services and knows what it takes to keep pace with the dynamic threat landscape. To stay ahead, AT&T's security analysts maintain security certifications including GSE, CISSP, CEH, and more. For the Managed Endpoint Security with SentinelOne offering, AT&T

Source: AlienVault Blog, 2021-04-19T20:38:00+00:00, https://feeds.feedblitz.com/~/649544360/0/alienvault-blogs~Introducing-ATampT%e2%80%99s-Managed-Endpoint-Security-with-SentinelOne (www.secnews.physaphae.fr/article.php?IdArticle=2668051)

Digital transformation moves application security to the top of mind list!

Todd Waskelis as we discussed cybersecurity and application security in focus.

How has COVID changed the game for application security? Shift Left, Shift Right, and Shift everywhere?

2020 had several significant events around application security, including the move of applications to the cloud, the expansion of remote workers using cloud-accessed applications, and an increase in the number of vulnerabilities reported in code.
I think if we look at the basic lifecycle of Design, Develop, Test, and Deployment/Maintenance, we tend to focus today on the latter two stages: Test and Maintenance. Traditionally we address those with one-time preproduction testing, which, when issues are discovered, pushes the cycle backward to development. But once deployed, those identified vulnerabilities become more difficult to address and require either investment in additional infrastructure to ensure controls or, more commonly, prolonged exposure of that vulnerability due to limited resources (time, money, people) to address the issue.

Shifting left leads with the idea of ensuring security is at the table during the design discussions, not only from a technology perspective but also from a regulatory/legislative view, knowing what controls will need to be cared for, commensurate with the data being processed, stored, and transacted. It also drives awareness to the developers early that security is a critical component and highlights their responsibilities in that commitment.

o Secondly, and just as critical, is integrating frequent and (when possible) automated security testing into the development stage. This reduces the number of vulnerabilities when we move to test, thereby increasing deployment speed and reducing the time to market.

o A large portion of the vulnerabilities we see are specific to custom code or to highly intricate custom configurations. In this way, almost every vulnerability detected in an application can be considered a zero-day vulnerability.

o With these recent types of trends, we expect an increased focus on application security during development; that shift left will become more important in the coming year.

o One example is cross-site scripting. It is a purely technical class of vulnerabilities that stems from improper coding of web pages, and plays a major part in large cybercrime campaigns, such as the Magecart web skimming campaign.
Other vulnerability types do not stem from a technical problem but, rather, from a failure to recognize and enforce business logic, which is where we need to rely on involvement in the design phase.

How does the importance of secure code in application security tie into digital trust, risk, and resilience?

o Secure code is more critical today than ever before, and that is driven by a number of things: the remote workforce, cloud-native applications, the explosion of mobile devices, emerging technologies like 5G, and really the fact that everything is becoming a connected endpoint.

o This focus on application security is nothing new; however, the threats have grown, the risks have greatly changed, and the attack surface is much larger now. It is not within the four walls of your enterprise.

o The customer experience is moving more and more to purely digital out of convenience, and eventually that will shift to be the consumer's expectation. If you fail just once and that digital trust between you and your client breaks down, you risk significant loss of business, brand loyalty, and market share.

o To put this into perspective, let's simplify with a banking example. Someone walks into a branch office of Bank of Todd and robs the

Source: AlienVault Blog, 2021-04-19T10:00:00+00:00, https://feeds.feedblitz.com/~/649495876/0/alienvault-blogs~Digital-transformation-moves-application-security-to-the-top-of-mind-list (www.secnews.physaphae.fr/article.php?IdArticle=2665241)

Considerations for performing IoMT Risk Assessments

Source: AlienVault Blog, 2021-04-16T10:00:00+00:00, https://feeds.feedblitz.com/~/649234968/0/alienvault-blogs~Considerations-for-performing-IoMT-Risk-Assessments (www.secnews.physaphae.fr/article.php?IdArticle=2651838)

Phishing towards failed trust

phishing tests, but also by real scams.
As social engineers, it is easy to play on people's vulnerabilities: their fears, hopes, and dreams. Fears, such as those used in scams against the elderly; hopes, such as those used against the optimistically trusting; and dreams, such as those used against the wistfully romantic. However, as with any security practice, we have to temper our thrill of victory, that is, the adrenaline rush of the “gotcha” moment when a person falls for our brilliantly crafted phishing test, with the reality of our true purpose, which is to educate and build trust. With that in mind, we must ask ourselves: when have we gone too far?

For example, according to a report that was published at the height of the pandemic, Covid-related scams rose to an all-time high. The cybercriminals have been hard at work, trying to capitalize on our fears, our desire to seek information, and, more recently, our desire to become vaccinated. Has your organization used the pandemic in any recent phishing exercises? How effective were they? Was the “hit” rate high? More importantly, did the people who failed the test thank you for showing them the error of their ways? I doubt it.

I am not stating this merely to make enemies in the security community. As a 20+ year veteran in the industry, I too understand the struggles and the frustrations of building a security culture in an organization. However, let's look to the legal profession for a moment to try to understand why Covid-based phishing exercises are simply wrong.

The problem at hand is one of our freedom to act recklessly. If we look to the landmark U.S. Supreme Court case of Schenck v. United States, we are met with the famous quote about how freedom of speech does not give one the right to “yell ‘Fire!’ in a crowded theater”. In a later case, Rochin v. California, the phrase “shocks the conscience” became part of legal doctrine. An action is understood to "shock the conscience" if it is "grossly unjust to the observer."
Contrary to helping an already stressed staff, does a Covid-based phishing exercise succeed in anything other than violating the senses, as well as bordering on a cavalier abuse of our “expertise”? There are so many ways to educate

Source: AlienVault Blog, 2021-04-14T10:00:00+00:00, https://feeds.feedblitz.com/~/649112012/0/alienvault-blogs~Phishing-towards-failed-trust (www.secnews.physaphae.fr/article.php?IdArticle=2636844)

Advanced mobile protection through the AlienApp for MobileIron

This collaboration between USM Anywhere and MobileIron provides near real-time threat detection and response, asset discovery, auditing, reporting, User Behavior Analytics (UBA) enrichment, and more. The Advanced AlienApp for MobileIron Threat Defense enables security teams to view threats through the power of MobileIron Threat Defense, and to mitigate those threats in the same place using MobileIron Cloud's Unified Endpoint Management solution. USM Anywhere with the Advanced AlienApp for MobileIron Threat Defense also enables security teams to orchestrate actions that help streamline incident responses and provide even deeper visibility into the assets on the company's network.

MobileIron AlienApp

MobileIron Threat Defense

Mobile devices are now the number one source of personal data consumption, and this pattern has extended to the workplace, especially in light of the COVID-19 pandemic. The ability to access all company data from mobile devices virtually anywhere and anytime is a double-edged sword. That is because cybercriminals are increasingly targeting mobile devices as the means to infiltrate an organization's most valuable assets. MobileIron Threat Defense helps to detect and mitigate attacks on Android and iOS mobile devices.
And all this happens in one place: at the endpoint level, providing protection against attacks on applications, the network, and the device, as well as social engineering attempts such as phishing.

MobileIron Threat Defense provides detection for mobile devices even if they are offline.

Built-in protection means users don't have to take any action.

Remediation happens automatically, helping to protect against malicious applications on subscribed devices.

MobileIron Threat Defense has the power to defend against known and unknown threats.

MobileIron Threat Defense can be added as an option to MobileIron Cloud's Unified Endpoint Management solution.

MobileIron Blue is a unique bundle of the MobileIron Cloud ____ bundle plus MobileIron Threat Defense.

How USM Anywhere, AT&T Alien Labs & MobileIron Threat Defense take threat detection and response to the next level

The true icing on the cake is the collaboration among USM Anywhere, AT&T Alien Labs, and MobileIron Threat Defense. USM Anywhere acts as a single pane of glass that displays all the threats detected by MobileIron Threat Defense, so customers can have full visibility over all their mobile a

Source: AlienVault Blog, 2021-04-13T10:00:00+00:00, https://feeds.feedblitz.com/~/649035858/0/alienvault-blogs~Advanced-mobile-protection-through-the-AlienApp-for-MobileIron (www.secnews.physaphae.fr/article.php?IdArticle=2629839)

What is a cybersecurity strategy and how can your business develop one?

study, which surveyed 577 U.S.
IT and IT security practitioners, provides the numbers to underscore the struggle toward proactivity:

69% of respondents admitted their company's approach to security is reactive and incident driven

56% of respondents expressed concern that their IT security infrastructure contained coverage gaps, allowing attackers to get around network defenses

40% of respondents do not track or measure the company's IT security posture

A proactive cybersecurity approach not only puts you ahead of attackers but can help you maintain and even exceed regulatory requirements. Proactive strategies offer the structure and guidance that help you stay prepared and avoid confusion that may arise. With uncertainty and confusion minimized, measures for incident prevention, detection an

Source: AlienVault Blog, 2021-04-09T17:51:00+00:00, https://feeds.feedblitz.com/~/648788162/0/alienvault-blogs~What-is-a-cybersecurity-strategy-and-how-can-your-business-develop-one (www.secnews.physaphae.fr/article.php?IdArticle=2613690)

The difference between SASE and Zero Trust

Customers often ask me: What is the difference between Zero Trust and SASE? My answer is almost always the same: Nothing….and, everything. Both have taken the industry by storm over the last couple of years, and even more so with the security and access demands on the business driven by the existing remote workforce, but both have different implementation approaches. It is important to understand, however, that one does not fully provide the other; in fact, they reinforce each other. As you read through Gartner's research that introduced SASE to the network and cybersecurity world, you will note that there are a number of similarities that can lead you to believe that implementing SASE can also implement Zero Trust. While that may be the case in part, it is not a complete approach.
And just as there is not one product that will get you to Zero Trust, there is also not one product that fully meets Gartner's vision for SASE.

Zero Trust Network Access (ZTNA)

One key area of similarity is in ZTNA. ZTNA focuses on providing whitelisting capability for access to services. This is undoubtedly why it is considered one of the core components of SASE. Zero Trust is based on a set of principles, or tenets. One of these tenets is that all network flows are authenticated before being processed, and that access is determined by dynamic policy. Another tenet requires authentication and encryption applied to all communications independent of location, and that security must be performed at the application layer closest to the asset. These alone are foundational to ZTNA. ZTNA secures access to services at the application layer (layer 7), rather than to a complete network, like traditional remote access VPN implementations. Therefore, it provides the means to grant only authorized and authenticated users access to approved applications.

Monitoring for risk and trust levels

Gartner lists the core components of SASE as SD-WAN, secure web gateway (SWG), ZTNA, firewall-as-a-service, and cloud application security broker (CASB). One thing that often does get overlooked in their whitepaper is that a SASE solution needs to have the ability to identify sensitive data, and the ability to encrypt and decrypt content with continuous monitoring for risk and trust levels. Zero Trust eliminates trust from all network communications and seeks to gain confidence that the communications are legitimate. This level of confidence is applied using trust levels (ironically) and scoring techniques. Therefore, the implementation of a trust/risk engine that applies contextual scoring capabilities is crucial in a Zero Trust Authorization Core, and SASE provides a means to accomplish this through core component technology.
Dynamic secure access

As stated earlier, a tenet of Zero Trust is that access is determined by dynamic policy. Another tenet of Zero Trust is that technology is utilized for automation in support of user/asset access and other policy decisions. This monitoring of user and device behaviors along with automation that drives p

Source: AlienVault Blog, 2021-04-09T10:00:00+00:00, https://feeds.feedblitz.com/~/648754054/0/alienvault-blogs~The-difference-between-SASE-and-Zero-Trust (www.secnews.physaphae.fr/article.php?IdArticle=2610521)

Do customers really care about SASE? Absolutely, and here's why

Software-Defined Wide-Area Network (SD-WAN), firewall-as-a-service, Secure Web Gateway, Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). Gartner has coined the term Secure Access Service Edge (SASE). Other firms have given their own labels: IDC (Software-Defined Secure Access), ESG (Elastic Cloud Gateway), and Forrester (Zero Trust Edge). Whatever the name, SASE in one form or another is being considered by customers across industries.

Buzz aside, the question remains: “Are customers actually adopting SASE? And if so, why?” The answer is yes, and we at AT&T can provide some insight. In March, we launched AT&T SASE with Fortinet, expanding our managed security services portfolio by unifying SD-WAN with some of the essential security functions listed in the SASE framework. And because SASE can be quite complex, we offer support for deployment and 24x7 management. This official launch of AT&T's first SASE offering, though new in terms of branding, has evolved from the work we have been doing for several years with customers who have been moving to SD-WAN and want security to be part of that conversation, a trend accelerated by COVID.
These customers tend to be national or multi-national organizations, and if they were not on the path to network transformation already, the sudden need to solve for an expanded remote workforce and an increasing number of remote sites, branches, or pop-up locations pushed them along

Source: AlienVault Blog, 2021-04-07T10:00:00+00:00, https://feeds.feedblitz.com/~/648596356/0/alienvault-blogs~Do-customers-really-care-about-SASE-Absolutely-and-here%e2%80%99s-why (www.secnews.physaphae.fr/article.php?IdArticle=2598421)

Use AI to fight AI-powered cyber-attacks

According to many IT professionals, security is the main reason for AI adoption in corporations. Not only does artificial intelligence increase overall cybersecurity, but it also automates identification and mitigation operations. According to the Capgemini Research Institute, 69% of corporations agree that AI is vital for security because of the growing number of attacks that traditional methods cannot prevent. According to the findings, 56% of companies say that security experts are overstressed, and 23% say they are unable to prevent all attacks. According to a TD Ameritrade study, registered investment advisors (RIAs) are more ready to spend on emerging artificial intelligence security projects. With these funding possibilities, the AI cybersecurity industry will grow at a 23.3% CAGR from $8 billion in 2019 to $38 billion in 2026.

Organizations use security information and event management (SIEM) for threat detection to capture a large amount of data from across the organization. It is impractical for a user to go through such information to identify possible vulnerabilities. Moreover, artificial intelligence helps search for anomalies throughout technology and user tasks. AI-based methods efficiently scan across the system and compare different information sources to detect vulnerabilities.
Anomaly detection is a domain where AI is helpful in a company's security defense. It also finds various functionalities to prevent attacks by looking at past incidents (machine learning).

Applications of AI in security

AI in antivirus services

Antivirus software with artificial intelligence detects network oddities of processes that behave suspiciously. AI antivirus detects and protects network assets from exploitation when malicious software is launched in a network.

Modeling user behavior

AI simulates and assesses the behavior of network users. The aim of evaluating how users engage with the system is to spot takeover attempts. AI also observes the users' actions and identifies odd behavior as anomalies. When a new user logs in, AI-powered machine

Source: AlienVault Blog, 2021-04-06T10:00:00+00:00, https://feeds.feedblitz.com/~/648520194/0/alienvault-blogs~Use-AI-to-fight-AIpowered-cyberattacks (www.secnews.physaphae.fr/article.php?IdArticle=2592235)

5 steps to respond to a data breach

variety of responses to choose from, some effective and some not. Hopefully, you are the rare breed who plans in advance how to respond. Even better if this planning includes how to prevent them. But to execute a logical, effective response, keep reading. In this guide, I will take you through a methodical process of handling a data breach and how to stop it from happening again. Let's get to it.

1. Stop the breach

At the risk of resembling Captain Obvious, before anything else you need to stop the data leak. But to do that you have to recognize that a data breach exists. For some organizations the problem with data breaches isn't responding to them; it's knowing they are happening at all. Research indicates that breach detection can take half a year or longer on average. That should be a mind-boggling statistic and a testament to the general widespread lack of effective cybersecurity.
By the time the problem is spotted, potentially private data has been leaking into the wrong hands for a long time. So... contain it quickly. Isolate the systems that have been compromised and immediately take them offline. Late though it might be, it is critical to stop the problem from spreading to other parts of your network. Shut down any user accounts that you believe have been used to steal data; it is better to be safe than sorry. You can restore them later.

2. Assess the damage

Next, get ready to undertake some forensics. These should be focused not just on tracing how your data was accessed, but on the likely impact of it being released to the general public, in the unfortunate event that happens. While determining whether it is a data breach, leak, or compromise, you should also ask yourself (and your team) a number of questions:

What was the attack vector?

Was the attack based on social-engineering tactics or through user accounts?

How sensitive is the breached data?

What is the type of data affected?

Does the data contain high-risk information?

Was the data encrypted and can it be restored (did the company back up its data)?

It is crucial that you perform this analysis before going on to the next step. Otherwise, your response to the breach could look uninformed and casual to an outsider. Get the facts straight, in other words, before customers start asking awkward questions.

3. Notify those affected

Then it is time to come clean. Inform everyone who is likely to be affected by the breach at the earliest possible opportunity. While it is not a terrible idea to make sure your systems are safe before breaking the news, that does not give you a license to wait months “just in case.” It is tempting to play down the breach. Maybe omit some damaging details in hopes of preserving your brand integrity. Unthink those thoughts! If you are not totally honest and it is discovered later, which it almost certainly will be, brand damage could be much, much worse.
There is also the possibility of legal action. Any nasty, negative online comments the breach gen

Source: AlienVault Blog, 2021-04-02T10:00:00+00:00, https://feeds.feedblitz.com/~/648187946/0/alienvault-blogs~steps-to-respond-to-a-data-breach (www.secnews.physaphae.fr/article.php?IdArticle=2575099)

Endpoint Security: Helping to realize the benefits of SASE

Source: AlienVault Blog, 2021-04-01T10:00:00+00:00, https://feeds.feedblitz.com/~/648111136/0/alienvault-blogs~Endpoint-Security-Helping-to-realize-the-benefits-of-SASE (www.secnews.physaphae.fr/article.php?IdArticle=2570332)

What educational institutions need to do to protect themselves from cyber threats

when it comes to cyber defense. To make matters worse, there are laws and regulations in place that require schools to abide by certain standards. Failure to comply with these regulations can result in loss of government funding or hefty fines. In this article, we will talk about the most common cyber attacks facing educational institutions today and top tips on how to prevent them.

Cyber crime is on the rise

As our society increasingly embraces a digital world, partially out of necessity due to the coronavirus pandemic, opportunities for cyber criminals grow more plentiful. In March 2020, the month that marked the onset of the confusion, fear and subsequent lockdowns caused by the global health crisis, organizations experienced a 148% increase in ransomware attacks. When possible, educational institutions should make efforts to allocate or obtain funding for experts that can assist in the area of cyber security. It is not difficult to find statistics like the one mentioned above that indicate a great need for heightened vigilance towards cyber criminals.
Ideally, a cloud-based help desk program can be vital to the cyber security of your organization, enabling staff or students to send alerts if they have reason to believe they have been hacked. A cyber security team that offers security measures such as daily backups and regular security patches can go a long way towards protecting your institution. As the saying goes, an ounce of prevention is worth a pound of cure.

Top methods of attack used by cyber criminals against educational institutions

According to Red Canary's “Threat Detection Report,” the top three methods of attack facing educational institutions are process injection, Windows admin shares, and scheduled tasks.

Windows admin shares

Most of us are familiar with the “administrative access” request from Windows, which is sometimes prompted when we need to install new programs or otherwise make changes to our settings. If a hacker can find a way to guess or steal an administrative user's password, or access this through brute force, the entire system becomes compromised.

Scheduled tasks

Windows Task Scheduler allows users to arrange for a program or script to be run at a specific time or under certain circumstances. For example, some users might schedule an antivirus program to run a scan on their computer late in the evening when the user is less likely to be on the computer. Alternatively, a user can schedule that a certai

Source: AlienVault Blog, 2021-03-30T10:00:00+00:00, https://feeds.feedblitz.com/~/647955032/0/alienvault-blogs~What-educational-institutions-need-to-do-to-protect-themselves-from-cyber-threats (www.secnews.physaphae.fr/article.php?IdArticle=2560465)

Adaptive cybersecurity: 3 strategies that are needed in an evolving security landscape

adapt and grow to stay secure while remaining competitive.
Executives must initiate thorough evaluations of their existing cybersecurity strategies to figure out which types of new technologies and risk management strategies they need the most. Apart from remaining competitive with other businesses that are also improving their cybersecurity posture, it is vital for businesses both large and small to implement more adaptive cybersecurity to combat the ever-looming threat of data breaches and attacks from cybercriminals. To that end, let's take a look at the top three most important strategies that enterprise executives need to adopt to keep up with an evolving security landscape and a high prevalence of threats to data security:

Regular surveillance of the application security layer

Organizations have good reason to be concerned about cybercrime such as phishing emails and ransomware attacks, which witnessed a 37% increase last year and resulted in total average business costs of nearly $4.5 million. Adaptive cybersecurity and the strategies that come with it are the best hope business executives have to stave off increasingly sophisticated cybercrimes such as ransomware.

Any business with an established digital presence or eCommerce store knows that their customers need 24/7 access to their web applications and software. There is no question, then, that application security is an important part of a larger adaptive cybersecurity strategy. Consider that approximately 84% of software breaches exploit application-layer security vulnerabilities, and you will begin to understand why executives need to adopt application security testing tools to keep their customers' data, as well as their own organizational data assets, secure from threats. To secure and protect data at the application layer, executives require a single platform that they and their IT department can use to regularly assess the security risks that face their applications.
According to the cybersecurity analysts at Cloud Defense, you can use a unified platform to secure custom code, open source libraries, SDKs (software development kits), and APIs (application programming interfaces) to catch security bugs early and often before they impact users or systems. Platforms such as these make it easy to enforce security policies and to secure custom code and open source libraries, ultimately achieving preventative security that catches bugs early and often. Mitigating threats at the application layer in the future requires tools and approaches that ensure the layer's security, which in turn requires careful control of user input. Executives can direct their IT departments to lock down session security and user access as well as harden apps against threats such as SQL injections. Ultimately, the future of application-layer security requires that business executives lean on an adage of the past: never fully trust the user.

Blending AI and cybersecurity

The modern lan

Published: 2021-03-29T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/647886812/0/alienvault-blogs~Adaptive-cybersecurity-strategies-that-are-needed-in-an-evolving-security-landscape
Local: www.secnews.physaphae.fr/article.php?IdArticle=2555226
Tags: Ransomware, Threat, Guideline

AlienVault Blog - AlienVault is a major defense player in IOCs
SD-WAN vs. MPLS: how do they compare from a security perspective?

Published: 2021-03-26T05:01:00+00:00
Link: https://feeds.feedblitz.com/~/647626668/0/alienvault-blogs~SDWAN-vs-MPLS-how-do-they-compare-from-a-security-perspective
Local: www.secnews.physaphae.fr/article.php?IdArticle=2536100
Tags: none

AlienVault Blog - AlienVault is a major defense player in IOCs
Cybersecurity strategy…. To Plan or not to plan…That is the question

Zero Trust. Cybersecurity requires a holistic approach, implemented uniformly throughout the enterprise.
A practical cyber / information security strategy, aligned with business objectives, built on an industry-accepted framework, and adjusted to the applicable threat landscape, can help create a predictable and consistent environment and minimize business risk. An effective strategy is instrumental in setting the direction for the cybersecurity program and in decision-making: information security budget allocation, information security initiative prioritization, and objective measurement of the effectiveness of the program. Having a unified strategy enables enterprises to focus their information security efforts to be more inclusive, cohesive, and efficient. Furthermore, an information security strategy developed without regard and alignment to the overall business and IT strategy in the organization will likely lead to inefficiencies and inconsistencies at best, or ineffectiveness, increased operational losses and diminished brand/reputation at worst.

An information security strategy defines the goals, objectives, and methodologies used to address internal and external threats faced by the enterprise. The strategy drives moving from a reactive posture to a proactive approach. As the business objectives change and the threat landscape evolves, so must the cybersecurity strategy. This is not a one-time effort but a continuous process. However, evolving with a solid foundation makes it much easier to adjust the strategy and subsequent cybersecurity posture.

Strategy foundation and planning

Organizations must first adopt a framework of security requirements based upon applicable laws and regulations they must comply with, industry standards, and other drivers, such as customer or business partner requirements. It is crucial to align with the business. What are the business strategies and how can cybersecurity enable them? What inputs must be obtained?
- Business requirements
- IT strategies
- Enterprise risk appetite
- Enterprise risk assessment

What are the key activities to determine the current security posture?

- Gap analysis against the framework
- Determining program maturity and security capabilities
- Benchmarking against industry peers
- Industry state and threat landscape

Once the current state is understood, organizations can determine where they want to go. This should all be grounded in aligning with business and IT strategies and reducing risk. In addition, prioritization takes into account risk management principles, compliance requirements, resources, budget, timelines and dependencies across the organization. Because this is a process and not a one-time effort, measures and a scorecard should be established to show iterative progress in meeting defined targets. The implementation of the strategy is facilitated by a strong communication plan across the enterprise, from key stakeholders to all employees. Communication is about garnering support, providing education, establishing the ‘cybersecurity brand,’ adjusting the culture, a

Published: 2021-03-25T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/647559004/0/alienvault-blogs~Cybersecurity-strategy%e2%80%a6-To-Plan-or-not-to-plan%e2%80%a6That-is-the-question
Local: www.secnews.physaphae.fr/article.php?IdArticle=2531095
Tags: Threat, Guideline

AlienVault Blog - AlienVault is a major defense player in IOCs
Stories from the SOC – Propagating malware

Managed Threat Detection and Response (MTDR) analyst team was notified of malware on the assets of a customer who frequently uses freeware. The primary piece of malware that was detected by Cisco® Secure Endpoint (formerly AMP for Endpoints) did not appear to be particularly malicious, so the investigation was originally reported as a medium severity.
After some time, several alarms were raised due to additional malware that was encountered on multiple assets within the customer’s environment, and it was determined they were likely caused by freeware. After some investigating, a report was created by the analyst containing a list of infected machines, files, and their related malware families. The severity of the investigation was changed to a high severity, and the customer was notified based on their incident response plan (IRP) to begin immediate remediation efforts.

Investigation

Initial Alarm Review

Malware Infection: Cisco Secure Endpoint – Threat detected

The initial alarm was raised due to a piece of malware detected by Cisco® Secure Endpoint that was indicative of a single malware infection. The first detection that emerged appeared to be benign, as it was reported by multiple open source intelligence (OSINT) sites as known-clean files. Due to the detection of this original file, this investigation was set at a medium severity as a precautionary measure.

[Figure: initial alarm screen for propagating malware]

After some time, additional alarms were raised that were indicative of a deeper, more malicious infection. It became clear that additional investigation was necessary. During the investigation, nearly two hundred events of varying malware infections were detected, indicating there was propagating malware.

[Figure: families of propagating malware]
[Figure: graph of propagating malware]

The detected events of malware were filtered for benign hashes using the AT&T Alien Labs Open Threat Exchange (OTX) as well as other OSINT sites. The malicious files were organized into a report with infected files and hashes, as well as a list of the fifty suspected infected assets. After the report was organized and the additional alarms were posted within the investigation, the severity was increased from medium to high to prompt immediate customer response and quarantine of these threats.
Expanded Investigation

Published: 2021-03-24T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/647490508/0/alienvault-blogs~Stories-from-the-SOC-%e2%80%93-Propagating-malware
Local: www.secnews.physaphae.fr/article.php?IdArticle=2526378
Tags: Malware, Threat

AlienVault Blog - AlienVault is a major defense player in IOCs
Cybersecurity and accessibility for Ecommerce platforms: Is it possible?

reach $25 billion by 2024, a new Juniper report reveals — up from just $17 billion in 2020. Undoubtedly, cybersecurity should be a top priority for ecommerce owners. At the same time, accessibility is another pressing concern, with the need for websites to comply with the World Wide Web Consortium's Web Content Accessibility Guidelines (WCAG 2.0 AA). However, captchas — essential for making online shopping more secure — lack accessibility, while user-friendly input assistance potentially poses a security risk. Fortunately, it’s possible to make your ecommerce site accessible to customers with disabilities without compromising the strong security standards needed in this digital age.

Importance of accessibility

Ultimately, WCAG 2.0 AA compliance means that customers with either hearing or sight impairments, learning disabilities, or physical limitations will be able to visit your store. Your website will be compatible with the special software and assistive technologies these visitors may use to access and navigate it. Moreover, by making your ecommerce store accessible, you’ll inevitably reach a wider audience and increase conversions. The secure and streamlined checkout process — an important part of website accessibility — will give customers a faster and more appealing shopping experience. Again, this further boosts conversions, and customers will be more likely to want to repeat such a smooth and stress-free purchase. Best practices for site optimization and accessibility also go hand in hand.
For example, images with descriptive text, site maps, breadcrumb links, alt text, and readability will all boost your site’s organic SEO equity. Ecommerce SEO will give you a competitive edge and place your site higher up in the search results.

Alternatives to captcha

Although captchas are important for strengthening website security, they’re typically inaccessible to people with disabilities who are unable to clearly see and hear words, letters and numbers. Fortunately, alternative options can bolster security while maintaining accessibility. For example, if you use the captcha to verify that it’s a human visiting your site (and not a robot), try text and/or audio versions that clearly communicate the details of the captcha. So, this could mean including text that reads “type the word in the image” and an audio clip that announces “type the letters spoken in the audio.” Additionally, you can use other accessible alternatives, including human test questions, server-side spam filters, honeypot traps, and heuristic filters. Incorporating a combination of effective and reliable security options will ensure your ecommerce site remains accessible to people with disabilities without increasing the risk of security breaches.

The issue of input assistance

Input assistance is an essential feature that can help make your ecommerce site more accessible; it essentially works to help correct a customers'

Published: 2021-03-23T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/647417590/0/alienvault-blogs~Cybersecurity-and-accessibility-for-Ecommerce-platforms-Is-it-possible
Local: www.secnews.physaphae.fr/article.php?IdArticle=2521155
Tags: Spam

AlienVault Blog - AlienVault is a major defense player in IOCs
Texas power failures highlight dangers of grid attacks

more than 4 million people in Texas without power. These outages lasted days, leading to substantial property damage and even death, and they paint a grim picture for the future.
Should a cyberattack successfully infiltrate U.S. power grids, the results could be deadly. The Texas power failures did not result from a cyberattack, but they highlight how destructive grid outages can be. As the threat of terroristic cybercrime rises and electrical networks become increasingly crucial, these potential emergencies demand the nation’s attention. Without improved cybersecurity infrastructure, the country’s power grids represent glaring vulnerabilities.

Grid integrity is more crucial than ever

Digital technologies play a critical role in virtually all aspects of life today, making grid integrity essential. With so much relying on the cloud, data center power losses could render much of an organization’s operations useless. While places like hospitals and factories often have standby generators, not every building has reliable backups. Several people died during the Texas outages trying to stay warm when the power went out, and it could’ve been worse. Officials say the state was minutes away from catastrophic failure that would’ve caused outages lasting for months. When the world relies on electricity to stay alive, power failures can turn fatal.

Grid integrity is also crucial to modern business, with server downtime costing 25% of companies $301,000 or more an hour. That’s an expensive and dangerous problem to mitigate, considering how the government relies on these systems. Severe outages could compromise emergency communications and hinder response times.

Most grids are vulnerable

The Texas grid outages arose because power companies failed to winterize their equipment properly. Environmental protections aren’t the only area in which power grids are vulnerable, though. Much of the nation’s energy infrastructure lacks robust cybersecurity, opening it to cyberattacks. Many power plants now feature automatic controls and remote access, which, while convenient, create vulnerabilities.
Energy companies can use these tools safely, but protecting them is expensive, so many don’t. Cybersecurity typically falls far from the top of power providers’ priorities, yet attacks against energy infrastructure have occurred, even in the U.S. In 2015, a cyberattack left more than 230,000 people in Ukraine without power for several hours. In 2019, the North American Electric Reliability Corp. revealed that firewall exploits caused widespread communication outages. As cybercrime rates rise around the globe, power grid cybersecurity is a must.

Protecting against grid attacks

This problem is a pressing one, but there’s a solution. While the government has taken steps to protect grids from cybercrime,

Published: 2021-03-22T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/647345488/0/alienvault-blogs~Texas-power-failures-highlight-dangers-of-grid-attacks
Local: www.secnews.physaphae.fr/article.php?IdArticle=2516549
Tags: Threat, Guideline

AlienVault Blog - AlienVault is a major defense player in IOCs
What is a security operations center (SOC)? Explaining the SOC framework

- The average cost of a data breach is approximately $3.92M
- On average, it takes 280 days to identify and contain a breach

If your company doesn’t have a security operations center (SOC), it may be time to change that. In fact, a recent study indicates 86% of organizations rate the SOC as anywhere from important to essential to an organization's cybersecurity strategy.

What is a SOC?

The security operations center (SOC) identifies, investigates, prioritizes, and resolves issues that could affect the security of an organization’s critical infrastructure and data. A well-developed and well-run SOC performs real-time threat detection and incident response, allowing SOC analysts to rapidly deliver security intelligence to stakeholders and senior management.
The SOC framework was introduced by The Open Web Application Security Project (OWASP), a nonprofit foundation established to improve software security, as a means for responding to cybersecurity incidents. The framework includes technical controls (Security Information and Event Management (SIEM) systems), organizational controls (processes), and also includes a human component (detection and response). Perhaps the most crucial function for a SOC involves a detailed and ongoing attack analysis. This means gathering and reporting on attack data that provides answers to these questions:

- When did the attack start?
- Who is behind the attack?
- How is the attack being carried out?
- What resources, systems, or data are at risk of being compromised or have already been compromised?

A proactive and reactive mechanism

Beyond attack analysis, the SOC also provides critical cybersecurity functions that should be a cornerstone for every business today: prevention, detection and response. An effective SOC prioritizes a proactive approach rather than relying on reactive measures. The SOC typically works around the clock to monitor the network for abnormal or malicious activity, which might stop attacks before they happen. How does this work? SOC analysts are well-equipped to prevent threats because they have access to comprehensive network data and possess up-to-date intel on global threat intelligence stats and data covering the latest hacker tools, trends, and methodologies.

When it comes to response, think of the SOC as a first responder, carrying out the critical actions that “stop the bleeding” from an attack. When the incident is over, the SOC will also assist or lead restoration and recovery processes.

What are the goals of a well-functioning SOC?
A well-functioning SOC provides a multitude of benefits, but in order to get the most out of your security operations center, you’ll need to ensure you have experienced personnel to make u

Published: 2021-03-18T11:01:00+00:00
Link: https://feeds.feedblitz.com/~/647021824/0/alienvault-blogs~What-is-a-security-operations-center-SOC-Explaining-the-SOC-framework
Local: www.secnews.physaphae.fr/article.php?IdArticle=2499469
Tags: Data Breach, Threat, Guideline

AlienVault Blog - AlienVault is a major defense player in IOCs
Enterprise-Grade Mobility takes another step forward with new mobile security offers

Enterprise-grade mobility offers additional business options, features, and services, helping companies perform functions beyond just enabling employees to work remotely. The right mobility solutions can significantly help increase productivity, reduce inefficiencies, improve Quality of Service (QoS), and manage compliance requirements — while enabling the same security protections on mobile devices as organizations have on laptops and desktops to help protect critical business information. With today’s highly sophisticated attacks, traditional security elements designed to protect the network infrastructure are not enough to fully protect this critical business information on mobile endpoints. AT&T understands the unique needs of mobile devices to both operate at their highest performance and be properly secured from these emerging threats. Because of this, AT&T is taking another step forward to provide our business customers with Enterprise-Grade mobile security, designed for businesses of any size.

AT&T wants to make mobile security an easy choice

Now, customers with AT&T Business Mobile Select - Pooled plans can add Lookout Mobile Endpoint Security (MES) Comprehensive for a greatly reduced price per device license per month! Businesses no longer need to make the choice between great security and great savings.
This Lookout MES Comprehensive plan provides customers with industry-leading mobile security at a deeply discounted price. Additionally, AT&T is bringing the Lookout MES Threats offer to customers at a price that helps make mobile security an easy decision for businesses. Both offers include Lookout’s installation and 24X7 support so customers can get up and running with ease. To learn more about these new offers, visit us at https://cybersecurity.att.com/products/lookout.

Enterprise-Grade mobile security

Truly, businesses of all sizes need to understand the importance of mobile security and how to best protect their mobile devices. And, in the ever-evolving threat landscape, businesses should not rely solely on the end-user to self-remediate threats. Rather, implement solutions that can enforce automated remediation through integration with a Mobile Device Management (MDM) solution or Unified Endpoint Management (UEM) tool while also providing real-time alerts to the end user, who can immediately take action. Furthermore, mobile security should also provide the ability to create custom policies and integrate into the business’s holistic ecosystem.

With AT&T, customers can get the right mobility solutions and mobile security solutions for their business. Reach out to us today to learn more about how AT&T can help with both your Enterprise-Grade mobility and Enterprise-Grade security solutions.

Published: 2021-03-18T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/647018160/0/alienvault-blogs~EnterpriseGrade-Mobility-takes-another-step-forward-with-new-mobile-security-offers
Local: www.secnews.physaphae.fr/article.php?IdArticle=2499470
Tags: Tool, Threat, Guideline

AlienVault Blog - AlienVault is a major defense player in IOCs
What is managed detection and response?
Published: 2021-03-18T05:01:00+00:00
Link: https://feeds.feedblitz.com/~/647001252/0/alienvault-blogs~What-is-managed-detection-and-response
Local: www.secnews.physaphae.fr/article.php?IdArticle=2498604
Tags: Tool, Vulnerability, Threat

AlienVault Blog - AlienVault is a major defense player in IOCs
Security checklist for using cryptocurrency in online casino transactions

crypto gambling guide and jumping in to play. Despite the dangers, there are certain ways to ensure safety. It would be best if you had a security checklist to ensure your transactions' privacy and correctness. Let’s take a look at some primary points you should consider to stay safe.

Use a secure internet connection and VPN

Before you make any crypto transaction, ensure your internet is stable and secure. Avoid public Wi-Fi. It potentially exposes you to hackers with malicious intent. Through vulnerabilities in the software, a middleman can get in between the connection of the public network and your device. This grants them access to your private information. They may also slip you malware. These are just some of the numerous dangers posed by public Wi-Fi. To stay safe, ensure you use a VPN whenever you go online. A VPN service alters your location and IP address. This helps you remain invisible to malicious people, and your browsing activity remains confidential.

Set strong passwords

It is no secret that most people use easy-to-guess passwords like their dates of birth. This puts them at risk of hacking as anyone can figure out such passwords and easily access their devices. Thus, create strong passwords using a mix of symbols, small and capital letters, punctuation marks, and digits. Ensure you use lengthy passwords as it reduces predictability. You should also use different passwords for different devices. Also, change your passwords regularly.

Use 2-step verification

Through this system, you add another layer of protection to your crypto accounts.
Most crypto-friendly platforms support this type of authentication. To log in, you receive a code through your mobile phone or your e-mail address and enter it into the relevant field. As a strategy for preventing hackers from guessing your password, the code changes every thirty seconds. Thus, they may come up with your password successfully, but they cannot access your account if they do not have access to your phone or e-mail. If you are a crypto gambler, set this feature up for both your e-wallet and account.

Pick safe online casinos only

The demand for crypto services is considerably high. Thus, to feed this market, numerous companies offer crypto gambling services. Before choosing a company, carry out a proper background check. Analyze whether the site is run by a reputable company, which has exemplary records and is financially stable. Ensure their customer service is excellent and support for customers is continuously available. Also, check their systems to ensure they are fair, which gives you an equal chance of winning. To gather credible information, make use of crypto gambling review sites.

Sign up for genuine bitcoin services

With bitcoin being arguably the most popular cryptocurrency, we’ll focus on it from here on out. There are complementary bitcoin services that you need to

Published: 2021-03-17T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/646907712/0/alienvault-blogs~Security-checklist-for-using-cryptocurrency-in-online-casino-transactions
Local: www.secnews.physaphae.fr/article.php?IdArticle=2494648
Tags: none

AlienVault Blog - AlienVault is a major defense player in IOCs
AT&T Cybersecurity announces 2021 'Partners of the Year Awards' Winners

AT&T Cybersecurity Partner Program. It is an honor to work with such a resilient and hardworking partner community, who throughout one of the most turbulent years in our lifetime, have continued to perform at an exceptional level.
I’m delighted to share our full list of winners for the 2021 Partner of the Year Awards, along with their comments below:

Global Awards

Global Partner of the Year: Softcat

We are absolutely delighted to be named AT&T Cybersecurity’s Global Partner of the Year 2021. We are so proud of the collaborative relationship we have developed with the AT&T team over the last 4 years and this award is a testament to that and the significant growth we have delivered with them during what has been a challenging year. It also reflects our ambition to always provide our customers with the best Managed SIEM solution available in the marketplace.
Matthew Helling, Head of Cyber Security Services at Softcat

Growth Partner of the Year: AVCtechnologies

AVC Technologies is truly honored and thrilled to win this award. It is a testament to our hard-working SOC (Security Operations Center) who continue to deliver exceptional service and value around the AT&T USM platform along with our high-flying sales team that has done an excellent job demonstrating the business value to our customers. We look forward to another great year of explosive growth with AT&T!
Faisal Bhutto, President Cloud & Cybersecurity

New Partner of the Year: Spark New Zealand

Spark New Zealand is delighted to be recognised as New Partner of the Year for 2021. Spark is a prominent reseller of USM in New Zealand and also provides 24/7 security support to customers. The combination of AT&T and Spark’s security offering has been attractive within our highly competitive market. Thank you to AT&T who have been so supportive in this relationship. We look forward to delivering more great outcomes for our shared customers.
Josh Bahlman, Chief Information Security Officer

Distributor of the Year: Ingram Micro

Today’s cyber-attacks and the criminals behind them are relentless and growing in sophistication. As an industry we must work together across the varying platforms to build and manage security.
AT&T Cybersecurity continues to answer the call from our channel partners for comprehensive and scalable cybersecurity solutions they can deploy and manage with confidence. As a distribution partner for AT&T Cybersecurity, it is an honor to once again be recognized with this award.
Eric Kohl, vice president, Security and Data Center, Ingram Micro

Regional Awards

These awards recognize partners that had the highest sales bookings in each of the 4 regions during last year.

North American Partner of the Year: Avertium

It is truly an honor

Published: 2021-03-16T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/646804836/0/alienvault-blogs~ATampT-Cybersecurity-announces-%e2%80%98Partners-of-the-Year-Awards%e2%80%99-Winners
Local: www.secnews.physaphae.fr/article.php?IdArticle=2490160
Tags: Guideline

AlienVault Blog - AlienVault is a major defense player in IOCs
Is automated vulnerability scanning the best way to secure smart vehicles?

beat all previous years. The inescapable conclusion is that smart cars are now among the favorite targets of hackers and APT (Advanced Persistent Threat) actors. One of the main reasons for this is the sheer number of different systems that the average connected car contains today. Quite apart from advanced features like autonomous driving and automatic braking, even less expensive cars now offer extensive Bluetooth and WiFi connectivity. As we’ll explore in this article, this makes securing these cars against cyberattack almost impossible for human analysts. Instead, we should think more seriously about turning to automated systems – and soon – in order to make sure that our smart vehicles are as safe as they can be.

Connectivity vs. Security

Connected vehicles pose something of a unique challenge for cybersecurity engineers. This is because the way in which these vehicles are designed and built, as well as how they interact with the real world that you and I inhabit, is quite different from the average mainframe.
In most cases, for instance, the connectivity offered by smart vehicles is designed by automotive product designers, or at very best UI designers, who have little understanding of the way that their desired level of connectivity will affect security. In other words, smart cars are generally keen to connect to any other device that comes within range – whether this be a smartphone, pen drive, set of headphones, or WiFi router – and often do so in a highly insecure manner.

This gives rise to a number of consequences: some obvious, some less so. One is that the long-running debate over vulnerability scanning vs. pen testing has been resolved, at least as it relates to smart vehicles. They are incredibly easy to penetrate, and so scanning for vulnerabilities becomes the only practical way to protect them. Even insurance companies have been forced to become at least somewhat knowledgeable when it comes to pricing out their service. In short, it now costs more to cover tricked-out supercars loaded with the latest in technology. More connected systems means there is greater opportunity for hackers to execute a successful cyber-carjacking.

The supply chain

Unfortunately for the network engineers attempting to protect smart vehicles, it gets worse. Not only are connected cars keen to connect to everything without performing any due diligence, but the sheer number of different manufacturers that contribute to a finished vehicle makes the idea of standardizing security almost impossible. In the trade, this issue is known as the “supply chain problem,” and is a real headache for engineers. In practice, it goes something like this. They could spend time researching which auto manufacturer has the largest market share for connected cars and try to build systems that would isolate, say, the Bluetooth connectivity that turns the car on and off.
But just as they manage to achieve this, their product manager could quite easily swap suppliers for the Bluetooth aerials and render the whole process obsolete. And then, unbelievably, it gets even worse again. Because it’s not jus

Published: 2021-03-15T10:00:00+00:00
Link: https://feeds.feedblitz.com/~/646702590/0/alienvault-blogs~Is-automated-vulnerability-scanning-the-best-way-to-secure-smart-vehicles
Local: www.secnews.physaphae.fr/article.php?IdArticle=2484775
Tags: Hack, Vulnerability, Threat

AlienVault Blog - AlienVault is a major defense player in IOCs
What is network segmentation? NS best practices, requirements explained

Cost of a Data Breach Report, most respondents are concerned that identifying, containing, and paying for a data breach is more burdensome today than ever before. Seventy-one percent feel that remote work will increase the time to identify and contain a breach, while almost the same number believe remote work increases the cost of a breach. The numbers agree: remote work has added $137,000 to the average breach cost. In 2021 and beyond, reactive security measures—typically cumbersome and costly—are no longer sufficient. Instead, proactive strategies that anticipate potential risks or vulnerabilities and prevent them before they even happen are required. One such strategy, network segmentation, is critical for any organization. If you’re not deploying network segmentation, it’s time to get started.

What is network segmentation?

Network segmentation is a process in which your network is divided into multiple zones, with specific security protocols applied to each zone. The main goal of network segmentation is to have a better handle on managing security and compliance. Typically, traffic is segregated between network segments using VLANs (virtual local area networks), with firewalls representing an additional layer of security for application and data protection.
By separating your network into smaller networks, your organization’s devices, servers, and applications are isolated from the rest of the network. Potential attackers that successfully breach your first perimeter of defense cannot get further, as they remain contained within the network segment they accessed.

How does network segmentation compare to micro segmentation?

The concept of micro segmentation was created to reduce an organization’s network attack surface by applying granular security controls at the workload level and limiting east-west communication. While micro segmentation began as a method of moderating lateral traffic between servers within one segment, it has evolved to incorporate traffic across multiple segments. This intra-segment traffic allows communication between both servers and applications, as long as the requesting resource meets the permissions set out for that host/application/server/user. Micro segmentation can also be used at a device level; for example, it can protect IoT, connected manufacturing, or medical devices, many of which ship without endpoint security or are difficult to take offline in order to update it.

The key differences between the two strategies can be boiled down like this:

- Segmentation works with the physical network, its policies are broad, it limits north-south traffic at the network level, and it is typically hardware-based.
- Micro segmentation works with a virtual network, its policies are more granular, it limits east-west traffic at the workload level, and it is typically software-based.

An analogy: if your network is a collection of castles, segmentation is like the huge walls surrounding the buildings, while micro segmentation is like armed guards outside each castle door. When deciding between segmentation and micro segmentation, it shouldn’t be a question of one over the other. Incorporating both models into your security strategy is best: segmentation for north-south traffic and micro segmentation for east-west traffic.
Best practices for segmenting network traffic

However you go about segmenting your network, you’ll want to ensure the seg

(AlienVault Blog, 2021-03-15T05:01:00+00:00, https://feeds.feedblitz.com/~/646680038/0/alienvault-blogs~What-is-network-segmentation-NS-best-practices-requirements-explained; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2484161)

Stories from the SOC – DNS recon + exfiltration

Expanded investigation

Soon after this, brute force activity and remote code execution attempts were reported involving Windows® Management Instrumentation (WMI) exploitation, coming from a compromised service account that shared a naming convention with the scanner’s hostname. This indicated that both the scanner and the service account were compromised and that the attacker was now pivoting, attempting to gain further entry into the network. These remote code execution (RCE) attempts were flagged with behavior associated with a DNS service vulnerability that had known patches available.

Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)
Vulnerability reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-058

After the WMI RCE attempts were flagged, multiple assets with naming conventions that matched domain controllers generated alarms by attempting to contact well-known external DNS servers. This activity was also flagged as suspicious, since these assets were not configured for DNS services and had not previously been associated with DNS activity.

[Screenshot: DNS event details]

This, combined with the firewall events denying external traffic over port 53, indicated that these servers were not authorized to perform DNS services and that this activity was likely a probing attempt to find methods of exfiltration, such as DNS tunneling.
Response

[Screenshot: SOC response to activity]

The customer was alerted to the activity by the analyst and was able to confirm that it was part of a planned red team exercise. While this particular example was an internal effort, the customer commended our efforts at detecting the threat and responding quickly.

(AlienVault Blog, 2021-03-12T11:00:00+00:00, https://feeds.feedblitz.com/~/646391558/0/alienvault-blogs~Stories-from-the-SOC-%e2%80%93-DNS-recon-exfiltration; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2473257)

A plea to small businesses: Improve your security maturity

Wall Street Journal article describing the Hafnium attack. This attack on Microsoft Exchange Servers was shared publicly on March 2nd, with a patch for the issue released on Wednesday, March 3rd. This patch appeared to spark action from the hacker, who ramped up and automated their attack for maximum scale. Other articles went on to say that 30,000 US businesses were compromised. The worst part: it was mostly small to medium sized businesses. Why was this? Because larger businesses, with stronger and more mature security practices, had the defenses in place to keep this bad actor from infiltrating their company, while many small businesses did not.

Cybersecurity is for businesses of any size

Security maturity is not based on the size of the business. Recent research on security maturity and business outcomes found that there is no dependency on company size in relation to having a strong security posture. “The fact that there is no correlation between company size and maturity level indicates to us that doing cybersecurity well is less a function of resources and more a function of thoughtful consideration, planning, and organizational culture.” – Tawnya Lancaster, AT&T Cybersecurity.
Organizations that work to align with industry best practices, such as the NIST CSF, are better equipped to handle zero-day threats as well as to enable their businesses. To improve a business’s security maturity, there are 4 key categories every business should address: cyber strategy and risk, network security, endpoint security, and threat detection and response capabilities.

Evaluate your cyber strategy and risk

Small businesses want to stay focused on running their business, not necessarily on the cybersecurity elements needed to protect it. Employing a trusted advisor to help evaluate where your business is today, and how you plan to adapt and grow to stay competitive, will help your security measures stack up to the needs of your business now and as your business grows and transforms. A trusted advisor can also assist with evaluating compliance and regulatory requirements as part of achieving a successful security program. Through the guidance of experienced consultants, small businesses can improve their resilience against a growing threat landscape.

Networks should be protected end-to-end

Every connected network needs proper security elements in place to help keep that network protected. In today’s modern networks, small businesses can simplify their network security by turning to one vendor that can meet both the connectivity needs and the security elements needed to help protect that connectivity. And, with proper visibility and reporting, businesses can demonstrate not only their efforts to remain compliant with industry regulations but also their commitment to helping protect their customers’ privacy.

Endpoints should be managed and protected

Endpoints are a crucial component of every business and are the doors through which businesses run – both internally and out to their customers.
These endpoints need to be managed, for example by pushing out software patches for these vulnerabilities, but they also need to be highly secured with solutions able to detect these zero-day a

(AlienVault Blog, 2021-03-11T11:00:00+00:00, https://feeds.feedblitz.com/~/646268746/0/alienvault-blogs~A-plea-to-small-businesses-Improve-your-security-maturity; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2467462)

Deepfake cyberthreats – The next evolution

an article about deepfakes and the technology behind them. At the time, the potential criminal applications of this technology were limited. Since then, research published in Crime Science has delved into the topic in depth. The study identified several potential criminal applications for deepfakes. Among these categories, the following were deemed the highest risk:

- Audio/video impersonation
- Tailored phishing
- Blackmail
- Driverless vehicles being used as weapons
- Disrupting AI-based systems
- Fake news created by AI

This list sparked the idea for this article. Considering that ransomware claims a new victim every 14 seconds, we decided to explore the topic of deepfake ransomware. Is that a real thing? You may never have heard the terms together before, but they’ll certainly play a large role in cybercrimes of the future.

How are criminals leveraging this technology?

Technically, they aren’t, but criminals are an innovative bunch. We had a taste of what they can do with deepfakes in 2019. A British CEO received a call from the company head, asking him to transfer $243,000. He did so but later became suspicious when he received a second call for another transfer. This is a modern take on email whaling attacks. In this case, however, the victim verified the caller’s identity because he knew the voice. Experts believe that AI made it possible to spoof the company head’s voice and intonations.
While we may never know whether the CEO was speaking to a bot or not, it shows that criminals can leverage AI-based technology.

How does ransomware come into the equation?

Ransomware essentially holds your computer hostage. But how can the two seemingly deeply divergent technologies work together? To understand that, we might have to broaden our definition of ransomware. To do so effectively, we should consider some real-world examples. Imagine you received a video message from your CEO asking you to complete an online form. You know the CEO’s face and voice and can see them on the screen. The idea that the video is fake doesn’t enter your mind, so you click through to the link. Bam! Your computer is infected with ransomware. It might be a traditional form of this malicious threat or a more modern version. Say, for example, you’ve used your work computer to check your Facebook page or store photos. The malware is now able to sniff out pictures and videos of you. Thanks to facial recognition software, this process is automated and simple to complete. This isn’t just run-of-the-mill software, though. It’s a highly sophisticated program with AI built into it. It can not only detect images but use them to create content. It can also sniff out other personal details online and on your computer. It puts all of these together to create a video of you. The footage makes it look like you did something that would damage your reputation. You’re innocent, but the video seems convincing. If you don’t pay the ransom, it’ll be released. The ransom might be in the form of cash or information about your company or clients. Perhaps you don’t care about your reputation. What about that of your family? The idea of ransomware put to this use is a scary one but plausible.

Automation makes these attacks more frightening

Spearphishing, also known as whaling, requires an intense amount of research.
They

(AlienVault Blog, 2021-03-10T11:00:00+00:00, https://feeds.feedblitz.com/~/646146066/0/alienvault-blogs~Deepfake-cyberthreats-%e2%80%93-The-next-evolution; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2460962)

Tips for minimizing security risks in your microservices

microservices to facilitate their ongoing digital transformations. According to ITProPortal, more than three quarters (77%) of software engineers, systems and technical architects, engineers and decision makers said in a 2020 report that their organizations had adopted microservices. Almost all (92%) of those respondents reported a high level of success. (This could explain why 29% of survey participants were planning to migrate the majority of their systems to microservices in the coming years.) Containers played a big part in some of those surveyed organizations’ success stories. Indeed, 49% of respondents who claimed “complete success” with their organizations’ microservices said that they had deployed at least three quarters of those microservices in containers. Similarly, more than half (62%) of the report’s participants said that their organizations were deploying at least some of their microservices using containers.

The benefits and challenges of microservices

Microservices present numerous opportunities to organizations that adopt them. They are smaller in size, notes Charter Global, which makes it possible to maintain code and add more features in a shorter amount of time. Organizations also have the option of deploying individual microservices independently of one another, thereby feeding a more dynamic release cycle, as well as of scaling these services horizontally. Notwithstanding those benefits, microservices introduce several security challenges. Computer Weekly cited complexity as the main security issue.
Without a uniform way of designing them, admins can design microservices in different environments with different communication channels and programming languages. All of this variety introduces complexity that expands the attack surface. So too does the growing number of microservices. As they scale their microservices to fulfill their evolving business needs, organizations need to think about maintaining the configurations for all of those services. Monitoring is one answer, but they can’t rely on manual processes to obtain this level of visibility. Indeed, manual monitoring leaves too much room for human error, which increases the level of risk that these services pose to organizations.

Kubernetes as an answer

Fortunately, Kubernetes can help organizations to address these challenges associated with their microservices architecture. Admins can specifically use the popular container management platform to maintain their microservices architecture by isolating, protecting and controlling workloads through the use of Network Policies, security contexts enforced by OPA Gatekeeper, and secrets management.

Kubernetes network policies

According to Kubernetes’ documentation, groups of containers called “pods” are non-isolated by default. They accept traffic from any source in a standard deployment. This is dangerous, as attackers could subsequently leverage the compromise of one pod to move laterally to any other pod within the cluster. Admins can isolate these pods by creating a Network Policy.
These components

(AlienVault Blog, 2021-03-04T11:00:00+00:00, https://feeds.feedblitz.com/~/645641730/0/alienvault-blogs~Tips-for-minimizing-security-risks-in-your-microservices; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2432731)

Extended threat detection and response (XDR): Filling out cybersecurity gaps

Business technology generally advances rapidly; however, so do the cyberthreats that can endanger your security. According to BusinessWire, more than half of enterprises believe that their security cannot keep up, and according to IBM News Room, more than half of organizations with cybersecurity incident response plans fail to test them. Because of overloaded security teams, poor visibility, and alert overload caused by the many technologies deployed to fight threats, many of these enterprises find it ever more difficult to detect and effectively respond to cyber threats.

What is XDR?

XDR can be defined as a cross-layered detection and response tool. In other words, it collects and then correlates data over a variety of security layers, such as endpoints, emails, servers, clouds, and networks. What this means is that, rather than focusing on endpoint detection alone, it can enable your security team to detect, investigate, and respond to threats across multiple layers of security, not just the endpoint. This matters because today’s cyber threats are extremely tricky and complex, to the point where they can hide throughout different layers within an organization. A siloed approach, using different technologies, simply cannot provide a contextual view of all of the threats across the environment, and as such it slows down detection, investigation, and response.
XDR allows for improved protection, detection, and response capabilities as well as improved productivity of the operational security personnel, with lower costs associated with owning it.

XDR features

XDR was designed to simplify security visibility across an organization’s entire cyber architecture. In other words, it allows an organization to analyze all of the layers associated with its security, not just the endpoint, through an

(AlienVault Blog, 2021-03-03T11:00:00+00:00, https://feeds.feedblitz.com/~/645545710/0/alienvault-blogs~Extended-threat-detection-and-response-XDR-Filling-out-cybersecurity-gaps; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2427930)

Stories from the SOC – Beaconing Activity

Expanded investigation

Once this beaconing activity was discovered, the team conducted a 30-day review of the customer’s entire environment to look for signs of further intrusion. The original IP address was then analyzed using a variety of OSINT sources to gather related IOCs and other IP addresses that would indicate further intrusion had occurred. This review showed that no other assets had traffic involving the malicious IP address or other IOCs related to the APT, and that no other assets were exhibiting beaconing activity or lateral movement.

[Screenshot: beaconing analyst comments]

Response

The customer complimented the work of the team, citing that due to the quick response and phone calls, they were able to identify and isolate the infected system before any further damage was done. This allowed them to perform a more in-depth investigation without fear of missing other underlying activity that would have been difficult to correlate on their own.
The customer stated that they were very happy with the service and feel much more at ease knowing that the AT&T SOC has eyes on their network 24/7/365. This also led the customer to upgrade their storage tier from 3TB to 6TB so we could monitor more of their environment.

(AlienVault Blog, 2021-03-02T11:00:00+00:00, https://feeds.feedblitz.com/~/645470042/0/alienvault-blogs~Stories-from-the-SOC-%e2%80%93-Beaconing-Activity; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2421791)

5 Cybersecurity concerns surrounding the COVID vaccine

issued a warning about cyberattacks targeting the vaccine supply chain. Threat actors sent a series of spear-phishing emails to organizations involved in COVID vaccine storage and transport. These attacks sought to steal network access credentials and, perhaps more troubling, seemed to be government-sponsored. Security experts noted that these attacks seemed too sophisticated for a random criminal operation. While it’s uncertain what country could be behind the spear-phishing attempts, it’s a troubling prospect. Malicious nation-states may be aiming to incite civil or economic disruption.

2. Cold chain IoT attacks

Spear-phishing isn’t the only threat facing the vaccine supply chain. Given the vaccines’ cold storage requirements, some organizations have turned to IoT tracking devices to ensure their safe and timely delivery. These sensors are a potential life-saver for vaccine distribution, but any endpoint represents a potential vulnerability. Most IoT devices today feature little to no built-in security, leaving them vulnerable to criminals. If someone were to hack into these sensors, it could be disastrous. They could interfere with GPS data, adjust storage temperatures or otherwise jeopardize the vaccines.

3. Vaccine scams

Since the vaccines have such a short shelf life, effective distribution relies on quickly reaching out to patients and scheduling appointments. Many health care organizations have turned to text-based outreach programs to streamline this process. Unfortunately, fraudsters have started mimicking these organizations to take vulnerable users’ money. Authorities have noticed an uptick in vaccine-related scams as the rollout continues. Many of these specifically target older patients, who may be less likely to recognize a hoax.

4. Ransomware attacks

As hospitals and other health care organizations vaccinate more people, they acquire more patient data. This highly sensitive information is a potential goldmine for hackers. Consequently, ransomware attacks targeting these organizations may increase as vaccine distribution continues. Ransomware is already a growing problem. Bitdefender’s Mid-Year Threat Landscape Report found that these attacks increased by more than 715% year-over-year in 2020. With vaccinations generating more valuable medical data, this trend could continue to rise.

5. Misinformation campaigns

In late January, the European Medicines Agency re

(AlienVault Blog, 2021-03-01T11:00:00+00:00, https://feeds.feedblitz.com/~/645396536/0/alienvault-blogs~Cybersecurity-concerns-surrounding-the-COVID-vaccine; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2416209)

Quantifying CyberRisk – Solving the riddle

“Return on Security Investment” or ROSI. Borrowing from the common business term Return on Investment (ROI), where a return on a particular investment (capital investment, personnel, training etc.) could be quantified, the cybersecurity industry attempted to quantify a return on security investment.
Fundamentally, the primary failing of this concept is that it is mathematically impossible (or approaches mathematical impossibility) to quantify an event “not occurring”. In short, if a company has “zero” security events that impact it deleteriously in a given year, was the $5 million security expenditure appropriate? Should it have been less, since there was no security event that caused a loss? If the company experienced an event, was the return on the investment then the difference between the expenditure and the overall losses from the incident? It simply did not work, as it was mathematically flawed. Fast forward to 2021 and companies once again are fixated on quantifying cyber risk and, more importantly, cybersecurity exposure. The question is similar: “Can companies accurately quantify cybersecurity risks today?” This is a complex question, but to attempt an answer it is first important to have a working definition of several terms.

Risk is an artificial construct which can be easily expressed as the function of the likelihood of an adverse event occurring (often provided as a statistical probability) and the impact should the event be realized (in business, and for the purposes of this article, it will be expressed in monetary terms). In short, R = f(P, I).

Probability refers to the extent to which something is probable; the likelihood of something happening. It can be either quantified (in which case it is deterministic) or qualified, in which case it refers to the belief that something will happen (non-deterministic). Frequentist probability models quantify risk, and conditional probability models qualify risk using subjective interpretations. There is an ongoing debate amongst statisticians and probability folks as to which model is more accurate in predicting actions in real life.

Security is a very important concept that can be defined simply as the implementation of controls commensurate with the identified risks.
Understanding the above, we can use a real-world example to understand the failings of attempting to quantify cybersecurity risks using traditional models employing frequentist probability theory. Suppose for a moment that you find natural gas on your property and you decide to build a natural gas well. Being concerned for the environment and the safety of your workers, you want to ensure that the natural gas well is engineered correctly against failure, which could release gases and have deleterious impacts on people and the environment. One primary piece of the well is the “Mark Ie Main Actuation Recumbent Key valve” (Mark-Ie MARK). The manufacturer states that the Mark Ie MARK has a mean failure rate (MFR) of 1 in 2 million actuations causing a catastrophic failure and total destruction of the well. This means that the valve could fail on the first actuation or never fail as long as it is used; however, given a large enough population of valves tested there will be a

(AlienVault Blog, 2021-02-24T11:00:00+00:00, https://feeds.feedblitz.com/~/645036504/0/alienvault-blogs~Quantifying-CyberRisk-Solving-the-riddle; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2392066)

Cybersecurity and online gaming: Don’t be a victim

demand for VIP membership to online casinos is rising. With online gambling in particular, on top of cybersecurity awareness and safe practices, there is the additional need to review and find online casinos with a good reputation and robust online security. Check for scams related to a new site. Anything involving money gets the attention of cyber criminals. The popularity of online games on marketplaces is growing. You can play for free, but many fun features are offered “for fee”. The rest of the article will focus on online gaming, as that’s legal pretty much everywhere.
Risks and threats in online gaming

As you enjoy your gaming session, you need to know the risks involved in order to take precautions and secure your data from unauthorized access. The most common threats to online gamers include the usual lineup:

Computer viruses

Almost all internet users have encountered computer viruses, as they are quite common. It’s pretty basic, but antivirus is basic protection against old, known attacks. Opening unsolicited emails, downloading free software, and sharing devices like flash disks are ways viruses can infiltrate your computer.

Ransomware attacks

Online gamers need to bear in mind that they are subject to infection with ransomware. A tell-tale sign that your computer is under attack from ransomware is when you cannot access your files unless you pay a hefty ransom.

Phishing scams & identity theft

Say you receive an email from an online gaming outfit you’ve played on before with a neat offer. How can you be sure it’s really from them and not a phishing attack? Phishing attacks happen when cybercriminals mimic trustworthy individuals or institutions to obtain private information like passwords. With the stolen information, these criminals can access your credit, use your identity to open bank accounts, make PIN changes, or even sell your identity to con artists.

Spyware

If you’re dealing with a disreputable online gaming operation, especially if the service is free, they might be spying on you and selling your personal information. Spyware does precisely what spies do: studying your every move and action while using the internet, without your permission. Your browsing history quickly finds its way to third parties, which is a serious privacy breach.
Trojan malware

Especially when

(AlienVault Blog, 2021-02-23T11:00:00+00:00, https://feeds.feedblitz.com/~/644972136/0/alienvault-blogs~Cybersecurity-and-online-gaming-Don%e2%80%99t-be-a-victim; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2387257)

What is an incident response plan? Reviewing common IR templates, methodologies

Cost of a Data Breach Report compared organizations boasting robust security Incident Response (IR) capabilities with those that do not. Well-prepared businesses reported lower breach-related costs, by an average of about $2 million USD.

What is an incident response plan?

An Incident Response Plan (IRP) serves as a blueprint, outlining the steps to be followed when responding to a security incident. Think of the IRP as a set of guidelines and processes your security team can follow so threats can be identified, eliminated, and recovered from. It is an essential tool for minimizing damage caused by threats, such as data loss, loss of customer trust, or abuse of resources. With a robust IRP, your company’s team can respond quickly and more efficiently to any type of threat. No matter what type of attack an organization faces, all cyberattacks require incident response. The best scenarios are those in which sufficient preventive measures are in place, including threat detection and intelligence integration tools. For organizations looking to get started with an IRP, there are many templates and frameworks available. Two industry-standard incident response frameworks are the National Institute of Standards and Technology (NIST) framework and the SysAdmin, Audit, Network, and Security (SANS) Institute framework. We’ve compared the SANS and NIST frameworks here. Whichever playbook, template or framework you choose, make sure you have the right team in place and are prepared to dedicate the time and resources to this critical organizational process.
Who should carry out an incident response plan?

While a robust incident response plan is incredibly important, having the right people with the relevant skillsets to execute the plan is equally crucial. To handle a cybersecurity incident effectively, your company should have an incident response team in place. In some organizations it’s called a Computer Security Incident Response Team (CSIRT), and others may refer to it as a Security Incident Response Team (SIRT) or Computer Incident Response Team (CIRT). The team’s mission is to execute the incident response plan as soon as an incident is discovered. The incident response team is divided into several groups, each playing a key role in mitigating an incident's potential damage. The team should be comprised of technical and non-technical people who can work together to identify, manage, eradicate and recover from any threat. They are responsible for collecting, analyzing and taking action based on incident data and information, as well as communicating with other stakeholders in the organization and critical third parties, including press, legal, affected customers and law enforcement. The best-prepared CSIRTs should include the following specialized teams: The Security Operations Center (SOC),

(AlienVault Blog, 2021-02-17T06:01:00+00:00, https://feeds.feedblitz.com/~/644493452/0/alienvault-blogs~What-is-an-incident-response-plan-Reviewing-common-IR-templates-methodologies; aggregated at www.secnews.physaphae.fr/article.php?IdArticle=2359185)

CISOs report that ransomware is now the biggest cybersecurity concern in 2021

are the primary security concern for these professionals in 2021. Organizations have good reason to be concerned about ransomware attacks. Not only are they highly effective, but companies often find that it is simply easier to pay the ransom than to try to rectify the problem.
This is far from the best solution as it encourages the criminals to continue their attacks, fails to provide any long-term sense of security for the organization, and may incur liability for the organization. This article provides an overview of the rise of ransomware attacks and discusses how security professionals can prepare for and prevent attacks.

The anatomy of a ransomware attack

Ransomware is essentially a virus that loads onto a user’s computer, where it scans connected drives for files that it then encrypts. The user is also typically locked out of their machine and can only view a screen showing how to make a ransom payment.

Ransomware attacks can take many forms, although the most common is to prevent a user from accessing encrypted files or using their machine until the ransom is paid (cryptocurrencies preferred). More malicious ransomware attacks threaten to release sensitive data to the internet broadly (doxware) or to delete data permanently.

Ransomware can reach a user’s machine using a number of vectors, the most common of which is a phishing attack. However, malicious websites or popups may also provide access for ransomware attacks. Ransomware attacks can also be directly injected into an organization’s network through unsecured network connections (i.e. if no VPN is used). Or, even more simply, criminals may use brute force to hack weak passwords and directly insert the ransomware themselves. Ransomware can also attack vulnerabilities in applications arising during the software development process. It is therefore important to use testing methods, such as static and dynamic application security testing (SAST/DAST), that identify these security vulnerabilities continuously while your applications are running.
The prevalence of ransomware attacks

Overall, ransomware constitutes a small portion of all malware attacks; however, ransomware attacks are also some of the most damaging forms of malware-based attacks, as the financial and operational consequences can be devastating. The FBI saw a 37% increase in the reporting of ransomware attacks from 2018-2019, and an associated increase of 147% in financial losses. Average ransom demands also soared, reaching nearly $200,000 by the end of 2019. And the total average business costs resulting from a ransomware attack (post-attack costs, lost business costs, new cybersecurity investments, etc.) reached nearly $4.5 million as of early 2020. Exacerbating the ransomware concern is the fact that cybercriminals are now offering
2021-02-15T11:00:00+00:00 https://feeds.feedblitz.com/~/644400928/0/alienvault-blogs~CISOs-report-that-ransomware-is-now-the-biggest-cybersecurity-concern-in www.secnews.physaphae.fr/article.php?IdArticle=2352779

The Kubernetes API Server: Exploring its security impact and how to lock it down

Container Journal, 48% of respondents to a 2020 survey said that their organizations were using the platform. That’s up from 27% two years prior. These organizations could be turning to Kubernetes for the many benefits it affords them. As noted in its documentation, Kubernetes comes with the ability to distribute the container network traffic so as to keep organizations’ applications up and running. The platform is also capable of moving the actual state of any deployed containers to a desired state specified by the user, as well as of replacing and killing containers that don’t respond to a health check.

The double-edged growth of Kubernetes clusters

The benefits mentioned above trace back to the advantage of the Kubernetes cluster.
At a minimum, a cluster consists of a control plane for maintaining the cluster’s desired state and a set of nodes for running the applications and workloads. Clusters make it possible for organizations to run containers across a group of machines in their environment. There’s just one problem: the number of clusters under organizations’ management is on the rise. This growth in clusters creates network complexity that complicates the task of securing a Kubernetes environment. As StackRox explains in a blog post:

That’s because in a sprawling Kubernetes environment with several clusters spanning tens, hundreds, or even thousands of nodes, created by hundreds of different developers, manually checking the configurations is not feasible. And like all humans, developers can make mistakes – especially given that Kubernetes configuration options are complicated, security features are not enabled by default, and most of the community is learning how to effectively use components including Pod Security Policies and Security Context, Network Policies, RBAC, the API server, kubelet, and other Kubernetes controls.

The last thing that organizations want to do is enable a malicious actor to gain access to their Kubernetes environment. This raises an important question: how can organizations make sure they’re taking the necessary security precautions?

Look to the Kubernetes API Server

Organizations can help strengthen the security of their Kubernetes environment by locking down the Kubernetes API server. Also known as kube-apiserver, the Kubernetes API server is the frontend of the control plane that exposes the Kubernetes API. This element is responsible for helping end users, different parts of the cluster and external elements communicate with one another. A compromise of the API server could enable attackers to manipulate the communication between different Kubernetes components. This could include having them communicate with malicious resources that are hosted externally.
Additionally, they could leverage this communication channel to spread malware like cryptominers amongst all the pods, activity which could threaten the availability of the organization’s applications and services. Fortunately, organizations can take several steps to secure the Kubernetes API server. Presented below are a few recommendations.

Stay on top of Kubernetes updates

From time to time, Kubernetes releases a software update that patches a vulnerability affecting the Kubernetes API server. It’s important that administrators implement those fixes on a timely basis. Otherwise, they could give malici
2021-02-11T11:00:00+00:00 https://feeds.feedblitz.com/~/643985864/0/alienvault-blogs~The-Kubernetes-API-Server-Exploring-its-security-impact-and-how-to-lock-it-down www.secnews.physaphae.fr/article.php?IdArticle=2329673

Budgeting in cybersecurity - Can businesses afford it?

this research, around 50% of all cyberattacks target small businesses, and over 68% of small businesses reported some type of cybercrime in 2018. Criminals have become more sophisticated, making it hard for small businesses to keep up with security measures. Phishing, ransomware, malware, and data breaches are still a severe threat for companies worldwide. In fact, things have gotten even worse in the past few years.

COVID-19 has made cybersecurity even more important

It’s no secret that the world wasn’t ready to cope with a pandemic. The spread of COVID-19 has shown that we all live in a fragile world where things can change completely overnight. As businesses and offices went into lockdown, business owners had to change the way they get things done. Offices closed to prevent the virus from spreading, and most businesses reorganized their operation to work remotely.
Employees started working from home rather than the office, which only increased the risk of data breaches and other criminal activities. Instead of working in a closed local network, all of the work has to be done online, which gives cyber criminals plenty of opportunities to steal information. Business owners must extend cybersecurity features to each employee, which is much harder to control and more expensive. The security of the entire system now depends on employees’ understanding of cybersecurity. One small mistake is enough to jeopardize the entire company. That’s why cybersecurity is more essential than ever before and why you have to invest in educating employees on the dangers of cybercrime.

Proactive budgeting approach

Creating a budget for the following year comes with all kinds of difficult challenges. Traditional budgeting is often tough to figure out, and the smallest mistake can lead to problems with severe implications, in some cases completely shutting down organizations. Small businesses working on a tight budget often can’t afford to make mistakes in their calculations. That’s why proactive rather than reactive budgeting is the best option. Instead of creating a budget based on past experiences, this approach is focused on the future. The budget is calculated according to the plans for the next year, not previous years’ performance. That way, businesses can plan a budget to cover only the expenses they will need.
Cybersecurity should be one of their biggest concerns, so investing more in
2021-02-10T11:00:00+00:00 https://feeds.feedblitz.com/~/643889694/0/alienvault-blogs~Budgeting-in-cybersecurity-Can-businesses-afford-it www.secnews.physaphae.fr/article.php?IdArticle=2323226

Zero Trust policies - Not just for humans, but for machines and applications too

adopted zero trust policies that require a user to provide additional authentication before accessing an organization’s resources and data. Traditional, identity-centric zero trust practices focusing solely on protecting the credentials of human users ignore a substantial set of vulnerabilities, namely those involving interactions between machines, applications and workloads. “Machine identities,” which now outnumber human identities 20:1, present organizations with additional security challenges. To address those challenges, businesses must implement effective processes for recognizing machine identities, provisioning their access to resources, and continuously authenticating identities during interactions with organizational resources.

What is Zero Trust?

Zero trust security models assume that no identity is inherently trustworthy. All identities are equally distrusted - whether customer, employee, device or process - and require additional authentication. A well-known example of a zero trust policy is the use of multi-factor authentication to verify a user’s identity. Identity authentication issues for machine identities, while similar, become a bit more complicated. But, as discussed below, there are policies and processes an organization should consider when implementing zero trust programs that will effectively protect both human and machine identities.
Effective application of Zero Trust policies to machine identities

Effective zero trust policies require frequent and continuous validation of all “users.” But to be as effective as possible, the policy must address the question “Who or what constitutes a user?” It is quite normal to think only of human users when the word “identity” is used. But there are any number of intermediate nodes between a human end user and the resources they access within an organization, including devices, applications and networks, as well as the organization’s databases that contain relevant data. In addition to having their own identities, each of these nodes can be associated with and accessed by a number of other identities, whether they be other devices, workloads, microservices, applications or human users. And each identity involved in an interaction, from human user identities to the machine identities, is a potential target for a hacker.

Many businesses reach the point of zero trust too late, after a problem such as a breach or a failed security audit has already happened. Prudent businesses, however, implement strong zero trust policies proactively. Effective policies require strong, well-protected, frequently modified credentials and limit access to essential processes and data without negatively impacting interactions and workloads. Zero trust is not a perfect solution with respect to machine identities, but it can be effective. Organizations should consider the f
2021-02-09T11:00:00+00:00 https://feeds.feedblitz.com/~/643787806/0/alienvault-blogs~Zero-Trust-policies-Not-just-for-humans-but-for-machines-and-applications-too www.secnews.physaphae.fr/article.php?IdArticle=2316961

What is cybersecurity testing? Reviewing testing tools, methodologies for proactive cyber readiness

Cybersecurity audit

A cybersecurity audit is an assessment of a company’s cybersecurity policies, procedures, and operating effectiveness. The purpose of the audit is to identify internal controls and regulatory weaknesses that may pose risk to the organization. Some audits provide details as to whether a control is effective or ineffective, while other audits won’t go into that detail. Auditors will typically interview key personnel and review system reports to determine if you have the right controls in place. In some cases, auditors may test your systems, depending on the access provided to them. Auditors will always employ industry-standard best practices and adjust the audit to match your organization and industry.

Cybersecurity risk assessment

A cybersecurity risk assessment is much like an audit but may take things to the next level by determining the effectiveness of security controls. The purpose of the risk assessment is to identify, estimate, and prioritize risk to a co
2021-02-09T06:01:00+00:00 https://feeds.feedblitz.com/~/643785098/0/alienvault-blogs~What-is-cybersecurity-testing-Reviewing-testing-tools-methodologies-for-proactive-cyber-readiness www.secnews.physaphae.fr/article.php?IdArticle=2316962

A beginner’s guide to SASE

If you are in the security or networking industry, there is no doubt that you’ve been hearing the latest Gartner-inspired buzzword being dropped in conversations with your colleagues, customers, and vendors alike. In case you haven’t already guessed, I am referring to SASE (pronounced “sassy”). Although it is a hot topic of conversation, it is clear to me that there is still a considerable amount of confusion about what SASE is, its purpose, and what sort of level of urgency it should be given.
SASE stands for Secure Access Service Edge and is an architecture model (I’ve also heard it referred to as a concept or framework) developed by Gartner in 2019 that combines software-defined wide area networking (WAN) with comprehensive security functions in order to support the dynamic nature of today’s modern workforce. Applications are moving out of the data center and into the cloud, more employees are working from remote locations than ever before, and data is being accessed from a wide range of company and personally owned devices. All of these factors make it very difficult for network and security administrators to know what applications and data are being accessed by whom as well as their usage. And what you cannot see, you cannot manage or secure.

Some of the key principles of SASE are:

- The data center is no longer the center of the network, and organizations that continue to route all of their network traffic through the data center, using a legacy hub-and-spoke topology, will create a situation where their network becomes a business inhibitor. Backhauling remote users’ traffic to the data center that is destined to the cloud inevitably produces latency and affects productivity.

- Access to data should be based on identity, not the location of the user. The old approach to security was that everyone on the network was trusted while traffic originating from outside of the network should be scrutinized. This philosophy does not work in today’s environment of employees and partners working from just about anywhere and conducting business off network. But besides being antiquated, providing open access to anyone on network is just reckless because it does not take into account the possibility of insider threats.

- Users and applications are more distributed than ever before, therefore technologies that offer worldwide points of presence and peering relationships should be an important consideration. Having a point of presence that is geographically near a user facilitates a shorter logical path between them and the resource they are accessing, allowing them to focus on accomplishing their job duties or tending to customers, as opposed to waiting for applications and web pages to load.

- Consolidating the number of vendors can help reduce the complexity of management. This is especially true when network and security technologies are integrated to share data in order to provide contextual intelligence and automation or when they can be managed through one pane-of-glass.

These digital transformation trends and diversification within vendor portfolios started well before Gartner had coined the phrase SASE, but businesses have been very receptive to their recommendations for how they should approach networking and security in the future. Something important to note, and I cannot stress it enough, is that despite what all of the great marketing may lead you to believe (and this is coming from a marketer), there is not one off-the-shelf SASE solution on the market. That’s because there is no cut-and-dried definition of what combination of technologies must be offered to be called SASE. Gartner does specify that there are fi
2021-02-08T11:00:00+00:00 https://feeds.feedblitz.com/~/643707968/0/alienvault-blogs~A-beginner%e2%80%99s-guide-to-SASE www.secnews.physaphae.fr/article.php?IdArticle=2310938

Rooting out the cybersecurity risk in your CI/CD pipeline

vulnerability management programs are now able to deal with continuous environments by default, and the IoT cybersecurity act that has just been signed into law contains provisions that specify the liability of developers in the event of an embedded device getting hacked. On the technical side, however, cybersecurity has yet to catch up with the flexibility and complexity of CI/CD pipelines.
In this article, therefore, I want to sketch a holistic way forward: a roadmap for how these environments can begin to be secured in the years to come. This roadmap contains five main pillars:

1. Leadership

First, and arguably most importantly, finding security vulnerabilities in your CI/CD pipeline requires brave, involved, and forward-thinking leadership. The central challenge of CI/CD pipelines, from a cybersecurity perspective, is that they are constantly evolving. Security solutions that were developed for the environment of three years ago no longer offer adequate protection. In response, leaders need to inspire every member of an organization to adopt the DevSecOps mindset, in which every individual who interacts with a piece of software takes responsibility for its security. This means that managers need to put in place systems and processes through which developers can work with operations staff and through which software can be designed in a way that all key stakeholders know the risks it is exposed to. In addition, leaders should take a long-term view of security in their organizations. CI/CD pipelines provide a great deal of flexibility when it comes to software design and development, but they also require (at least) a three-year, horizon-scanning approach to security flaw identification.

2. Design for DevOps

A related point to the one above is that developers must ensure that the code they write and ship via their CI/CD pipelines is designed for the DevOps approach. This means that all source code should be pre-checked with static analysis tools prior to committing to the integration branch. This verifies that it does not introduce critical code vulnerabilities into real world software. This is particularly important today, because of the range of devices on which the average piece of software is deployed. One of the main promises, and advantages, of CI/CD pipelines is that they allow developers to work in a way that is platform-agnostic.
However, this can sometimes blind them to the sheer range of places in which their code will eventually be deployed and potentially exposed to attack. Of particular concern here is the (sometimes unauthorized and often unexpected) deployment of code on smartphones. In 2020, we passed a notable watershed – for the first time in history, the majority of internet traffic originates from cell phones. Given this, it seems absurd that the majority of software is still written, by default, for desktop environments. Making sure that code is thor
2021-02-04T11:00:00+00:00 https://feeds.feedblitz.com/~/643441764/0/alienvault-blogs~Rooting-out-the-cybersecurity-risk-in-your-CICD-pipeline www.secnews.physaphae.fr/article.php?IdArticle=2293217

Intrusion Prevention Systems explained: what is an IPS?

denial of service attacks, and attacks seeking to exploit known vulnerabilities in internal systems. IPS performs real-time deep packet inspection, examining every packet that traverses your network. Its methods of detection can be either signature-based (where network packets match a known malicious pattern) or anomaly-based (where an instance of traffic is unusual or has never been seen, such as communications to an IP address in a remote part of the world from an internal endpoint).
Should malicious or suspicious traffic be detected, the IPS can utilize any one of the following actions:

- Network sessions can be terminated, blocking the malicious source IP address and user accounts from continuing to communicate with a given internal application, resource, or network host, preventing a detected attack from continuing

- Firewall policies and/or configurations can be updated to prevent this kind of attack from happening in the future, as well as preventing the offending source IP address from having access to internal hosts

- Malicious content that continues to reside within the corporate network – such as infected attachments within email – can also be removed or replaced by IPS solutions

How IDS compares to IPS

In addition to IPS, there are also intrusion detection systems (IDS) that are often mentioned in the same breath. However, these solutions do not produce the same end result. The difference is found in their names. IDS merely detects and notifies IT, security teams, or a SIEM solution. IPS detects, but also takes action to protect the network from further abuse and attacks. The challenge with only using an IDS solution is the lack of immediacy with regard to response. With internal staff only notified of a detected threat, lag times can exist from the pure human response (or lack thereof) element. IT or Security staff need to first determine an appropriate response (that is, what new configuration or change should be mad
2021-02-04T06:01:00+00:00 https://feeds.feedblitz.com/~/643430226/0/alienvault-blogs~Intrusion-Prevention-Systems-explained-what-is-an-IPS www.secnews.physaphae.fr/article.php?IdArticle=2292431

New 5G Consumption trends demand a new approach to security

Lakshmi Ananderi Kandadai of Palo Alto Networks. We are in the midst of unprecedented transformation – both business transformation and technical transformation.
From a technology perspective, 5G will change where and how we harness compute power and promote unforeseen product and service innovation. Once 5G attains critical mass with a robust ecosystem, it will touch nearly every organization, promising new revenue potential across a myriad of industries. The recent AT&T Cybersecurity Insights™ Report: 5G and the Journey to the Edge shows that globally 93% of respondents are either researching, implementing, or have completed a 5G initiative. And, firms that have completed 5G implementation expect approximately 57% growth in Internet of Things (IoT)-connected devices over the next 18-36 months.

5G is revolutionizing intelligent connectivity—driving massive adoption of the IoT. A report from industry analyst firm IDC estimates that 41.5 billion devices will be connected to the internet by 2025. Another projected statistic is that there will be 1.9 billion 5G cellular subscriptions by 2024. The inherent vulnerabilities present in IoT devices make them a target-rich environment to be weaponized with botnets for the purpose of carrying out distributed denial-of-service, or DDoS attacks. The AT&T Cybersecurity Insights Report highlights security priorities as IoT projects move from researching phase to implementing to completion. Vulnerability management becomes a higher priority as organizations reach the implementation and completion phases.

Competitive business differentiation is driving the adoption of 5G. We should expect to see 5G play a major role in areas such as smart cities, fleet management, smart factories, robotics, connected health, etc. The greater reliance on cloud and edge compute for these applications creates a highly distributed environment spanning multi-vendor and multi-cloud infrastructures. Further, end-to-end stand-alone 5G networks will be built based on cloud native service-based architectures.
These emerging network architectures vastly impact the network security postures for service providers as well as the industry verticals they serve. Businesses need to establish a strong security posture that can stop cyber attackers from infiltrating their networks and disrupting critical services. The AT&T Cybersecurity Insights report highlights that enterprises are “cautiously optimistic and preparing for the impact of 5G”. The survey data indicates that almost 64% of survey participants rank their confidence in their organizations’ preparedness for the challenges 5G may bring to security as “medium to medium-high”. Service providers and enterprises continue to face new malware-based incidents that threaten network availability and subscriber confidentiality. According to the report, 76% of enterprises believe 5G will enable entirely new types of threats, those that are not simply extensions of today’s threats. These expanding threats and vulnerabilities—previously focused on the internet peering interfaces—can now exploit the application layer in other mobile network interfaces, degrade the customer experience, create network performance challenges, and affect operator revenues. Our partnership with Palo Alto Networks brings the
2021-02-03T11:00:00+00:00 https://feeds.feedblitz.com/~/643377854/0/alienvault-blogs~New-G-Consumption-trends-demand-a-new-approach-to-security www.secnews.physaphae.fr/article.php?IdArticle=2288671

Card-Not-Present fraud (CNP): Five things retailers can do to protect themselves from CNP attacks

accounting for more than 50% of all credit card-related financial losses. Unfortunately, when it comes to CNP attacks, both consumers and online retailers are only too willing to give hackers a helping hand. Consumers frequently fall victim to phishing attacks, lose their data to skimming attacks (where card data is stolen during a physical card transaction) or fail to verify that their transactions are taking place on secure websites.
Meanwhile, numerous online businesses (particularly smaller, less sophisticated businesses) fail to properly secure their networks or implement sufficient methods of authenticating the identity of the card user during a transaction. Fortunately, as detailed below, there are a number of precautions online retailers should consider to protect themselves and their customers from CNP attacks and provide the most secure online shopping experience possible. While many can be implemented internally, it is also always a good idea to consult a reliable provider of compliance solutions, particularly if an organization is not well-versed in cybersecurity.

1 - Ensure that your payment processing application is PCI compliant

As businesses continue to shift to online sales models, there is an increasing need for robust payment processing systems that can identify and defeat CNP attacks. Online retailers can suffer significant reputational effects when they have to disclose a large-scale attack affecting consumers’ financial data, as well as potential financial liabilities associated with individual attacks as they process chargebacks following a consumer’s challenge of a fraudulent transaction. This is why compliance with Payment Card Industry (PCI) standards for payment processing software is not just a good idea, it’s an essential obligation of any business that collects credit card data or uses it in consumer transactions. In early 2019, PCI released new standards designed to maximize security throughout the software development lifecycle (SDLC) of payment software, as well as during use in alpha, beta and commercial products. One of the most important standards for organizations to follow is to have adequate testing of payment processing software during the development cycle.
Developers should approach testing using both "white box," inside-out testing early in the SDLC (static application security testing, or SAST) and "black box," outside-in testing later in the SDLC (dynamic application security testing, or DAST). SAST helps identify issues as the code is being built, while DAST identifies issues that arise in the runtime environment. Because each of these approaches has benefits and drawbacks, as software engineer Mark Preston of Cloud Defense discusses, a multi-layer approach is always required to ensure that the software you create is secure.

2 - Use additional authenticati

(Published 2021-02-02; source: https://feeds.feedblitz.com/~/643304952/0/alienvault-blogs~CardNotPresent-fraud-CNP-Five-things-retailers-can-do-to-protect-themselves-from-CNP-attacks)

AlienVault Blog: Protection for your e-commerce needs

Image source: Pexels

This blog was written by an independent guest blogger.

One of the biggest barriers to a successful e-commerce business is protecting user data. If online shoppers don't feel their information is safe, they won't make a purchase. Luckily, there are actions you can take to secure your own e-commerce experience, whether you're running a digital business or shopping with one. These protections make e-commerce safer at a time when it's desperately needed. Cyberattacks are on the rise, and with more people shopping online, data is at risk. By understanding the evolving needs of an e-commerce strategy, you can better protect yourself when buying or selling online. Here's what you should know.

The evolving needs of e-commerce business

The e-commerce environment is changing. With COVID-19 shuttering many brick-and-mortar retail stores, the pressure has mounted on online sales.
At the same time, the broad shift to remote work and virtual meeting places has initiated a wave of cybercrime. As a result, the field of cybersecurity is growing at a rapid pace in an attempt to counter this wave. By 2026, cybersecurity is expected to grow by 28% as companies across industries add cybersecurity specialists to their payrolls. For e-commerce businesses, having cybersecurity specialists and protections on hand is especially vital. All types of modern digital threats can affect an online store, potentially costing thousands of dollars to resolve and resulting in an immeasurable loss of business. These are just a few of the major threats that digital retailers face: malware, ransomware, phishing attempts, Distributed Denial of Service (DDoS) attacks, and credit card fraud. Any instance of a cyberattack can cause irreparable damage to both the financial and the reputational integrity of a business. Whether the threat is phished employee login info or a DDoS attack that takes your entire site down, the modern e-commerce industry requires substantive protections for safely conducting business. No matter how you are engaging with e-commerce, you can take the following steps to help protect your data and business.

How to protect yourself when buying or selling online

You never know when a cyberattack is going to affect you. With $17,700 lost every minute to phishing attacks alone, according to CSO, shopping and selling online requires using every best practice and technological advantage at your disposal. Luckily, there are actions you can take, ranging from free to high-end, that will give you a safer experience and protect your and your customers' data. Here's what you should know.

Sellers

Any business operating online should make use of all the tools available to it when it comes to protecting customer data. Failure to do so can result in a loss of trust from which it may be impossible to recover.
While no strategy is a guarantee of safety, these tips will offer a good foundation for safe e-commerce:

Prepare the proper tools. There are a host of systems and software out there for hosting and maintaining an e-commerce platform. However, true e-commerce cybersecurity protections require that you find the right firewalls and ho

(Published 2021-02-01; source: https://feeds.feedblitz.com/~/643219558/0/alienvault-blogs~Protection-for-your-ecommerce-needs)

AlienVault Blog: What is Secure Access Service Edge? SASE Explained

(Published 2021-01-29; source: https://feeds.feedblitz.com/~/643045156/0/alienvault-blogs~What-is-Secure-Access-Service-Edge-SASE-Explained)

AlienVault Blog: Serverless computing: Is it worth the risk?

common security risks that come along with it. We'll also go over some common problems with serverless computing and information developers need to know to make sure they aren't victims of a security breach.

The benefits of serverless computing

In our digital era, people expect ease and convenience from their technology. Many internet users will abandon a website after just a few seconds if the load time isn't optimal. The speed with which DevOps teams are expected to roll out new applications is faster than ever. In the competitive landscape of the modern world, achieving work with speed and convenience is a high priority. Serverless computing is great because it allows developers to focus solely on code instead of server maintenance. Developers don't have to be concerned with when to patch their operating system or whether they have to change their code so that it still works, for example.
The sole concentration is on their business applications, freeing up time to focus on what they do best. Serverless computing is also beneficial because it is highly scalable, as companies only pay for what they need. Serverless computing is also becoming more popular due to the increasing reliance on cloud applications. This has been influenced by the current redirection of business application environments to microservices and containers. Coca-Cola, Netflix and Nordstrom are examples of large companies that have adopted serverless computing. With serverless computing, operational concerns are removed from the focus of the company using it. Issues with fault tolerance, scalability, availability, over/under provisioning of VM resources and other infrastructure concerns are completely the responsibility of the serverless provider. Furthermore, growing companies don't have to keep idle servers to ensure they have room for growth. Convenience can come at a cost, however. Even though serverless computing is more affordable than having dedicated in-house servers, relying on serverless cloud computing can potentially expose your business to cybersecurity risks.

The risks of serverless computing

Using a serverless computing model doesn't absolve developers of responsibility for cybersecurity. The developer is still in charge of code, data, application logic, and application-layer configurations, while sharing responsibilities with the serverless provider.
Here are some of the most common security risks that arise in

(Published 2021-01-28; source: https://feeds.feedblitz.com/~/642911578/0/alienvault-blogs~Serverless-computing-Is-it-worth-the-risk)

AlienVault Blog: TeamTNT delivers malware with new detection evasion tool

AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has previously been observed targeting exposed Docker infrastructure for cryptocurrency mining and credential theft. The group is using a new detection evasion tool, copied from open source repositories. The purpose of this blog is to share new technical intelligence and provide detection and analysis options for defenders.

Background

AT&T Alien Labs previously reported on TeamTNT cryptomining malware using a new memory loader based on Ezuri and written in Golang. Since then, TeamTNT has added another tool to their list of capabilities.

Analysis

The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique. The tool, named libprocesshider, is an open source tool from 2014 located on GitHub, described as "hide a process under Linux using the ld preloader". Preloading allows the system to load a custom shared library before other system libraries are loaded. If the custom shared library exports a function with the same signature as one located in the system libraries, the custom version overrides it. The tool implements its own readdir(), the function that programs such as `ps` use to read the /proc directory and enumerate running processes, and modifies the return value whenever an entry matches the process to be hidden.
The new tool arrives within a base64-encoded script hidden in the TeamTNT cryptominer binary or ircbot (figure 1).

Figure 1. Base64-encoded script, via Alien Labs analysis.

Upon binary execution, the bash script runs through a multitude of tasks. Specifically, the script will: modify the network DNS configuration; set persistence through systemd; drop and activate the new tool as a service; download the latest IRC bot configuration; and clear evidence of its activities to complicate potential defender actions. After decoding, we can observe the bash script functionality and how some malicious activity occurs before the shared library is created (figure 2).

Figure 2. Decoded bash script, via Alien Labs analysis.

The new tool is first dropped as a hidden tar file on disk; the script decompresses it, writes it to '/usr/local/lib/systemhealt.so', and then adds it to the preload list via '/etc/ld.so.preload'. The system will load this file before other system libraries, allowing the attacker to override some common functions (figures 3 and 4).

Figures 3 and 4. Bash script features, via Alien Labs analysis.

The main purpose of the tool is to hide the TeamTNT bot from process viewer tools, which use the file '/usr/bin/sbin' as you can s

(Published 2021-01-27; source: https://feeds.feedblitz.com/~/642828124/0/alienvault-blogs~TeamTNT-delivers-malware-with-new-detection-evasion-tool)

AlienVault Blog: JavaScript cybersecurity threats

(Published 2021-01-26; source: https://feeds.feedblitz.com/~/642670184/0/alienvault-blogs~JavaScript-cybersecurity-threats)

AlienVault Blog: How reliable is real-time security?
highly rated their ability to detect threats, versus 53% of respondents who did not use automation as extensively. If a real-time security system successfully separates threats from harmless incidents, it could help overstretched teams better manage their time and prioritize their efforts. However, a poorly trained or overly sensitive real-time system could bombard people with too much information, making it challenging to find genuine dangers. As of February 2020, 887 law enforcement agencies had signed agreements with Ring, which offers real-time footage from connected doorbells. Many could not directly connect arrests to the camera footage, though. Some also said the way Ring makes it easy for people to share clips led to problems where residents asked the police to handle trivial issues, like raccoons in their yards. Real-time information, whether collected to improve physical security or cybersecurity, can become reliable and valuable. However, the system must weed out irrelevant data.

Effective real-time security requires contextual analysis

The security sector is not the only industry to depend on real-time information. Health care providers rely on it to make faster, more personalized care choices for their patients. Research also showed that 92% of companies are increasing their investments in real-time analytics for financial decision-making. Successfully relying on real-time data requires looking at the information in context. Some people become fixated on single data points, failing to see the full picture. That could become problematic when someone tries to access a network's resource. For example, what if a worker based in the United States provides the correct login information but does so from a German IP address? The lack of location consistency may be a clue to an attack attempt. Adaptive authentication solutions are becoming more widely used in the security industry.
They use machine learning and

(Published 2021-01-25; source: https://feeds.feedblitz.com/~/642613588/0/alienvault-blogs~How-reliable-is-realtime-security)

AlienVault Blog: Education, certifications, and cybersecurity

cybersecurity certifications comes up very frequently on discussion boards. What is the best certificate to get? Is a college degree better for getting a cybersecurity role? What education or skills are needed for various cybersecurity roles? And many, many more. In this post, I'll try to clarify some of these questions and more. Before heading down the certification path or degree path, ask yourself: what is my end goal? A career in cybersecurity is relatively demanding and requires commitment. Cybersecurity is a vast field of endeavor that involves many skills, with many different paths. For example, if your goal is eventually to become a Chief Information Security Officer (CISO), not having a degree could limit your opportunities. For other cybersecurity roles, the requirements vary considerably. On the other hand, if your passion is identifying weaknesses and vulnerabilities as an ethical hacker, a college degree is not necessary. Let's begin with a list of typical roles in cybersecurity and explore some of the requirements for these roles. We'll follow up with some of the ways to meet these requirements and the education needed. Some of these roles are engineering-focused, while others require creativity, and some positions have legal or regulatory mandates.

SOC Analyst – the SOC Analyst role means different things in different organizations; some may think of this role as a threat analyst. Others consider this role a technology jockey that monitors firewalls and Intrusion Detection/Prevention Services (IDPS). For this post, I'll use the former term, threat analyst.
To be a successful threat analyst, one needs to be able to apply deductive analysis techniques; in other words, to decompose the actions that lead to an observable outcome. Useful skills for a threat analyst are the ability to troubleshoot and to reverse engineer. Knowledge of networking and system administration is foundational to this role. Over time the threat analyst will come to understand threat actors' Tools, Tactics, and Procedures (TTP). The threat analyst will spend much of their time using threat analysis tools like Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) tools. Many of the SIEM and SOAR vendors offer certifications that the analyst might want to pursue.

Network Security Engineer – These engineers typically install, set up, configure, and maintain network security technologies, such as firewalls, proxy servers, Network Intrusion Detection and Prevention devices, and Network Access Controls (NAC). There are many vendor technologies that a network security engineer will have to master; thus, it is beneficial to pursue vendor certifications for various technologies.

Cloud Security Engineer – this role is similar to the Network Security Engineer and is focused on specific technologies. In this role, the engineer will design, implement, and maintain security controls in cloud environments. Desired skills for this role include an understanding of cloud-based technologies, security controls, and attack vectors. The major cloud vendors provide training and certifications for their offerings, including Cloud Security Engineering certifications. Additionally, the Cloud Security Alliance (CSA) and the

(Published 2021-01-21; source: https://feeds.feedblitz.com/~/642084338/0/alienvault-blogs~Education-certifications-and-cybersecurity)